guacamole-user mailing list archives

From Amarjeet Singh <amarjee...@gmail.com>
Subject Re: Same shared Drive redirected to all users : Privacy and Security breach
Date Sun, 07 Jan 2018 14:48:43 GMT
If I don't pass username and password then ${GUAC_USERNAME} fails to
resolve [ *Scenario: I want users to enter username and password on the
Windows screen* ]. It creates a directory with its own name, i.e.
${GUAC_USERNAME}


So, creating a filesystem solved this issue, and it created the users'
directories at runtime using the "*enable-create-drive*" parameter.

Now, I need to look into the following to achieve quotas per sub-volume or
for each user's directory:

> ZFS or btrfs, for example, allow for sub-volumes and quotas per-volume,
> per-user, and/or per-group

Using SFTP is a good idea, though, but in case I want the user to
enter *username and password* on the Windows screen, then it would fail.

*Can't save username and password on the user-mapping.xml file for security
purposes.*



On Sun, Jan 7, 2018 at 7:24 PM, Nick Couchman <vnick@apache.org> wrote:

> On Sat, Jan 6, 2018 at 3:21 PM, Mike Jumper <mike.jumper@guac-dev.org>
> wrote:
>
>> On Sat, Jan 6, 2018 at 12:10 PM, Amarjeet Singh <amarjeetxc@gmail.com>
>> wrote:
>>
>>> Hi Mike,
>>>
>>> Use separate filesystems to hold the drive contents, not the root
>>> filesystem of your Guacamole server.
>>>
>>>
>>>
>>> If I have 500 users then I can't have a separate file system for each one
>>> of them on the same machine where the Guacamole server runs [CentOS 7].
>>>
>>>
>> Can't or won't? ;)
>>
>> If you wanted to, you probably actually could do this (write an extension
>> to dynamically create a temporary filesystem on a per-connection basis
>> which is cleaned up upon disconnect), but I meant that you could create a
>> single separate file system to isolate the overall base for all users'
>> drives. If a number of users end up using way too much space, then the
>> damage is limited to just RDP drive usage, and the rest of your server is
>> unaffected.
>>
>>
> ...and this should be pretty easy to manage with some of the newer
> filesystems - ZFS or btrfs, for example, allow for sub-volumes and quotas
> per-volume, per-user, and/or per-group.  So, it should be relatively
> straight-forward to create a filesystem or volume that has home directories
> for each user and that can be passed using the ${GUAC_USERNAME} token, as
> Mike mentioned.
>
> Alternatively, if you make the user directories available via SFTP (e.g.
> on another Linux fileserver) you can enable SFTP support, use AD domain
> authentication on the Linux server, and enable SFTP on the connection using
> the same username/password (tokens, for example) as they are using to log
> into the connection.
>
> Point is...there are many ways to accomplish what you are trying to do
> with minimal administrative burden.
>
> -Nick
>
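
Added example (not part of the original message and not Guacamole's own code): a Python audit for the two conditions this thread describes, an RDP connection whose `drive-path` has no `${GUAC_USERNAME}` token, so every user lands in the same directory, and a directory on disk literally named after the unresolved token. The sample mapping, host name and `/srv/guac-drives` path are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

TOKEN = "${GUAC_USERNAME}"

# Constructed sample in user-mapping.xml layout; user, host and paths are made up.
SAMPLE_MAPPING = """
<user-mapping>
  <authorize username="alice" password="placeholder">
    <connection name="shared-drive">
      <protocol>rdp</protocol>
      <param name="hostname">rdp.example.internal</param>
      <param name="enable-drive">true</param>
      <param name="drive-path">/srv/guac-drives</param>
    </connection>
    <connection name="per-user-drive">
      <protocol>rdp</protocol>
      <param name="hostname">rdp.example.internal</param>
      <param name="enable-drive">true</param>
      <param name="drive-path">/srv/guac-drives/${GUAC_USERNAME}</param>
    </connection>
  </authorize>
</user-mapping>
"""

def audit_mapping(xml_text):
    """Return names of RDP connections whose redirected drive is not per-user."""
    shared = []
    for conn in ET.fromstring(xml_text).iter("connection"):
        if (conn.findtext("protocol") or "").strip() != "rdp":
            continue
        params = {p.get("name"): (p.text or "").strip() for p in conn.iter("param")}
        if params.get("enable-drive", "").lower() != "true":
            continue  # drive redirection is off for this connection
        if TOKEN not in params.get("drive-path", ""):
            shared.append(conn.get("name"))  # same path for every user
    return shared

def unresolved_token_dirs(base):
    """Return directories under base whose name still holds a literal ${...} token."""
    return sorted(e.path for e in os.scandir(base) if e.is_dir() and "${" in e.name)

if __name__ == "__main__":
    print("drive shared by all users:", audit_mapping(SAMPLE_MAPPING))
```

Run `unresolved_token_dirs()` against the drive base directory on the Guacamole server; any hit means files from sessions where the token did not resolve were written to one common folder.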
