guacamole-user mailing list archives

From Mike Jumper <mike.jum...@glyptodon.org>
Subject Re: Plaintext passwords in guacamole.properties
Date Thu, 12 Jul 2018 16:40:25 GMT
On Thu, Jul 12, 2018 at 9:36 AM, Erik Berndt
<erikberndt@superiorpaving.net> wrote:
>> Your best option is to set filesystem permissions appropriately such that
>> only Guacamole can read guacamole.properties.
>
> I had a similar thought a few months ago and this is your best bet. Yes,
> the password is stored in plain text on a publicly available server, but
> it's not being transmitted externally, so locking it down should be
> sufficient. We use smtp relay on a couple of servers and have the config
> files storing the credentials set to 644. I just checked and
> guacamole.properties is set to 604, which from what I can recall was the
> most restrictive mode without the service becoming inaccessible.
>

In general, I'd recommend creating a group specific to Guacamole (like
"guacamole"), adding the Tomcat user to that group, and ensuring
guacamole.properties is owned by "root:guacamole" with 640 permissions
(read/write for root, read-only to guacamole, unreadable to all
others). That should lock things down nicely.

- Mike
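An added audit script that checks a guacamole.properties file against the ownership and mode recommended in Mike's reply (root:guacamole, 640). It is not part of this thread or of the Guacamole project; the default path /etc/guacamole/guacamole.properties is an assumption, and a different path can be passed as the first argument.

```python
import grp
import os
import pwd
import stat
import sys

# Assumed default location; the thread itself does not name a path.
DEFAULT_PATH = "/etc/guacamole/guacamole.properties"

def mode_findings(mode):
    """Problems with a permission mode, measured against 640 (rw-r-----)."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IROTH:
        findings.append("world-readable (mode %o): any local account can read the credentials" % perm)
    if perm & stat.S_IWOTH:
        findings.append("world-writable (mode %o)" % perm)
    if perm & stat.S_IWGRP:
        findings.append("group-writable (mode %o): the service account only needs to read it" % perm)
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bits set (mode %o)" % perm)
    return findings

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the raw number."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)

def audit_file(path, expected_owner="root", expected_group="guacamole"):
    """Return a list of findings; an empty list means the file matches the recommendation.
    Pass None for expected_owner or expected_group to skip that check."""
    st = os.stat(path)
    findings = mode_findings(st.st_mode)
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    if expected_owner is not None and owner != expected_owner:
        findings.append("owned by %s, expected %s" % (owner, expected_owner))
    if expected_group is not None and group != expected_group:
        findings.append("group is %s, expected %s" % (group, expected_group))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    problems = audit_file(target)
    for p in problems:
        print("%s: %s" % (target, p))
    sys.exit(1 if problems else 0)
```

A non-zero exit status makes the script usable from a cron job or configuration-management check; the 604 mode mentioned above is reported as world-readable.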
