guacamole-user mailing list archives

From Mike Jumper <>
Subject Re: Plaintext passwords in
Date Thu, 12 Jul 2018 16:40:25 GMT
On Thu, Jul 12, 2018 at 9:36 AM, Erik Berndt
<> wrote:
>> Your best option is to set filesystem permissions appropriately such that
>> only Guacamole can read
> I had a similar thought a few months ago and this is your best bet. Yes,
> the password is stored in plain text on a publicly available server, but
> it's not being transmitted externally, so locking it down should be
> sufficient. We use smtp relay on a couple of servers and have the config
> files storing the credentials set to 644. I just checked and
> is set to 604, which from what I can recall was the
> most restrictive mode without the service becoming inaccessible.

In general, I'd recommend creating a group specific to Guacamole (like
"guacamole"), adding the Tomcat user to that group, and ensuring is owned by "root:guacamole" with 640 permissions
(read/write for root, read-only to guacamole, unreadable to all
others). That should lock things down nicely.

- Mike
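
A check for the ownership and mode layout recommended in the message above, as an added example that is not part of the original message or of the Guacamole project. It assumes GNU coreutils stat; the file path in the usage comment is a placeholder, and the owner, group and account names are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): audit a credentials-bearing config file
# against an owner/group/mode layout such as root:guacamole 640.
# Assumes GNU coreutils stat(1); path, owner and group come from the caller.

# audit_secret_file FILE OWNER GROUP
# Prints one finding per line; returns 0 when the file conforms, 1 otherwise.
audit_secret_file() {
    file=$1 want_owner=$2 want_group=$3
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3
    rc=0

    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }

    grp_bits=$(( (0$mode >> 3) & 7 ))   # middle octal digit: group
    oth_bits=$(( 0$mode & 7 ))          # last octal digit: everyone else

    # Any "other" bit (as in 644 or 604) exposes the file to every local account.
    [ "$oth_bits" -eq 0 ] || { echo "mode $mode grants access to others"; rc=1; }
    # The service reads the file through its group, so group needs r and not w.
    [ $(( grp_bits & 4 )) -ne 0 ] || { echo "mode $mode: group cannot read"; rc=1; }
    [ $(( grp_bits & 2 )) -eq 0 ] || { echo "mode $mode: group can write"; rc=1; }
    return $rc
}

# user_in_group USER GROUP
# Returns 0 when USER (e.g. the Tomcat account) is a member of GROUP.
user_in_group() {
    case " $(id -nG "$1" 2>/dev/null) " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Usage (placeholder path; account names depend on the installation):
#   audit_secret_file /path/to/config-file root guacamole
#   user_in_group tomcat guacamole
```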
