On Mon, Mar 11, 2019 at 7:37 AM Robert Dinse <nanook@eskimo.com> wrote:

      /var/run is a tmpfs file system and recreated at each boot so changing
the perms on it are gone on the next boot.  As for the encryption key, lots
of things run as daemon, I don't want them all having access to the key.

Yes.  I addressed both of these issues in my previous e-mail:
- /var/run is managed by tmpfilesd on most systems where it is completely temporary and that also run systemd.  So, you can put rules into /etc/tmpfiles.d that create these files for you.
- You do not have to use the "daemon" user.  It was a convenient default for the purposes of creating and distributing the systemd unit file, but you can run guacd under any user account that you like.  Again, as already mentioned, I generally create a "guac" user account and run both Tomcat and guacd under that user account. This way I can 1) make sure neither guacd nor Tomcat is running as root, and 2) that both have the necessary access to the files and folders under /etc/guacamole that define the configuration for Guacamole, including sensitive information like certificates/keys, database username/password, etc.
 

       At any rate, that's my suggestion for functionality.

Appreciated.  You're welcome to file a feature request in JIRA for this and see where it goes.  The point is, it isn't required to get where you want to go.
 

       I still have some other issues to work out but they're with my hosts
not with guacamole.  I have sound working on debian and mint.  Have not been
able to get it to work on ubuntu yet nor on any redhat derived system, I get
connection refused from the pulseaudio port on those machines even after adding
the suggested configuration change to /etc/pulse/default.pa.


RedHat has firewalld enabled and active by default, I believe, so it's possible that's blocking something.  Not sure about Ubuntu.

-Nick
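
A check for the dedicated-account setup described in the reply above, added here as an example and not part of the original thread or of the Guacamole project: it reports anything under the configuration directory that is not owned by the service account or that accounts outside the owner and group can reach. The account name "guac" and /etc/guacamole come from the message; the function name `audit_conf_dir` and the output format are assumptions.

```shell
#!/bin/sh
# Added example: audit a configuration tree that should be reachable only by
# a dedicated service account (for instance "guac" and /etc/guacamole).

# audit_conf_dir DIR OWNER
#   OWNER is a user name or numeric uid.
#   Prints one finding per line; returns 0 if clean, 1 on findings,
#   2 if DIR does not exist.
audit_conf_dir() {
    dir=$1
    owner=$2

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi

    report=$(
        # Files or directories owned by some other account.
        find "$dir" ! -user "$owner" \
            -exec printf 'WRONG-OWNER %s\n' {} \;
        # Any read, write or execute bit granted to "other", which would let
        # unrelated accounts (such as daemon) read keys or passwords.
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$dir" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'OTHER-ACCESS %s\n' {} \;
    )

    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Run directly as: sh audit.sh /etc/guacamole guac
if [ "$#" -eq 2 ]; then
    audit_conf_dir "$1" "$2"
fi
```

A tree set to mode 0750 on directories and 0640 on files, owned by the service account, passes this check.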