On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg <[email protected]>
wrote:

> Hello Nick & Gabriel,
>
> Before thinking about encryption, what is the user and authorization
> concept for that share? Can every user see and change all other users'
> files? Or are the paths somehow distinct for all users, disallowing
> sharing? The doc only states that the guacd process needs to be able to
> read/write the directory, nothing else.
>

It's important to understand that the access to the redirected folder is
done by the user running guacd. So, if you point all users to the same
exact folder in the redirection, everyone will have access to all of the
files. This can be mitigated in a couple of ways:
* Use tokens in Guacamole to point users to their own folders -
for example, the path in the redirection could be
/files/guacamole/${GUAC_USERNAME}, which means each user logging into
Guacamole (not necessarily the remote system) will have their own folder.
* Instead of using folder redirection, use SSH on a server with Samba
installed, so you can transparently share that folder both with the remote
system (via SMB) and with the Guacamole browser (via SSH).


> In fact I never enabled that drive, because I never understood it and thus
> referred my users to standard shares that support ACLs (and all the
> shares are ultimately protected by Bitlocker, as is my Guacamole setup, as
> it runs on Hyper-V).
>

Yes, folder redirection is different from a file share.


>
> Thanks for your answer Nick!
>
> It's not so clear to me how this can be implemented only on the remote
> server side since files are uploaded by Guacamole without any involvement
> of the remote server, unless it somehow monitors the folder and each time a
> new file is created it encrypts it immediately.
>
> I will look into it, thanks!
>

Yeah, you're correct about that - it wouldn't work for the remote access
from Guacamole (the browser) to the remote server. So, there'd have to be
some additional work (coding) done to make it work for both the remote
system (server via RDP) and the web browser.

-Nick
