On Fri, Sep 15, 2023 at 6:35 AM khmadhu <[email protected]> wrote:

> Hi,
>
> I am looking for an option to disable ALL file transfers like shared
> drives / SFTP, for all default users in a connection group, even though if
> user have the option to create connections, the file transfer options must
> be disabled, is that possible?, how can we achieve this?.

There's no configuration option you can set to disable this globally - basically, if you give users the ability to create connections, you're giving them administrative privileges to the system, and that includes all of the capabilities of any of the connections, including file transfer. If you don't want people to be able to create connections with file transfer capability, you probably shouldn't give them the ability to create connections - there may be other things they can do (saving credentials, for example) that you may not want done.

I can think of a couple of theoretical ways to accomplish this, but without having tried either of them, I don't know exactly how they would work:

* Run guacd in a container or chroot jail, where the user account running guacd does not have write access to any part of the filesystem, including /tmp (normally world-writable).
* Run guacd inside a filesystem that has quotas enabled and set, and restrict the quota for the user account to essentially nothing. This would also have to factor in places that are normally world-writable, like /tmp, /var/tmp, etc.
* Use a reverse proxy or web application firewall to restrict access to the REST API endpoints that handle file transfers. I don't know what these are off the top of my head, but, since everything in Guacamole is done via the REST API, there is an API endpoint responsible for it, and it should be possible to block it, either in your proxy configuration (Nginx, Apache httpd, Traefik, etc.) or with a WAF.

-Nick
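
Added example, not part of the original thread and not the Guacamole project's own configuration: a sketch of the reverse-proxy option for Nginx. It assumes the web application is served under /guacamole/ by Tomcat on 127.0.0.1:8080 and that browser uploads and downloads use the path /api/session/tunnels/<tunnel>/streams/<index>/<filename>; the hostname, certificate paths and log path are placeholders.

```nginx
# Added example. The stream path below is an assumption: confirm it against
# your own access log while performing a test upload and download.
server {
    listen 443 ssl;
    server_name guac.example.test;                      # placeholder hostname
    ssl_certificate     /etc/nginx/tls/guac.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/tls/guac.key;        # placeholder path

    # Tomcat strips ";param" path parameters before routing; Nginx does not.
    # Reject them so the deny rule below matches the path Tomcat will see.
    if ($uri ~ ";") {
        return 400;
    }

    # Deny the HTTP stream endpoint (GET = download, POST = upload).
    # Regex locations take precedence over the plain prefix location below.
    location ~ ^/guacamole/api/session/tunnels/[^/]+/streams/ {
        access_log /var/log/nginx/guac_transfer_denied.log;  # placeholder path
        return 403;
    }

    # Everything else, including the WebSocket tunnel, is proxied as usual.
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This only stops transfers between the browser and guacd; users who can create connections can still define them with drive redirection or SFTP enabled. Tomcat must not be reachable directly, otherwise the proxy rule is bypassed.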
