From 2aac12e7cef0f0ab931a68f206eb399bf3a5118e Mon Sep 17 00:00:00 2001 From: itiligent Date: Wed, 6 Sep 2023 12:59:23 +1000 Subject: [PATCH] extension permissions read only --- 2-install-guacamole.sh | 12 +++++++++-- upgrade-guac.sh | 45 ++++++++++++++++++++++++------------------ 2 files changed, 36 insertions(+), 21 deletions(-) diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh index cd58ef4..a8b6b75 100644 --- a/2-install-guacamole.sh +++ b/2-install-guacamole.sh @@ -256,14 +256,16 @@ ldconfig # Move files to correct install locations (guacamole-client & Guacamole authentication extensions) cd .. mv -f guacamole-${GUAC_VERSION}.war /etc/guacamole/guacamole.war +chmod 664 /etc/guacamole/guacamole.war mv -f guacamole-auth-jdbc-${GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar /etc/guacamole/extensions/ +chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar # Create a symbolic link for Tomcat ln -sf /etc/guacamole/guacamole.war /var/lib/${TOMCAT_VERSION}/webapps/ - # Move MySQL connector/j files echo -e "${GREY}Moving mysql-connector-j-${MYSQLJCON}.jar (/etc/guacamole/lib/mysql-connector-java.jar)..." mv -f mysql-connector-j-${MYSQLJCON}/mysql-connector-j-${MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar +chmod 664 /etc/guacamole/lib/mysql-connector-java.jar if [ $? -ne 0 ]; then echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 exit 1 @@ -285,6 +287,7 @@ echo "mysql-password: ${GUAC_PWD}" >>/etc/guacamole/guacamole.properties if [ "${INSTALL_TOTP}" = true ]; then echo -e "${GREY}Moving guacamole-auth-totp-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-auth-totp-${GUAC_VERSION}/guacamole-auth-totp-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${GUAC_VERSION}.jar if [ $? -ne 0 ]; then echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 exit 1 
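Review bot: The `if [ $? -ne 0 ]` after the MySQL connector move now tests the exit status of the new `chmod`, not of `mv`, because `chmod 664 /etc/guacamole/lib/mysql-connector-java.jar` was inserted between them. If an older jar already sits at that fixed path, a failed `mv` is followed by a successful `chmod` and the install continues with the stale connector. Chaining keeps the check meaningful: `mv -f mysql-connector-j-${MYSQLJCON}/mysql-connector-j-${MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar && chmod 664 /etc/guacamole/lib/mysql-connector-java.jar`. The same ordering appears in the TOTP, quickconnect and branding hunks of this file.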
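Review bot: Mode `664` leaves the jar writable by its owner and its group, which does not match the commit subject "extension permissions read only"; this applies to every `chmod 664` added in both scripts. Jars under /etc/guacamole/extensions are loaded as code by the web application, and no ownership is set in the visible hunks, so if the owning group includes the Tomcat service account the service could rewrite its own extensions. Consider `chmod 644` (or `444`) with an explicit owner, and quote the path, e.g. `chmod 644 "/etc/guacamole/extensions/guacamole-auth-totp-${GUAC_VERSION}.jar"`.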
@@ -298,6 +301,7 @@ fi if [ "${INSTALL_DUO}" = true ]; then echo -e "${GREY}Moving guacamole-auth-duo-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-auth-duo-${GUAC_VERSION}/guacamole-auth-duo-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${GUAC_VERSION}.jar echo "#duo-api-hostname: " >>/etc/guacamole/guacamole.properties echo "#duo-integration-key: " >>/etc/guacamole/guacamole.properties echo "#duo-secret-key: " >>/etc/guacamole/guacamole.properties @@ -316,6 +320,7 @@ fi if [ "${INSTALL_LDAP}" = true ]; then echo -e "${GREY}Moving guacamole-auth-ldap-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar echo "#If you have issues with LDAP, check the formatting is exactly as below or you will despair!" >>/etc/guacamole/guacamole.properties echo "#Be extra careful with spaces at line ends or with windows line feeds." >>/etc/guacamole/guacamole.properties echo "#ldap-hostname: dc1.yourdomain.com dc2.yourdomain.com" >>/etc/guacamole/guacamole.properties @@ -341,6 +346,7 @@ fi if [ "${INSTALL_QCONNECT}" = true ]; then echo -e "${GREY}Moving guacamole-auth-quickconnect-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-auth-quickconnect-${GUAC_VERSION}/guacamole-auth-quickconnect-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${GUAC_VERSION}.jar if [ $? -ne 0 ]; then echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 exit 1 
@@ -354,6 +360,7 @@ fi if [ "${INSTALL_HISTREC}" = true ]; then echo -e "${GREY}Moving guacamole-history-recording-storage-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-history-recording-storage-${GUAC_VERSION}/guacamole-history-recording-storage-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${GUAC_VERSION}.jar #Setup the default recording path mkdir -p ${HISTREC_PATH} chown daemon:tomcat ${HISTREC_PATH} @@ -369,8 +376,9 @@ if [ "${INSTALL_HISTREC}" = true ]; then fi # Apply a branded interface and dark theme. You may delete this file and restart guacd & tomcat for the default console -echo -e "${GREY}Setting the Guacamole console to a branded and customisable dark mode themed template..." +echo -e "${GREY}Setting the Guacamole console to a (customisable) dark mode themed template..." mv branding.jar /etc/guacamole/extensions +chmod 664 /etc/guacamole/extensions/branding.jar if [ $? -ne 0 ]; then echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 exit 1 diff --git a/upgrade-guac.sh b/upgrade-guac.sh index b6a5cbf..7d8f8a8 100644 --- a/upgrade-guac.sh +++ b/upgrade-guac.sh @@ -164,6 +164,7 @@ if [ $? -ne 0 ]; then else rm /etc/guacamole/guacamole.war mv -f guacamole-${NEW_GUAC_VERSION}.war /etc/guacamole/guacamole.war + chmod 664 /etc/guacamole/guacamole.war fi echo -e "${LGREEN}Upgraded Guacamole client to version ${NEW_GUAC_VERSION}${GREY}" @@ -177,6 +178,7 @@ else tar -xzf guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz rm /etc/guacamole/extensions/guacamole-auth-jdbc-*.jar mv -f guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar fi echo -e "${LGREEN}Upgraded Guacamole SQL jdbc to version ${NEW_GUAC_VERSION}${GREY}" 
@@ -255,6 +257,26 @@ else echo fi +# Check for TOTP extension and upgrade if found +for file in /etc/guacamole/extensions/guacamole-auth-totp*.jar; do + if [[ -f $file ]]; then + echo -e "${LGREEN}TOTP authentication extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-auth-totp*.jar &>>${LOG_LOCATION} + wget -q --show-progress -O guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz + if [ $? -ne 0 ]; then + echo -e "${LRED}Failed to download guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} + mv -f guacamole-auth-totp-${NEW_GUAC_VERSION}/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} + chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded TOTP extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi +done + # Check for DUO extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-duo*.jar; do if [[ -f $file ]]; then @@ -268,6 +290,7 @@ for file in /etc/guacamole/extensions/guacamole-auth-duo*.jar; do fi tar -xzf guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} mv -f guacamole-auth-duo-${NEW_GUAC_VERSION}/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} + chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar echo -e "${LGREEN}Upgraded DUO extension to version ${NEW_GUAC_VERSION}${GREY}" echo break 
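Review bot: In the relocated TOTP block the existing jar is removed with `rm /etc/guacamole/extensions/guacamole-auth-totp*.jar` before `wget` has fetched the replacement, so a failed download reaches `exit 1` with no TOTP extension installed. If Guacamole is started in that state, the second factor would presumably no longer be enforced. Moving the `rm` to just before the `mv -f`, after `tar -xzf` has succeeded, keeps the old jar in place on failure. The archive is also unpacked and installed with no checksum or signature check visible in this hunk.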
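Review bot: The "Upgraded DUO extension" message is printed unconditionally, because neither `tar`, `mv` nor the new `chmod` is status-checked in the lines shown. The `chmod` is also the only one of the three not redirected with `&>>${LOG_LOCATION}`, so its errors go to the terminal and not the log. A failed extract or move therefore reports a successful upgrade; guarding the message with the same `if [ $? -ne 0 ]` test used after `wget`, and appending `&>>${LOG_LOCATION}` to the `chmod`, would close that gap. The TOTP, LDAP, quickconnect and history-recording hunks follow the same pattern, and the enclosing `for` loop starts outside this hunk.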
@@ -287,31 +310,13 @@ for file in /etc/guacamole/extensions/guacamole-auth-ldap*.jar; do fi tar -xzf guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} mv -f guacamole-auth-ldap-${NEW_GUAC_VERSION}/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} + chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar echo -e "${LGREEN}Upgraded LDAP extension to version ${NEW_GUAC_VERSION}${GREY}" echo break fi done -# Check for TOTP extension and upgrade if found -for file in /etc/guacamole/extensions/guacamole-auth-totp*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}TOTP authentication extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-auth-totp*.jar &>>${LOG_LOCATION} - wget -q --show-progress -O guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} - mv -f guacamole-auth-totp-${NEW_GUAC_VERSION}/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} - echo -e "${LGREEN}Upgraded TOTP extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi -done - # Check for Quick Connection extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-quickconnect*.jar; do if [[ -f $file ]]; then 
@@ -325,6 +330,7 @@ for file in /etc/guacamole/extensions/guacamole-auth-quickconnect*.jar; do fi tar -xzf guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} mv -f guacamole-auth-quickconnect-${NEW_GUAC_VERSION}/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} + chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar echo -e "${LGREEN}Upgraded Quick Connect extension to version ${NEW_GUAC_VERSION}${GREY}" echo break @@ -344,6 +350,7 @@ for file in /etc/guacamole/extensions/guacamole-history-recording-storage*.jar; fi tar -xzf guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz &>>${LOG_LOCATION} mv -f guacamole-history-recording-storage-${NEW_GUAC_VERSION}/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${LOG_LOCATION} + chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar echo -e "${LGREEN}Upgraded History Recording Storage extension to version ${NEW_GUAC_VERSION}${GREY}" echo break