custom guacd service account option

This commit is contained in:
Itiligent 2024-10-31 14:04:50 +11:00
parent b66f7418ce
commit 457d0c122d
4 changed files with 44 additions and 20 deletions


@ -120,6 +120,7 @@ GUAC_DB="" # If blank "" default is guacamole_db
GUAC_USER="" # If blank "" default is guacamole_user
MYSQL_ROOT_PWD="" # Manadatory entry here or at script prompt
GUAC_PWD="" # Manadatory entry here or at script prompt
GUACD_ACCOUNT="guacd" # Service account guacd will run under (and will be very heavily locked down)
DB_TZ=$(cat /etc/timezone) # Blank "" defaults to UTC, for local timezone: $(cat /etc/timezone)
INSTALL_TOTP="" # Add TOTP MFA extension (true/false), can't be installed simultaneously with DUO)
INSTALL_DUO="" # Add DUO MFA extension (true/false, can't be installed simultaneously with TOTP)
@ -146,6 +147,7 @@ BACKUP_RETENTION="30" # Days to keep SQL backups locally
RDP_SHARE_HOST="" # Custom RDP host name shown in Windows Explorer (eg. "RDP_SHARE_LABEL on RDP_SHARE_HOST"). Blank "" = $SERVER_NAME
RDP_SHARE_LABEL="RDP Share" # Custom RDP shared drive name in Windows Explorer (eg. "RDP_SHARE_LABEL on RDP_SHARE_HOST" eg. "your RDP share name on server01"
RDP_PRINTER_LABEL="RDP Printer" # Custom RDP printer name shown in Windows
CRON_DENY_FILE="/etc/cron.deny" # Distro's cron deny file
#######################################################################################################################
# Download GitHub setup scripts. BEFORE RUNNING SETUP, COMMENT OUT DOWNLOAD LINES OF ANY SCRIPTS YOU HAVE EDITED ! ####
@ -691,6 +693,7 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|GUACD_ACCOUNT=|GUACD_ACCOUNT='${GUACD_ACCOUNT}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|RDP_SHARE_HOST=|RDP_SHARE_HOST='${RDP_SHARE_HOST}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
sed -i "s|RDP_SHARE_LABEL=|RDP_SHARE_LABEL='${RDP_SHARE_LABEL}'|g" $DOWNLOAD_DIR/upgrade-guacamole.sh
@ -756,6 +759,7 @@ export GUAC_DB=$GUAC_DB
export GUAC_USER=$GUAC_USER
export MYSQL_ROOT_PWD="${MYSQL_ROOT_PWD}"
export GUAC_PWD="${GUAC_PWD}"
export GUACD_ACCOUNT=$GUACD_ACCOUNT
export DB_TZ="${DB_TZ}"
export INSTALL_TOTP=$INSTALL_TOTP
export INSTALL_DUO=$INSTALL_DUO
@ -782,6 +786,7 @@ export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}"
export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
export LOCAL_DOMAIN=$LOCAL_DOMAIN
export DOMAIN_SUFFIX=$DOMAIN_SUFFIX
export CRON_DENY_FILE=$CRON_DENY_FILE
# Run the Guacamole install script (with all exported variables from this current shell)
sudo -E ./2-install-guacamole.sh
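Review bot: GUACD_ACCOUNT is accepted without any validation before it is written into upgrade-guacamole.sh by the new `sed … GUACD_ACCOUNT=` line and exported to 2-install-guacamole.sh, where this commit substitutes it unquoted into the guacd unit's User=/Group= lines; an empty or malformed value would leave those fields blank, which systemd treats as unset (root), and the comments on MYSQL_ROOT_PWD/GUAC_PWD show the other mandatory settings are at least enforced at the prompt while this one is not. Add a guard before the sed run, e.g. `[[ "${GUACD_ACCOUNT}" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "GUACD_ACCOUNT must be a valid local username" >&2; exit 1; }`. The setting's own comment could also state the contract: `# Service account guacd will run under. Must be a valid local username; created and locked down by the installer`. The script's main body begins and ends outside these hunks.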


@ -268,19 +268,31 @@ rm -rf /etc/guacamole/extensions/
mkdir -p /etc/guacamole/lib/
mkdir -p /etc/guacamole/extensions/
# Setup freerdp profile permissions for storing certificates
mkdir -p /usr/sbin/.config/freerdp
chown daemon:daemon /usr/sbin/.config/freerdp
# Create a custom guacd service account and heavily lock it down
adduser "${GUACD_ACCOUNT}" --disabled-password --disabled-login --gecos "" > /dev/null 2>&1
gpasswd -d "${GUACD_ACCOUNT}" users > /dev/null 2>&1
echo -e "\nMatch User ${GUACD_ACCOUNT}\n X11Forwarding no\n AllowTcpForwarding no\n PermitTTY no\n ForceCommand cvs server" | sudo tee -a /etc/ssh/sshd_config > /dev/null 2>&1
systemctl restart sshd
touch "${CRON_DENY_FILE}"
chmod 644 "${CRON_DENY_FILE}"
chown root:root "${CRON_DENY_FILE}"
if ! grep -q "^${GUACD_ACCOUNT}$" "${CRON_DENY_FILE}"; then
echo "$GUACD_ACCOUNT" | sudo tee -a "$CRON_DENY_FILE" > /dev/null 2>&1
fi
# Setup correct permissions for history recorded storage feature
# Setup freerdp profile permissions for storing certificates
mkdir -p /home/"${GUACD_ACCOUNT}"/.config/freerdp
chown ${GUACD_ACCOUNT}:${GUACD_ACCOUNT} /home/"${GUACD_ACCOUNT}"/.config/freerdp
# Setup guacamole permissions
mkdir -p /var/guacamole
chown daemon:daemon /var/guacamole
chown "${GUACD_ACCOUNT}":"${GUACD_ACCOUNT}" /var/guacamole
# Make and install guacd (Guacamole-Server)
cd guacamole-server-${GUAC_VERSION}/
echo
echo -e "${GREY}Compiling Guacamole-Server from source with with GCC $(gcc --version | head -n1 | grep -oP '\)\K.*' | awk '{print $1}'), this might take a few minutes...${GREY}"
cd guacamole-server-${GUAC_VERSION}/
# Skip any deprecated software warnings various distros may throw during build
export CFLAGS="-Wno-error"
@ -487,7 +499,7 @@ if [[ "${INSTALL_HISTREC}" = true ]]; then
chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${GUAC_VERSION}.jar
#Setup the default recording path
mkdir -p ${HISTREC_PATH}
chown daemon:tomcat ${HISTREC_PATH}
chown ${GUACD_ACCOUNT}:tomcat ${HISTREC_PATH}
chmod 2750 ${HISTREC_PATH}
echo "recording-search-path: ${HISTREC_PATH}" >>/etc/guacamole/guacamole.properties
if [[ $? -ne 0 ]]; then
@ -690,6 +702,9 @@ fi
# Ensure guacd is started
echo -e "${GREY}Starting guacd service & enable at boot..."
# Update the systemd unit file the default daemon to the chosen service account
sudo sed -i "s/\bdaemon\b/${GUACD_ACCOUNT}/g" /etc/systemd/system/guacd.service
systemctl daemon-reload
systemctl enable guacd
systemctl stop guacd 2>/dev/null
systemctl start guacd
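Review bot: In the account lock-down block, the sshd `Match User` stanza is appended to /etc/ssh/sshd_config unconditionally and sshd is restarted on every run, whereas the cron.deny entry a few lines below is guarded with a grep — a re-run of the installer stacks duplicate Match blocks. Mirror the cron guard around the tee and the restart: `if ! grep -q "^Match User ${GUACD_ACCOUNT}$" /etc/ssh/sshd_config; then … fi`. Separately, `adduser --disabled-login` only withholds the password and leaves the distro's default login shell in place, so add `--shell /usr/sbin/nologin` to the adduser line to close that path independently of sshd configuration, and consider not discarding adduser's stderr, since a silently failed creation leaves the later chowns and the unit's rewritten User= pointing at an account that does not exist. The script body these hunks sit in begins and ends outside the hunks.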


@ -4,17 +4,16 @@
</div>
## Introduction
This project allows you to easily set up a Guacamole jump-host for secure remote access.
<p align="center">
<a href="https://www.paypal.com/donate/?business=PSZ878JBJDMB8&amount=10&no_recurring=0&item_name=Thankyou+for+your+support+in+maintaining+this+project&currency_code=AUD">
<img src="https://github.com/itiligent/Guacamole-Install/raw/main/.github/ISSUE_TEMPLATE/paypal-donate-button.png" width="125" />
</a>
</p>
## Introduction
This project allows you to easily set up a Guacamole jump-host for secure remote access.
This modular suite of build and management scripts makes provisioning a secure Guacamole jump server a breeze. It supports TLS reverse proxy (self-signed or Let's Encrypt), Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, a custom UI theme creation tool & template (dark themed), auto database backup, email alerts, internal security hardening options, and a fail2ban policy for defence against brute force attacks. The suite also includes code for an enterprise deployment similar to [Amazon's Guacamole Bastion Cluster](http://netcubed-ami.s3-website-us-east-1.amazonaws.com/guaws/v2.3.1/cluster/).
## Automatic Installation


@ -78,6 +78,7 @@ MYSQL_ROOT_PWD=
RDP_SHARE_HOST=
RDP_SHARE_LABEL=
RDP_PRINTER_LABEL=
GUACD_ACCOUNT=
# Standardise on a distro version identification lexicon
source /etc/os-release
@ -342,16 +343,20 @@ for file in /etc/guacamole/extensions/guacamole-history-recording-storage*.jar;
fi
done
# Setup freerdp profile permissions for storing certificates
mkdir -p /usr/sbin/.config/freerdp
chown daemon:daemon /usr/sbin/.config/freerdp
# Setup correct permissions for history recorded storage feature
mkdir -p /var/guacamole
chown daemon:daemon /var/guacamole
# Bring guacd and Tomcat back up
echo -e "${GREY}Starting guacd and Tomcat services..."
# Reset freerdp profile permissions for storing certificates
mkdir -p /home/"${GUACD_ACCOUNT}"/.config/freerdp
chown ${GUACD_ACCOUNT}:${GUACD_ACCOUNT} /home/"${GUACD_ACCOUNT}"/.config/freerdp
# Reset guacamole permissions
mkdir -p /var/guacamole
chown "${GUACD_ACCOUNT}":"${GUACD_ACCOUNT}" /var/guacamole
# Reset the guacd systemd unit file's default service account
sudo sed -i "s/\bdaemon\b/${GUACD_ACCOUNT}/g" /etc/systemd/system/guacd.service
systemctl daemon-reload
systemctl enable guacd
systemctl start guacd
systemctl start ${TOMCAT_VERSION}
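Review bot: The upgrade path rewrites the guacd unit's User=/Group= to ${GUACD_ACCOUNT} and chowns the freerdp profile and /var/guacamole to it, but nothing in this script creates the account, so on a host installed before this commit (where guacd ran as daemon) the chowns fail and the unit refers to a user that does not exist. With the new default `GUACD_ACCOUNT=` left empty — the case when this script is run on its own rather than filled in by the setup script's sed — the `\bdaemon\b` substitution turns `User=daemon` into `User=`, which systemd treats as unset (root), and `/home//.config/freerdp` is created. Refuse an empty value, create the account if it is missing before the chowns, and anchor the sed to the `User=`/`Group=` keys so it does not depend on the word "daemon" appearing anywhere else in the unit. The upgrade script's main body begins before this hunk.
```shell
: "${GUACD_ACCOUNT:?GUACD_ACCOUNT must name the guacd service account}"
# Hosts installed before the custom service account existed still run guacd as daemon
if ! id "${GUACD_ACCOUNT}" > /dev/null 2>&1; then
  adduser "${GUACD_ACCOUNT}" --disabled-password --disabled-login --gecos ""
fi
# … unchanged: freerdp profile and /var/guacamole ownership …
sed -i "s/^User=.*/User=${GUACD_ACCOUNT}/; s/^Group=.*/Group=${GUACD_ACCOUNT}/" /etc/systemd/system/guacd.service
```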