From c25df905554ef2c268ff75267e0b8b362084d7c3 Mon Sep 17 00:00:00 2001
From: benrubson <6764151+benrubson@users.noreply.github.com>
Date: Sun, 21 Feb 2021 09:27:29 +0100
Subject: [PATCH] GUACAMOLE-890: Security: Allow image to run as non-root user

---
 Dockerfile | 9 +++++++++
 guacamole-docker/bin/start.sh | 10 ++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2b70f6739..1b6e9be17 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,6 +56,15 @@ WORKDIR /opt/guacamole
 # Copy artifacts from builder image into this image
 COPY --from=builder /opt/guacamole/ .
+# Create a new user guacamole
+ARG UID=1001
+ARG GID=1001
+RUN groupadd --gid $GID guacamole
+RUN useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole
+
+# Run with user guacamole
+USER guacamole
+
 # Start Guacamole under Tomcat, listening on 0.0.0.0:8080
 EXPOSE 8080
 CMD ["/opt/guacamole/bin/start.sh" ]
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 62f9496dd..09d35c648 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
@@ -659,9 +659,15 @@ associate_header() {
 ##
 start_guacamole() {
+ # User-only writable CATALINA_BASE
+ export CATALINA_BASE=$HOME/tomcat
+ for dir in logs temp webapps work; do
+ mkdir -p $CATALINA_BASE/$dir
+ done
+ cp -R /usr/local/tomcat/conf $CATALINA_BASE
+
 # Install webapp
- rm -Rf /usr/local/tomcat/webapps/${WEBAPP_CONTEXT:-guacamole}
- ln -sf /opt/guacamole/guacamole.war /usr/local/tomcat/webapps/${WEBAPP_CONTEXT:-guacamole}.war
+ ln -sf /opt/guacamole/guacamole.war $CATALINA_BASE/webapps/${WEBAPP_CONTEXT:-guacamole}.war
 # Start tomcat
 cd /usr/local/tomcat
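Review bot: The new `guacamole` user relies on `--create-home` for a writable `$HOME`, but nothing in the Dockerfile hunk records that the image now depends on it — the start.sh hunk in this same patch builds `CATALINA_BASE=$HOME/tomcat` and `mkdir`s under it, so a deployment that overrides the user at runtime with a UID not present in /etc/passwd will likely end up with an unwritable or unset `$HOME` and fail before Tomcat starts. Add a comment above `ARG UID=1001` such as `# start.sh needs a writable $HOME (CATALINA_BASE=$HOME/tomcat); pick UID/GID to match any runtime --user override` so operators understand why the IDs are build arguments. As a point of style, the two `RUN` lines can be merged into `RUN groupadd --gid $GID guacamole && useradd --system --create-home --shell /usr/sbin/nologin --uid $UID --gid $GID guacamole` to keep the user creation in a single layer.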