Closed craddm closed 2 weeks ago
craddm
commented
1 month ago The current version of the security checklist in the docs does not include this claim, so there is now nothing to do. From the current documentation, it is not clear to me how it would be possible to configure guacamole to allow it. Thus, although it was seemingly possible on older versions of the DSH, I don't see how it would be now.
jemrobinson
commented
1 month ago Using Right click -> Copy and Right click -> Paste should save the text to a virtual clipboard that is mounted in the user's home directory (at a weird path that I forget the name of). This ought to still be possible.
craddm
commented
1 month ago I found the weird virtual clipboard in the thinclient_drives folder, but copy and pasting still doesn't work for me. A quick look at the xrdp.ini suggests it should as the relevant variables are set to true. The Guacamole clipboard that you can see by using Ctrl+Alt+Shift doesn't work either.
JimMadge
commented
1 month ago @craddm What copy/paste settings are you using?
From memory, last time I deployed a workspace with copy/paste allowed I could put text in the Guacamole clipboard, and then paste that inside the workspace. It did seem a bit tempermental, and I don't think I got copying from the workspace to the clipboard to work.
Didn't try copying between workspaces. We might need to enumerate all of the cases,
Copy/paste between workspaces means 3 and 4 must work. >=T2 requires 1 and 2 to be false.
craddm
commented
1 month ago To be clear, I was under the impression that copy + pasting between workspaces within an SRE always worked; it was copy pasting from outside to in or inside to out that was disabled. The old docs are not explicit about this. I seem to remember it working, and it being via the local thinclient_drives folder would be a potential mechanism.
JimMadge
commented
1 month ago Yeah that is what I thought too. Although I'm not 100% about how it works. Might be that disabling copy/paste stops all of the options because they use the same clipboard system.
It might also have been that before our docs were trying to describe both Guac and MS RDS so was intentionally a bit vague.
craddm
commented
1 month ago Ok, just tried again, with both desktops open and it actually worked ¯_(ツ)_/¯
JimMadge
commented
1 month ago @craddm Can you make sure to check all of the cases above, with both configurations (copy/paste allowed, disallowed)? I think we need to be clear what works in what circumstances.
The change we want to make here is probably a documentation update then.
craddm
commented
1 month ago @craddm What copy/paste settings are you using?
Both set to not allowed
From memory, last time I deployed a workspace with copy/paste allowed I could put text in the Guacamole clipboard, and then paste that inside the workspace. It did seem a bit tempermental, and I don't think I got copying from the workspace to the clipboard to work.
Didn't try copying between workspaces. We might need to enumerate all of the cases,
- from local machine to guac clipboard
- from guac clipboard to local machine
- from guac clipboard to workspace
- from workspace to guac clipboard
Copy/paste between workspaces means 3 and 4 must work. >=T2 requires 1 and 2 to be false.
1 and 2 always work; 3 and 4 are disabled by setting copy/paste to not allowed.
craddm
commented
1 month ago I actually think I was mistaken and it wasn't working, just that it was pasting things on desktop which obviously then impact the other workspace. So I guess you can argue that transfer between workspaces within an SRE is only possible by using folders that are shared across them, rather than direct copy paste.
I can't see any evidence that the thinclient_drives clipboard is doing anything other than existing
JimMadge
commented
1 month ago I think this is why we need to be really careful when testing and write down what we have done, it is very easy to forget exactly what the configuration was and what happened.
craddm
commented
1 month ago I think this is why we need to be really careful when testing and write down what we have done, it is very easy to forget exactly what the configuration was and what happened.
I don't think that has happened here. The configuration has been consistent throughout. The only confusion is my own misinterpretation of the results of my actions.
JimMadge
commented
1 month ago OK, but we still don't have the table of what works/doesn't work for our different configuration options, which I think is what we need to document for whenever this question comes up (and to decide if there is a bug here).
craddm
commented
1 month ago OK, but we still don't have the table of what works/doesn't work for our different configuration options, which I think is what we need to document for whenever this question comes up (and to decide if there is a bug here).
Do we need a table? The only configuration options are:
Copy and pasting within a workspace is always allowed.
The question was really whether copying from one workspace to another workspace within the same SRE was still possible if copy and paste were set to false, which seems to have been true previously, and isn't now.
JimMadge
commented
1 month ago I think we do need a table because, as this thread has shown, we don't really understand what is possible and how the options affect that.
For the configuration, there are two independent, binary variables so we have four states,
| copy | paste |
|---|---|
| true | true |
| true | false |
| false | true |
| false | false |
and we want to understand the implications of each. What is Guacamole doing in each case?
For our user documentation, we want to know for each configuration
Then, there is also the question of according to the Guacamole docs should copy/paste between workspaces work with copy/paste to/from your local machine forbidden.
Both of those are still unclear to me.
craddm
commented
3 weeks ago For our user documentation, we want to know for each configuration
- copy/paste within a workspace
This is not affected by the Guacamole options, always works
- copy/paste between multiple workspaces within one SRE
This is affected by the Guacamole options, but indirectly. If both copy and paste are allowed, then you can copy/paste between multiple workspaces. Otherwise you can't copy/paste between workspaces. However, this is entirely mediated by access to local machine's clipboard. I think this is separate from why you could copy/paste between workspaces on earlier versions. Previously, I think this was mediated by xrdp, which creates thinclient_drives/.clipboard and previously saved the workspace clipboard there. So you could copy from one workspace to another through this, which was effectively an on-disk clipboard shared within an SRE. That no longer seems to work.
- copy/paste to your local machine
This is affected by the Guacamole options. If allow_copy is true, you can copy from the workspace to the local machine. If allow_paste is true, you can paste from the local machine to the workspace.
Then, there is also the question of according to the Guacamole docs should copy/paste between workspaces work with copy/paste to/from your local machine forbidden.
I don't think a table is necessary because they are just two binary options that don't interact:
allow_copy means you can copy from the workspace to the local clipboard.
allow_paste means you can paste from the local clipboard to the workspace.
| allow_copy | allow_paste | Copy/paste within workspace | Copy/paste between workspaces | Copy to local machine | Paste from local machine |
|---|---|---|---|---|---|
| true | true | yes | yes | yes | yes |
| true | false | yes | no | yes | no |
| false | true | yes | no | no | yes |
| false | false | yes | no | no | no |
There used to be an independent route via thinclient_drives/.clipboard, which is an xrdp thing rather a Guacamole thing. As far as I can see, the xrdp config is set up to allow it to work, but it doesn't. So if there is a bug, it's to do with xrdp, not Guacamole.
JimMadge
commented
3 weeks ago That's great @craddm.
I suppose the technical summary is allow_copy means text copied on the remote machine is put into the Guacamole clipboard, and, allow_paste means text in the Guacamole clipboard can be pasted on the remote machine.
I think the table is useful. It makes it very clear (to me) what the possibilities are and the implications.
I can see most of those states being useful. For example, one lets you paste data into the environment while still preventing exfiltration with copy/paste.
Can we
.clipboard/xrdp problem
:white_check_mark: Checklist
:computer: System information
:no_entry_sign: Describe the problem
Although the security checklist says that it should be possible to copy and paste between workspaces in the same SRE, this does not work when copy and paste are disabled.
:steam_locomotive: Workarounds or solutions