feat: Add Fluxbox toolbar removal and Firejail security enhancements#2
Conversation
… XRDP user configuration in xrdp.conf
- Hide Fluxbox toolbar for clean RDP desktop experience - Add custom fluxbox-init configuration to disable toolbar visibility - Implement fluxbox-startup script with runtime toolbar hiding - Add Firejail security profile for Chromium isolation - Update Dockerfile to include new configuration files - Remove xterm configuration as it's no longer needed - Enhance security with filesystem restrictions and capability dropping
@surya-d-naidu once check this copilot review |
Updated the file as suggested by the Copilot to make sure that unwanted files are not exposed
Remoed Nautilus File manager Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Made changes to fluxbox to prevent duplicates Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
This PR enhances the RDP container by removing the Fluxbox toolbar for a cleaner desktop and sandboxing Chromium with Firejail for improved security.
- Introduces Fluxbox configuration, menu, and startup scripts to automatically hide and disable the toolbar
- Updates the Dockerfile to install and configure Firejail, integrate the new Fluxbox scripts, and remove xterm
- Adds a Firejail profile and updates supervisor/entrypoint configurations to launch Chromium under the sandbox
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| xorg.conf | Adds Xorg modules for xrdp and Fluxbox |
| fluxbox-startup | New startup script to launch Fluxbox and hide toolbar |
| fluxbox-menu | Custom Fluxbox menu for secure RDP environment |
| fluxbox-init | Minimal Fluxbox init settings (toolbar disabled) |
| debian.dockerfile | Installs Firejail, removes xterm, integrates scripts |
| conf.d/xterm.conf | Removes xterm supervisor config |
| chromium-secure.profile | Firejail profile locking down Chromium |
| browser_conf/chromium.conf | Updates supervisor command to use Firejail |
| base_entrypoint.sh | Drops obsolete AUTO_START_XTERM echo |
| README.md | Updates README for RDP-focused, secure Chromium image |
Comments suppressed due to low confidence (2)
debian.dockerfile:12
- Embedding a default password in the Dockerfile is insecure. Consider requiring the password to be provided at runtime or sourced from a secret manager.
ARG DEF_XRDP_PASSWORD=money4band
README.md:15
- The leading
+-looks like a leftover diff marker. Update to a standard list item (- **RDP-Ready**) for correct Markdown rendering.
+- **RDP-Ready**: Accessible via any RDP client with secure authentication
| echo 'fi' >> /home/${XRDP_USER}/.xsession && \ | ||
| echo 'exec /usr/local/bin/fluxbox-startup &' >> /home/${XRDP_USER}/.xsession && \ | ||
| echo 'sleep 3' >> /home/${XRDP_USER}/.xsession && \ | ||
| echo 'firejail --profile=/etc/firejail/chromium-secure.profile /usr/bin/chromium --no-sandbox --disable-dev-shm-usage --start-maximized --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-features=TranslateUI --disable-ipc-flooding-protection "${STARTING_WEBSITE_URL}" &' >> /home/${XRDP_USER}/.xsession && \ |
There was a problem hiding this comment.
The .xsession script uses ${STARTING_WEBSITE_URL}, but elsewhere supervisor uses ENV_STARTING_WEBSITE_URL. Align the environment variable names or document the mapping to ensure the URL is passed correctly.
| echo 'firejail --profile=/etc/firejail/chromium-secure.profile /usr/bin/chromium --no-sandbox --disable-dev-shm-usage --start-maximized --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-features=TranslateUI --disable-ipc-flooding-protection "${STARTING_WEBSITE_URL}" &' >> /home/${XRDP_USER}/.xsession && \ | |
| echo 'firejail --profile=/etc/firejail/chromium-secure.profile /usr/bin/chromium --no-sandbox --disable-dev-shm-usage --start-maximized --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-features=TranslateUI --disable-ipc-flooding-protection "${ENV_STARTING_WEBSITE_URL}" &' >> /home/${XRDP_USER}/.xsession && \ |
| session.screen0.workspaces: 1 | ||
| session.screen0.workspaceNames: Desktop | ||
|
|
||
| # Disable desktop icons and background |
There was a problem hiding this comment.
[nitpick] An empty rootCommand could be confusing; either remove this line or add a comment explaining why it’s intentionally blank.
| # Disable desktop icons and background | |
| # Disable desktop icons and background | |
| # Intentionally left blank to disable desktop icons and background |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This PR implements comprehensive toolbar removal for Fluxbox window manager and adds Firejail security enhancements for the Chromium browser.
Changes Made
Fluxbox Toolbar Removal
Firejail Security Enhancements
Container Improvements
Testing
Security Benefits
The changes provide a more secure and user-friendly RDP environment while maintaining full browser functionality.