[Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

Joe Julian joe at julianfamily.org
Thu May 4 03:26:09 UTC 2017


I should amend that.

On May 3, 2017 8:18:39 PM PDT, Vijay Bellur <vbellur at redhat.com> wrote:
>On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini <jaloren at gmail.com> wrote:
>
>> Hi all,
>>
>> I came across this blog entry. It seems that there's an undocumented
>> command line option that allows someone to execute a gluster cli
>> command on a remote host.
>>
>> https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/
>>
>> I am on gluster 3.9 and the option is still supported. I'd really
>> like to understand why this option is still supported and what someone
>> could do to actually mitigate this vulnerability. Is there some
>> configuration option I can set to turn this off, for example?
>>
>>
>The --remote-host option can now be used for read-only commands. No
>commands that modify the cluster state or volume configuration can be
>executed remotely.
>
>Joe's post was correct till patch at [1] changed the behavior described
>in the post.
>
>Regards,
>Vijay
>
>[1] https://review.gluster.org/#/c/5280/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.