[Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

Joseph Lorenzini jaloren at gmail.com
Wed May 3 11:54:58 UTC 2017


Hi all,

I came across this blog entry. It seems that there's an undocumented
command line option that allows someone to execute a gluster cli command on
a remote host.

https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/

I am on gluster 3.9 and the option is still supported. I'd really like to
understand why this option is still supported and what someone could do to
actually mitigate this vulnerability. Is there some configuration option I
can set to turn this off, for example?

Thanks,
Joe