[Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

Vijay Bellur vbellur at redhat.com
Thu May 4 03:18:39 UTC 2017


On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini <jaloren at gmail.com> wrote:

> Hi all,
>
> I came across this blog entry. It seems that there's an undocumented
> command line option that allows someone to execute a gluster cli command on
> a remote host.
>
> https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/
>
> I am on gluster 3.9 and the option is still supported. I'd really like to
> understand why this option is still supported and what someone could do to
> actually mitigate this vulnerability.  Is there some configuration option I
> can set to turn this off for example?
>
>
The --remote-host option can now be used for read-only commands. No
commands that modify the cluster state or volume configuration can be
executed remotely.

Joe's post was correct until the patch at [1] changed the behavior described in
the post.

Regards,
Vijay

[1] https://review.gluster.org/#/c/5280/