Re: [Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

2017-05-03 Thread Joe Julian
I should amend that.

On May 3, 2017 8:18:39 PM PDT, Vijay Bellur wrote:
>On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini wrote:
>
>> Hi all,
>>
>> I came across this blog entry. It seems that there's an undocumented
>> command line option that allows someone to execute a gluster cli command on
>> a remote host.
>>
>> https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/
>>
>> I am on gluster 3.9 and the option is still supported. I'd really like to
>> understand why this option is still supported and what someone could do to
>> actually mitigate this vulnerability. Is there some configuration option I
>> can set to turn this off for example?
>>
>>
>The --remote-host option can now be used for read-only commands. No
>commands that modify the cluster state or volume configuration can be
>executed remotely.
>
>Joe's post was correct till patch at [1] changed the behavior described in
>the post.
>
>Regards,
>Vijay
>
>[1] https://review.gluster.org/#/c/5280/

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
Gluster-users mailing list
Gluster-users@gluster.org
http://lists.gluster.org/mailman/listinfo/gluster-users

Re: [Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

2017-05-03 Thread Vijay Bellur
On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini wrote:

> Hi all,
>
> I came across this blog entry. It seems that there's an undocumented
> command line option that allows someone to execute a gluster cli command on
> a remote host.
>
> https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/
>
> I am on gluster 3.9 and the option is still supported. I'd really like to
> understand why this option is still supported and what someone could do to
> actually mitigate this vulnerability.  Is there some configuration option I
> can set to turn this off for example?
>
>
The --remote-host option can now be used for read-only commands. No
commands that modify the cluster state or volume configuration can be
executed remotely.

Joe's post was correct till patch at [1] changed the behavior described in
the post.

Regards,
Vijay

[1] https://review.gluster.org/#/c/5280/

[Gluster-users] severe security vulnerability in glusterfs with remote-hosts option

2017-05-03 Thread Joseph Lorenzini
Hi all,

I came across this blog entry. It seems that there's an undocumented
command line option that allows someone to execute a gluster cli command on
a remote host.

https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/

I am on gluster 3.9 and the option is still supported. I'd really like to
understand why this option is still supported and what someone could do to
actually mitigate this vulnerability.  Is there some configuration option I
can set to turn this off for example?

Thanks,
Joe