Gluster users - May 2017 - severe security vulnerability in glusterfs with remote-hosts option

Hi all,

I came across this blog entry. It seems that there's an undocumented
command line option that allows someone to execute a gluster cli command on
a remote host.

https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/

I am on gluster 3.9 and the option is still supported. I'd really like to
understand why this option is still supported and what someone could do to
actually mitigate this vulnerability.  Is there some configuration option I
can set to turn this off for example?

Thanks,
Joe
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170503/9f029b1a/attachment.html>

On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini <jaloren at gmail.com>
wrote:
> Hi all,
>
> I came across this blog entry. It seems that there's an undocumented
> command line option that allows someone to execute a gluster cli command on
> a remote host.
>
> https://joejulian.name/blog/one-more-reason-that-
> glusterfs-should-not-be-used-as-a-saas-offering/
>
> I am on gluster 3.9 and the option is still supported. I'd really like
to
> understand why this option is still supported and what someone could do to
> actually mitigate this vulnerability.  Is there some configuration option I
> can set to turn this off for example?
>
>
The --remote-host option can now be used for read-only commands. No
commands that modify the cluster state or volume configuration can be
executed remotely.

Joe's post was correct till patch at [1] changed the behavior described in
the post.

Regards,
Vijay

[1] https://review.gluster.org/#/c/5280/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.gluster.org/pipermail/gluster-users/attachments/20170503/8627d46f/attachment.html>