
gstfsd and security #106

Open
nitmir opened this issue May 3, 2016 · 5 comments · May be fixed by #111

@nitmir
Contributor

nitmir commented May 3, 2016

Hi

Following installation, gstfsd is launched by supervisor and binds to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a JSON message and change a VM root password by doing so:

$ echo '{"action": "password", "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1", "vname": "test"}' | nc 192.0.2.1 16510
{"return": "success"}

If so, it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1 and, in fact, it should bind to a Unix socket, and only webvirtcloud should be allowed to talk to it.
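The exchange described above, as an added example that is not part of this issue or of the webvirtcloud/gstfsd code: a mock handler (an assumption, not the daemon's real one; it only checks that a "password" message carries the three fields nitmir sent, and never touches a guest) is served once over TCP and once over a Unix socket created with mode 0600, the bind proposed in the comment. The TCP listener uses an ephemeral port rather than 16510 so the script runs anywhere, and the request payload is copied from the nc command above. Because the protocol carries no credential, whoever can reach the socket can issue the request; the example makes that reachability the only thing that differs between the two variants.

```python
import json
import os
import socket
import stat
import tempfile
import threading

# Constructed request: the message from the issue, hash included.
PASSWORD_REQUEST = {
    "action": "password",
    "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1",
    "vname": "test",
}


def is_wildcard_bind(host: str) -> bool:
    """True when a bind address exposes the listener on every interface."""
    return host in ("", "0.0.0.0", "::")


def handle_request(raw: bytes) -> dict:
    """Assumed mock of the daemon's handler (not gstfsd's code): it validates
    message shape only. Note that no credential is checked anywhere."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"return": "error", "message": "invalid json"}
    if not isinstance(msg, dict):
        return {"return": "error", "message": "expected object"}
    if msg.get("action") == "password" and all(k in msg for k in ("passwd", "vname")):
        return {"return": "success"}
    return {"return": "error", "message": "unsupported action"}


def _serve_one(listener: socket.socket) -> None:
    """Accept a single connection, answer it, and return."""
    conn, _ = listener.accept()
    with conn:
        reply = handle_request(conn.recv(65536))
        conn.sendall(json.dumps(reply).encode("utf-8"))


def send_request(family: int, address, payload: dict) -> dict:
    """Client side: one JSON message in, one JSON reply out (what nc did above)."""
    with socket.socket(family, socket.SOCK_STREAM) as client:
        client.settimeout(5)
        client.connect(address)
        client.sendall(json.dumps(payload).encode("utf-8"))
        return json.loads(client.recv(65536).decode("utf-8"))


def tcp_listener(host: str) -> socket.socket:
    """Bind on an ephemeral port. host="0.0.0.0" is the exposure in the issue."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def unix_listener(path: str) -> socket.socket:
    """Bind a Unix socket created as mode 0600, so only the owning user (the
    account webvirtcloud runs as) can connect; no firewall rule is needed."""
    if os.path.exists(path):
        os.unlink(path)
    old_umask = os.umask(0o177)  # socket file is 0600 from the moment it exists
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # in case the platform ignores umask for sockets
    srv.listen(1)
    return srv


def exchange(listener: socket.socket, family: int, address) -> dict:
    """Serve one request on `listener` in a thread and send PASSWORD_REQUEST."""
    worker = threading.Thread(target=_serve_one, args=(listener,), daemon=True)
    worker.start()
    try:
        return send_request(family, address, PASSWORD_REQUEST)
    finally:
        worker.join(5)
        listener.close()


def demo_tcp(host: str) -> dict:
    srv = tcp_listener(host)
    port = srv.getsockname()[1]
    return exchange(srv, socket.AF_INET, ("127.0.0.1", port))


def demo_unix() -> tuple:
    """Returns (reply, socket file mode) for the Unix-socket variant."""
    path = os.path.join(tempfile.mkdtemp(), "gstfsd.sock")
    srv = unix_listener(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:
        return exchange(srv, socket.AF_UNIX, path), mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("0.0.0.0 is a wildcard bind:", is_wildcard_bind("0.0.0.0"))
    print("TCP on 127.0.0.1:", demo_tcp("127.0.0.1"))
    reply, mode = demo_unix()
    print("Unix socket:", reply, "file mode %o" % mode)
```

Run it as a script to see both variants answer `{"return": "success"}`; the difference is that the Unix socket can only be opened by the file's owner, whereas the TCP listener answers anyone who can reach the port, which with a 0.0.0.0 bind means every interface on the host.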

@nitmir
Contributor Author

nitmir commented May 3, 2016

As a hotfix, I came up with the following firewall rules (I am running webvirtcloud as the user webvirt):

iptables  -A INPUT -p tcp ! -s 127.0.0.1 --dport 16510 -j REJECT
ip6tables -A INPUT -p tcp ! -s ::1 --dport 16510 -j REJECT
iptables  -I OUTPUT -m owner ! --uid webvirt -p tcp -d 127.0.0.1 --dport 16510 -j REJECT
ip6tables -I OUTPUT -m owner ! --uid webvirt -p tcp -d ::1 --dport 16510 -j REJECT

@savichev savichev mentioned this issue May 4, 2016
@retspen
Owner

retspen commented May 5, 2016

Simple way: a private management network or a VPN.

@zingmars

zingmars commented Jun 6, 2018

Still doesn't change the fact that you're binding the daemon to 0.0.0.0 by default which is a really bad idea. Changing it is fairly simple (it's a single line in the script itself), but the defaults are definitely insecure.

@qixinwuchen

@nitmir when I run "supervisorctl status", I get this:
[image: supervisorctl status output]
gstfsd doesn't show in the output, why?

@qixinwuchen

In your answer, "gstfsd is launched by supervisor", I want to know where to configure gstfsd to be launched by supervisor.
