gstfsd and security #106
As a hotfix, I came up with the following firewall rules (I am running webvirtcloud with the user webvirt):
Simple way - private network for management, or VPN
Still doesn't change the fact that you're binding the daemon to 0.0.0.0 by default, which is a really bad idea. Changing it is fairly simple (it's a single line in the script itself), but the defaults are definitely insecure.
@nitmir when I run "supervisorctl status", I get this:
In your answer, "gstfsd is launched by supervisor", I want to know where to configure gstfsd to be launched by supervisor.
Hi,
following installation, gstfsd is launched by supervisor and it is bound to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a JSON request and change a VM root password by doing so:
If so, it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1, and in fact it should bind to a unix socket and only webvirtcloud should be allowed to talk to it.
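A post-install check for the exposure described above, added here as an example (not code from the webvirtcloud project): it parses `ss -ltn` output and reports every listener on the gstfsd port (16510, from the report) that is bound to a wildcard or other non-loopback address; the sample listener table is constructed, not captured from a real host.

```python
"""Check whether gstfsd's TCP port is exposed on a non-loopback address.

Parses the output of `ss -ltn` (Linux iproute2). The sample below is a
constructed listener table for demonstration, not output from a real host.
"""
import ipaddress
import subprocess

GSTFSD_PORT = 16510  # port named in the issue report

# Constructed sample: wildcard IPv4 and IPv6 listeners on 16510, loopback-only on 6080.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:16510        0.0.0.0:*
LISTEN  0       128     [::]:16510           [::]:*
LISTEN  0       128     127.0.0.1:6080       0.0.0.0:*
"""

def split_local(addr_port):
    """Split ss's 'addr:port' column; IPv6 addresses are written as '[addr]:port'."""
    host, _, port = addr_port.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else port)

def is_loopback(host):
    """True for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_listeners(ss_output, port=GSTFSD_PORT):
    """Return local addresses on which `port` listens on a non-loopback interface."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, lport = split_local(fields[3])
        if lport == port and not is_loopback(host):
            exposed.append(host or "*")
    return exposed

def check_live(port=GSTFSD_PORT):
    """Run `ss -ltn` on this host (Linux only) and report exposed listeners for `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, port)

if __name__ == "__main__":
    hits = exposed_listeners(SAMPLE_SS_OUTPUT)
    print("gstfsd exposed on:", hits if hits else "nothing (loopback or unix socket only)")
```

An empty result after rebinding the daemon to 127.0.0.1 or a unix socket confirms the fix; `check_live()` runs the same check against the local host.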