On Wed, May 3, 2017 at 7:54 AM, Joseph Lorenzini <[email protected]> wrote:
> Hi all,
>
> I came across this blog entry. It seems that there's an undocumented
> command line option that allows someone to execute a gluster cli command on
> a remote host.
>
> https://joejulian.name/blog/one-more-reason-that-glusterfs-should-not-be-used-as-a-saas-offering/
>
> I am on gluster 3.9 and the option is still supported. I'd really like to
> understand why this option is still supported and what someone could do to
> actually mitigate this vulnerability. Is there some configuration option I
> can set to turn this off for example?

The --remote-host option can now be used for read-only commands. No commands that modify the cluster state or volume configuration can be executed remotely. Joe's post was correct till patch at [1] changed the behavior described in the post.

Regards,
Vijay

[1] https://review.gluster.org/#/c/5280/
_______________________________________________
Gluster-users mailing list
[email protected]
http://lists.gluster.org/mailman/listinfo/gluster-users
