gstfsd and security
Hi
Following installation, gstfsd is launched by supervisor and it binds to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a JSON message and change a VM root password by doing so:
$ echo '{"action": "password", "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1", "vname": "test"}' | nc 192.0.2.1 16510
{"return": "success"}
If so, it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1 and, in fact, it should bind to a Unix socket and only webvirtcloud should be allowed to talk to it.
As a hotfix, I came up with the following firewall rules (I am running webvirtcloud with the user webvirt):
iptables -A INPUT -p tcp ! -s 127.0.0.1 --dport 16510 -j REJECT
ip6tables -A INPUT -p tcp ! -s ::1 --dport 16510 -j REJECT
iptables -I OUTPUT -m owner ! --uid webvirt -p tcp -d 127.0.0.1 --dport 16510 -j REJECT
ip6tables -I OUTPUT -m owner ! --uid webvirt -p tcp -d ::1 --dport 16510 -j REJECT
Simple way - Private network for managing or VPN
Still doesn't change the fact that you're binding the daemon to 0.0.0.0 by default which is a really bad idea. Changing it is fairly simple (it's a single line in the script itself), but the defaults are definitely insecure.
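The Unix-socket suggestion from the first post, sketched as an added example (not gstfsd's own code and not written by anyone in this thread): the daemon listens on a filesystem socket with mode 0660 and accepts requests only from one uid, checked with Linux `SO_PEERCRED`. The function names, the socket path and the reply fields other than `"return": "success"` are assumptions, and the handler only acknowledges the action instead of performing it.

```python
import json
import os
import socket
import socketserver
import struct

def peer_uid(sock):
    """uid of the process at the other end of a Unix socket (Linux SO_PEERCRED)."""
    creds = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline()  # one JSON request per line
        if peer_uid(self.request) != self.server.allowed_uid:
            reply = {"return": "error", "reason": "peer not authorised"}
        else:
            try:
                msg = json.loads(line)
                # A real daemon would act on msg["action"] here; this sketch only acknowledges it.
                reply = {"return": "success", "action": msg["action"]}
            except (ValueError, KeyError, TypeError):
                reply = {"return": "error", "reason": "bad request"}
        self.wfile.write(json.dumps(reply).encode() + b"\n")

def make_server(path, allowed_uid, group_gid=None):
    """Listen on a local socket file instead of 0.0.0.0:16510."""
    if os.path.exists(path):
        os.unlink(path)  # remove a stale socket left by a previous run
    old_umask = os.umask(0o117)  # socket file is created with mode 0660
    try:
        server = socketserver.UnixStreamServer(path, Handler)
    finally:
        os.umask(old_umask)
    if group_gid is not None:  # assumption: gid of the group the web user belongs to
        os.chown(path, -1, group_gid)
    server.allowed_uid = allowed_uid
    return server

def request(path, payload):
    """Client side: send one JSON line and return the decoded reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(json.dumps(payload).encode() + b"\n")
        return json.loads(s.makefile().readline())
```

With this layout the file mode decides who can connect at all and the `SO_PEERCRED` check decides whose requests are honoured, so no firewall rule is needed to keep remote hosts out.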
@nitmir when I run "supervisorctl status", I get this:
gstfsd doesn't show in the output, why?
In your answer you say "gstfsd is launched by supervisor". I want to know where to configure gstfsd to be launched by supervisor.