starred/webvirtcloud
1
0
Fork 0
mirror of https://github.com/retspen/webvirtcloud.git synced 2026-04-25 23:45:56 +03:00
Code Issues 199 Projects Releases 1 Packages Wiki Activity

[GH-ISSUE #106] gstfsd and security #70

New issue
Open
opened 2026-02-27 15:57:13 +03:00 by kerem · 5 comments
kerem commented 2026-02-27 15:57:13 +03:00
Owner
Copy link

Originally created by @nitmir on GitHub (May 3, 2016).
Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/106

Hi

Then following installation, gstfsd is launch by supervisor and it is binding to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a json and change a VM root password by doing so:

$ echo '{"action": "password", "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1", "vname": "test"}' | nc 192.0.2.1 16510
{"return": "success"}

If so it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1 and in fact, it should bind to a unix socket and only webvirtcloud should be allowed to talk to it.

Originally created by @nitmir on GitHub (May 3, 2016). Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/106 Hi Then following installation, gstfsd is launch by supervisor and it is binding to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a json and change a VM root password by doing so: ``` $ echo '{"action": "password", "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1", "vname": "test"}' | nc 192.0.2.1 16510 {"return": "success"} ``` If so it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1 and in fact, it should bind to a unix socket and only webvirtcloud should be allowed to talk to it.
kerem commented 2026-02-27 15:57:14 +03:00
Author
Owner
Copy link

@nitmir commented on GitHub (May 3, 2016):

As a hotfix, I came up with the following firewall rules (I am running webvirtcloud with the user webvirt):

iptables  -A INPUT -p tcp ! -s 127.0.0.1 --dport 16510 -j REJECT
ip6tables -A INPUT -p tcp ! -s ::1 --dport 16510 -j REJECT
iptables  -I OUTPUT -m owner ! --uid webvirt -p tcp -d 127.0.0.1 --dport 16510 -j REJECT
ip6tables -I OUTPUT -m owner ! --uid webvirt -p tcp -d ::1 --dport 16510 -j REJECT
<!-- gh-comment-id:216519334 --> @nitmir commented on GitHub (May 3, 2016): As a hotfix, I came up with the following firewall rules (I am running webvirtcloud with the user webvirt): ``` iptables -A INPUT -p tcp ! -s 127.0.0.1 --dport 16510 -j REJECT ip6tables -A INPUT -p tcp ! -s ::1 --dport 16510 -j REJECT iptables -I OUTPUT -m owner ! --uid webvirt -p tcp -d 127.0.0.1 --dport 16510 -j REJECT ip6tables -I OUTPUT -m owner ! --uid webvirt -p tcp -d ::1 --dport 16510 -j REJECT ```
kerem commented 2026-02-27 15:57:14 +03:00
Author
Owner
Copy link

@retspen commented on GitHub (May 5, 2016):

Simple way - Private network for managing or VPN

<!-- gh-comment-id:217236321 --> @retspen commented on GitHub (May 5, 2016): Simple way - Private network for managing or VPN
kerem commented 2026-02-27 15:57:14 +03:00
Author
Owner
Copy link

@zingmars commented on GitHub (Jun 6, 2018):

Still doesn't change the fact that you're binding the daemon to 0.0.0.0 by default which is a really bad idea. Changing it is fairly simple (it's a single line in the script itself), but the defaults are definitely insecure.

<!-- gh-comment-id:394985055 --> @zingmars commented on GitHub (Jun 6, 2018): Still doesn't change the fact that you're binding the daemon to 0.0.0.0 by default which is a really bad idea. Changing it is fairly simple (it's a single line in the script itself), but the defaults are definitely insecure.
kerem commented 2026-02-27 15:57:14 +03:00
Author
Owner
Copy link

@qixinwuchen commented on GitHub (May 18, 2022):

@nitmir when run "supervisorctl status", I got it:
image
the gstfsd don't show in output, why?

<!-- gh-comment-id:1129792129 --> @qixinwuchen commented on GitHub (May 18, 2022): @nitmir when run "supervisorctl status", I got it: ![image](https://user-images.githubusercontent.com/33652818/169008603-9a61235f-2221-43f8-a96f-f20b15c0eb39.png) the gstfsd don't show in output, why?
kerem commented 2026-02-27 15:57:14 +03:00
Author
Owner
Copy link

@qixinwuchen commented on GitHub (May 18, 2022):

in your answer, " gstfsd is launch by supervisor" , I want to know Where to configure gstfsd lauch by supervisor

<!-- gh-comment-id:1129794166 --> @qixinwuchen commented on GitHub (May 18, 2022): in your answer, " gstfsd is launch by supervisor" , I want to know Where to configure gstfsd lauch by supervisor
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v1.0
Labels
Clear labels   
bug

   
enhancement

   
pull-request

Mirrored from GitHub Pull Request

No labels
bug
enhancement
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/webvirtcloud#70
No description provided.