Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1198746

Summary: Volume passwords are visible to remote users
Product: [Community] GlusterFS Reporter: Jeff Darcy <jdarcy>
Component: glusterdAssignee: bugs <bugs>
Status: CLOSED WORKSFORME QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: mainlineCC: atumball, bugs, kaushal, smohan
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-17 10:23:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Darcy 2015-03-04 18:06:04 UTC 
GlusterFS supports a concept of a trusted or privileged mount.  Usually, unless someone has hacked volfiles by hand, users can connect to bricks without any credentials at all.  However, if they do use a matching username and password set when the volume is created, they are allowed to bypass the "root squashing" that is normally done to ensure that uid/gid checks are performed properly.  This feature is used by some internal daemons.

Unfortunately, this password is both stored and transmitted in plaintext (unless TLS is explicitly enabled for the control path as well as data).  The following command run from any host (as root on that host) will suffice to reveal it.

   gluster --remote-host=a_server system getspec a_volume

Note that this behavior only exists with the "remote-host" option; a local (UNIX-domain socket) fetch will get the same volfile but without the username and password.  Fixing __server_getspec (specifically line 766 of glusterd-handshake.c) to provide the username/password only via the UNIX-domain socket, and fixing the internal daemons to use that method, would fix the worst vulnerability.  However, this would still fall short in environments (e.g. converged storage/compute) where users running on the same machine as glusterd might still be able to access the UNIX-domain socket.  We should probably devise more secure mechanism by which to distinguish internal daemons from "outsiders" and possibly to distinguish password holders from others (without storing or transmitting that password in plaintext).
Comment 2 Amar Tumballi 2019-05-17 10:23:52 UTC 
Checked the behavior:

On a server node:

```
[root@server-node ~]# gluster  system getspec demo1 | grep password
    option password 423b5c4c-3457-4b14-ab67-0d4668e35c8f
```

On a separate node, which is not part of the trusted network:

```
[root@fedora28 ~]# gluster --remote-host=192.168.121.1  system getspec demo1 | grep password
```

So, the behavior is proper, and I don't see any security threat due to this command with latest codebase. 

Marking as WORKSFORME with glusterfs-6.x.