10th May 2022

Yesterday, we were alerted to a conversation on Twitter about potential security issues with BeeGFS on systems that don’t use a connAuthFile. If no such file is used to authenticate connections between nodes, it is possible to spoof network messages to BeeGFS servers which can be used to trigger file system operations. The code that is being discussed on Twitter uses that to create a setuid file, which can then later be used to gain root privileges on a connected client.

We are aware of this issue and have always been advising our users to use connAuthFiles wherever possible to prevent unauthenticated nodes from joining BeeGFS clusters. To provide some more protection against setuid based privilege escalations, we also advise to mount BeeGFS with the mount option nosuid unless setuid binaries are explicitly needed, which shouldn’t be the case on the vast majority of systems. Depending on how you choose to mount your BeeGFS, the nosuid option can either be added to the options in /etc/fstab or in beegfs-mounts.conf like this:

/mnt/beegfs /etc/beegfs/beegfs-client.conf beegfs nosuid

We are currently working on laying the groundwork for a more comprehensive approach to node authentication and authorization and until that is ready, we will make some changes in the default configuration to make connAuthFile opt-out and mount with nosuid by default. These changes to the default configuration will slightly increase the complexity of the initial BeeGFS setup, because connAuthFiles will have to be created and shared across the nodes or the configuration will need to explicitly opt out of using connection authentication. There will also be some implications to the use of beegfs-ctl by non-privileged users. Users other than root will no longer be able to use beegfs-ctl, because they will not have the necessary permissions to read the connAuthFile.

Our goal will continue to be to provide a filesystem configuration that is as easy to set up and use as possible while still providing sane and reasonably secure defaults.

Philipp Falk
Head of Engineering, ThinkParQ