{"id":1190,"date":"2022-05-10T11:11:00","date_gmt":"2022-05-10T09:11:00","guid":{"rendered":"https:\/\/www.beegfs.io\/c\/?p=1190"},"modified":"2022-09-19T09:35:59","modified_gmt":"2022-09-19T07:35:59","slug":"the-importance-of-using-connauthfile-in-beegfs","status":"publish","type":"post","link":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/","title":{"rendered":"On the importance of using connAuthFile in BeeGFS"},"content":{"rendered":"<p><strong>10th May 2022<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Yesterday, we were alerted to a conversation on Twitter about potential security issues with BeeGFS on systems that don&#8217;t use a connAuthFile. If no such file is used to authenticate connections between nodes, it is possible to spoof network messages to BeeGFS servers, which can be used to trigger file system operations. The code that is being discussed on Twitter uses this to create a setuid file, which can later be used to gain root privileges on a connected client.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We are aware of this issue and <\/span><a href=\"https:\/\/doc.beegfs.io\/latest\/advanced_topics\/authentication.html\"><span style=\"font-weight: 400;\">have always advised<\/span><\/a><span style=\"font-weight: 400;\"> our users to use connAuthFiles wherever possible to prevent unauthenticated nodes from joining BeeGFS clusters. To provide some more protection against setuid-based privilege escalations, we also advise mounting BeeGFS with the mount option <span style=\"font-family: Mono;\">nosuid<\/span> unless setuid binaries are explicitly needed, which shouldn&#8217;t be the case on the vast majority of systems. 
Depending on how you choose to mount your BeeGFS, the <span style=\"font-family: Mono;\">nosuid<\/span> option can be added either to the options in \/etc\/fstab or in beegfs-mounts.conf, like this:<\/span><\/p>\n<pre>\/mnt\/beegfs \/etc\/beegfs\/beegfs-client.conf beegfs nosuid<\/pre>\n<p><span style=\"font-weight: 400;\">We are currently working on laying the groundwork for a more comprehensive approach to node authentication and authorization. Until that is ready, we will make some changes in the default configuration to make connAuthFile opt-out and mount with <span style=\"font-family: Mono;\">nosuid<\/span> by default. These changes to the default configuration will slightly increase the complexity of the initial BeeGFS setup, because connAuthFiles will have to be created and shared across the nodes or the configuration will need to explicitly opt out of using connection authentication. There will also be some implications for the use of beegfs-ctl by non-privileged users. Users other than root will no longer be able to use beegfs-ctl, because they will not have the necessary permissions to read the connAuthFile.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our goal will continue to be to provide a filesystem configuration that is as easy to set up and use as possible while still providing sane and reasonably secure defaults.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Philipp Falk<br \/>\nHead of Engineering, ThinkParQ<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>10th May 2022 Yesterday, we were alerted to a conversation on Twitter about potential security issues with BeeGFS on systems that don&#8217;t use a connAuthFile. 
If no such file is used to authenticate connections between nodes, it is possible to spoof network messages to BeeGFS servers which can be <a href=\"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/\"> <span>Read More<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"image","meta":{"_acf_changed":false,"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1190","post","type-post","status-publish","format-image","hentry","category-blog","post_format-post-format-image"],"acf":[],"yoast_head_json":{"title":"On the importance of using connAuthFile in BeeGFS - BeeGFS - The Leading Parallel Cluster File System","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/","og_locale":"en_US","og_type":"article","og_title":"On the importance of using connAuthFile in BeeGFS - BeeGFS - The Leading Parallel Cluster File System","og_description":"10th May 2022 Yesterday, we were alerted to a conversation on Twitter about potential security issues with BeeGFS on systems that don&#8217;t use a connAuthFile. 
If no such file is used to authenticate connections between nodes, it is possible to spoof network messages to BeeGFS servers which can be Read More","og_url":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/","og_site_name":"BeeGFS - The Leading Parallel Cluster File System","article_published_time":"2022-05-10T09:11:00+00:00","article_modified_time":"2022-09-19T07:35:59+00:00","author":"Troy Patterson","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Troy Patterson","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/#article","isPartOf":{"@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/"},"author":{"name":"Troy Patterson","@id":"https:\/\/www.beegfs.io\/c\/#\/schema\/person\/889fafb6e064ad194bf6b995f2e5147f"},"headline":"On the importance of using connAuthFile in BeeGFS","datePublished":"2022-05-10T09:11:00+00:00","dateModified":"2022-09-19T07:35:59+00:00","mainEntityOfPage":{"@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/"},"wordCount":342,"commentCount":0,"articleSection":["Blog"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/","url":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/","name":"On the importance of using connAuthFile in BeeGFS - BeeGFS - The Leading Parallel Cluster File 
System","isPartOf":{"@id":"https:\/\/www.beegfs.io\/c\/#website"},"datePublished":"2022-05-10T09:11:00+00:00","dateModified":"2022-09-19T07:35:59+00:00","author":{"@id":"https:\/\/www.beegfs.io\/c\/#\/schema\/person\/889fafb6e064ad194bf6b995f2e5147f"},"breadcrumb":{"@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.beegfs.io\/c\/the-importance-of-using-connauthfile-in-beegfs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.beegfs.io\/c\/"},{"@type":"ListItem","position":2,"name":"On the importance of using connAuthFile in BeeGFS"}]},{"@type":"WebSite","@id":"https:\/\/www.beegfs.io\/c\/#website","url":"https:\/\/www.beegfs.io\/c\/","name":"BeeGFS - The Leading Parallel Cluster File System","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.beegfs.io\/c\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.beegfs.io\/c\/#\/schema\/person\/889fafb6e064ad194bf6b995f2e5147f","name":"Troy Patterson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3aedb776f814472f0e8914ee35ac325890f5c0d2d64f65d2ab44c6377bff6e6a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3aedb776f814472f0e8914ee35ac325890f5c0d2d64f65d2ab44c6377bff6e6a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3aedb776f814472f0e8914ee35ac325890f5c0d2d64f65d2ab44c6377bff6e6a?s=96&d=mm&r=g","caption":"Troy 
Patterson"},"url":"https:\/\/www.beegfs.io\/c\/author\/tpatterson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/posts\/1190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/comments?post=1190"}],"version-history":[{"count":5,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/posts\/1190\/revisions"}],"predecessor-version":[{"id":1314,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/posts\/1190\/revisions\/1314"}],"wp:attachment":[{"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/media?parent=1190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/categories?post=1190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.beegfs.io\/c\/wp-json\/wp\/v2\/tags?post=1190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}