Rainer? If I wanted to submit a doc patch, where is the repo I would fork?

-- James --
Sent from my mobile

----- Reply message -----
From: "Rainer Gerhards" <[email protected]>
To: "rsyslog-users" <[email protected]>
Subject: [rsyslog] Insecure configurations using Rsyslog property replacer
Date: Thu, Dec 12, 2013 4:34 AM

On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
> Hello folks,
> By googling for example configurations and templates, I've noticed a fairly
> common insecure configuration and I would like to get your opinion on this
> matter.
>
> It's a common practice to use property replacers (like %hostname% and
> %syslogtag%) to ship logs to specific files.
> For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
>
> By looking at the documentation and all those examples, it's however not
> clear that those properties are directly parsed by rsyslogd from the
> user-supplied event messages while trying to parse RFC3164-formatted
> messages.

Well.. where else should they stem from ;)

> I started looking at the source code and noticed that those properties are
> derived in pmrfc3164.c.
> A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
> chars thus preventing common security issues (e.g. directory traversal).
> Although it doesn't seem possible to override existing files either, a
> remote attacker would still be able to create new files and/or directories.
> Eventually, this may allow reaching the inode limit and potentially result in
> a denial of service.

This is not for security, but for RFC rules. The RFC 5424 parser has different rules.

> Besides removing property replacers, is there any other workaround (e.g.
> limit #events/sender/seconds)?

The property replacer's SecurePath option is meant to deal with that. I agree
it's not easy to find and "elaborately" documented:
http://blog.gerhards.net/2013/05/moving-to-github.html

> Would it be possible to update the documentation (e.g.
> http://www.rsyslog.com/doc/property_replacer.html) and include those
> considerations? Kind of "use at your own risk" warning.

A doc patch is happily accepted. Looking forward to it!

Rainer

> Cheers,
> Luca
>
> --
>
> Luca Carettoni <[email protected]>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
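The template pattern Luca describes, shown beside a form that uses the property replacer's secure-path handling that Rainer points to. This is an added configuration example, not something posted in the thread; it assumes rsyslog's documented secpath-replace / secpath-drop property-replacer options and omfile's dynaFile parameter, and the directory /var/log/hosts is a constructed choice.

```conf
# Weak form from the thread: the file name is built directly from the
# HOSTNAME field that rsyslogd parsed out of the incoming RFC 3164 message,
# so the sender chooses which file (inside /var/log) gets created.
$template logFileWeak,"/var/log/%HOSTNAME%.log"

# Hardened legacy-syntax form: the secpath-replace option rewrites any "/"
# in the field to "_", so the value cannot name a sub-directory
# (secpath-drop removes the slashes instead of replacing them).
# The dynamic files also go under a directory reserved for remote hosts.
$template logFile,"/var/log/hosts/%HOSTNAME:::secpath-replace%.log"
*.* ?logFile

# Same thing in the newer template()/action() syntax.
template(name="hostLog" type="string"
         string="/var/log/hosts/%HOSTNAME:::secpath-replace%.log")
action(type="omfile" dynaFile="hostLog")
```

The secure-path options control where a sender-supplied value can point, not whether a new file is created: as the thread notes, any unknown hostname still produces a new file. Keeping such dynamic files in their own directory confines that to one place, where disk and inode usage can be watched and limited separately from the rest of /var/log.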

