On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:

> Rainer?
>
> If I wanted to submit a doc patch, where is the repo I would Fork?
>
> https://github.com/rgerhards

We didn't take any further steps for moving the "official" repo, as github
seems to have not affected contributions and such. Maybe not enough PR done
(another 24h thing...). Suggestions on how to make this better known are
very welcome.

Rainer


> -- James
> -- Sent from my mobile --
>
> ----- Reply message -----
> From: "Rainer Gerhards" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Subject: [rsyslog] Insecure configurations using Rsyslog property replacer
> Date: Thu, Dec 12, 2013 4:34 AM
>
> On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
>
> > Hello folks,
> > By googling for example configurations and templates, I've noticed a
> > fairly common insecure configuration and I would like to get your opinion
> > on this matter.
> >
> > It's a common practice to use property replacers (like %hostname% and
> > %syslogtag%) to ship logs to specific files.
> > For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
> >
> > By looking at the documentation and all those examples, it's however not
> > clear that those properties are directly parsed by rsyslogd from the
> > user-supplied event messages while trying to parse RFC3164-formatted
> > messages.
> >
> >
> Well.. where else should they stem from ;)
>
>
> > I started looking at the source code and noticed that those properties
> > are derived in pmrfc3164.c.
> > A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
> > chars thus preventing common security issues (e.g. directory traversal).
> > Although it doesn't seem possible to override existing files either, a
> > remote attacker would still be able to create new files and/or
> > directories.
> > Eventually, this may allow reaching the inode limit and potentially result
> > in a denial of service.
> >
> >
> This is not for security, but for RFC rules. The rfc 5424 parser has
> different rules.
>
>
> > Besides removing property replacers, is there any other workaround (e.g.
> > limit #events/sender/seconds)?
> >
> >
> The property replacer's SecurePath option is meant to deal with that. I
> agree it's not easy to find and "elaborately" documented:
>
> http://blog.gerhards.net/2013/05/moving-to-github.html
>
> > Would it be possible to update the documentation (e.g.
> > http://www.rsyslog.com/doc/property_replacer.html) and include those
> > considerations? Kind of "use at your own risk" warning.
> >
> >
> A doc patch is happily accepted. Looking forward to it!
>
> Rainer
>
> > Cheers,
> > Luca
> >
> > --
> >
> > Luca Carettoni <[email protected]>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
> >
>
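For readers arriving at this thread from the same kind of copied examples Luca describes, here is an added configuration example (mine, not something from this thread or from the rsyslog project) showing the per-host dynafile template in the weak shape discussed above, next to a hardened version that uses the property replacer's secpath-replace option (the SecurePath option Rainer refers to) and a more restrictive omfile action. It assumes rsyslog's RainerScript syntax; the base directory /var/log/remote and the listener port are constructed placeholders, and the ratelimit.* input parameters are an assumption about the installed rsyslog version.

```conf
# Added example, not from this thread or the rsyslog project.
# Assumptions: RainerScript syntax; /var/log/remote is a placeholder
# directory; ratelimit.* on the input depends on the rsyslog version.

# Weak form (legacy syntax, as seen in many copied examples): the file
# name comes straight from the untrusted HOSTNAME field of the message.
#$template logFile,"/var/log/%HOSTNAME%.log"
#*.* ?logFile

# Hardened template. secpath-replace turns any "/" in the field into "_",
# so the expanded name cannot leave the base directory regardless of which
# parser (RFC3164 or RFC5424) filled in HOSTNAME; lowercase keeps "HOST"
# and "host" from producing two separate files.
template(name="perHostLog" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace,lowercase%.log")

# Legacy-syntax equivalent of the hardened template, for older configs:
#$template logFile,"/var/log/remote/%HOSTNAME:::secpath-replace,lowercase%.log"

# Hardened action: createDirs="off" means a message can only ever create a
# file directly under /var/log/remote, never new directory trees, and the
# dynafile cache bounds the number of open handles when many distinct
# host names arrive.
ruleset(name="remote") {
    action(type="omfile" dynaFile="perHostLog"
           createDirs="off"
           fileCreateMode="0640"
           dirCreateMode="0750"
           dynaFileCacheSize="50")
}

# Bind the network listener to that ruleset and rate-limit it per input,
# which addresses the "#events/sender/seconds" question in the thread.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote"
      ratelimit.interval="10" ratelimit.burst="2000")
```

Even with the RFC3164 parser's character whitelist described above, the secpath option is worth keeping: the same template may be fed by other parsers or by properties with different rules, and createDirs="off" plus a dedicated base directory limits what an unexpected host name can do to creating one file in one place. A file count or inode watch on /var/log/remote is the matching detection for the denial-of-service case Luca raises.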