I know I never submitted anything to the github side because I was under the 
impression that it was being refreshed from the primary git repo and not 
considered a repo you could submit to. I suspect there are others who thought 
that as well.

-- James

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Thursday, December 12, 2013 5:18 AM
To: rsyslog-users
Subject: Re: [rsyslog] Insecure configurations using Rsyslog property replacer

On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:

> Rainer?
>
> If I wanted to submit a doc patch, where is the repo I would Fork?
>
> https://github.com/rgerhards

We didn't take any further steps for moving the "official" repo, as github 
seems to have not affected contributions and such. Maybe not enough PR done 
(another 24h thing...). Suggestions on how to make this better known are very 
welcome.

Rainer


> -- James
> -- Sent from my mobile --
>
> ----- Reply message -----
> From: "Rainer Gerhards" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Subject: [rsyslog] Insecure configurations using Rsyslog property 
> replacer
> Date: Thu, Dec 12, 2013 4:34 AM
>
> On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
>
> > Hello folks,
> > By googling for example configurations and templates, I've noticed a
> > fairly common insecure configuration and I would like to get your opinion
> > on this matter.
> >
> > It's a common practice to use property replacers (like %hostname% and
> > %syslogtag%) to ship logs to specific files.
> > For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
> >
> > By looking at the documentation and all those examples, it's however
> > not clear that those properties are directly parsed by rsyslogd from
> > the user-supplied event messages while trying to parse
> > RFC3164-formatted messages.
> >
> >
> Well.. where else should they stem from ;)
>
>
> > I started looking at the source code and noticed that those
> > properties are derived in pmrfc3164.c.
> > A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
> > chars, thus preventing common security issues (e.g. directory traversal).
> > Although it doesn't seem possible to override existent files either,
> > a remote attacker would still be able to create new files and/or
> > directories.
> > Eventually, this may allow reaching the inode limit and potentially
> > result in a denial of service.
> >
> >
> This is not for security, but for RFC rules. The RFC 5424 parser has
> different rules.
>
>
> > Besides removing property replacers, is there any other workaround (e.g.
> > limit #events/sender/seconds)?
> >
> >
> The property replacer's SecurePath option is meant to deal with that. 
> I agree it's not easy to find and "elaborately" documented:
>
> http://blog.gerhards.net/2013/05/moving-to-github.html
>
> > Would it be possible to update the documentation (e.g.
> > http://www.rsyslog.com/doc/property_replacer.html) and include those
> > considerations? Kind of a "use at your own risk" warning.
> >
> >
> A doc patch is happily accepted. Looking forward to it!
>
> Rainer
>
> > Cheers,
> > Luca
> >
> > --
> >
> > Luca Carettoni <[email protected]> 
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE 
> > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad 
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if 
> > you DON'T LIKE THAT.
> >
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is 
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
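As an added illustration (not part of the thread, and not taken from rsyslog's own documentation), here is the template pattern Luca describes beside a hardened form of the same template in rsyslog's legacy configuration syntax. The option and directive names are the ones I know from the property replacer and omfile documentation: `secpath-drop` and `secpath-replace` are the property replacer options Rainer refers to as "SecurePath", `$CreateDirs` controls whether omfile creates missing directories, and `FROMHOST` is the property holding the name of the peer a message was received from. The template names and file paths are constructed for this example.

```conf
# Added example (not from the thread). Legacy rsyslog.conf syntax.

# Directives apply to the actions that follow them, so set this first:
# do not let omfile create directories when expanding dynamic file names.
$CreateDirs off

# Weak pattern from the thread: the HOSTNAME field is copied straight out
# of the received RFC3164 message, so the sender picks the file name under
# /var/log/. Shown for comparison only, not bound to a selector here.
$template logFile,"/var/log/%HOSTNAME%.log"

# Hardened: secpath-drop removes any "/" from the property value before it
# is used to build the path, so a message cannot name a subdirectory.
# (secpath-replace would substitute "_" for each "/" instead.)
$template logFileSafe,"/var/log/%HOSTNAME:::secpath-drop%.log"
*.* ?logFileSafe

# Alternative that does not trust the message body for the path at all:
# key the file on the peer the message arrived from (FROMHOST) rather than
# the HOSTNAME field that peer wrote into the message.
$template logFileByPeer,"/var/log/remote/%FROMHOST:::secpath-drop%.log"
```

Two caveats a practitioner would want. First, the secpath options only neutralise path separators; they do nothing about the second concern raised in the thread, that a remote sender can still cause an unbounded number of distinct files to be created, so a dynamic-file template for untrusted senders still needs some bound on the number of distinct names (a fixed per-peer file as in `logFileByPeer`, or rate limiting at the input) and monitoring of file counts under the target directory. Second, `FROMHOST` reflects the receiving side's view of the peer but still depends on reverse DNS unless lookups are disabled, so it is only as trustworthy as that resolution.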
