So, we can submit pull requests to the github repo now?
2013/12/12 Boylan, James <[email protected]>

> I know I never submitted anything to the github side because I was under the impression that it was being refreshed from the primary git repo and not considered a repo you could submit to. I suspect there are others who thought that as well.
>
> -- James
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, December 12, 2013 5:18 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Insecure configurations using Rsyslog property replacer
>
> On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:
>
> > Rainer?
> >
> > If I wanted to submit a doc patch, where is the repo I would Fork?
>
> https://github.com/rgerhards
>
> We didn't take any further steps for moving the "official" repo, as github seems to have not affected contributions and such. Maybe not enough PR done (another 24h thing...). Suggestions on how to make this better known are very welcome.
>
> Rainer
>
> > -- James
> > -- Sent from my mobile --
> >
> > ----- Reply message -----
> > From: "Rainer Gerhards" <[email protected]>
> > To: "rsyslog-users" <[email protected]>
> > Subject: [rsyslog] Insecure configurations using Rsyslog property replacer
> > Date: Thu, Dec 12, 2013 4:34 AM
> >
> > On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
> >
> > > Hello folks,
> > > By googling for example configurations and templates, I've noticed a fairly common insecure configuration and I would like to get your opinion on this matter.
> > >
> > > It's a common practice to use property replacers (like %hostname% and %syslogtag%) to ship logs to specific files.
> > > For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
> > >
> > > By looking at the documentation and all those examples, it's however not clear that those properties are directly parsed by rsyslogd from the user-supplied event messages while trying to parse RFC3164-formatted messages.
> >
> > Well.. where else should they stem from ;)
> >
> > > I started looking at the source code and noticed that those properties are derived in pmrfc3164.c.
> > > A whitelist approach has been used to allow alphanumeric, ".", "_","-" chars thus preventing common security issues (e.g. directory traversal).
> > > Although it doesn't seem possible to override existent files either, a remote attacker would still be able to create new files and/or directories.
> > > Eventually, this may allow to reach inodes limit and potentially result in a denial of service.
> >
> > This is not for security, but for RFC rules. The rfc 5424 parser has different rules.
> >
> > > Besides removing property replacers, is there any other workaround (e.g. limit #events/sender/seconds)?
> >
> > The property replacer's SecurePath option is meant to deal with that. I agree it's not easy to find and "elaborately" documented:
> >
> > http://blog.gerhards.net/2013/05/moving-to-github.html
> >
> > > Would it be possible to update the documentation (e.g. http://www.rsyslog.com/doc/property_replacer.html) and include those considerations? Kind of "use at your own risk" warning.
> >
> > A doc patch is happily accepted. Looking forward to it!
> >
> > Rainer
> >
> > > Cheers,
> > > Luca
> > >
> > > --
> > >
> > > Luca Carettoni <[email protected]>
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
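
An added example, not part of the thread and not rsyslog code: a simplified Python model of the behaviour discussed above, where the HOSTNAME field the sender writes into an RFC 3164 message selects the file under a `/var/log/%HOSTNAME%.log` template. It flags senders that claim more distinct hostnames than a threshold. The regular expressions, function names, threshold and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Simplified RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# Character whitelist as described in the thread (alphanumeric, ".", "_", "-").
SAFE = re.compile(r"^[A-Za-z0-9._-]+$")

def claimed_hostname(raw):
    """Return the HOSTNAME the sender wrote into the message, or None.
    This model simply skips names outside the whitelist."""
    m = RFC3164.match(raw)
    if m and SAFE.match(m.group(1)):
        return m.group(1)
    return None

def dynafile_targets(events, template="/var/log/{host}.log"):
    """Map each sender address to the files a %HOSTNAME% template would create."""
    files = defaultdict(set)
    for sender_ip, raw in events:
        host = claimed_hostname(raw)
        if host is not None:
            files[sender_ip].add(template.format(host=host))
    return files

def noisy_senders(events, max_names=2):
    """Senders whose messages claim more than max_names distinct hostnames."""
    targets = dynafile_targets(events)
    return sorted(ip for ip, f in targets.items() if len(f) > max_names)

# Constructed sample input: (sender address seen by the receiver, raw message).
EVENTS = [
    ("192.0.2.10", "<13>Dec 12 02:27:01 web01 sshd[411]: session opened"),
    ("192.0.2.10", "<13>Dec 12 02:27:05 web01 cron[88]: job started"),
    ("198.51.100.7", "<13>Dec 12 02:27:06 a1 app: x"),
    ("198.51.100.7", "<13>Dec 12 02:27:06 a2 app: x"),
    ("198.51.100.7", "<13>Dec 12 02:27:06 a3 app: x"),
    ("198.51.100.7", "<13>Dec 12 02:27:07 ../etc app: x"),  # fails the whitelist
]

if __name__ == "__main__":
    for ip, files in dynafile_targets(EVENTS).items():
        print(ip, len(files), sorted(files))
    print("flagged:", noisy_senders(EVENTS))
```

Keying the file name on the address the receiver observes (rsyslog exposes this as the `fromhost-ip` property) instead of the message-supplied HOSTNAME bounds the number of files by the number of senders.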

