On Thu, Dec 12, 2013 at 2:02 PM, Radu Gheorghe <[email protected]> wrote:

> So, we can submit pull requests to the github repo now?
>

yupp, actually I got one or two in the past. sorry if I failed in stating
this clearly enough. I keep both the rsyslog git and the one on github in
sync "manually" (which boils down to a script that dual pushes and as such
there is no real effort).

When I got started with github -after a discussion like these- I was
interested to see if this would bring benefit. My peers at Adiscon were also
watching and prepared to move over, but we never saw any real reason to do
so. I am still hesitant if I don't see any real benefit. But as you can see,
I've moved everything of interest to github. Again, if you could suggest
additional ways to communicate - or even better: help promote, I am all ears
for this.

One final warning: while I use github for quite a bit now, I have not really
gotten started with its special features as there was never need. So in the
initial phase I may end up having some problems ;) Usually, when I get a pull
request, I just pull changes from wherever that git repo is. If there is
something special with github, I need to find out how to do it the github
way...

Rainer

> 2013/12/12 Boylan, James <[email protected]>
>
> > I know I never submitted anything to the github side because I was under
> > the impression that it was being refreshed from the primary git repo and
> > not considered a repo you could submit to. I suspect there are others who
> > thought that as well.
> >
> > -- James
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> > Sent: Thursday, December 12, 2013 5:18 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Insecure configurations using Rsyslog property
> > replacer
> >
> > On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:
> >
> > > Rainer?
> > >
> > > If I wanted to submit a doc patch, where is the repo I would Fork?
> > >
> >
> > https://github.com/rgerhards
> >
> > We didn't take any further steps for moving the "official" repo, as github
> > seems to have not affected contributions and such. Maybe not enough PR done
> > (another 24h thing...). suggestions on how to make this better known are
> > very welcome.
> >
> > Rainer
> >
> > > -- James
> > > -- Sent from my mobile --
> > >
> > > ----- Reply message -----
> > > From: "Rainer Gerhards" <[email protected]>
> > > To: "rsyslog-users" <[email protected]>
> > > Subject: [rsyslog] Insecure configurations using Rsyslog property
> > > replacer
> > > Date: Thu, Dec 12, 2013 4:34 AM
> > >
> > > On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
> > >
> > > > Hello folks,
> > > > By googling for example configurations and templates, I've noticed a
> > > > fairly common insecure configuration and I would like to get your
> > > > opinion on this matter.
> > > >
> > > > It's a common practice to use property replacers (like %hostname% and
> > > > %syslogtag%) to ship logs to specific files.
> > > > For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
> > > >
> > > > By looking at the documentation and all those examples, it's however
> > > > not clear that those properties are directly parsed by rsyslogd from
> > > > the user-supplied event messages while trying to parse
> > > > RFC3164-formatted messages.
> > > >
> > >
> > > Well.. where else should they stem from ;)
> > >
> > > > I started looking at the source code and noticed that those properties
> > > > are derived in pmrfc3164.c.
> > > > A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
> > > > chars thus preventing common security issues (e.g. directory traversal).
> > > > Although it doesn't seem possible to override existent files either,
> > > > a remote attacker would still be able to create new files and/or
> > > > directories.
> > > > Eventually, this may allow to reach inodes limit and potentially result
> > > > in a denial of service.
> > > >
> > >
> > > This is not for security, but for RFC rules. The rfc 5424 parser has
> > > different rules.
> > >
> > > > Besides removing property replacers, is there any other workaround
> > > > (e.g. limit #events/sender/seconds)?
> > > >
> > >
> > > The property replacer's SecurePath option is meant to deal with that.
> > > I agree it's not easy to find and "elaborately" documented:
> > >
> > > http://blog.gerhards.net/2013/05/moving-to-github.html
> > >
> > > > Would it be possible to update the documentation (e.g.
> > > > http://www.rsyslog.com/doc/property_replacer.html) and include those
> > > > considerations? Kind of "use at your own risk" warning.
> > > >
> > >
> > > A doc patch is happily accepted. Looking forward to it!
> > >
> > > Rainer
> > >
> > > > Cheers,
> > > > Luca
> > > >
> > > > --
> > > >
> > > > Luca Carettoni <[email protected]>
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> > > > you DON'T LIKE THAT.
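The following is an added example, not part of the mailing-list thread and not rsyslog code: a small audit helper that scans legacy `$template` lines for file paths built from message-derived properties such as `%HOSTNAME%` and `%syslogtag%`, and records whether a `secpath-drop` or `secpath-replace` option is applied. The function name, the property set and the sample configuration are assumptions constructed for illustration.

```python
import re

# Properties filled in from the message text itself, i.e. chosen by the sender.
# fromhost-ip is taken from the connection instead, so it is not listed here.
MESSAGE_DERIVED = {"hostname", "source", "syslogtag", "programname",
                   "app-name", "procid", "msgid", "msg", "rawmsg"}
SECPATH_OPTIONS = {"secpath-drop", "secpath-replace"}

# Legacy syntax: $template name,"text with %property:from:to:options%"
TEMPLATE_RE = re.compile(
    r'^\s*\$template\s+([\w.-]+)\s*,\s*"((?:[^"\\]|\\.)*)"', re.I)
PROPERTY_RE = re.compile(r'%([^%]+)%')

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONFIG = '''\
# constructed sample configuration
$template logFile,"/var/log/%HOSTNAME%.log"
$template perTag,"/var/log/apps/%syslogtag:::secpath-replace%.log"
$template perPeer,"/var/log/remote/%fromhost-ip%.log"
$template lineFmt,"%timestamp% %hostname% %msg%\\n"
'''

def audit_templates(config_text):
    """Return one finding per message-derived property used in a file path."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TEMPLATE_RE.match(line)
        if not m or not m.group(2).startswith("/"):
            continue  # not a template, or a line-format template, not a path
        name, body = m.groups()
        for spec in PROPERTY_RE.findall(body):
            # Simplification: assumes no ':' inside the from/to fields.
            fields = spec.split(":")
            prop = fields[0].strip().lower()  # property names are case-insensitive
            if prop not in MESSAGE_DERIVED:
                continue
            options = set()
            if len(fields) >= 4:
                options = {o.strip().lower() for o in fields[3].split(",")}
            findings.append({"line": lineno, "template": name,
                             "property": prop,
                             "secpath": bool(options & SECPATH_OPTIONS)})
    return findings

if __name__ == "__main__":
    for f in audit_templates(SAMPLE_CONFIG):
        note = "secpath applied" if f["secpath"] else "no secpath option"
        print(f'line {f["line"]}: {f["template"]} uses %{f["property"]}% ({note})')
```

The secpath options only drop or replace slashes in the field, so a template reported with `secpath` set still creates one file per distinct sender-chosen value, which is the file-creation concern raised in the thread.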

