Nothing special? I thought it's easier to just click Merge and move on :) I know it's technically possible to do other stuff, just like patches on the ML are a viable way to contribute. The discussion was about making it dead-easy to contribute. If it takes me 5 minutes to contribute a documentation patch and Rainer 1 to merge it, it's good. If it takes me 20, and 10 to Rainer, that might not happen.
2013/12/12 David Lang <[email protected]>

> you can send a pull request from any git repo (at github or anywhere else)
> and Rainer can pull it into the adiscon git repos as well as pulling it
> into the github repo. There's nothing special about the github pull
> requests.
>
> David Lang
>
> On Thu, 12 Dec 2013, Radu Gheorghe wrote:
>
>> Date: Thu, 12 Dec 2013 16:13:57 +0200
>> From: Radu Gheorghe <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Insecure configurations using Rsyslog property
>> replacer
>>
>> 2013/12/12 Rainer Gerhards <[email protected]>
>>
>>> On Thu, Dec 12, 2013 at 2:02 PM, Radu Gheorghe <[email protected]> wrote:
>>>
>>>> So, we can submit pull requests to the github repo now?
>>>
>>> yupp, actually I got one or two in the past.
>>
>> Cool! Now I know what to do when I want to contribute :D
>>
>>> sorry if I failed in stating this clearly enough. I keep both the rsyslog
>>> git and the one on github in sync "manually" (which boils down to a script
>>> that dual pushes and as such there is no real effort). When I got started
>>> with github -after a discussion like these- I was interested to see if this
>>> would bring benefit. My peers at Adiscon were also watching and prepared to
>>> move over, but we never saw any real reason to do so. I am still hesitant
>>> if I don't see any real benefit. But as you can see, I've moved everything
>>> of interest to github.
>>
>> Again, this is very cool. Though the lack of interest might just be the
>> self-fulfilling prophecy <http://en.wikipedia.org/wiki/Self-fulfilling_prophecy>
>> in action.
>>
>> I was never aware of the github thing, and I can bet many others are in the
>> same situation.
>>
>> For example, all the links to some bleeding-edge stuff you send on the list
>> are from Adiscon's git, not github. When people are sending patches on the
>> ML, we could point them to github. It might be easier & better for many. Now
>> I know, and I'll say :)
>>
>>> Again, if you could suggest additional ways to communicate - or even
>>> better: help promote, I am all ears for this.
>>
>> This is exactly what I wanted to say next. You could add something on
>> rsyslog.com, and/or the footer of any documentation page saying "Do you
>> think this page can be improved? Let us know or send a pull request
>> at...."
>>
>> I guess I can send a pull request with that footer, too :D Will do it at
>> one point if time permits. Don't count on me on this front, though...
>>
>> And one more thing about the documentation. Do you think it's a good idea
>> to convert the doc pages in RST or whatever displays nicely in GitHub and
>> put them in the Wiki? Do you think it would be a complicated thing to do?
>>
>> I didn't have the time to research the subject yet, but I'm running this by
>> you because if you think the idea sucks, research is futile :)
>>
>> Ways to promote? I don't know, tweet, blog, I don't have any better ideas. I
>> suck at this stuff, although I find it interesting.
>>
>>> One final warning: while I use github for quite a bit now, I have not
>>> really gotten started with its special features as there was never need. So
>>> in the initial phase I may end up having some problems ;) Usually, when I
>>> get a pull request, I just pull changes from wherever that git repo is. If
>>> there is something special with github, I need to find out how to do it the
>>> github way...
>>
>> I'm no expert, either, but I'm sure that if it takes off and people start
>> using it, you'll get suggestions on how to right the wrong :)
>>
>>> Rainer
>>>
>>> 2013/12/12 Boylan, James <[email protected]>
>>>
>>>> I know I never submitted anything to the github side because I was under
>>>> the impression that it was being refreshed from the primary git repo and
>>>> not considered a repo you could submit to. I suspect there are others who
>>>> thought that as well.
>>>>
>>>> -- James
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
>>>> Sent: Thursday, December 12, 2013 5:18 AM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] Insecure configurations using Rsyslog property
>>>> replacer
>>>>
>>>>> On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:
>>>>>
>>>>>> Rainer?
>>>>>>
>>>>>> If I wanted to submit a doc patch, where is the repo I would Fork?
>>>>>
>>>>> https://github.com/rgerhards
>>>>>
>>>>> We didn't take any further steps for moving the "official" repo, as github
>>>>> seems to have not affected contributions and such. Maybe not enough PR done
>>>>> (another 24h thing...). Suggestions on how to make this better known are
>>>>> very welcome.
>>>>>
>>>>> Rainer
>>>>>
>>>>>> -- James
>>>>>> -- Sent from my mobile --
>>>>>>
>>>>>> ----- Reply message -----
>>>>>> From: "Rainer Gerhards" <[email protected]>
>>>>>> To: "rsyslog-users" <[email protected]>
>>>>>> Subject: [rsyslog] Insecure configurations using Rsyslog property
>>>>>> replacer
>>>>>> Date: Thu, Dec 12, 2013 4:34 AM
>>>>>>
>>>>>> On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:
>>>>>>
>>>>>>> Hello folks,
>>>>>>> By googling for example configurations and templates, I've noticed a
>>>>>>> fairly common insecure configuration and I would like to get your opinion
>>>>>>> on this matter.
>>>>>>>
>>>>>>> It's a common practice to use property replacers (like %hostname% and
>>>>>>> %syslogtag%) to ship logs to specific files.
>>>>>>> For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.
>>>>>>>
>>>>>>> By looking at the documentation and all those examples, it's however
>>>>>>> not clear that those properties are directly parsed by rsyslogd from
>>>>>>> the user-supplied event messages while trying to parse
>>>>>>> RFC3164-formatted messages.
>>>>>>
>>>>>> Well.. where else should they stem from ;)
>>>>>>
>>>>>>> I started looking at the source code and noticed that those properties
>>>>>>> are derived in pmrfc3164.c.
>>>>>>> A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
>>>>>>> chars thus preventing common security issues (e.g. directory traversal).
>>>>>>> Although it doesn't seem possible to override existent files either,
>>>>>>> a remote attacker would still be able to create new files and/or
>>>>>>> directories.
>>>>>>> Eventually, this may allow reaching the inode limit and potentially
>>>>>>> result in a denial of service.
>>>>>>
>>>>>> This is not for security, but for RFC rules. The rfc 5424 parser has
>>>>>> different rules.
>>>>>>
>>>>>>> Besides removing property replacers, is there any other workaround (e.g.
>>>>>>> limit #events/sender/seconds)?
>>>>>>
>>>>>> The property replacer's SecurePath option is meant to deal with that.
>>>>>> I agree it's not easy to find and "elaborately" documented:
>>>>>>
>>>>>> http://blog.gerhards.net/2013/05/moving-to-github.html
>>>>>>
>>>>>>> Would it be possible to update the documentation (e.g.
>>>>>>> http://www.rsyslog.com/doc/property_replacer.html) and include those
>>>>>>> considerations? Kind of "use at your own risk" warning.
>>>>>>
>>>>>> A doc patch is happily accepted. Looking forward to it!
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>>> Cheers,
>>>>>>> Luca
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Luca Carettoni <[email protected]>
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
>>>>>>> you DON'T LIKE THAT.
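An added example, not code from the rsyslog project or from anyone in this thread, illustrating the configuration issue Luca raises: it lints legacy `$template` lines for dynafile paths built from message-supplied properties that lack a path-sanitizing option, re-implements the RFC3164 hostname character filter he describes to show that it blocks traversal but not attacker-chosen file names, and lists the files a template would create for hostnames that are not in the operator's inventory. The sample configuration and hostnames are constructed; the option names `secpath-drop` and `secpath-replace` are taken from the rsyslog property replacer documentation (the "SecurePath option" Rainer refers to), and the list of message-derived properties beyond `hostname` and `syslogtag` is an assumption.

```python
"""Audit rsyslog templates whose dynafile paths are built from properties that
come straight out of the received message (such as %HOSTNAME% and %syslogtag%),
and show what the RFC3164 hostname character filter does and does not rule out.
Added example; not code from rsyslog or from anyone in the thread."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample configuration in legacy $template syntax (not from the thread).
SAMPLE_CONFIG = """
$template logFile,"/var/log/%HOSTNAME%.log"
$template perTag,"/var/log/remote/%HOSTNAME%/%syslogtag%.log"
$template hardened,"/var/log/remote/%HOSTNAME:::secpath-replace%.log"
$template static,"/var/log/remote/all.log"
*.* ?logFile
"""

TEMPLATE_RE = re.compile(r'^\s*\$template\s+(\w+)\s*,\s*"([^"]*)"', re.IGNORECASE)
PROPERTY_RE = re.compile(r"%([^%]+)%")

# Properties whose value is copied from the received message. hostname and
# syslogtag are the ones named in the thread; the others are assumed here.
MESSAGE_PROPERTIES: Set[str] = {"hostname", "source", "syslogtag", "programname"}

# Property-replacer options that sanitize slashes for use in paths (what Rainer
# calls the "SecurePath option"). Names taken from the rsyslog property replacer
# documentation, not from the thread.
SECPATH_OPTIONS: Set[str] = {"secpath-drop", "secpath-replace"}

# Character set Luca describes for RFC3164 hostnames: letters, digits, ".", "_", "-".
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_property(spec: str) -> Tuple[str, Set[str]]:
    """Split the body of %property:fromChar:toChar:options% into
    (lower-case property name, set of options)."""
    parts = spec.split(":")
    name = parts[0].strip().lower()
    options: Set[str] = set()
    if len(parts) >= 4:
        options = {o.strip().lower() for o in parts[3].split(",") if o.strip()}
    return name, options


def audit_templates(config_text: str) -> List[Tuple[str, str]]:
    """Return (template name, property name) for every message-derived property
    used in a $template file path without a secpath option."""
    findings: List[Tuple[str, str]] = []
    for line in config_text.splitlines():
        match = TEMPLATE_RE.match(line)
        if not match:
            continue
        name, template = match.groups()
        for spec in PROPERTY_RE.findall(template):
            prop, options = parse_property(spec)
            if prop in MESSAGE_PROPERTIES and not (options & SECPATH_OPTIONS):
                findings.append((name, prop))
    return findings


def hostname_accepted(candidate: str) -> bool:
    """Simplified re-implementation of the whitelist described for pmrfc3164.c.
    It rejects path separators, so traversal is blocked, but any well-formed
    name is accepted, so the sender still chooses the file name."""
    return bool(HOSTNAME_RE.match(candidate))


def render_path(template: str, props: Dict[str, str]) -> str:
    """Substitute property values into a template; options are ignored, so this
    shows the unsanitized path a dynafile action would open."""
    def substitute(match):
        name, _ = parse_property(match.group(1))
        return props.get(name, "")
    return PROPERTY_RE.sub(substitute, template)


def unexpected_files(template: str, hostnames: List[str], inventory: Set[str]) -> List[str]:
    """Paths the template would create for hostnames that pass the character
    filter but are not in the operator's host inventory: the files Luca warns
    about, and the ones to look for when auditing an existing /var/log."""
    return sorted(
        render_path(template, {"hostname": h})
        for h in hostnames
        if hostname_accepted(h) and h not in inventory
    )


if __name__ == "__main__":
    for name, prop in audit_templates(SAMPLE_CONFIG):
        print(f"template {name}: %{prop}% comes from the message and has no secpath option")
    # Constructed hostnames as they might appear in received RFC3164 messages.
    seen = ["web-01", "db-02", "../etc", "made-up-host-0001"]
    print(unexpected_files('/var/log/%HOSTNAME%.log', seen, {"web-01", "db-02"}))
```

Run against a real configuration, `audit_templates` flags `logFile` and `perTag` but not `hardened`, which carries a secpath option, or `static`, whose path is fixed; `unexpected_files` shows that `../etc` is rejected by the character filter while any other well-formed name is accepted, which is why a fixed path, a secpath option, or a per-host inventory check is what actually bounds the number of files a remote sender can create.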

