create your patch however you want (in git or on github), pulling it is effectively the same on github or manually on git. It's a single mouse click for the 'merge' button on github vs doing a cut-n-paste from the pull request to the command line to do it to a private repo

In any case, Rainer's real master is not the github master or the adiscon master, it's his laptop's copy. That's where he will be pulling the patch :-)

David Lang


On Thu, 12 Dec 2013, Radu Gheorghe wrote:

Nothing special? I thought it's easier to just click Merge and move on :)

I know it's technically possible to do other stuff, just like patches on
the ML are a viable way to contribute. The discussion was about making it
dead-easy to contribute. If it takes me 5 minutes to contribute a
documentation patch and Rainer 1 to merge it, it's good. If it takes me 20,
and 10 to Rainer, that might not happen.


2013/12/12 David Lang <[email protected]>

you can send a pull request from any git repo (at github or anywhere else)
and Rainer can pull it into the adiscon git repos as well as pulling it
into the github repo. There's nothing special about the github pull
requests.


David Lang

On Thu, 12 Dec 2013, Radu Gheorghe wrote:

Date: Thu, 12 Dec 2013 16:13:57 +0200
From: Radu Gheorghe <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Insecure configurations using Rsyslog property replacer

2013/12/12 Rainer Gerhards <[email protected]>

On Thu, Dec 12, 2013 at 2:02 PM, Radu Gheorghe <[email protected]> wrote:


 So, we can submit pull requests to the github repo now?


 yupp, actually I got one or two in the past.


Cool! Now I know what to do when I want to contribute :D



sorry if I failed in stating this clearly enough. I keep both the rsyslog
git and the one on github in sync "manually" (which boils down to a script
that dual pushes and as such there is no real effort). When I got started
with github -after a discussion like these- I was interested to see if this
would bring benefit. My peers at Adiscon were also watching and prepared to
move over, but we never saw any real reason to do so. I am still hesitant
if I don't see any real benefit. But as you can see, I've moved everything
of interest to github.


Again, this is very cool. Though the lack of interest might just be the
self-fulfilling prophecy <http://en.wikipedia.org/wiki/Self-fulfilling_prophecy>
in action.

I was never aware of the github thing, and I can bet many others are in the
same situation.

For example, all the links to some bleeding-edge stuff you send on the list
are from Adiscon's git, not github. When people are sending patches on the
ML, we could point them to github. It might be easier & better for many. Now
I know, and I'll say :)



Again, if you could suggest additional ways to communicate - or even
better: help promote, I am all ears for this.


This is exactly what I wanted to say next. You could add something to
rsyslog.com, and/or the footer of any documentation page saying "Do you
think this page can be improved? Let us know or send a pull request
at...."

I guess I can send a pull request with that footer, too :D Will do it at
one point if time permits. Don't count on me on this front, though...

And one more thing about the documentation. Do you think it's a good idea
to convert the doc pages in RST or whatever displays nicely in GitHub and
put them in the Wiki? Do you think it would be a complicated thing to do?

I didn't have the time to research the subject yet, but I'm running this by
you because if you think the idea sucks, research is futile :)

Ways to promote? I don't know, tweet, blog, I don't have any better ideas. I
suck at this stuff, although I find it interesting.



One final warning: while I use github for quite a bit now, I have not
really gotten started with its special features as there was never need. So
in the initial phase I may end up having some problems ;) Usually, when I
get a pull request, I just pull changes from wherever that git repo is. If
there is something special with github, I need to find out how to do it the
github way...


I'm no expert, either, but I'm sure that if it takes off and people start
using it, you'll get suggestions on how to right the wrong :)



Rainer


2013/12/12 Boylan, James <[email protected]>

I know I never submitted anything to the github side because I was under
the impression that it was being refreshed from the primary git repo and
not considered a repo you could submit to. I suspect there are others who
thought that as well.

-- James

-----Original Message-----
From: [email protected] [mailto:
[email protected]] On Behalf Of Rainer Gerhards
Sent: Thursday, December 12, 2013 5:18 AM
To: rsyslog-users
Subject: Re: [rsyslog] Insecure configurations using Rsyslog property
replacer

On Thu, Dec 12, 2013 at 12:10 PM, Boylan, James <[email protected]> wrote:


 Rainer?

If I wanted to submit a doc patch, where is the repo I would Fork?

https://github.com/rgerhards


We didn't take any further steps for moving the "official" repo, as github
seems to have not affected contributions and such. Maybe not enough PR done
(another 24h thing...). Suggestions on how to make this better known are
very welcome.

Rainer


 -- James
-- Sent from my mobile --

----- Reply message -----
From: "Rainer Gerhards" <[email protected]>
To: "rsyslog-users" <[email protected]>
Subject: [rsyslog] Insecure configurations using Rsyslog property
replacer
Date: Thu, Dec 12, 2013 4:34 AM

On Thu, Dec 12, 2013 at 2:27 AM, Luca Carettoni <[email protected]> wrote:


Hello folks,
By googling for example configurations and templates, I've noticed a fairly
common insecure configuration and I would like to get your opinion on this
matter.

It's a common practice to use property replacers (like %hostname% and
%syslogtag%) to ship logs to specific files.
For instance, $template logFile,"/var/log/%HOSTNAME%.log" and similar.


By looking at the documentation and all those examples, it's however not
clear that those properties are directly parsed by rsyslogd from the
user-supplied event messages while trying to parse RFC3164-formatted
messages.


Well.. where else should they stem from ;)


I started looking at the source code and noticed that those properties are
derived in pmrfc3164.c.
A whitelist approach has been used to allow alphanumeric, ".", "_", "-"
chars, thus preventing common security issues (e.g. directory traversal).

Although it doesn't seem possible to override existent files either, a
remote attacker would still be able to create new files and/or directories.

Eventually, this may allow to reach the inode limit and potentially result
in a denial of service.


This is not for security, but for RFC rules. The RFC 5424 parser has
different rules.


Besides removing property replacers, is there any other workaround (e.g.
limit #events/sender/seconds)?


The property replacer's SecurePath option is meant to deal with that.
I agree it's not easy to find and "elaborately" documented:

http://blog.gerhards.net/2013/05/moving-to-github.html

Would it be possible to update the documentation (e.g.
http://www.rsyslog.com/doc/property_replacer.html) and include those
considerations? Kind of "use at your own risk" warning.


 A doc patch is happily accepted. Looking forward to it!

Rainer

 Cheers,
Luca

--

Luca Carettoni <[email protected]>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.
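A defender-side audit of the pattern Luca raises, added here as an example and not code from the thread or from rsyslog itself: it reads legacy `$template` lines, finds the templates that rules use as dynafile targets (`?name`), and reports message-derived properties such as %HOSTNAME% or %syslogtag% that build a path without a secure-path option. It assumes the `secpath-drop` / `secpath-replace` property-replacer options are the "SecurePath option" Rainer mentions; the configuration is a constructed sample.

```python
import re

# Constructed sample rsyslog.conf in the legacy syntax used in the thread; not a real deployment.
SAMPLE_CONF = """\
$template logFile,"/var/log/%HOSTNAME%.log"
$template safeByHost,"/var/log/hosts/%HOSTNAME:::secpath-replace%/%programname:::secpath-drop%.log"
$template byTag,"/var/log/tags/%syslogtag:1:32%.log"
$template lineFmt,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\\n"
*.* ?logFile
auth.* -?safeByHost
local0.* ?byTag
*.* /var/log/all.log;lineFmt
"""

# $template NAME,"TEXT"[,options]
TMPL_RE = re.compile(r'^\s*\$template\s+(\S+?)\s*,\s*"([^"]*)"', re.IGNORECASE)
# Dynafile use in a rule line: "selector ?NAME" or "selector -?NAME"
DYNA_RE = re.compile(r"\s-?\?([A-Za-z0-9_.-]+)")
# Property replacer reference: %name[:from:to[:options]]%
PROP_RE = re.compile(r"%([A-Za-z0-9_-]+)(?::[^:%]*:[^:%]*(?::([^%]*))?)?%")
# Properties whose value the parser takes from the untrusted message itself,
# so a remote sender chooses them (within the parser's character whitelist).
MSG_DERIVED = {"hostname", "syslogtag", "programname", "app-name", "procid",
               "msgid", "structured-data", "msg", "rawmsg"}
# Assumed to be the "SecurePath option" Rainer refers to.
SECURE_OPTS = {"secpath-drop", "secpath-replace"}


def audit_dynafile_templates(conf_text):
    """Return (template, property) pairs where a message-derived property is
    used to build a dynafile path without a secure-path option."""
    templates, dynafiles = {}, set()
    for line in conf_text.splitlines():
        m = TMPL_RE.match(line)
        if m:
            templates[m.group(1)] = m.group(2)
        elif not line.lstrip().startswith("#"):
            dynafiles.update(DYNA_RE.findall(line))
    findings = []
    for name, path in templates.items():
        if name not in dynafiles:
            continue  # never used as a file name, so not a path issue
        for pm in PROP_RE.finditer(path):
            prop = pm.group(1).lower()
            opts = {o.strip().lower() for o in (pm.group(2) or "").split(",")}
            if prop in MSG_DERIVED and not (opts & SECURE_OPTS):
                findings.append((name, prop))
    return findings
```

Running `audit_dynafile_templates(SAMPLE_CONF)` flags `logFile` and `byTag`; `safeByHost` passes and `lineFmt` is ignored because it only formats message lines, not file names.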