Ok, but what about absolute directories? I'm assuming that something as simple as setting program to /etc/passwd will not work by default, but is there anything for users to be aware of? On Tue, Jan 3, 2012 at 9:39 AM, Gergely Nagy <algernon@balabit.hu> wrote:
Martin Holste <mcholste@gmail.com> writes:
This sounds like a significant security hole as well, as we have user input creating files and directories. I can't immediately think of how to do significant damage (assuming most run with non-root accounts) since it won't overwrite existing dirs, but I'm sure someone more crafty could figure out a way to add a .htaccess file to a web directory or something.
syslog-ng will refuse to write to files whose path contains "..", so the worst case is that subdirs can be created (but create_dirs(no) will "help" against that).
-- |8]
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq