I'm running a syslog-ng process which is receiving messages from Solaris 6, 7, and 8 machines generated by the native Solaris syslogd, some of which originate from routers and other networking infrastructure. Occasionally I get radically malformed messages, which syslog-ng places in the wrong locations. The file destination writes these messages to $HOST/$PRIORITY, etc., but these variables consist of this munged data. Unfortunately, this forces me to manually clean out and remove the directory structure the messages created. Any ideas on how to prevent this from happening in the first place?

I'm also concerned that a maliciously formed syslog packet could cause syslog-ng to inadvertently overwrite system files. For example, if the file destination was:

/var/log/$HOST/$PROCESS

And the expansion was:

$HOST = "../../etc"
$PROCESS = "passwd";

This system file could be overwritten. Any comments or information on internal syslog-ng checks to reassure me from worrying about this?

Thanks,
Keith Resar.
--
On Wed, Apr 02, 2003 at 03:45:39PM -0500, Keith Resar wrote:
Occasionally I get radically malformed messages, which syslog-ng places in the wrong locations. The file destination writes these messages to $HOST/$PRIORITY, etc., but these varibales consist of this munged data.
Unfortunately, this forces me to manually clean out and remove the directory structure the messages created. Any ideas on how to prevent this from happening in the first place?
http://www.campin.net/syslog-ng/faq.html#bad_filenames covers this. It talks about not trusting input from the network when creating files, as you mention below. What worked for me was to use syslog-ng everywhere, transfer over TCP and set

options { use_fqdn(yes); long_hostnames(off); keep_hostname(no); use_dns(yes); };

I'd think about using dnscache's internal DNS caching and/or a local DNS cache with this setup as well.

--
Nate Campi
http://www.campin.net
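As an added example (not code from this thread or from syslog-ng itself), a small Python model of the two checks a file destination should apply to network-supplied macro values such as $HOST and $PROCESS: a per-component allowlist that turns anything but a plain hostname- or program-style label into a fixed fallback name, and a containment check on the expanded path so a value that slips through can still not escape the log directory. The base directory, template and macro names are assumptions taken from the example in the question.

```python
import os
import re

# Assumed base directory and destination template, modelled on the thread.
BASE_DIR = "/var/log"
TEMPLATE = "/var/log/$HOST/$PROCESS"

# Allowlist for one path component. No "/" is in the class, and the first
# character may not be ".", so "." and ".." can never be produced.
_COMPONENT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")
FALLBACK = "unknown"


def sanitize_component(value: str) -> str:
    """Return value unchanged only if it is a safe single path component;
    otherwise return the fixed fallback so munged input lands in one place."""
    if value and _COMPONENT_RE.fullmatch(value):
        return value
    return FALLBACK


def expand_destination(template: str, macros: dict, base_dir: str = BASE_DIR,
                       sanitize: bool = True) -> str:
    """Expand $MACRO references in template and confirm the normalised result
    still lies under base_dir. sanitize=False shows what the second check
    alone catches; it raises ValueError instead of returning an outside path."""
    def repl(match):
        raw = macros.get(match.group(1), "")
        return sanitize_component(raw) if sanitize else raw

    expanded = re.sub(r"\$([A-Z_]+)", repl, template)
    resolved = os.path.normpath(expanded)   # collapses any ".." segments
    base = os.path.normpath(base_dir)
    if resolved != base and not resolved.startswith(base + os.sep):
        raise ValueError(f"destination {resolved!r} escapes {base!r}")
    return resolved
```

With the thread's "../../etc" / "passwd" values the allowlist rewrites the host to the fallback, and with sanitisation switched off the containment check raises rather than handing back /etc/passwd.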