[syslog-ng] Escape slashes etc in macro variables ($PROGRAM)

Martin Holste mcholste at gmail.com
Tue Jan 3 16:53:09 CET 2012


Ok, but what about absolute directories?  I'm assuming that something
as simple as setting program to /etc/passwd will not work by default,
but is there anything for users to be aware of?

On Tue, Jan 3, 2012 at 9:39 AM, Gergely Nagy <algernon at balabit.hu> wrote:
> Martin Holste <mcholste at gmail.com> writes:
>
>> This sounds like a significant security hole as well, as we have user
>> input creating files and directories.  I can't immediately think of
>> how to do significant damage (assuming most run with non-root
>> accounts) since it won't overwrite existing dirs, but I'm sure someone
>> more crafty could figure out a way to add a .htaccess file to a web
>> directory or something.
>
> syslog-ng will refuse to write to files whose path contains "..", so the
> worst case is that subdirs can be created (but create_dirs(no) will
> "help" against that).
>
> --
> |8]
>
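
Added example, not part of the original thread and not syslog-ng's own code: a small Python model of the behaviour discussed above, where an untrusted program name is expanded into a file destination path, any path containing ".." is refused as the quoted reply describes, and "/" in the value otherwise leads to subdirectory creation unless directories are not created or the value is escaped first. `BASE`, `TEMPLATE`, `escape_program` and `check` are hypothetical names, and the model assumes only `BASE` exists on disk.

```python
import posixpath
import re

BASE = "/var/log/apps"             # hypothetical log root (assumption)
TEMPLATE = BASE + "/$PROGRAM.log"  # hypothetical file() destination template

def escape_program(program):
    """Collapse an untrusted program name into one harmless filename component."""
    safe = re.sub(r"[^A-Za-z0-9_.-]", "_", program).replace("..", "_")
    if safe.startswith("."):       # no hidden files such as .htaccess
        safe = "_" + safe[1:]
    return safe or "_"

def check(program, create_dirs=True, escape=False):
    """Return (verdict, path) for one program name taken from a received message."""
    if escape:
        program = escape_program(program)
    path = TEMPLATE.replace("$PROGRAM", program)
    if ".." in path:               # the refusal described in the quoted reply
        return ("refused", path)
    parent = posixpath.dirname(posixpath.normpath(path))
    if parent != BASE:             # model assumption: only BASE exists on disk
        return ("creates-subdir" if create_dirs else "fails-no-dir", path)
    return ("written", path)

if __name__ == "__main__":
    # Constructed sample program names, one per case discussed in the thread.
    for name in ["sshd", "../../tmp/x", "/etc/passwd", "web/.htaccess"]:
        print(name, check(name), check(name, create_dirs=False),
              check(name, escape=True))
```

In this model a value such as /etc/passwd stays under the fixed prefix of the template and only produces nested directories; a template that begins with the macro itself has no such prefix and is not covered here.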