On Thu, 2 Apr 2009, Rainer Gerhards wrote: > Agreed, but I think a deep copy does not address anything. With the template > system (in theory but not yet in practice), a plugin can not access any > information other than what the users has configured in the template. If the > full object is passed, this can not prevented. In practice, today, plugins > are loaded in-process and as such can access the whole process space. But > there are ideas to create an out-of-process plugin interface for very > security sensitive environments. They would be hurt (or require additional > configuration) but the "full object access" approach.
if you really want to have a output module that's seperate from a security point of view, have a lightweight output module (that can have full access to everything) mediate all communication to the external module (that would only get what is sent to it and is a seperate process) this would give you the security you are thinking of, but still allow in-process modules to have the increased access to data. this isn't the first case where it would have been helpful to have access to more of the properties (the UDP forgery module I sent in was another, but I was able to work-around that by adding data to the message and having the plugin parse it out, inefficiant, but possible) David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
