Think about this: if we prevent json parsing, we can never relay. I think tls auth is the solution.
Rainer
Sent from phone, thus brief.

Miloslav Trmac <[email protected]> wrote:

----- Original Message -----
> On Wed, 5 Sep 2012, Miloslav Trmac wrote:
> > ----- Original Message -----
> >> quick update: I have just committed the ability to pass the JSON
> >> object natively to output modules in v7-devel.
> >
> > One more thing:
> >
> > The new imuxsock stores "pid", "uid" and "gid" into a "trusted"
> > subobject; shouldn't they go into the root object by default, so that
> > the JSON data can be used for Lumberjack storage directly without
> > modification in a template? (This also implies that mmjsonparse would
> > have to prevent modification of these values by content of the
> > message.)
>
> the amount of trust in these values is up to the admin.
>
> remember, they can be forged by a root process, and they are far less
> trustworthy once they are sent to a remote machine. As a result, it should
> be possible to change them.

It should be possible to change them inside rsyslog; the mmjsonparse case I am worried about is an unprivileged process sending
> sshd: @cee { "uid": 0, "msg": "spoofed" }
Yes, root can always spoof the UID, but it shouldn't be _this_ easy for everyone.

Note that putting them into a different namespace is orthogonal to the mmjsonparse protection:
> sshd: @cee { "trusted": { "uid": 0 }, "msg": "spoofed" }
is just as problematic.

> However, since they do start out with much more reason to trust them than
> other data in the log that's passed from the logging application, it also
> makes sense to tag them as such.

It does make sense - but I think that would have to happen in the Lumberjack specification, otherwise Fedora have to choose between a) always shipping a configuration that overrides the rsyslog default, and b) deviating from the specification it tries to implement.
    Mirek
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
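
The protection asked for in the thread, for the local-socket case only, as an added sketch that is not rsyslog or mmjsonparse code: message-supplied JSON is merged with the credentials the receiver observed, and any message-supplied `pid`, `uid`, `gid` or `trusted` key is dropped and reported. The names `parse_cee`, `build_event` and `PROTECTED`, and the sender credentials, are hypothetical and constructed for illustration.

```python
import json

COOKIE = "@cee"
# Keys only the receiver may set. The key names come from the thread;
# treating exactly this set as protected is an assumption of this sketch.
PROTECTED = {"pid", "uid", "gid", "trusted"}


def parse_cee(msg):
    """Return the JSON object following the @cee cookie, or None."""
    idx = msg.find(COOKIE)
    if idx < 0:
        return None
    try:
        obj = json.loads(msg[idx + len(COOKIE):].lstrip(": "))
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None
    return obj if isinstance(obj, dict) else None


def build_event(msg, creds):
    """Merge message fields with receiver-observed credentials.

    creds holds pid/uid/gid as seen by the receiver on the local socket.
    Protected keys supplied by the message are removed and returned in
    `rejected`, so the stored uid is always the one the receiver saw.
    """
    fields = parse_cee(msg) or {"msg": msg}
    rejected = sorted(k for k in fields if k in PROTECTED)
    event = {k: v for k, v in fields.items() if k not in PROTECTED}
    event.update(creds)  # root-object placement, as proposed in the thread
    return event, rejected


# Constructed samples: the two payloads quoted in the thread, sent by uid 1000.
SENDER = {"pid": 4242, "uid": 1000, "gid": 1000}
ROOT_SPOOF = 'sshd: @cee { "uid": 0, "msg": "spoofed" }'
NESTED_SPOOF = 'sshd: @cee { "trusted": { "uid": 0 }, "msg": "spoofed" }'

if __name__ == "__main__":
    for sample in (ROOT_SPOOF, NESTED_SPOOF):
        print(build_event(sample, SENDER))
```

The `rejected` list gives the admin something to log or alert on when a local sender tries to set a protected key.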

