From: "Max R. Carrara" <m.carrara@proxmox.com>
To: "Stoiko Ivanov" <s.ivanov@proxmox.com>, <pmg-devel@lists.proxmox.com>
Subject: Re: [PATCH pmg-api v2 2/5] config: add log-tracker-base key
Date: Wed, 10 Jun 2026 18:26:09 +0200
Message-ID: <DJ5ID4YGFUWD.1MTLE5FXG34CL@proxmox.com>
In-Reply-To: <20260609200637.904334-3-s.ivanov@proxmox.com>

On Tue Jun 9, 2026 at 10:04 PM CEST, Stoiko Ivanov wrote:
> makes it possible to override the input-base parameter for
> pmg-log-tracker - functionality there was added in:
> 9816d19 ("fix #3657: allow scanning a configurable rotated log series")
>
> the option is restricted to root@pam, as suggested by Thomas, since
> enabling other admin users to open arbitrary files on the system might
> leak information, in case the parser in pmg-log-tracker matches
> something unexpected. To err on the side of caution - restrict it to
> root@pam, as we can always make it more liberal in the future, while
> restricting it later could break some users' workflows.
>
> the pattern allows for an input-base with a maximal depth of 6
> directories, which should cover all needs.

Mmh, somewhat arbitrary, no? I don't think we should allow an infinite
amount of directories, but just to play it safe, I think we should
relax this restriction here -- perhaps a depth of 127 or 255?

>
> the default in the config is /var/log/syslog and will be explicitly
> provided to pmg-log-tracker if nothing is set in pmg.conf
>
> exposing the option in pmg.conf enables users to use a different
> log location for the daily work.
>
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> src/PMG/Config.pm | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
> index f48c31dc..fbe2f3cb 100644
> --- a/src/PMG/Config.pm
> +++ b/src/PMG/Config.pm
> @@ -161,6 +161,12 @@ EODESC
> maxLength => 64 * 1024,
> default => '',
> },
> + 'log-tracker-base' => {
> + description => "Location of rotated mail logs, input-base argument for pmg-log-tracker",
> + type => 'string',
> + pattern => '^/([^/\0]+\/){0,6}[^/\0]+$',

This regex here actually gets a lot of things right, but misses one
crucial thing: It does not prevent parent directory references from
occurring inside the pattern. So, in the very unlikely scenario that
somebody is able to inject a maliciously-formed path here, they could
theoretically access arbitrary files on the system, e.g.:

    /var/log/syslog/../../../etc/pmg/pmg-csrf.key

.. would resolve to /etc/pmg/pmg-csrf.key.

Again, this is probably very unlikely to happen -- but we should
sanitize the input here nevertheless.

So, we'll need a validation sub instead of a pattern here in order to be
able to check for parent directory references [validation].

> + default => '/var/log/syslog',
> + },
> };
> }
>
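
Review bot: the character class `[^/\0]` on the `pattern =>` line excludes only `/` and NUL, so besides `.` and `..` components it also admits newlines and other control characters in a value that, per the description, is handed to pmg-log-tracker as its input-base argument; whatever replaces the pattern should reject those too. The new key also sets no `maxLength`, unlike the entry just above it (`maxLength => 64 * 1024`); a bound suited to a file system path would fit here.
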
> @@ -182,6 +188,7 @@ sub options {
> 'dkim-use-domain' => { optional => 1 },
> 'admin-mail-from' => { optional => 1 },
> 'consent-text' => { optional => 1 },
> + 'log-tracker-base' => { optional => 1, root_only => 1 },

If you do decide to rename it to 'root-only', don't forget this spot
here too.

> };
> }
>
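
Review bot: `root_only => 1` on the added `'log-tracker-base'` line is the only place this patch expresses the root@pam restriction, and nothing in the diff exercises it. A test that a non-root admin cannot set the key would keep the restriction from silently disappearing if the flag is renamed or the options hash is refactored.
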
[validation]: https://git.proxmox.com/?p=pve-storage.git;a=blob;f=src/PVE/Storage/Plugin.pm;h=4f69f9b5db69674335eb3024d61d4a3430bca1ec;hb=refs/heads/master#l331
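
The component-wise check the review asks for, as an added example (not pmg-api code and not part of the original message), run next to the pattern from the patch. The sub name `check_log_tracker_base`, its messages and the retained depth limit are assumptions; all sample paths except the patch default and the one quoted in the review are constructed.

```perl
#!/usr/bin/perl
# Added example, not pmg-api code; sub name and messages are hypothetical.
use strict;
use warnings;

# Pattern string exactly as proposed in the patch.
my $patch_re = do { my $p = '^/([^/\0]+\/){0,6}[^/\0]+$'; qr/$p/ };

# Assumption: keep the patch's depth limit ({0,6} directories + file name).
my $MAX_COMPONENTS = 7;

# Returns nothing if $path is acceptable, otherwise the reason for rejecting it.
sub check_log_tracker_base {
    my ($path) = @_;
    return 'not an absolute path' if !defined($path) || $path !~ m{^/};
    return 'control character' if $path =~ /[\x00-\x1f\x7f]/;
    return 'empty component or trailing slash' if $path =~ m{//|/\z};
    my @parts = split m{/}, substr($path, 1);
    return 'too many components' if @parts > $MAX_COMPONENTS;
    for my $part (@parts) {
        # Compare whole components, so names such as "mail..1" stay valid.
        return "'$part' component" if $part eq '.' || $part eq '..';
    }
    return;
}

my @samples = (
    '/var/log/syslog',                                # default from the patch
    '/var/log/syslog/../../../etc/pmg/pmg-csrf.key',  # quoted in the review; 8 directories
    '/var/log/../../etc/pmg/pmg-csrf.key',            # constructed: 6 directories
    '/var/log/./syslog',                              # constructed
    "/var/log/sys\nlog",                              # constructed: embedded newline
    '/var/log/mail..1/syslog',                        # constructed: dots inside a name
);

for my $path (@samples) {
    my $by_pattern = $path =~ $patch_re ? 'accept' : 'reject';
    my $reason     = check_log_tracker_base($path);
    my $by_sub     = defined($reason) ? "reject ($reason)" : 'accept';
    (my $shown = $path) =~ s/\n/\\n/g;
    printf "%-46s pattern: %-6s sub: %s\n", $shown, $by_pattern, $by_sub;
}
```

The check is purely lexical: it does not resolve symbolic links, so it constrains what can be written into pmg.conf, not what the final path points at.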