From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id CEA0F1FF13A for ; Wed, 10 Jun 2026 18:26:43 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AE4E1144EB; Wed, 10 Jun 2026 18:26:43 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 10 Jun 2026 18:26:09 +0200 Message-Id: To: "Stoiko Ivanov" , From: "Max R. Carrara" Subject: Re: [PATCH pmg-api v2 2/5] config: add log-tracker-base key X-Mailer: aerc 0.18.2-0-ge037c095a049 References: <20260609200637.904334-1-s.ivanov@proxmox.com> <20260609200637.904334-3-s.ivanov@proxmox.com> In-Reply-To: <20260609200637.904334-3-s.ivanov@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1781108722809 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.081 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: UWVRN4FUL5RXRUY64QZGSLIFQ2SBBAYK X-Message-ID-Hash: UWVRN4FUL5RXRUY64QZGSLIFQ2SBBAYK X-MailFrom: m.carrara@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Tue Jun 9, 2026 at 10:04 PM CEST, Stoiko Ivanov wrote: > makes it possible to override the input-base parameter for > pmg-log-tracker - functionality there was added in: > 9816d19 ("fix #3657: allow scanning a configurable rotated log series") > > the option is restricted to root@pam, as suggested by Thomas, since > enabling other admin users to open arbitrary files on the system might > leak information, in case the parser in pmg-log-tracker matches > something unexpected. To err on the side of caution - restrict it to > root@pam, as we can always make it more liberal in the future, while > restricting it later could break some users workflows. > > the pattern allows for a input-base with a maximal depth of 6 > directories, which should cover all needs. Mmh, somewhat arbitrary, no? I don't think we should allow an infinite amount of directories, but just to play it safe, I think we should relax this restriction here -- perhaps a depth of 127 or 255? > > the default in the config is /var/log/syslog and will be explicitly > provided to pmg-log-tracker if nothing is set in pmg.conf > > exposing the option in pmg.conf enables users to use a different > log location for the daily work. > > Signed-off-by: Stoiko Ivanov > --- > src/PMG/Config.pm | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm > index f48c31dc..fbe2f3cb 100644 > --- a/src/PMG/Config.pm > +++ b/src/PMG/Config.pm > @@ -161,6 +161,12 @@ EODESC > maxLength =3D> 64 * 1024, > default =3D> '', > }, > + 'log-tracker-base' =3D> { > + description =3D> "Location of rotated mail logs, input-base = argument for pmg-log-tracker", > + type =3D> 'string', > + pattern =3D> '^/([^/\0]+\/){0,6}[^/\0]+$', This regex here actually gets a lot of things right, but misses one crucial thing: It does not prevent parent directory references from occurring inside the pattern. So, in the very unlikely scenario that somebody is able to inject a maliciously-formed path here, they could theoretically access arbitrary files on the system, e.g.: /var/log/syslog/../../../etc/pmg/pmg-csrf.key .. would resolve to /etc/pmg/pmg-csrf.key. Again, this is probably very unlikely to happen -- but we should sanitize the input here nevertheless. So, we'll need a validation sub instead of a pattern here in order to be able to check for parent directory references [validation]. > + default =3D> '/var/log/syslog', > + }, > }; > } > > @@ -182,6 +188,7 @@ sub options { > 'dkim-use-domain' =3D> { optional =3D> 1 }, > 'admin-mail-from' =3D> { optional =3D> 1 }, > 'consent-text' =3D> { optional =3D> 1 }, > + 'log-tracker-base' =3D> { optional =3D> 1, root_only =3D> 1 }, If you do decide to rename it to 'root-only', don't forget this spot here too. > }; > } > [validation]: https://git.proxmox.com/?p=3Dpve-storage.git;a=3Dblob;f=3Dsrc= /PVE/Storage/Plugin.pm;h=3D4f69f9b5db69674335eb3024d61d4a3430bca1ec;hb=3Dre= fs/heads/master#l331