Differential D17086
newsyslog.conf: Restrict included files in default config to [!.]*.conf Authored by woodsb02 on Sep 9 2018, 5:07 AM. Tags None Referenced Files
Details newsyslog.conf: Restrict included files in default config to [!.]*.conf The new default config will only include files from the following
This matches the syslog.conf(5) functionality, and also prevents '.sample' or newsyslog -Nv
Diff Detail
Event TimelineComment Actions This is fine to me, though I could imagine some users getting confused when their config stops working. Don't forget to bump .Dd
Comment Actions This breaks POLA in a big way, if this goes through, it will need a very large warning in the release notes. Comment Actions Hmm. I'm definitely ok rejecting the (hidden) names .sample or .pkgnew, and I think probably rejecting all hidden (dot-prefixed) names would be reasonable. I don't see a good reason to require files be named something.conf, though. If they aren't configuration, outside of internal pkg machinations, they shouldn't be in newsyslog.conf.d/! If we are going to require newsyslog conf files be named foo.conf, there needs to be automation that detects files with other names and at least produces a warning syslog message so admins with such files have a prayer of determining why their logs are not rotating. (This could just be a boot-time rc script.) Comment Actions To clarify my accept: mechanically it is fine. I assumed that the social aspects were already resolved. Comment Actions The proposed change makes newsyslog.conf consistent with syslog.conf I like it. Looking forward to it. Comment Actions I think I like cem's idea to only include files if they do not start with a "." or finish with ".pkgnew", ".sample" or ".bak" (any others?). Can I ask for some globbing assistance please? I can't seem to find a way to match all filenames which do not end with ".sample", ".pkgnew" or ".bak"... Comment Actions If we do this, we should update other utilities that have .d directories or the like. Comment Actions I think there is absolutely no POLA here as this is a configuration, there should be some warning in the release Release note about it and that is all imho. There are too many patterns to consider Comment Actions Given that, should we instead just take *.conf and be done with it? Allow .files to be brought in. Comment Actions The worst part is, these types of files are being executed today as valid newsyslog scripts (would this be causing double rotation?). @mat - as the strongest voice of POLA violations, what about if we proceed with the change as is, and take a few extra steps to notify admins:
You also raised the concern about if admins were using automatic deployment tools to update newsyslog.d files (ansible, salt, puppet, chef, etc). This type of user would be exposed to both of the above. Firstly, the newsyslog.d file would be moved during pkg install, and then later when their deployment tool installs the script back in the old location, they will see commands printed to the console. In my opinion, there is no perfect answer here. The fact seems to be the current system has issues (in that newsyslog is ingesting any .sample, .bak and .orig files and actioning them) and this should be fixed. The best we can hope for is to try and ease this transition for most people through migration tools, and detect/warn the others through console error messages. | ||||||||||||||||||||||||||||||||||||||