diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod
index 0fa12caca9f945b99f1b584df6cb1f9d979b6a44..7f9c2a1ab17c27424460d591b7dc08e064e5dfd8 100644 (file)
--- a/doc/rrdcached.pod
+++ b/doc/rrdcached.pod
B<rrdcached>
[B<-P>E<nbsp>I<permissions>]
[B<-l>E<nbsp>I<address>]
+[B<-s>E<nbsp>I<group>]
[B<-w>E<nbsp>I<timeout>]
[B<-z>E<nbsp>I<delay>]
[B<-f>E<nbsp>I<timeout>]
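Review bot: the synopsis gains `[B<-s>E<nbsp>I<group>]` but not the `-m` option that this same patch documents further down under `=item B<-m> I<mode>`; add `[B<-m>E<nbsp>I<mode>]` next to it so the synopsis and the option list agree. The placeholder spelling also differs between the two places (`I<group>` here, `I<group_name>|I<gid>` in the item header); pick one.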
Tells the daemon to bind to I<address> and accept incoming connections on that
socket. If I<address> begins with C<unix:>, everything following that prefix is
interpreted as the path to a UNIX domain socket. Otherwise the address or node
-name are resolved using getaddrinfo.
+name are resolved using C<getaddrinfo()>.
For network sockets, a port may be specified by using the form
C<B<[>I<address>B<]:>I<port>>. If the address is an IPv4 address or a fully
qualified domain name (i.E<nbsp>e. the address contains at least one dot
(C<.>)), the square brackets can be omitted, resulting in the (simpler)
-C<I<address>B<:>I<port>> pattern. The default port is B<42217/udp>. If you
+C<I<address>B<:>I<port>> pattern. The default port is B<42217/tcp>. If you
specify a network socket, it is mandatory to read the
L</"SECURITY CONSIDERATIONS"> section.
If the B<-l> option is not specified the default address,
C<unix:/tmp/rrdcached.sock>, will be used.
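Review bot: grammar nit on the rewritten line: the subject (`the address or node name`) is singular, so `+name are resolved using C<getaddrinfo()>.` should read `name is resolved using C<getaddrinfo()>.`; since the line is being touched anyway, this is the place to fix it. The udp to tcp correction for the default port is consistent with the surrounding text, which describes a socket that accepts incoming connections.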
+=item B<-s> I<group_name>|I<gid>
+
+Set the group permissions of a UNIX domain socket. The option accepts either
+a numeric group id or group name. That group will then have both read and write
+permissions (the socket will have file permissions 0750) for the socket and,
+therefore, is able to send commands to the daemon. This
+may be useful in cases where you cannot easily run all RRD processes with the same
+user privileges (e.g. graph generating CGI scripts that typically run in the
+permission context of the web server).
+
+This option affects the I<following> UNIX socket addresses (the following
+B<-l> options) or the default socket (if no B<-l> options have been
+specified), i.e., you may specify different settings for different
+sockets.
+
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+
+=item B<-m> I<mode>
+
+Set the file permissions of a UNIX domain socket. The option accepts an octal
+number representing the bit pattern for the mode (see L<chmod(1)> for
+details).
+
+Please note that not all systems honor this setting. On Linux, read/write
+permissions are required to connect to a UNIX socket. However, many
+BSD-derived systems ignore permissions for UNIX sockets. See L<unix(7)> for
+details.
+
+This option affects the I<following> UNIX socket addresses (the following
+B<-l> options) or the default socket (if no B<-l> options have been
+specified), i.e., you may specify different settings for different
+sockets.
+
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+
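Review bot: the `-s` text is inconsistent with the `-m` text in the same patch: it promises the group `both read and write permissions (the socket will have file permissions 0750)`, but 0750 grants the group read and execute only, and the `-m` entry a few lines below states that on Linux read/write permission is required to connect. Either the mode `-s` applies is 0770 (then correct the number) or the entry should say that write access must additionally be granted with `-m`; as written, a reader following the `-s` example will get a socket the web server group cannot connect to. Smaller points: `-s` changes the socket's group owner rather than "the group permissions", so `Set the group owner of a UNIX domain socket` is more accurate; the two closing paragraphs (`This option affects the I<following> UNIX socket addresses ...` and `The default is not to change ownership or permissions ...`) are repeated verbatim under `-s` and `-m`, and the `-m` entry could refer to `-s` instead of duplicating them; and `-m` only sets permissions, so its default should not speak of ownership.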
=item B<-P> I<command>[,I<command>[,...]]
Specifies the commands accepted via a network socket. This allows
rrdcached -P FLUSH,PENDING $MORE_ARGUMENTS
-The B<-P> option effects the I<following> socket addresses (the following B<-l>
-options). In the following example, only the IPv4 network socket (address
+The B<-P> option affects the I<following> socket addresses (the following B<-l>
+options) or the default socket (if no B<-l> options have been
+specified). In the following example, only the IPv4 network socket (address
C<10.0.0.1>) will be restricted to the C<FLUSH> and C<PENDING> commands:
rrdcached -l unix:/some/path -P FLUSH,PENDING -l 10.0.0.1
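Review bot: the new clause `or the default socket (if no B<-l> options have been specified)` conflicts with the first sentence of this item, which says `-P` specifies the commands accepted via a network socket, while the default socket is the UNIX socket `unix:/tmp/rrdcached.sock`. Clarify whether `-P` also restricts commands on UNIX sockets (in which case the opening sentence should drop "network") or whether the default socket is unaffected, in which case the added clause is wrong here even though it is correct for `-s` and `-m`.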
=head2 Authentication
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the hosts_access(5) man pages.
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for
this, using network sockets is probably a bad idea!
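Review bot: hosts_access is address-based access control, not authentication, so the new wording overstates what libwrap provides: a client is admitted on the strength of its source address or hostname, which the daemon cannot verify, and nothing identifies the user behind the connection. Keep the old statement that the protocol itself has no authentication or encryption (the deleted paragraph was the only place that mentioned encryption) and describe libwrap as restricting which hosts may connect, e.g. `+If built with libwrap, L<hosts_access(5)> can be used to restrict which client addresses may connect; this is access control, not authentication, and the traffic is still unencrypted.` Two nits: the daemon is called `rrdcache daemon` three times here but `rrdcached` everywhere else in the file, and `hosts_access(5)` should be a POD link (`L<hosts_access(5)>`) like the other man page references this patch adds (`L<chmod(1)>`, `L<unix(7)>`).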