diff --git a/doc/rrdcached.1 b/doc/rrdcached.1
index c5c5ed5c593eedbd47a60b4df0d8f8b18b48b267..8c2324e8d9fa2bf90609e37ba13f6ce43a0a1509 100644 (file)
--- a/doc/rrdcached.1
+++ b/doc/rrdcached.1
-.\" Automatically generated by Pod::Man 2.1801 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "RRDCACHED 1"
-.TH RRDCACHED 1 "2009-11-15" "1.4.2" "rrdtool"
+.TH RRDCACHED 1 "2011-03-15" "1.4.7" "rrdtool"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBrrdcached\fR
[\fB\-P\fR\ \fIpermissions\fR]
[\fB\-l\fR\ \fIaddress\fR]
+[\fB\-s\fR\ \fIgroup\fR]
[\fB\-w\fR\ \fItimeout\fR]
[\fB\-z\fR\ \fIdelay\fR]
[\fB\-f\fR\ \fItimeout\fR]
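Review bot: the synopsis gains [-s group] here but no matching [-m mode] entry, although this same patch documents a new -m mode option further down; add the -m line to the synopsis as well. The placeholder is also "group" here and "group_name|gid" in the option item, so one spelling should be used in both places.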
Tells the daemon to bind to \fIaddress\fR and accept incoming connections on that
socket. If \fIaddress\fR begins with \f(CW\*(C`unix:\*(C'\fR, everything following that prefix is
interpreted as the path to a \s-1UNIX\s0 domain socket. Otherwise the address or node
-name are resolved using getaddrinfo.
+name are resolved using \f(CW\*(C`getaddrinfo()\*(C'\fR.
.Sp
For network sockets, a port may be specified by using the form
\&\f(CW\*(C`\f(CB[\f(CW\f(CIaddress\f(CW\f(CB]:\f(CW\f(CIport\f(CW\*(C'\fR. If the address is an IPv4 address or a fully
qualified domain name (i.\ e. the address contains at least one dot
(\f(CW\*(C`.\*(C'\fR)), the square brackets can be omitted, resulting in the (simpler)
-\&\f(CW\*(C`\f(CIaddress\f(CW\f(CB:\f(CW\f(CIport\f(CW\*(C'\fR pattern. The default port is \fB42217/udp\fR. If you
+\&\f(CW\*(C`\f(CIaddress\f(CW\f(CB:\f(CW\f(CIport\f(CW\*(C'\fR pattern. The default port is \fB42217/tcp\fR. If you
specify a network socket, it is mandatory to read the
\&\*(L"\s-1SECURITY\s0 \s-1CONSIDERATIONS\s0\*(R" section.
.Sp
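Review bot: in the getaddrinfo line, the function is marked up as a code literal, while the other references added in this patch (chmod(1), unix(7), hosts_access(5)) use the italic man page form; writing it as getaddrinfo(3) in that form would be consistent and tells the reader which page to open. The default port correction from 42217/udp to 42217/tcp deserves a mention in the commit message, since administrators who wrote packet filter rules from the old text will have the wrong protocol.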
.Sp
If the \fB\-l\fR option is not specified the default address,
\&\f(CW\*(C`unix:/tmp/rrdcached.sock\*(C'\fR, will be used.
+.IP "\fB\-s\fR \fIgroup_name\fR|\fIgid\fR" 4
+.IX Item "-s group_name|gid"
+Set the group permissions of a \s-1UNIX\s0 domain socket. The option accepts either
+a numeric group id or group name. That group will then have both read and write
+permissions (the socket will have file permissions 0750) for the socket and,
+therefore, is able to send commands to the daemon. This
+may be useful in cases where you cannot easily run all \s-1RRD\s0 processes with the same
+user privileges (e.g. graph generating \s-1CGI\s0 scripts that typically run in the
+permission context of the web server).
+.Sp
+This option affects the \fIfollowing\fR \s-1UNIX\s0 socket addresses (the following
+\&\fB\-l\fR options) or the default socket (if no \fB\-l\fR options have been
+specified), i.e., you may specify different settings for different
+sockets.
+.Sp
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+.IP "\fB\-m\fR \fImode\fR" 4
+.IX Item "-m mode"
+Set the file permissions of a \s-1UNIX\s0 domain socket. The option accepts an octal
+number representing the bit pattern for the mode (see \fIchmod\fR\|(1) for
+details).
+.Sp
+Please note that not all systems honor this setting. On Linux, read/write
+permissions are required to connect to a \s-1UNIX\s0 socket. However, many
+BSD-derived systems ignore permissions for \s-1UNIX\s0 sockets. See \fIunix\fR\|(7) for
+details.
+.Sp
+This option affects the \fIfollowing\fR \s-1UNIX\s0 socket addresses (the following
+\&\fB\-l\fR options) or the default socket (if no \fB\-l\fR options have been
+specified), i.e., you may specify different settings for different
+sockets.
+.Sp
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
.IP "\fB\-P\fR \fIcommand\fR[,\fIcommand\fR[,...]]" 4
.IX Item "-P command[,command[,...]]"
Specifies the commands accepted via a network socket. This allows
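Review bot: the -s text contradicts itself: it says the group "will then have both read and write permissions" and in the same sentence that "the socket will have file permissions 0750", but mode 0750 gives the group read and execute, not write. The -m text added below states that on Linux read/write permission is required to connect, so with 0750 the group could not connect there; the documented mode should match what the code sets (0760 or 0770 if the group is meant to have write access). It would also help to say how -s and -m combine when both precede the same -l, and, given the note that many BSD-derived systems ignore socket permissions, to recommend placing the socket in a directory with restricted permissions as the portable control.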
\& rrdcached \-P FLUSH,PENDING $MORE_ARGUMENTS
.Ve
.Sp
-The \fB\-P\fR option effects the \fIfollowing\fR socket addresses (the following \fB\-l\fR
-options). In the following example, only the IPv4 network socket (address
+The \fB\-P\fR option affects the \fIfollowing\fR socket addresses (the following \fB\-l\fR
+options) or the default socket (if no \fB\-l\fR options have been
+specified). In the following example, only the IPv4 network socket (address
\&\f(CW10.0.0.1\fR) will be restricted to the \f(CW\*(C`FLUSH\*(C'\fR and \f(CW\*(C`PENDING\*(C'\fR commands:
.Sp
.Vb 1
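Review bot: the added "or the default socket (if no -l options have been specified)" clause does not fit the option's opening sentence, which still reads "Specifies the commands accepted via a network socket", because the default address documented earlier is unix:/tmp/rrdcached.sock, a UNIX domain socket. Either the opening sentence should be widened to cover UNIX sockets, or the text should state explicitly whether -P restricts commands on UNIX sockets too, so that readers do not assume the default socket is unrestricted or restricted when the opposite holds.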
.IX Header "SECURITY CONSIDERATIONS"
.SS "Authentication"
.IX Subsection "Authentication"
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
.PP
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the \fIhosts_access\fR\|(5) man pages.
.PP
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated \s-1VLAN\s0 or \s-1VPN\s0 for
this, using network sockets is probably a bad idea!
.SS "Authorization"
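Review bot: the replacement paragraphs drop the removed statement that the protocol has no encryption and that securing the traffic is the administrator's responsibility, and libwrap does not change that; keep a sentence saying so. hosts_access filters by client host or address, which is access control rather than authentication, so under the "Authentication" heading the text should say that clients are still not authenticated even with libwrap, and should name the daemon string to use in the hosts_access rules. The daemon is also called "rrdcache daemon" three times here while the rest of the page uses rrdcached.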