![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/doc/rrdcached.html b/doc/rrdcached.html
index 1ad399ac6f643f751ecc133be2c43f43cccf7e02..bd847902c75ba56a0de156bc927547610366d208 100644 (file)
--- a/doc/rrdcached.html
+++ b/doc/rrdcached.html
<p><strong>rrdcached</strong>
[<strong>-P</strong> <em>permissions</em>]
[<strong>-l</strong> <em>address</em>]
+[<strong>-s</strong> <em>group</em>]
[<strong>-w</strong> <em>timeout</em>]
[<strong>-z</strong> <em>delay</em>]
[<strong>-f</strong> <em>timeout</em>]
<p>Tells the daemon to bind to <em>address</em> and accept incoming connections on that
socket. If <em>address</em> begins with <code>unix:</code>, everything following that prefix is
interpreted as the path to a UNIX domain socket. Otherwise the address or node
-name are resolved using getaddrinfo.</p>
+name are resolved using <code>getaddrinfo()</code>.</p>
<p>For network sockets, a port may be specified by using the form
<code>[address]:port</code>. If the address is an IPv4 address or a fully
qualified domain name (i. e. the address contains at least one dot
(<code>.</code>)), the square brackets can be omitted, resulting in the (simpler)
-<code>address:port</code> pattern. The default port is <strong>42217/udp</strong>. If you
+<code>address:port</code> pattern. The default port is <strong>42217/tcp</strong>. If you
specify a network socket, it is mandatory to read the
<a href="#security_considerations">SECURITY CONSIDERATIONS</a> section.</p>
<p>The following formats are accepted. Please note that the address of the UNIX
<p>If the <strong>-l</strong> option is not specified the default address,
<code>unix:/tmp/rrdcached.sock</code>, will be used.</p>
</dd>
+<dt><strong><a name="s_group_name_gid" class="item"><strong>-s</strong> <em>group_name</em>|<em>gid</em></a></strong></dt>
+
+<dd>
+<p>Set the group permissions of a UNIX domain socket. The option accepts either
+a numeric group id or group name. That group will then have both read and write
+permissions (the socket will have file permissions 0750) for the socket and,
+therefore, is able to send commands to the daemon. This
+may be useful in cases where you cannot easily run all RRD processes with the same
+user privileges (e.g. graph generating CGI scripts that typically run in the
+permission context of the web server).</p>
+<p>This option affects the <em>following</em> UNIX socket addresses (the following
+<strong>-l</strong> options) or the default socket (if no <strong>-l</strong> options have been
+specified), i.e., you may specify different settings for different
+sockets.</p>
+<p>The default is not to change ownership or permissions of the socket and, thus,
+use the system default.</p>
+</dd>
+<dt><strong><a name="m_mode" class="item"><strong>-m</strong> <em>mode</em></a></strong></dt>
+
+<dd>
+<p>Set the file permissions of a UNIX domain socket. The option accepts an octal
+number representing the bit pattern for the mode (see <em>chmod(1)</em> for
+details).</p>
+<p>Please note that not all systems honor this setting. On Linux, read/write
+permissions are required to connect to a UNIX socket. However, many
+BSD-derived systems ignore permissions for UNIX sockets. See <em>unix(7)</em> for
+details.</p>
+<p>This option affects the <em>following</em> UNIX socket addresses (the following
+<strong>-l</strong> options) or the default socket (if no <strong>-l</strong> options have been
+specified), i.e., you may specify different settings for different
+sockets.</p>
+<p>The default is not to change ownership or permissions of the socket and, thus,
+use the system default.</p>
+</dd>
<dt><strong><a name="p_command_command" class="item"><strong>-P</strong> <em>command</em>[,<em>command</em>[,...]]</a></strong></dt>
<dd>
For example, to allow the <code>FLUSH</code> and <code>PENDING</code> commands one could specify:</p>
<pre>
rrdcached -P FLUSH,PENDING $MORE_ARGUMENTS</pre>
-<p>The <strong>-P</strong> option effects the <em>following</em> socket addresses (the following <strong>-l</strong>
-options). In the following example, only the IPv4 network socket (address
+<p>The <strong>-P</strong> option affects the <em>following</em> socket addresses (the following <strong>-l</strong>
+options) or the default socket (if no <strong>-l</strong> options have been
+specified). In the following example, only the IPv4 network socket (address
<code>10.0.0.1</code>) will be restricted to the <code>FLUSH</code> and <code>PENDING</code> commands:</p>
<pre>
rrdcached -l unix:/some/path -P FLUSH,PENDING -l 10.0.0.1</pre>
<p>
</p>
<h2><a name="authentication">Authentication</a></h2>
-<p>There is no authentication.</p>
-<p>The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!</p>
-<p>It is highly recommended to install a packet filter or similar mechanism to
+<p>If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!</p>
+<p>If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the <code>hosts_access(5)</code> man pages.</p>
+<p>It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for
this, using network sockets is probably a bad idea!</p>
<p>