author | oetiker <oetiker@a5681a0c-68f1-0310-ab6d-d61299d08faa> | |
Tue, 9 Nov 2010 16:37:18 +0000 (16:37 +0000) | ||
committer | oetiker <oetiker@a5681a0c-68f1-0310-ab6d-d61299d08faa> | |
Tue, 9 Nov 2010 16:37:18 +0000 (16:37 +0000) |
configure.ac | patch | blob | history | |
doc/rrdcached.pod | patch | blob | history | |
src/rrd_daemon.c | patch | blob | history |
diff --git a/configure.ac b/configure.ac
index 04052ad4c3031bdf3c852ca8d8658967bcb93046..9d9914b506597ac5afb4e651e77b4afa56d4e1bf 100644 (file)
--- a/configure.ac
+++ b/configure.ac
AC_ARG_ENABLE(rrdcgi,AS_HELP_STRING([--disable-rrdcgi],[disable building of rrdcgi]),
[],[enable_rrdcgi=yes])
+AC_ARG_ENABLE(libwrap,
+ AS_HELP_STRING([--disable-libwrap],
+ [do not build in support for libwrap (tcp wrapper)]),
+ [have_libwrap=no],[
+ XXX=$LIBS
+ LIBS="$LIBS -lwrap"
+ AC_MSG_CHECKING(for libwrap)
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]])
+ ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
+ AC_MSG_RESULT([yes])
+ have_libwrap=yes
+ ],[LIBS=$XXX
+ AC_MSG_RESULT([no])
+ have_libwrap=no
+ ]
+ )
+])
+AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
+
+AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
+
dnl Check if we run on a system that has fonts
AC_ARG_WITH(rrd-default-font,
[ --with-rrd-default-font=[OPTIONS] set the full path to your default font.],
])
AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no])
-AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
CORE_LIBS="$LIBS"
echo " Build librrd MT: $enable_pthread"
echo " Use gettext: $USE_NLS"
echo " With libDBI: $have_libdbi"
+echo " With libwrap: $have_libwrap"
echo
echo " Libraries: $ALL_LIBS"
echo
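Review bot: The link test at L24–L26 calls `hosts_access(NULL)` from a program that does not define `allow_severity` and `deny_severity`; on libwrap builds where those globals are resolved by the application rather than the library, the test fails to link and the feature is silently reported as "no", so the test program should declare `int allow_severity; int deny_severity;` before the call. A second issue is that on the success path `LIBS` keeps `-lwrap` permanently, and `CORE_LIBS="$LIBS"` at L45 then carries it into whatever CORE_LIBS links (presumably librrd and every tool, not just the daemon); restoring `LIBS=$XXX` in both branches and exporting the dependency separately with `AC_SUBST([LIBWRAP_LIBS], [-lwrap])` keeps the dependency confined to rrdcached. `XXX` as the save variable is also unhelpfully named; `saved_LIBS` reads as what it is.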
diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod
index 56a032116167a8b1c1e989e818ff7e30374f0ee1..4c8048cab700f019a3a09a987bbc97094f46975d 100644 (file)
--- a/doc/rrdcached.pod
+++ b/doc/rrdcached.pod
=head2 Authentication
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon. For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the hosts_access(5) man pages.
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for
this, using network sockets is probably a bad idea!
diff --git a/src/rrd_daemon.c b/src/rrd_daemon.c
index 0dc8e0b33f28c7f38be82cc513e727b26b92366e..0586a8de7efbf82db37bd8a07ee8ef4f97bfd6cb 100644 (file)
--- a/src/rrd_daemon.c
+++ b/src/rrd_daemon.c
#include <libgen.h>
#include <grp.h>
+#ifdef HAVE_LIBWRAP
+#include <tcpd.h>
+#endif /* HAVE_LIBWRAP */
+
#include <glib-2.0/glib.h>
/* }}} */
}
pthread_mutex_lock (&connection_threads_lock);
+#ifdef HAVE_LIBWRAP
+ /* LIBWRAP does not support multiple threads! By putting this code
+ inside pthread_mutex_lock we do not have to worry about request_info
+ getting overwritten by another thread.
+ */
+ struct request_info req;
+ request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL );
+ fromhost(&req);
+ if(!hosts_access(&req)) {
+ RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req));
+ pthread_mutex_unlock (&connection_threads_lock);
+ close_connection(sock);
+ return NULL;
+ }
+#endif /* HAVE_LIBWRAP */
connection_threads_num++;
pthread_mutex_unlock (&connection_threads_lock);
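Review bot: The string passed as RQ_DAEMON at L93 is the name that hosts_access() matches against the daemon field of hosts.allow/hosts.deny, so `"rrdcache"` (the `\0` inside the literal is redundant, C already terminates it) is the identifier administrators must write, yet neither this hunk nor the rrdcached.pod change states it; add `/* daemon name matched against hosts.allow/hosts.deny entries; keep in sync with rrdcached.pod */` above `request_init` and name it in the pod's Authentication section. Classic tcp_wrappers also expects the application to define `allow_severity`/`deny_severity` (the syslog levels it logs accepts and refusals at); if rrd_daemon.c does not define them elsewhere, `int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING;` under the same `#ifdef` avoids an unresolved-symbol link failure. Since this check runs for every accepted connection, it presumably also runs for UNIX-domain sockets, where `fromhost()` has no INET peer to evaluate; confirm that a restrictive hosts.deny does not lock out local clients, and document the result. The enclosing function begins before this hunk, so `fd` versus `sock` at L93 and L98 could not be checked here.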