raw | patch | inline | side by side (parent: 583f6f5)
author | oetiker <oetiker@a5681a0c-68f1-0310-ab6d-d61299d08faa> | Mon, 22 Mar 2010 14:47:35 +0000 (14:47 +0000)
committer | oetiker <oetiker@a5681a0c-68f1-0310-ab6d-d61299d08faa> | Mon, 22 Mar 2010 14:47:35 +0000 (14:47 +0000)
to specify different groups for different sockets. -- Sebastian Harl
git-svn-id: svn://svn.oetiker.ch/rrdtool/trunk/program@2034 a5681a0c-68f1-0310-ab6d-d61299d08faa
doc/rrdcached.pod
src/rrd_daemon.c
diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod
index 22a74e9e1344a6afad6f2b42fb0f40fbc1f91774..e2f7ed8f6af8d4203691da292db82e287cfa4b0e 100644 (file)
--- a/doc/rrdcached.pod
+++ b/doc/rrdcached.pod
Tells the daemon to bind to I<address> and accept incoming connections on that
socket. If I<address> begins with C<unix:>, everything following that prefix is
interpreted as the path to a UNIX domain socket. Otherwise the address or node
-name are resolved using getaddrinfo.
+name are resolved using C<getaddrinfo()>.
For network sockets, a port may be specified by using the form
C<B<[>I<address>B<]:>I<port>>. If the address is an IPv4 address or a fully
If the B<-l> option is not specified the default address,
C<unix:/tmp/rrdcached.sock>, will be used.
-=item B<-s> I<id>
+=item B<-s> I<group_name>|I<gid>
Set the group permissions of the UNIX domain socket. The option accepts either
a numeric group id or group name. That group will then have both read and write
-permissions to the socket and therefore able to send commands to the daemon. This
+permissions (the socket will have file permissions 0750) for the socket and,
+therefore, is able to send commands to the daemon. This
may be useful in cases where you cannot easily run all RRD processes with the same
user privileges (e.g. graph generating CGI scripts that typically run in the
permission context of the web server).
+This option affects the I<following> UNIX socket addresses (the following
+B<-l> options), i.e., you may specify different settings for different
+sockets.
+
+The default is not to change ownership or permissions of the socket and, thus,
+use the system default.
+
=item B<-P> I<command>[,I<command>[,...]]
Specifies the commands accepted via a network socket. This allows
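Review bot: the mode stated in the added B<-s> text, 0750, does not match what the daemon sets. The chmod call in src/rrd_daemon.c uses S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IWGRP, which is 0760, and 0750 would give the group read and execute rather than the read and write access the same sentence promises. Suggest writing 0760 here. The reworded sentence also lost its subject for "is able to send commands"; something like "That group will then have both read and write permissions for the socket (file mode 0760) and is therefore able to send commands to the daemon" reads correctly.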
rrdcached -P FLUSH,PENDING $MORE_ARGUMENTS
-The B<-P> option effects the I<following> socket addresses (the following B<-l>
+The B<-P> option affects the I<following> socket addresses (the following B<-l>
options). In the following example, only the IPv4 network socket (address
C<10.0.0.1>) will be restricted to the C<FLUSH> and C<PENDING> commands:
diff --git a/src/rrd_daemon.c b/src/rrd_daemon.c
index d4cfa940e112bf2c6dc638287cc6294736385129..372adee9deea8e24f41160b794fbb34370fcd6b3 100644 (file)
--- a/src/rrd_daemon.c
+++ b/src/rrd_daemon.c
ssize_t wbuf_len;
uint32_t permissions;
+
+ gid_t socket_group;
};
typedef struct listen_socket_s listen_socket_t;
static listen_socket_t *listen_fds = NULL;
static size_t listen_fds_num = 0;
-static gboolean set_socket_group = FALSE;
-static gid_t socket_group;
-
enum {
RUNNING, /* normal operation */
FLUSHING, /* flushing remaining values */
}
/* tweak the sockets group ownership */
- if (set_socket_group)
+ if (sock->socket_group != (gid_t)-1)
{
- if ( (chown(path, getuid(), socket_group) != 0) ||
+ if ( (chown(path, getuid(), sock->socket_group) != 0) ||
(chmod(path, (S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IWGRP)) != 0) )
{
fprintf(stderr, "rrdcached: failed to set socket group permissions (%s)\n", strerror(errno));
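Review bot: the failure message in this block, "rrdcached: failed to set socket group permissions (%s)", does not say which socket failed. Now that every socket can carry its own group, include path (and ideally the gid) in the message so a bad -s can be matched to the -l it applied to. The sentinel (gid_t)-1 is also spelled out here and again as the initializer in the option parser; a named constant would keep the two in sync.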
char **permissions = NULL;
size_t permissions_len = 0;
+ gid_t socket_group = (gid_t)-1;
+
while ((option = getopt(argc, argv, "gl:s:P:f:w:z:t:Bb:p:Fj:h?")) != -1)
{
switch (option)
}
/* }}} Done adding permissions. */
+ new->socket_group = socket_group;
+
if (!rrd_add_ptr((void ***)&config_listen_address_list,
&config_listen_address_list_len, new))
{
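Review bot: new->socket_group is assigned only on this path, so every other place that builds a listen_socket_t needs the same initialization. The test in the chown block is sock->socket_group != (gid_t)-1, which means a zero-filled structure has socket_group 0, passes the test, and gets chowned to gid 0 and chmodded. Please confirm that the default socket (used when no -l is given, unix:/tmp/rrdcached.sock per the documentation) is set to (gid_t)-1 or to the parsed value, and decide whether -s with no following -l should apply to that default socket or be rejected.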
if (grp)
{
socket_group = grp->gr_gid;
- set_socket_group = TRUE;
}
else
{
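Review bot: in the else branch of the group lookup, make sure the failure is fatal or resets socket_group to (gid_t)-1. With set_socket_group removed, socket_group is carried over to every later -l, so a second -s whose lookup fails would otherwise leave the following sockets with the group from the first -s. The documentation should also say how to return to the system default for a later -l, since the visible code offers no way to unset the value once -s has been given.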