From 1b8f9d75bec60a724fe83b1c28defc13e6637ced Mon Sep 17 00:00:00 2001 From: oetiker Date: Tue, 9 Nov 2010 16:37:18 +0000 Subject: [PATCH] add hosts_access support to rrdcached -- Shaun Reitan mailinglists@unix-scripts.com git-svn-id: svn://svn.oetiker.ch/rrdtool/trunk@2145 a5681a0c-68f1-0310-ab6d-d61299d08faa --- program/configure.ac | 24 +++++++++++++++++++++++- program/doc/rrdcached.pod | 13 +++++++------ program/src/rrd_daemon.c | 19 +++++++++++++++++++ 3 files changed, 49 insertions(+), 7 deletions(-) diff --git a/program/configure.ac b/program/configure.ac index 04052ad4..9d9914b5 100644 --- a/program/configure.ac +++ b/program/configure.ac @@ -102,6 +102,28 @@ AC_DEFINE_UNQUOTED(RRDGRAPH_YLEGEND_ANGLE,${RRDGRAPH_YLEGEND_ANGLE:-90.0}, AC_ARG_ENABLE(rrdcgi,AS_HELP_STRING([--disable-rrdcgi],[disable building of rrdcgi]), [],[enable_rrdcgi=yes]) +AC_ARG_ENABLE(libwrap, + AS_HELP_STRING([--disable-libwrap], + [do not build in support for libwrap (tcp wrapper)]), + [have_libwrap=no],[ + XXX=$LIBS + LIBS="$LIBS -lwrap" + AC_MSG_CHECKING(for libwrap) + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]]) + ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed]) + AC_MSG_RESULT([yes]) + have_libwrap=yes + ],[LIBS=$XXX + AC_MSG_RESULT([no]) + have_libwrap=no + ] + ) +]) +AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no]) + +AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no]) + dnl Check if we run on a system that has fonts AC_ARG_WITH(rrd-default-font, [ --with-rrd-default-font=[OPTIONS] set the full path to your default font.], @@ -515,7 +537,6 @@ AC_ARG_ENABLE(libdbi,AS_HELP_STRING([--disable-libdbi],[do not build in support ]) AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no]) -AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no]) CORE_LIBS="$LIBS" 
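Review bot: `AC_ARG_ENABLE(libwrap, …, [have_libwrap=no], [ … ])` runs the action-if-given for both `--enable-libwrap` and `--disable-libwrap`, so an explicit `--enable-libwrap` turns the feature off and skips the probe; the usual shape is `[],[enable_libwrap=yes]` for the two actions, with `have_libwrap=no` set beforehand and the `XXX=$LIBS … AC_LINK_IFELSE(…)` probe wrapped in `if test "$enable_libwrap" != no; then … fi`. The successful probe also leaves `-lwrap` in `LIBS`, and `CORE_LIBS="$LIBS"` at the end of the hunk then propagates that dependency to everything linked from it rather than only to rrdcached; whether that is intended cannot be seen from the hunk, so it is worth checking against how the other optional libraries are handled. `BUILD_LIBWRAP` is defined but nothing in this patch uses it, and `XXX` as the saved-LIBS variable would read better as `save_LIBS`.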
@@ -961,6 +982,7 @@ echo " Build rrdcgi: $enable_rrdcgi" echo " Build librrd MT: $enable_pthread" echo " Use gettext: $USE_NLS" echo " With libDBI: $have_libdbi" +echo " With libwrap: $have_libwrap" echo echo " Libraries: $ALL_LIBS" echo diff --git a/program/doc/rrdcached.pod b/program/doc/rrdcached.pod index 56a03211..4c8048ca 100644 --- a/program/doc/rrdcached.pod +++ b/program/doc/rrdcached.pod @@ -422,14 +422,15 @@ ASCII art rocks. =head2 Authentication -There is no authentication. +If your rrdtool installation was built without libwrap there is no form of +authentication for clients connecting to the rrdcache daemon! -The client/server protocol does not yet have any authentication mechanism. It -is likely that authentication and encryption will be added in a future version, -but for the time being it is the administrator's responsibility to secure the -traffic from/to the daemon! +If your rrdtool installation was built with libwrap then you can use +hosts_access to restrict client access to the rrdcache daemon. For more +information on how to use hosts_access to restrict access to the rrdcache +daemon you should read the hosts_access(5) man pages. -It is highly recommended to install a packet filter or similar mechanism to +It is still highly recommended to install a packet filter or similar mechanism to prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea! diff --git a/program/src/rrd_daemon.c b/program/src/rrd_daemon.c index 0dc8e0b3..0586a8de 100644 --- a/program/src/rrd_daemon.c +++ b/program/src/rrd_daemon.c @@ -109,6 +109,10 @@ #include #include +#ifdef HAVE_LIBWRAP +#include +#endif /* HAVE_LIBWRAP */ + #include /* }}} */ 
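Review bot: The new `#ifdef HAVE_LIBWRAP` include block defines neither `allow_severity` nor `deny_severity`, which tcpd.h declares as externs that the linking program is expected to provide on platforms where libwrap itself does not; neither the configure probe nor the connection-thread hunk later in this patch defines them, so on such systems the configure test may silently answer "no" or the rrdcached link may fail — verify on the targeted platforms. If they are needed, `int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING;` inside this `#ifdef` block is the conventional definition. The header name on the added `#include` line is not visible in this rendering of the hunk, so I could not confirm it is the tcp-wrappers header.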
@@ -2636,6 +2640,21 @@ static void *connection_thread_main (void *args) /* {{{ */ } pthread_mutex_lock (&connection_threads_lock); +#ifdef HAVE_LIBWRAP + /* LIBWRAP does not support multiple threads! By putting this code + inside pthread_mutex_lock we do not have to worry about request_info + getting overwritten by another thread. + */ + struct request_info req; + request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL ); + fromhost(&req); + if(!hosts_access(&req)) { + RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req)); + pthread_mutex_unlock (&connection_threads_lock); + close_connection(sock); + return NULL; + } +#endif /* HAVE_LIBWRAP */ connection_threads_num++; pthread_mutex_unlock (&connection_threads_lock); -- 2.30.2
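Review bot: The libwrap calls (`fromhost`, `hosts_access`, `eval_client`) may resolve the client's address through reverse DNS, and they run here while `connection_threads_lock` is held, so one client with a slow or unanswered PTR lookup stalls every other connection thread at `pthread_mutex_lock (&connection_threads_lock)` and anything else that takes that lock; a dedicated `static pthread_mutex_t libwrap_lock` around just the `request_init`/`fromhost`/`hosts_access`/`eval_client` sequence keeps the serialisation the comment asks for without widening it to the thread-count bookkeeping. The daemon name handed to `request_init` is `"rrdcache"` (the `\0` in `"rrdcache\0"` is redundant, the literal is already NUL-terminated), and hosts.allow/hosts.deny rules only apply when their daemon field matches it, with a non-matching name falling through to libwrap's default of allowing the connection; either use the conventional `"rrdcached"` or state the name in rrdcached.pod's Authentication section so administrators write rules that actually match. `fd` and `sock` are defined outside the hunk and `connection_thread_main` begins and ends outside it; the refusal path correctly returns before `connection_threads_num++`, but confirm that `close_connection(sock)` is the same teardown the function's normal exit performs.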