From 22f593b175d8732d141566d1b742ec5d6c0de2d0 Mon Sep 17 00:00:00 2001
From: oetiker
Date: Tue, 9 Nov 2010 16:37:18 +0000
Subject: [PATCH] add hosts_access support to rrdcached -- Shaun Reitan mailinglists@unix-scripts.com
git-svn-id: svn://svn.oetiker.ch/rrdtool/branches/1.4@2145 a5681a0c-68f1-0310-ab6d-d61299d08faa
---
 program/configure.ac | 21 +++++++++++++++++++++
 program/doc/rrdcached.pod | 13 +++++++------
 program/src/rrd_daemon.c | 19 +++++++++++++++++++
 3 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/program/configure.ac b/program/configure.ac
index 808cb95c..fc9d7408 100644
--- a/program/configure.ac
+++ b/program/configure.ac
@@ -514,6 +514,26 @@ AC_ARG_ENABLE(libdbi,AS_HELP_STRING([--disable-libdbi],[do not build in support
 ])
 AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no])
+AC_ARG_ENABLE(libwrap,
+ AS_HELP_STRING([--disable-libwrap],
+ [do not build in support for libwrap (tcp wrapper)]),
+ [have_libwrap=no],[
+ XXX=$LIBS
+ LIBS="$LIBS -lwrap"
+ AC_MSG_CHECKING(for libwrap)
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]])
+ ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
+ AC_MSG_RESULT([yes])
+ have_libwrap=yes
+ ],[LIBS=$XXX
+ AC_MSG_RESULT([no])
+ have_libwrap=no
+ ]
+ )
+])
+AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
+
 AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
@@ -960,6 +980,7 @@ echo " Build rrdcgi: $enable_rrdcgi"
 echo " Build librrd MT: $enable_pthread"
 echo " Use gettext: $USE_NLS"
 echo " With libDBI: $have_libdbi"
+echo " With libwrap: $have_libwrap"
 echo
 echo " Libraries: $ALL_LIBS"
 echo
diff --git a/program/doc/rrdcached.pod b/program/doc/rrdcached.pod
index 13712df3..e6cf910f 100644
--- a/program/doc/rrdcached.pod
+++ b/program/doc/rrdcached.pod
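Review bot: `[have_libwrap=no]` is the action-if-given branch of AC_ARG_ENABLE, so it runs for `--enable-libwrap` as well as `--disable-libwrap` and an explicit enable switches the feature off; test `$enableval` instead, e.g. `[test "x$enableval" = xno && have_libwrap=no]`, and run the link check only while `have_libwrap` is not `no` (the libdbi block above appears to have the same shape). An administrator who configures with `--enable-libwrap` expecting hosts_access enforcement and gets a silent `no` from a failed link test ships a daemon that accepts every connection, so when the option was requested explicitly the check should end in `AC_MSG_ERROR([libwrap requested but not found])` rather than falling back. The `hosts_access(NULL)` test program may also fail to link on libwrap builds that expect the application to define `allow_severity`/`deny_severity` (the hosts_access(3) contract), and the rrd_daemon.c hunks do not define them either; if that applies here, both the test program and the daemon need `int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING;`. Minor: `#include "tcpd.h"` should be `<tcpd.h>` for a system header, and `XXX` is an uninformative name for the saved `$LIBS` (`save_LIBS`).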
@@ -399,14 +399,15 @@ ASCII art rocks. =head2 Authentication -There is no authentication. +If your rrdtool installation was built without libwrap there is no form of +authentication for clients connecting to the rrdcache daemon! -The client/server protocol does not yet have any authentication mechanism. It -is likely that authentication and encryption will be added in a future version, -but for the time being it is the administrator's responsibility to secure the -traffic from/to the daemon! +If your rrdtool installation was built with libwrap then you can use +hosts_access to restrict client access to the rrdcache daemon. For more +information on how to use hosts_access to restrict access to the rrdcache +daemon you should read the hosts_access(5) man pages. -It is highly recommended to install a packet filter or similar mechanism to +It is still highly recommended to install a packet filter or similar mechanism to prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea! diff --git a/program/src/rrd_daemon.c b/program/src/rrd_daemon.c index f340eccb..3f78ca7f 100644 --- a/program/src/rrd_daemon.c +++ b/program/src/rrd_daemon.c @@ -109,6 +109,10 @@ #include #include +#ifdef HAVE_LIBWRAP +#include +#endif /* HAVE_LIBWRAP */ + #include /* }}} */ 
@@ -2204,6 +2208,21 @@ static void *connection_thread_main (void *args) /* {{{ */
 }
 pthread_mutex_lock (&connection_threads_lock);
+#ifdef HAVE_LIBWRAP
+ /* LIBWRAP does not support multiple threads! By putting this code
+ inside pthread_mutex_lock we do not have to worry about request_info
+ getting overwritten by another thread.
+ */
+ struct request_info req;
+ request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL );
+ fromhost(&req);
+ if(!hosts_access(&req)) {
+ RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req));
+ pthread_mutex_unlock (&connection_threads_lock);
+ close_connection(sock);
+ return NULL;
+ }
+#endif /* HAVE_LIBWRAP */
 connection_threads_num++;
 pthread_mutex_unlock (&connection_threads_lock);
-- 
2.30.2
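Review bot: Holding `connection_threads_lock` across `fromhost()` stalls every other connection thread's startup for the duration of the client lookup (libwrap typically performs a reverse DNS query there), so one slow or unresponsive resolver lets a single connection delay all others; a dedicated mutex around the libwrap calls, taken before `connection_threads_lock` rather than inside it, keeps the serialization the comment asks for without widening that critical section. `eval_client()` reads the same static libwrap state, so the log call has to stay inside that critical section, as below. The daemon name passed as RQ_DAEMON (`"rrdcache"`; the trailing `\0` in `"rrdcache\0"` is redundant, string literals are already NUL-terminated) is what `hosts.allow`/`hosts.deny` entries must match, and neither this hunk nor the rrdcached.pod hunk records it, so a comment such as `/* daemon name that hosts.allow / hosts.deny entries must use */` and a line in the pod would help administrators write a rule that actually applies. Whether `fd` is the accepted client socket rather than the listening one cannot be checked from this hunk, since connection_thread_main begins outside it; please confirm, because a hosts_access check on the listener would evaluate the wrong peer.
```c
#ifdef HAVE_LIBWRAP
  /* libwrap keeps request state in static storage and is not thread-safe,
     so serialize all calls into it with a mutex of its own instead of
     connection_threads_lock: fromhost() may block on a client lookup, and
     holding the shared lock for that stalls every other connection thread. */
  static pthread_mutex_t libwrap_lock = PTHREAD_MUTEX_INITIALIZER;
  struct request_info req;
  int allowed;

  pthread_mutex_lock (&libwrap_lock);
  /* daemon name that hosts.allow / hosts.deny entries must use */
  request_init (&req, RQ_DAEMON, "rrdcache", RQ_FILE, fd, NULL);
  fromhost (&req);
  allowed = hosts_access (&req);
  if (!allowed)
    RRDD_LOG (LOG_INFO, "refused connection from %s", eval_client (&req));
  pthread_mutex_unlock (&libwrap_lock);
  if (!allowed)
  {
    close_connection (sock);
    return NULL;
  }
#endif /* HAVE_LIBWRAP */
  pthread_mutex_lock (&connection_threads_lock);
  connection_threads_num++;
  /* … unchanged: unlock and the rest of connection_thread_main … */
```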