![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
diff --git a/doc/rrdcached.1 b/doc/rrdcached.1
index c3d2e4e6e204106c876c97b3fb4a7f794c219800..b347fe87b2068c860d95bb79abe13e71bcdf9b4c 100644 (file)
--- a/doc/rrdcached.1
+++ b/doc/rrdcached.1
-.\" Automatically generated by Pod::Man 2.1801 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "RRDCACHED 1"
-.TH RRDCACHED 1 "2010-03-22" "1.4.3" "rrdtool"
+.TH RRDCACHED 1 "2013-05-23" "1.4.8" "rrdtool"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\f(CW\*(C`\f(CB[\f(CW\f(CIaddress\f(CW\f(CB]:\f(CW\f(CIport\f(CW\*(C'\fR. If the address is an IPv4 address or a fully
qualified domain name (i.\ e. the address contains at least one dot
(\f(CW\*(C`.\*(C'\fR)), the square brackets can be omitted, resulting in the (simpler)
-\&\f(CW\*(C`\f(CIaddress\f(CW\f(CB:\f(CW\f(CIport\f(CW\*(C'\fR pattern. The default port is \fB42217/udp\fR. If you
+\&\f(CW\*(C`\f(CIaddress\f(CW\f(CB:\f(CW\f(CIport\f(CW\*(C'\fR pattern. The default port is \fB42217/tcp\fR. If you
specify a network socket, it is mandatory to read the
\&\*(L"\s-1SECURITY\s0 \s-1CONSIDERATIONS\s0\*(R" section.
.Sp
permission context of the web server).
.Sp
This option affects the \fIfollowing\fR \s-1UNIX\s0 socket addresses (the following
-\&\fB\-l\fR options), i.e., you may specify different settings for different
+\&\fB\-l\fR options) or the default socket (if no \fB\-l\fR options have been
+specified), i.e., you may specify different settings for different
sockets.
.Sp
The default is not to change ownership or permissions of the socket and, thus,
@@ -218,7 +219,8 @@ BSD-derived systems ignore permissions for \s-1UNIX\s0 sockets. See \fIunix\fR\|
details.
.Sp
This option affects the \fIfollowing\fR \s-1UNIX\s0 socket addresses (the following
-\&\fB\-l\fR options), i.e., you may specify different settings for different
+\&\fB\-l\fR options) or the default socket (if no \fB\-l\fR options have been
+specified), i.e., you may specify different settings for different
sockets.
.Sp
The default is not to change ownership or permissions of the socket and, thus,
.Ve
.Sp
The \fB\-P\fR option affects the \fIfollowing\fR socket addresses (the following \fB\-l\fR
-options). In the following example, only the IPv4 network socket (address
+options) or the default socket (if no \fB\-l\fR options have been
+specified). In the following example, only the IPv4 network socket (address
\&\f(CW10.0.0.1\fR) will be restricted to the \f(CW\*(C`FLUSH\*(C'\fR and \f(CW\*(C`PENDING\*(C'\fR commands:
.Sp
.Vb 1
.IX Header "SECURITY CONSIDERATIONS"
.SS "Authentication"
.IX Subsection "Authentication"
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
.PP
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon (rrdcached). For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the \fIhosts_access\fR\|(5) man pages.
.PP
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
prevent unauthorized connections. Unless you have a dedicated \s-1VLAN\s0 or \s-1VPN\s0 for
this, using network sockets is probably a bad idea!
.SS "Authorization"