From: oetiker Date: Tue, 9 Nov 2010 16:37:18 +0000 (+0000) Subject: add hosts_access support to rrdcached -- Shaun Reitan mailinglists@unix-scripts.com X-Git-Url: https://git.octo.it/?p=rrdtool.git;a=commitdiff_plain;h=21bf05343fdc263596289485c3d506ed613f2c75 add hosts_access support to rrdcached -- Shaun Reitan mailinglists@unix-scripts.com git-svn-id: svn://svn.oetiker.ch/rrdtool/trunk/program@2145 a5681a0c-68f1-0310-ab6d-d61299d08faa --- diff --git a/configure.ac b/configure.ac index 04052ad..9d9914b 100644 --- a/configure.ac +++ b/configure.ac @@ -102,6 +102,28 @@ AC_DEFINE_UNQUOTED(RRDGRAPH_YLEGEND_ANGLE,${RRDGRAPH_YLEGEND_ANGLE:-90.0}, AC_ARG_ENABLE(rrdcgi,AS_HELP_STRING([--disable-rrdcgi],[disable building of rrdcgi]), [],[enable_rrdcgi=yes]) +AC_ARG_ENABLE(libwrap, + AS_HELP_STRING([--disable-libwrap], + [do not build in support for libwrap (tcp wrapper)]), + [have_libwrap=no],[ + XXX=$LIBS + LIBS="$LIBS -lwrap" + AC_MSG_CHECKING(for libwrap) + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]]) + ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed]) + AC_MSG_RESULT([yes]) + have_libwrap=yes + ],[LIBS=$XXX + AC_MSG_RESULT([no]) + have_libwrap=no + ] + ) +]) +AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no]) + +AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no]) + dnl Check if we run on a system that has fonts AC_ARG_WITH(rrd-default-font, [ --with-rrd-default-font=[OPTIONS] set the full path to your default font.], @@ -515,7 +537,6 @@ AC_ARG_ENABLE(libdbi,AS_HELP_STRING([--disable-libdbi],[do not build in support ]) AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no]) -AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no]) CORE_LIBS="$LIBS" @@ -961,6 +982,7 @@ echo " Build rrdcgi: $enable_rrdcgi" echo " Build librrd MT: $enable_pthread" echo " Use gettext: $USE_NLS" echo " With libDBI: $have_libdbi" +echo " With libwrap: $have_libwrap" echo echo " Libraries: $ALL_LIBS" echo 
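Review bot: The action-if-given branch of the new AC_ARG_ENABLE(libwrap, ...) sets `have_libwrap=no` whenever the option appears on the command line at all, so `--enable-libwrap` disables the probe exactly like `--disable-libwrap` does, and an administrator who explicitly asked for access control gets a daemon with none and only the summary line to notice it. Record `$enableval` instead, run the probe unless it is `no`, and fail with AC_MSG_ERROR when libwrap was explicitly requested but not found, so a security feature cannot degrade silently. The link test should also define `allow_severity`/`deny_severity`, which tcpd.h expects the linking program to provide; without them the probe can fail on libwrap builds that leave those symbols undefined, again dropping the feature without a word. Separately, on success `-lwrap` remains in LIBS and therefore flows into `CORE_LIBS="$LIBS"` in the following hunk, linking every rrdtool binary against libwrap rather than only rrdcached — a per-program variable would be cleaner, though fixing that reaches beyond this hunk.

```m4
AC_ARG_ENABLE(libwrap,
  AS_HELP_STRING([--disable-libwrap],
    [do not build in support for libwrap (tcp wrapper)]),
  [enable_libwrap=$enableval],[enable_libwrap=auto])
have_libwrap=no
if test "$enable_libwrap" != no; then
  XXX=$LIBS
  LIBS="$LIBS -lwrap"
  AC_MSG_CHECKING(for libwrap)
  AC_LINK_IFELSE(
    [AC_LANG_PROGRAM([[#include <tcpd.h>
int allow_severity; int deny_severity;]], [[hosts_access(NULL)]])],
    [AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
     AC_MSG_RESULT([yes])
     have_libwrap=yes],
    [LIBS=$XXX
     AC_MSG_RESULT([no])
     dnl an explicit --enable-libwrap must not silently build a daemon without access control
     if test "$enable_libwrap" = yes; then
       AC_MSG_ERROR([--enable-libwrap given but libwrap (tcpd.h / -lwrap) was not found])
     fi])
fi
dnl … unchanged: AM_CONDITIONAL(BUILD_LIBWRAP, ...) …
```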
diff --git a/doc/rrdcached.pod b/doc/rrdcached.pod index 56a0321..4c8048c 100644 --- a/doc/rrdcached.pod +++ b/doc/rrdcached.pod @@ -422,14 +422,15 @@ ASCII art rocks. =head2 Authentication -There is no authentication. +If your rrdtool installation was built without libwrap there is no form of +authentication for clients connecting to the rrdcache daemon! -The client/server protocol does not yet have any authentication mechanism. It -is likely that authentication and encryption will be added in a future version, -but for the time being it is the administrator's responsibility to secure the -traffic from/to the daemon! +If your rrdtool installation was built with libwrap then you can use +hosts_access to restrict client access to the rrdcache daemon. For more +information on how to use hosts_access to restrict access to the rrdcache +daemon you should read the hosts_access(5) man pages. -It is highly recommended to install a packet filter or similar mechanism to +It is still highly recommended to install a packet filter or similar mechanism to prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea! diff --git a/src/rrd_daemon.c b/src/rrd_daemon.c index 0dc8e0b..0586a8d 100644 --- a/src/rrd_daemon.c +++ b/src/rrd_daemon.c @@ -109,6 +109,10 @@ #include #include +#ifdef HAVE_LIBWRAP +#include +#endif /* HAVE_LIBWRAP */ + #include /* }}} */ 
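Review bot: tcpd.h declares `allow_severity` and `deny_severity` as externs that the program linking libwrap is expected to define, and nothing in the visible hunks defines them; unless they already exist elsewhere in rrd_daemon.c, linking rrdcached against a libwrap that leaves them undefined fails, and where it does link the syslog severity libwrap uses for its own allow/deny messages is whatever happens to be there. Define them next to the new include, so the daemon owns the values: `#ifdef HAVE_LIBWRAP` / `int allow_severity = LOG_INFO;` / `int deny_severity = LOG_WARNING;` / `#endif /* HAVE_LIBWRAP */`. The header name after the added `#include` appears to have been lost in this rendering of the hunk; it should read `#include <tcpd.h>`. The surrounding include list continues outside the hunk.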
@@ -2636,6 +2640,21 @@ static void *connection_thread_main (void *args) /* {{{ */ } pthread_mutex_lock (&connection_threads_lock); +#ifdef HAVE_LIBWRAP + /* LIBWRAP does not support multiple threads! By putting this code + inside pthread_mutex_lock we do not have to worry about request_info + getting overwritten by another thread. + */ + struct request_info req; + request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL ); + fromhost(&req); + if(!hosts_access(&req)) { + RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req)); + pthread_mutex_unlock (&connection_threads_lock); + close_connection(sock); + return NULL; + } +#endif /* HAVE_LIBWRAP */ connection_threads_num++; pthread_mutex_unlock (&connection_threads_lock);
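Review bot: `fromhost(&req)` and `hosts_access(&req)` run while connection_threads_lock is held, so any reverse-DNS or ident lookup libwrap performs for a new client stalls every other connection thread that needs that lock — a remote peer whose address has a slow or unresponsive PTR record can hold up the whole accept path, which turns an access-control feature into a denial-of-service lever. Serialize the libwrap calls on a dedicated mutex taken before connection_threads_lock instead, and keep `eval_client()` inside that mutex because it returns libwrap-owned static buffers. The daemon name handed to request_init is `"rrdcache"` (the trailing `\0` in the literal is redundant), not the program name rrdcached; hosts.allow/hosts.deny rules key on that string, so the pod should state it explicitly. If the daemon also listens on UNIX sockets, those connections pass through the same hosts_access() check, and with the common `ALL: ALL` hosts.deny default local clients would be refused unless rrdcache is explicitly allowed — worth confirming and documenting. connection_thread_main begins and ends outside the hunk.

```c
#ifdef HAVE_LIBWRAP
  /* libwrap's request_info/fromhost() state is not thread safe. Serialize
   * the libwrap calls on their own lock so a slow reverse lookup inside
   * fromhost() does not stall every other connection thread behind
   * connection_threads_lock. eval_client() hands back libwrap-owned static
   * buffers, so it must be used before the lock is released. */
  static pthread_mutex_t libwrap_lock = PTHREAD_MUTEX_INITIALIZER;
  struct request_info req;
  int allowed;

  pthread_mutex_lock (&libwrap_lock);
  request_init (&req, RQ_DAEMON, "rrdcache", RQ_FILE, fd, NULL);
  fromhost (&req);
  allowed = hosts_access (&req);
  if (!allowed)
    RRDD_LOG (LOG_WARNING, "refused connection from %s", eval_client (&req));
  pthread_mutex_unlock (&libwrap_lock);

  if (!allowed)
  {
    close_connection (sock);
    return NULL;
  }
#endif /* HAVE_LIBWRAP */

  pthread_mutex_lock (&connection_threads_lock);
  /* … unchanged: connection_threads_num++ and unlock … */
```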