Index: src/rrd_daemon.c
===================================================================
--- src/rrd_daemon.c (revision 2141)
+++ src/rrd_daemon.c (working copy)
@@ -109,6 +109,10 @@
 #include
 #include
+#ifdef HAVE_LIBWRAP
+#include
+#endif /* HAVE_LIBWRAP */
+
 #include /* }}} */
@@ -2636,6 +2640,21 @@
 }
 pthread_mutex_lock (&connection_threads_lock);
+#ifdef HAVE_LIBWRAP
+ /* LIBWRAP does not support multiple threads! By putting this code
+ inside pthread_mutex_lock we do not have to worry about request_info
+ getting overwritten by another thread.
+ */
+ struct request_info req;
+ request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL );
+ fromhost(&req);
+ if(!hosts_access(&req)) {
+ RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req));
+ pthread_mutex_unlock (&connection_threads_lock);
+ close_connection(sock);
+ return NULL;
+ }
+#endif /* HAVE_LIBWRAP */
 connection_threads_num++;
 pthread_mutex_unlock (&connection_threads_lock);
Index: configure.ac
===================================================================
--- configure.ac (revision 2141)
+++ configure.ac (working copy)
@@ -515,6 +515,26 @@
 ])
 AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no])
+AC_ARG_ENABLE(libwrap,
+ AS_HELP_STRING([--disable-libwrap],
+ [do not build in support for libwrap (tcp wrapper)]),
+ [have_libwrap=no],[
+ XXX=$LIBS
+ LIBS="$LIBS -lwrap"
+ AC_MSG_CHECKING(for libwrap)
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]])
+ ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
+ AC_MSG_RESULT([yes])
+ have_libwrap=yes
+ ],[LIBS=$XXX
+ AC_MSG_RESULT([no])
+ have_libwrap=no
+ ]
+ )
+])
+AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
+
 AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
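Review bot: fromhost() is called while connection_threads_lock is held, and fromhost() can block on reverse and forward DNS lookups whenever hosts.allow/hosts.deny name hosts (or PARANOID is in effect), so a single peer whose resolver is slow or unresponsive stalls every other connection thread and anything else that takes that lock. libwrap's static request state does need serialising, but with a lock of its own (`static pthread_mutex_t libwrap_lock = PTHREAD_MUTEX_INITIALIZER;` at file scope) taken around the check and released before connection_threads_lock is acquired, as below. The daemon name passed to request_init, `"rrdcache\0"`, is not the program's name (rrdcached), so an admin who writes `rrdcached: ...` in hosts.allow as hosts_access(5) suggests gets no match; use `"rrdcached"` (the explicit `\0` is redundant in a string literal) or state the exact name in rrdcached.pod. Unix-domain listeners are not exempted and fromhost() is written for IP peers, so how a hosts.deny of `ALL: ALL` treats local-socket clients should be checked before this lands; the enclosing function begins and ends outside the hunk, so I cannot see whether the socket family is available to gate on. Refused connections are security events and are better logged at LOG_WARNING than LOG_INFO.
```c
/* … unchanged: connection setup before the access check … */
#ifdef HAVE_LIBWRAP
  /* libwrap keeps its request state in static buffers, so calls are
   * serialised with a lock of their own.  fromhost() may block on DNS;
   * holding connection_threads_lock across it would stall every other
   * connection thread behind one slow resolver. */
  pthread_mutex_lock (&libwrap_lock);
  struct request_info req;
  request_init (&req, RQ_DAEMON, "rrdcached", RQ_FILE, fd, NULL);
  fromhost (&req);
  if (!hosts_access (&req))
  {
    RRDD_LOG (LOG_WARNING, "refused connection from %s", eval_client (&req));
    pthread_mutex_unlock (&libwrap_lock);
    close_connection (sock);
    return NULL;
  }
  pthread_mutex_unlock (&libwrap_lock);
#endif /* HAVE_LIBWRAP */

  pthread_mutex_lock (&connection_threads_lock);
  connection_threads_num++;
  pthread_mutex_unlock (&connection_threads_lock);
```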
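Review bot: The action-if-given branch of AC_ARG_ENABLE runs for `--enable-libwrap` as well as `--disable-libwrap`, so a user who explicitly asks for tcp-wrapper support gets `have_libwrap=no` and a daemon without the access check, while only the flag-less default ever probes for the library; test `$enableval` instead, as below. The link probe also calls hosts_access() without defining `allow_severity`/`deny_severity`, which libwrap references through tcpd.h, so on platforms that do not ship them as weak symbols the probe fails and support is silently dropped (and unless rrd_daemon.c defines them elsewhere, which I cannot see from this patch, the real link will fail too). Because this is a security control, an explicit `--enable-libwrap` that cannot be satisfied should be an AC_MSG_ERROR rather than a quiet "no" that only appears in the summary. Finally, `-lwrap` is left in the global LIBS on success, so presumably every target in the tree links libwrap, not just rrdcached; capturing it in a substituted `WRAP_LIBS` (to be added to rrdcached's LDADD, outside this patch) and restoring LIBS in both branches keeps it scoped.
```m4
AC_ARG_ENABLE(libwrap,
  AS_HELP_STRING([--disable-libwrap],
    [do not build in support for libwrap (tcp wrapper)]),
  [enable_libwrap=$enableval],[enable_libwrap=auto])
have_libwrap=no
WRAP_LIBS=
if test "x$enable_libwrap" != "xno"; then
  rrd_save_LIBS=$LIBS
  LIBS="$LIBS -lwrap"
  AC_MSG_CHECKING(for libwrap)
  AC_LINK_IFELSE(
    [AC_LANG_PROGRAM([[#include <tcpd.h>
int allow_severity; int deny_severity;]], [[hosts_access(NULL)]])
    ],[AC_MSG_RESULT([yes])
       have_libwrap=yes
       WRAP_LIBS="-lwrap"
       AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
    ],[AC_MSG_RESULT([no])
       if test "x$enable_libwrap" = "xyes"; then
         AC_MSG_ERROR([libwrap was requested with --enable-libwrap but could not be linked])
       fi
    ])
  LIBS=$rrd_save_LIBS
fi
AC_SUBST(WRAP_LIBS)
AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
```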
@@ -961,6 +981,7 @@
 echo " Build librrd MT: $enable_pthread"
 echo " Use gettext: $USE_NLS"
 echo " With libDBI: $have_libdbi"
+echo " With libwrap: $have_libwrap"
 echo
 echo " Libraries: $ALL_LIBS"
 echo
Index: doc/rrdcached.pod
===================================================================
--- doc/rrdcached.pod (revision 2141)
+++ doc/rrdcached.pod (working copy)
@@ -422,14 +422,15 @@
 =head2 Authentication
-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!
-The client/server protocol does not yet have any authentication mechanism. It
-is likely that authentication and encryption will be added in a future version,
-but for the time being it is the administrator's responsibility to secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon. For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the hosts_access(5) man pages.
-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar mechanism to
 prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for this, using network sockets is probably a bad idea!