[rrd-developers] [PATCH] hosts_access rrdtool patch

Shaun Reitan mailinglists at unix-scripts.com
Wed Nov 3 23:11:55 CET 2010


Here is a complete patch for rrdtool that will add hosts_access support 
to rrdcached.

--
Shaun Retian
Chief Technical Officer
Network Data Center Host, Inc.
http://www.ndchost.com

--------------
Index: src/rrd_daemon.c
===================================================================
--- src/rrd_daemon.c    (revision 2141)
+++ src/rrd_daemon.c    (working copy)
@@ -109,6 +109,10 @@
  #include <libgen.h>
  #include <grp.h>

+#ifdef HAVE_LIBWRAP
+#include <tcpd.h>
+#endif /* HAVE_LIBWRAP */
+
  #include <glib-2.0/glib.h>
  /* }}} */
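
Review bot: the include alone is not enough to link against libwrap; tcpd.h declares `allow_severity` and `deny_severity` as externs that the linking program must define, and none of these hunks add them, so the build fails with an undefined reference to those two symbols. Suggest defining them right after this include, inside the same `#ifdef HAVE_LIBWRAP` block, e.g. `int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING;`.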

@@ -2636,6 +2640,21 @@
    }

    pthread_mutex_lock (&connection_threads_lock);
+#ifdef HAVE_LIBWRAP
+  /* LIBWRAP does not support multiple threads! By putting this code
+     inside pthread_mutex_lock we do not have to worry about request_info
+     getting overwritten by another thread.
+  */
+  struct request_info req;
+  request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL );
+  fromhost(&req);
+  if(!hosts_access(&req)) {
+    RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req));
+    pthread_mutex_unlock (&connection_threads_lock);
+    close_connection(sock);
+    return NULL;
+  }
+#endif /* HAVE_LIBWRAP */
    connection_threads_num++;
    pthread_mutex_unlock (&connection_threads_lock);
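
Review bot: the whole libwrap check, fromhost() and hosts_access() included, runs while connection_threads_lock is held, so a slow client lookup triggered by a hostname pattern in hosts.allow/hosts.deny stalls every other connection thread at this point; a dedicated mutex around only the libwrap calls would give the serialisation the comment asks for without blocking the counter update path. Two smaller points: the request is initialised with `fd` but the refused connection is closed with `sock`, so please confirm both name the same descriptor; and `"rrdcache\0"` carries a redundant explicit terminator, while the name chosen here is what administrators must match in hosts.allow/hosts.deny, so it needs to be stated in the documentation. Finally, `struct request_info req;` is declared after a statement, which needs C99 or a GNU extension; wrapping the block in braces avoids that.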

Index: configure.ac
===================================================================
--- configure.ac        (revision 2141)
+++ configure.ac        (working copy)
@@ -515,6 +515,26 @@
  ])
  AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no])

+AC_ARG_ENABLE(libwrap,
+  AS_HELP_STRING([--disable-libwrap],
+  [do not build in support for libwrap (tcp wrapper)]),
+  [have_libwrap=no],[
+    XXX=$LIBS
+    LIBS="$LIBS -lwrap"
+    AC_MSG_CHECKING(for libwrap)
+    AC_LINK_IFELSE(
+      [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]])
+    ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
+       AC_MSG_RESULT([yes])
+       have_libwrap=yes
+    ],[LIBS=$XXX
+       AC_MSG_RESULT([no])
+       have_libwrap=no
+    ]
+  )
+])
+AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
+
  AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
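
Review bot: the action-if-given argument of AC_ARG_ENABLE runs for both --enable-libwrap and --disable-libwrap, so with this hunk `--enable-libwrap` sets have_libwrap=no and skips detection entirely; test `$enableval` instead, e.g. `AS_IF([test "x$enableval" != xno], [run the link check], [have_libwrap=no])`, and share the check with the not-given branch. The link test also calls hosts_access(NULL) without defining allow_severity and deny_severity, which libwrap references, so it can fail to link on a system where libwrap is installed; add `int allow_severity, deny_severity;` to the prologue next to the include, and use `<tcpd.h>` rather than `"tcpd.h"` for a system header. The `XXX` temporary would read better as `save_LIBS`.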


@@ -961,6 +981,7 @@
  echo "       Build librrd MT: $enable_pthread"
  echo "           Use gettext: $USE_NLS"
  echo "           With libDBI: $have_libdbi"
+echo "          With libwrap: $have_libwrap"
  echo
  echo "             Libraries: $ALL_LIBS"
  echo
Index: doc/rrdcached.pod
===================================================================
--- doc/rrdcached.pod   (revision 2141)
+++ doc/rrdcached.pod   (working copy)
@@ -422,14 +422,15 @@

  =head2 Authentication

-There is no authentication.
+If your rrdtool installation was built without libwrap there is no form of
+authentication for clients connecting to the rrdcache daemon!

-The client/server protocol does not yet have any authentication 
mechanism. It
-is likely that authentication and encryption will be added in a future 
version,
-but for the time being it is the administrator's responsibility to 
secure the
-traffic from/to the daemon!
+If your rrdtool installation was built with libwrap then you can use
+hosts_access to restrict client access to the rrdcache daemon.  For more
+information on how to use hosts_access to restrict access to the rrdcache
+daemon you should read the hosts_access(5) man pages.

-It is highly recommended to install a packet filter or similar mechanism to
+It is still highly recommended to install a packet filter or similar 
mechanism to
  prevent unauthorized connections. Unless you have a dedicated VLAN or 
VPN for
  this, using network sockets is probably a bad idea!
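
Review bot: what this hunk documents is host-based access control, not authentication, so the heading and the first sentence should say so instead of presenting libwrap as a form of authentication; a client on an allowed host is still not authenticated in any way. The text also never states which daemon name to use in hosts.allow/hosts.deny, which is the one thing an administrator needs to write a rule; it should give the name passed to request_init in rrd_daemon.c and a minimal example (an allow line for the trusted host, `rrdcache: ALL` in hosts.deny), and use the program name rrdcached consistently rather than "rrdcache daemon".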

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hosts_access.patch
Url: http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20101103/5b2d16e5/attachment.txt 

