[rrd-developers] [PATCH] hosts_access rrdtool patch
Tobias Oetiker
tobi at oetiker.ch
Tue Nov 9 17:37:44 CET 2010
Hi Shaun,
thanks ... your patch will be in the next release ..
cheers
tobi
Wednesday Shaun Reitan wrote:
> Here is a complete patch for rrdtool that will add hosts_access support to
> rrdcached.
>
> --
> Shaun Reitan
> Chief Technical Officer
> Network Data Center Host, Inc.
> http://www.ndchost.com
>
> --------------
> Index: src/rrd_daemon.c
> ===================================================================
> --- src/rrd_daemon.c (revision 2141)
> +++ src/rrd_daemon.c (working copy)
> @@ -109,6 +109,10 @@
> #include <libgen.h>
> #include <grp.h>
>
> +#ifdef HAVE_LIBWRAP
> +#include <tcpd.h>
> +#endif /* HAVE_LIBWRAP */
> +
> #include <glib-2.0/glib.h>
> /* }}} */
>
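Review bot: `#include <tcpd.h>` brings in the declarations of `allow_severity` and `deny_severity`, but nothing in this patch defines them; libwrap's hosts_access() references them as externs, and on platforms where the library does not ship weak definitions the link of rrdcached fails with undefined references to those two symbols. Define them once in rrd_daemon.c inside the same `#ifdef HAVE_LIBWRAP` block, e.g. `int allow_severity = LOG_INFO;` and `int deny_severity = LOG_WARNING;`, which also fixes the severities libwrap uses when it logs its own decisions.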
> @@ -2636,6 +2640,21 @@
> }
>
> pthread_mutex_lock (&connection_threads_lock);
> +#ifdef HAVE_LIBWRAP
> + /* LIBWRAP does not support multiple threads! By putting this code
> + inside pthread_mutex_lock we do not have to worry about request_info
> + getting overwritten by another thread.
> + */
> + struct request_info req;
> + request_init(&req, RQ_DAEMON, "rrdcache\0", RQ_FILE, fd, NULL );
> + fromhost(&req);
> + if(!hosts_access(&req)) {
> + RRDD_LOG(LOG_INFO, "refused connection from %s", eval_client(&req));
> + pthread_mutex_unlock (&connection_threads_lock);
> + close_connection(sock);
> + return NULL;
> + }
> +#endif /* HAVE_LIBWRAP */
> connection_threads_num++;
> pthread_mutex_unlock (&connection_threads_lock);
>
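Review bot: the access check runs while `connection_threads_lock` is held, and both fromhost()/hosts_access() (for any rule that uses hostname, LOCAL, KNOWN, PARANOID or netgroup patterns) and eval_client() on the refusal path can block on reverse and forward DNS lookups of the peer, so one slow resolver stalls every other incoming connection behind the counter update. The comment is right that libwrap is not thread-safe, but a dedicated mutex around only the libwrap calls would serialise the check without holding the connection-count lock across DNS. Two smaller points: the daemon name handed to request_init() is "rrdcache", not "rrdcached", so rules in hosts.allow/hosts.deny must be written as `rrdcache: ...` to match, and that name needs documenting; the `\0` in the literal is redundant since C string literals are already NUL-terminated. Consider LOG_WARNING rather than LOG_INFO for the "refused connection" message so refusals stand out from routine traffic.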
> Index: configure.ac
> ===================================================================
> --- configure.ac (revision 2141)
> +++ configure.ac (working copy)
> @@ -515,6 +515,26 @@
> ])
> AM_CONDITIONAL(BUILD_LIBDBI,[test $have_libdbi != no])
>
> +AC_ARG_ENABLE(libwrap,
> + AS_HELP_STRING([--disable-libwrap],
> + [do not build in support for libwrap (tcp wrapper)]),
> + [have_libwrap=no],[
> + XXX=$LIBS
> + LIBS="$LIBS -lwrap"
> + AC_MSG_CHECKING(for libwrap)
> + AC_LINK_IFELSE(
> + [AC_LANG_PROGRAM([[#include "tcpd.h"]], [[hosts_access(NULL)]])
> + ],[AC_DEFINE(HAVE_LIBWRAP,[1],[have got libwrap installed])
> + AC_MSG_RESULT([yes])
> + have_libwrap=yes
> + ],[LIBS=$XXX
> + AC_MSG_RESULT([no])
> + have_libwrap=no
> + ]
> + )
> +])
> +AM_CONDITIONAL(BUILD_LIBWRAP,[test $have_libwrap != no])
> +
> AM_CONDITIONAL(BUILD_RRDCGI,[test $enable_rrdcgi != no])
>
>
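Review bot: the AC_ARG_ENABLE action-if-given is unconditionally `[have_libwrap=no]`, so an explicit `--enable-libwrap` disables libwrap just like `--disable-libwrap`; test `$enableval` instead (e.g. `AS_IF([test "x$enableval" = xno], [have_libwrap=no], [run the link check])`). The link test `hosts_access(NULL)` also defines neither `allow_severity` nor `deny_severity` in its prologue, so on platforms where libwrap expects the program to provide them the test fails to link and configure reports "no" even though libwrap is installed; add `int allow_severity; int deny_severity;` to the AC_LANG_PROGRAM prologue. Minor: rename `XXX` to something like `save_LIBS`; and note that on success `-lwrap` stays in the global LIBS, so every rrdtool binary is linked against libwrap rather than only rrdcached, while the BUILD_LIBWRAP conditional defined here is not used anywhere in the patch.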
> @@ -961,6 +981,7 @@
> echo " Build librrd MT: $enable_pthread"
> echo " Use gettext: $USE_NLS"
> echo " With libDBI: $have_libdbi"
> +echo " With libwrap: $have_libwrap"
> echo
> echo " Libraries: $ALL_LIBS"
> echo
> Index: doc/rrdcached.pod
> ===================================================================
> --- doc/rrdcached.pod (revision 2141)
> +++ doc/rrdcached.pod (working copy)
> @@ -422,14 +422,15 @@
>
> =head2 Authentication
>
> -There is no authentication.
> +If your rrdtool installation was built without libwrap there is no form of
> +authentication for clients connecting to the rrdcache daemon!
>
> -The client/server protocol does not yet have any authentication mechanism. It
> -is likely that authentication and encryption will be added in a future
> version,
> -but for the time being it is the administrator's responsibility to secure the
> -traffic from/to the daemon!
> +If your rrdtool installation was built with libwrap then you can use
> +hosts_access to restrict client access to the rrdcache daemon. For more
> +information on how to use hosts_access to restrict access to the rrdcache
> +daemon you should read the hosts_access(5) man pages.
>
> -It is highly recommended to install a packet filter or similar mechanism to
> +It is still highly recommended to install a packet filter or similar
> mechanism to
> prevent unauthorized connections. Unless you have a dedicated VLAN or VPN for
> this, using network sockets is probably a bad idea!
>
>
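Review bot: the new text presents hosts_access as a form of "authentication", but hosts_access rules are address-based access control: a client arriving from an allowed address is admitted with no credentials, and anyone who can spoof or route traffic from an allowed address passes the check, so the wording should say access control and keep the removed sentence stating that the protocol itself has no authentication or encryption. The paragraph should also give the daemon name the rules match on, which the code passes to request_init() as "rrdcache" (not "rrdcached"), with a minimal example such as `rrdcache: 192.0.2.0/255.255.255.0` in /etc/hosts.allow and `rrdcache: ALL` in /etc/hosts.deny (192.0.2.0/24 is a documentation range here). Minor: "rrdcache daemon" should read "rrdcached" in both new paragraphs to match the rest of the page, and hostname-based patterns make the check depend on DNS, which is worth a sentence alongside the existing packet-filter advice.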
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900