Hi Tobi, On Wed, Apr 08, 2009 at 07:38:06AM +0200, Tobias Oetiker wrote: > I have been telling people about the daemon feature at recent talks > and the auth question came up often ... the reason fetch is tipping > the scale for me is that with this functionality rrdcached goes > from a 'submit only' server to a 'read/write' server ...
interesting point that ‘write’ without authentication is less of a security concern than ‘read/write’. > and providing something read/write over the network without > authentication is a recepie for trouble in my book. My point of view is that currently, RRDCacheD is simply not suited to be used in the public without protection. If people don't like this, they're free not to use the daemon. If they want to use the daemon, it is (always!) their responsibility to ensure security and currently this means setting up a firewall/packet filter, VPN, tunnel or use only UNIX domain sockets. And if all that doesn't fit their bill they should – in the best of all FOSS traditions – “submit patches!” Please note that I'm not at all against implementing authentication. I'm only arguing that currently it's not available and people have to cope with that one way or another. Keeping out features because of that is not the way to go in my opinion. > I am sure create / delete / tune ... will follow shortly ... Of course they will, and therefore it's a good idea to ‘think big’ from the beginning. The privileges currently implemented (the ‘-L’ option) will not nearly match the demands people will have. We should seriously rethink that concept and come up with something more flexible. For example, make is possible to specify which commands are allowed on the command line: --allow flush,flushall,update or --deny flushall This would make the argument of ‘commands too dangerous for not having authentication’ obsolete once and for all, because everybody can decide for himself which commands are okay to use in the current environment. Last but not least, authentication without encryption creates a wrong sense of security that is much more dangerous than not having any security at all and people knowing about it. So we should think about a ‘STARTTLS’ command (or similar), too. Regards, -octo -- Florian octo Forster Hacker in training GnuPG: 0x91523C3D http://verplant.org/
signature.asc
Description: Digital signature
_______________________________________________ rrd-developers mailing list rrd-developers@lists.oetiker.ch https://lists.oetiker.ch/cgi-bin/listinfo/rrd-developers
