Fix: relayd should listen for viewers on localhost only by default

Having relayd listening by default on 0.0.0.0 (all interfaces) with a
protocol without authentication is an information leak waiting to
happen.

Users should explicitely specify if they want to listen on all
interfaces, using e.g. -L tcp://0.0.0.0:5344 (see lttng-relayd(8)
manpage for details). They should only do so if they use a firewall, or
are within a secured network.

Fixes #746

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@efficios.com>

diff --git a/doc/man/lttng-relayd.8 b/doc/man/lttng-relayd.8
index e75711a6d069ee0f6dffb2fbf5b86efa37d97938..1e1e66407172269d9c83c3fe195b7f36e50da5d2 100644 (file)
--- a/doc/man/lttng-relayd.8
+++ b/doc/man/lttng-relayd.8
@@ -17,12 +17,18 @@ It's tracers help tracking down performance issues and debugging problems
 involving multiple concurrent processes and threads. Tracing across multiple
 systems is also possible.
 
 involving multiple concurrent processes and threads. Tracing across multiple
 systems is also possible.
 

-The relay daemon listens on the network and receives traces streamed by a
-remote consumer. This daemon does not require any particular permissions as
-long as it can write in the output folder and listen on the ports.
-
-Once a trace has been streamed completely, the trace can be processed by any
-tool that can process a local LTTng CTF trace.
+The relay daemon listens by default on all network interfaces to gather
+trace data, but only on localhost for viewer connections. This daemon
+does not require any particular permissions as long as it can write in
+the output folder and listen on the ports. If a user is within a secured
+network and/or has proper firewall settings, lttng-relayd can listen to
+viewer connections from all network interfaces by specifying '-L
+tcp://0.0.0.0:5344'.
+
+Traces can be either viewed "live" (as they are produced) by attaching
+to the live viewer port using LTTng live protocol, or after tracing has
+been stopped. Once a trace has been streamed completely, the trace can
+be processed by any tool that can process a local LTTng CTF trace.

 
 By default, the relayd outputs the traces in :
 ~/lttng-traces/hostname/session-name/domain-name
 
 By default, the relayd outputs the traces in :
 ~/lttng-traces/hostname/session-name/domain-name


@@ -63,7 +69,7 @@ Control port URL (tcp://0.0.0.0:5342 is the default)
 Data port URL (tcp://0.0.0.0:5343 is the default)
 .TP
 .BR "-L, --live-port URL"
 Data port URL (tcp://0.0.0.0:5343 is the default)
 .TP
 .BR "-L, --live-port URL"

-Live view port URL (tcp://0.0.0.0:5344 is the default).
+Live view port URL (tcp://localhost:5344 is the default).

 .TP
 .BR "-o, --output"
 Output base directory. Must use an absolute path (~/lttng-traces is the default)
 .TP
 .BR "-o, --output"
 Output base directory. Must use an absolute path (~/lttng-traces is the default)

diff --git a/src/bin/lttng-relayd/main.c b/src/bin/lttng-relayd/main.c
index d9eadc533a45c0882484f804c81d774dcc1b1adf..ac30351522d159b744d3ee834fbb25cb5c6dd05b 100644 (file)
--- a/src/bin/lttng-relayd/main.c
+++ b/src/bin/lttng-relayd/main.c
@@ -251,8 +251,9 @@ int parse_args(int argc, char **argv)
 
        /* assign default values */
        if (control_uri == NULL) {
 
        /* assign default values */
        if (control_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_CONTROL_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_CONTROL_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_CONTROL_PORT);

                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;


@@ -266,8 +267,9 @@ int parse_args(int argc, char **argv)
                }
        }
        if (data_uri == NULL) {
                }
        }
        if (data_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_DATA_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_DATA_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_DATA_PORT);

                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;


@@ -281,8 +283,9 @@ int parse_args(int argc, char **argv)
                }
        }
        if (live_uri == NULL) {
                }
        }
        if (live_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_VIEWER_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_VIEWER_PORT);

                if (ret < 0) {
                        PERROR("asprintf default viewer control address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default viewer control address");
                        goto exit;

diff --git a/src/bin/lttng-sessiond/jul-thread.c b/src/bin/lttng-sessiond/jul-thread.c
index 9c924ea40ebfe5c4f721ff099b0b327b149500aa..d8748f2a5aad5e3c246a0016af7bd72e0a43bde6 100644 (file)
--- a/src/bin/lttng-sessiond/jul-thread.c
+++ b/src/bin/lttng-sessiond/jul-thread.c
@@ -34,7 +34,8 @@
  * can let the user define a custom one. However, localhost is ALWAYS the
  * default listening address.
  */
  * can let the user define a custom one. However, localhost is ALWAYS the
  * default listening address.
  */

-static const char *default_reg_uri = "tcp://localhost";
+static const char *default_reg_uri =
+       "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS;

 
 /*
  * Update JUL application using the given socket. This is done just after
 
 /*
  * Update JUL application using the given socket. This is done just after

diff --git a/src/common/defaults.h b/src/common/defaults.h
index 716b591d8ee88b20e9498a86ada8ce385f0f2f1c..e81055a265269d455ac366e17f2aa4b91346d187 100644 (file)
--- a/src/common/defaults.h
+++ b/src/common/defaults.h
@@ -202,7 +202,13 @@
  */
 #define DEFAULT_SEM_WAIT_TIMEOUT            30    /* in seconds */
 
  */
 #define DEFAULT_SEM_WAIT_TIMEOUT            30    /* in seconds */
 

-/* Default network ports for trace streaming support */
+/* Default bind addresses for network services. */
+#define DEFAULT_NETWORK_CONTROL_BIND_ADDRESS    "0.0.0.0"
+#define DEFAULT_NETWORK_DATA_BIND_ADDRESS       "0.0.0.0"
+#define DEFAULT_NETWORK_VIEWER_BIND_ADDRESS     "localhost"
+#define DEFAULT_JUL_BIND_ADDRESS                "localhost"
+
+/* Default network ports for trace streaming support. */

 #define DEFAULT_NETWORK_CONTROL_PORT        5342
 #define DEFAULT_NETWORK_DATA_PORT           5343
 #define DEFAULT_NETWORK_VIEWER_PORT         5344
 #define DEFAULT_NETWORK_CONTROL_PORT        5342
 #define DEFAULT_NETWORK_DATA_PORT           5343
 #define DEFAULT_NETWORK_VIEWER_PORT         5344