Fix: relayd should listen for viewers on localhost only by default

Having relayd listening by default on 0.0.0.0 (all interfaces) with a
protocol without authentication is an information leak waiting to
happen.

Users should explicitely specify if they want to listen on all
interfaces, using e.g. -L tcp://0.0.0.0:5344 (see lttng-relayd(8)
manpage for details). They should only do so if they use a firewall, or
are within a secured network.

Fixes #746

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@efficios.com>

diff --git a/doc/man/lttng-relayd.8 b/doc/man/lttng-relayd.8
index e75711a6d069ee0f6dffb2fbf5b86efa37d97938..1e1e66407172269d9c83c3fe195b7f36e50da5d2 100644 (file)
--- a/doc/man/lttng-relayd.8
+++ b/doc/man/lttng-relayd.8
@@ -17,12 +17,18 @@ It's tracers help tracking down performance issues and debugging problems
 involving multiple concurrent processes and threads. Tracing across multiple
 systems is also possible.
 
 involving multiple concurrent processes and threads. Tracing across multiple
 systems is also possible.
 

-The relay daemon listens on the network and receives traces streamed by a
-remote consumer. This daemon does not require any particular permissions as
-long as it can write in the output folder and listen on the ports.
-
-Once a trace has been streamed completely, the trace can be processed by any
-tool that can process a local LTTng CTF trace.
+The relay daemon listens by default on all network interfaces to gather
+trace data, but only on localhost for viewer connections. This daemon
+does not require any particular permissions as long as it can write in
+the output folder and listen on the ports. If a user is within a secured
+network and/or has proper firewall settings, lttng-relayd can listen to
+viewer connections from all network interfaces by specifying '-L
+tcp://0.0.0.0:5344'.
+
+Traces can be either viewed "live" (as they are produced) by attaching
+to the live viewer port using LTTng live protocol, or after tracing has
+been stopped. Once a trace has been streamed completely, the trace can
+be processed by any tool that can process a local LTTng CTF trace.

 
 By default, the relayd outputs the traces in :
 ~/lttng-traces/hostname/session-name/domain-name
 
 By default, the relayd outputs the traces in :
 ~/lttng-traces/hostname/session-name/domain-name


@@ -63,7 +69,7 @@ Control port URL (tcp://0.0.0.0:5342 is the default)
 Data port URL (tcp://0.0.0.0:5343 is the default)
 .TP
 .BR "-L, --live-port URL"
 Data port URL (tcp://0.0.0.0:5343 is the default)
 .TP
 .BR "-L, --live-port URL"

-Live view port URL (tcp://0.0.0.0:5344 is the default).
+Live view port URL (tcp://localhost:5344 is the default).

 .TP
 .BR "-o, --output"
 Output base directory. Must use an absolute path (~/lttng-traces is the default)
 .TP
 .BR "-o, --output"
 Output base directory. Must use an absolute path (~/lttng-traces is the default)

diff --git a/src/bin/lttng-relayd/main.c b/src/bin/lttng-relayd/main.c
index 60b6bf2214e8bee4d0266000a1db592982384940..53eaca2cbf944327b95aa0fced58bb564bb8013f 100644 (file)
--- a/src/bin/lttng-relayd/main.c
+++ b/src/bin/lttng-relayd/main.c
@@ -382,8 +382,9 @@ int set_options(int argc, char **argv)
 
        /* assign default values */
        if (control_uri == NULL) {
 
        /* assign default values */
        if (control_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_CONTROL_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_CONTROL_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_CONTROL_PORT);

                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;


@@ -397,8 +398,9 @@ int set_options(int argc, char **argv)
                }
        }
        if (data_uri == NULL) {
                }
        }
        if (data_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_DATA_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_DATA_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_DATA_PORT);

                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default data address");
                        goto exit;


@@ -412,8 +414,9 @@ int set_options(int argc, char **argv)
                }
        }
        if (live_uri == NULL) {
                }
        }
        if (live_uri == NULL) {

-               ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
-                               DEFAULT_NETWORK_VIEWER_PORT);
+               ret = asprintf(&default_address,
+                       "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS ":%d",
+                       DEFAULT_NETWORK_VIEWER_PORT);

                if (ret < 0) {
                        PERROR("asprintf default viewer control address");
                        goto exit;
                if (ret < 0) {
                        PERROR("asprintf default viewer control address");
                        goto exit;

diff --git a/src/bin/lttng-sessiond/jul-thread.c b/src/bin/lttng-sessiond/jul-thread.c
index 9c924ea40ebfe5c4f721ff099b0b327b149500aa..d8748f2a5aad5e3c246a0016af7bd72e0a43bde6 100644 (file)
--- a/src/bin/lttng-sessiond/jul-thread.c
+++ b/src/bin/lttng-sessiond/jul-thread.c
@@ -34,7 +34,8 @@
  * can let the user define a custom one. However, localhost is ALWAYS the
  * default listening address.
  */
  * can let the user define a custom one. However, localhost is ALWAYS the
  * default listening address.
  */

-static const char *default_reg_uri = "tcp://localhost";
+static const char *default_reg_uri =
+       "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS;

 
 /*
  * Update JUL application using the given socket. This is done just after
 
 /*
  * Update JUL application using the given socket. This is done just after

diff --git a/src/common/defaults.h b/src/common/defaults.h
index 31ea73438b04224eb8ffc4d35efb7d2919f5c4a5..8a798744456f6420fa441ac7a5d5e2effce56d09 100644 (file)
--- a/src/common/defaults.h
+++ b/src/common/defaults.h
@@ -209,7 +209,13 @@
  */
 #define DEFAULT_SEM_WAIT_TIMEOUT            30    /* in seconds */
 
  */
 #define DEFAULT_SEM_WAIT_TIMEOUT            30    /* in seconds */
 

-/* Default network ports for trace streaming support */
+/* Default bind addresses for network services. */
+#define DEFAULT_NETWORK_CONTROL_BIND_ADDRESS    "0.0.0.0"
+#define DEFAULT_NETWORK_DATA_BIND_ADDRESS       "0.0.0.0"
+#define DEFAULT_NETWORK_VIEWER_BIND_ADDRESS     "localhost"
+#define DEFAULT_JUL_BIND_ADDRESS                "localhost"
+
+/* Default network ports for trace streaming support. */

 #define DEFAULT_NETWORK_CONTROL_PORT        5342
 #define DEFAULT_NETWORK_DATA_PORT           5343
 #define DEFAULT_NETWORK_VIEWER_PORT         5344
 #define DEFAULT_NETWORK_CONTROL_PORT        5342
 #define DEFAULT_NETWORK_DATA_PORT           5343
 #define DEFAULT_NETWORK_VIEWER_PORT         5344