From fa91dc52d62347d1c1ce56e995525f2c57adfc13 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Fri, 28 Feb 2014 08:33:49 -0500
Subject: [PATCH] Fix: relayd should listen for viewers on localhost only by default
Having relayd listening by default on 0.0.0.0 (all interfaces) with a protocol without authentication is an information leak waiting to happen. Users should explicitely specify if they want to listen on all interfaces, using e.g. -L tcp://0.0.0.0:5344 (see lttng-relayd(8) manpage for details). They should only do so if they use a firewall, or are within a secured network.
Fixes #746
Signed-off-by: Mathieu Desnoyers
Signed-off-by: David Goulet
---
 doc/man/lttng-relayd.8 | 20 +++++++++++++-------
 src/bin/lttng-relayd/main.c | 15 +++++++++------
 src/bin/lttng-sessiond/jul-thread.c | 3 ++-
 src/common/defaults.h | 8 +++++++-
 4 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/doc/man/lttng-relayd.8 b/doc/man/lttng-relayd.8
index e75711a6d..1e1e66407 100644
--- a/doc/man/lttng-relayd.8
+++ b/doc/man/lttng-relayd.8
@@ -17,12 +17,18 @@ It's tracers help tracking down performance issues and debugging problems involving multiple concurrent processes and threads. Tracing across multiple systems is also possible.
-The relay daemon listens on the network and receives traces streamed by a
-remote consumer. This daemon does not require any particular permissions as
-long as it can write in the output folder and listen on the ports.
-
-Once a trace has been streamed completely, the trace can be processed by any
-tool that can process a local LTTng CTF trace.
+The relay daemon listens by default on all network interfaces to gather
+trace data, but only on localhost for viewer connections. This daemon
+does not require any particular permissions as long as it can write in
+the output folder and listen on the ports. If a user is within a secured
+network and/or has proper firewall settings, lttng-relayd can listen to
+viewer connections from all network interfaces by specifying '-L
+tcp://0.0.0.0:5344'.
+
+Traces can be either viewed "live" (as they are produced) by attaching
+to the live viewer port using LTTng live protocol, or after tracing has
+been stopped. Once a trace has been streamed completely, the trace can
+be processed by any tool that can process a local LTTng CTF trace.
By default, the relayd outputs the traces in : ~/lttng-traces/hostname/session-name/domain-name
@@ -63,7 +69,7 @@ Control port URL (tcp://0.0.0.0:5342 is the default) Data port URL (tcp://0.0.0.0:5343 is the default) .TP .BR "-L, --live-port URL"
-Live view port URL (tcp://0.0.0.0:5344 is the default).
+Live view port URL (tcp://localhost:5344 is the default).
.TP .BR "-o, --output" Output base directory. Must use an absolute path (~/lttng-traces is the default)
diff --git a/src/bin/lttng-relayd/main.c b/src/bin/lttng-relayd/main.c
index 60b6bf221..53eaca2cb 100644
--- a/src/bin/lttng-relayd/main.c
+++ b/src/bin/lttng-relayd/main.c
@@ -382,8 +382,9 @@ int set_options(int argc, char **argv)
/* assign default values */
if (control_uri == NULL) {
- ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
- DEFAULT_NETWORK_CONTROL_PORT);
+ ret = asprintf(&default_address,
+ "tcp://" DEFAULT_NETWORK_CONTROL_BIND_ADDRESS ":%d",
+ DEFAULT_NETWORK_CONTROL_PORT);
if (ret < 0) {
PERROR("asprintf default data address");
goto exit;
@@ -397,8 +398,9 @@ int set_options(int argc, char **argv)
}
}
if (data_uri == NULL) {
- ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
- DEFAULT_NETWORK_DATA_PORT);
+ ret = asprintf(&default_address,
+ "tcp://" DEFAULT_NETWORK_DATA_BIND_ADDRESS ":%d",
+ DEFAULT_NETWORK_DATA_PORT);
if (ret < 0) {
PERROR("asprintf default data address");
goto exit;
@@ -412,8 +414,9 @@ int set_options(int argc, char **argv)
}
}
if (live_uri == NULL) {
- ret = asprintf(&default_address, "tcp://0.0.0.0:%d",
- DEFAULT_NETWORK_VIEWER_PORT);
+ ret = asprintf(&default_address,
+ "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS ":%d",
+ DEFAULT_NETWORK_VIEWER_PORT);
if (ret < 0) {
PERROR("asprintf default viewer control address");
goto exit;
diff --git a/src/bin/lttng-sessiond/jul-thread.c b/src/bin/lttng-sessiond/jul-thread.c
index 9c924ea40..d8748f2a5 100644
--- a/src/bin/lttng-sessiond/jul-thread.c
+++ b/src/bin/lttng-sessiond/jul-thread.c
@@ -34,7 +34,8 @@
* can let the user define a custom one. However, localhost is ALWAYS the
* default listening address.
*/
-static const char *default_reg_uri = "tcp://localhost";
+static const char *default_reg_uri =
+ "tcp://" DEFAULT_NETWORK_VIEWER_BIND_ADDRESS;
/*
* Update JUL application using the given socket. This is done just after
diff --git a/src/common/defaults.h b/src/common/defaults.h
index 31ea73438..8a7987444 100644
--- a/src/common/defaults.h
+++ b/src/common/defaults.h
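Review bot: The error path kept as context under the `control_uri == NULL` branch still logs `PERROR("asprintf default data address");`, so an asprintf failure while building the control URI is reported as a data-address failure, and the data branch in the following hunk logs the identical string, making the two indistinguishable in the log. Since this commit rewrites the asprintf call two lines above it, correcting the label is in scope: `PERROR("asprintf default control address");`. set_options begins and continues outside this hunk.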
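Review bot: The JUL registration socket is now bound via `DEFAULT_NETWORK_VIEWER_BIND_ADDRESS`, although the defaults.h hunk introduces `DEFAULT_JUL_BIND_ADDRESS` for exactly this purpose and leaves it unused, and the comment retained just above this definition states that localhost is ALWAYS the default here. Coupling it to the viewer macro means a future decision to expose the live-viewer port by default would silently also expose the agent registration socket, whose only protection visible in this patch is the loopback binding. The intended line is presumably `"tcp://" DEFAULT_JUL_BIND_ADDRESS;`, which also gives the new defaults.h macro its one consumer.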
@@ -209,7 +209,13 @@
*/
#define DEFAULT_SEM_WAIT_TIMEOUT 30 /* in seconds */
-/* Default network ports for trace streaming support */
+/* Default bind addresses for network services. */
+#define DEFAULT_NETWORK_CONTROL_BIND_ADDRESS "0.0.0.0"
+#define DEFAULT_NETWORK_DATA_BIND_ADDRESS "0.0.0.0"
+#define DEFAULT_NETWORK_VIEWER_BIND_ADDRESS "localhost"
+#define DEFAULT_JUL_BIND_ADDRESS "localhost"
+
+/* Default network ports for trace streaming support. */
#define DEFAULT_NETWORK_CONTROL_PORT 5342
#define DEFAULT_NETWORK_DATA_PORT 5343
#define DEFAULT_NETWORK_VIEWER_PORT 5344
--
2.34.1
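Review bot: `DEFAULT_NETWORK_VIEWER_BIND_ADDRESS` and `DEFAULT_JUL_BIND_ADDRESS` hold the hostname "localhost" rather than a loopback address, so the socket actually bound depends on how the URI parser resolves that name (presumably via the system resolver, outside this hunk) and may end up IPv4-only or IPv6-only on a given host. If the goal is a deterministic loopback-only default, a literal "127.0.0.1" (or "::1") removes that dependency; whichever is chosen, the rationale belongs beside the definitions, e.g. `/* Viewer and JUL sockets have no authentication: bind to loopback only unless the user explicitly overrides the URL. */`. The control and data defaults intentionally stay on all interfaces, which the same comment could state to make the asymmetry obviously deliberate.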