Opened 15 years ago

Closed 15 years ago

#529 closed feature-request (Fixed)

Add authentication to core

Reported by: pipatron@… Owned by: andar
Priority: major Milestone: 1.2.0
Component: Unknown Version: 1.0.0
Keywords: daemon deluged security Cc:

Description

deluged seems to allow connections from anyone on localhost; this is obviously not secure if there is more than one user on a system. For example:

  1. Create a torrent with a file called ".profile", upload to any tracker.
  2. Connect to the deluge daemon that another user is running.
  3. Change the download folder to the user $HOME, and add the torrent.
  4. The .profile can contain anything, and will be executed when the user logs in next time, for example: alias sudo=/home/hacker/sudo_and_log_password

It can also be a security risk even in a single-user setting, if other servers are running (as unprivileged users) on the same system that are less secure and can be hacked (http, ftp, etc).

Some sort of authentication is needed.

Change History (3)

comment:1 Changed 15 years ago by andar

  • Milestone set to 1.2.0
  • Summary changed from deluged lack authentication; unusable on a multi-user system to Add authentication to core

Yes, this is planned eventually. I have already started work on some of the necessary changes in the core to support this, but it likely won't see fruition until at least 1.2.0 or even possibly 1.3.0.

comment:2 Changed 15 years ago by anonymous

Another problem with this is that different users can't maintain separate download lists etc., as if someone else has already started deluged, you just see and add to their torrents instead of your own. It should be possible for each user to start their own deluged and then connect to it, regardless of whether someone else has already started their own instance, and the daemons only allow connections from the user that spawned that instance of deluged.

comment:3 Changed 15 years ago by andar

  • Resolution set to fixed
  • Status changed from new to closed
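
The control this ticket asks for, as an added example (not part of the ticket and not Deluge's own code): the daemon keeps a random secret in a file only its owner can read and refuses any call that does not present it, so another local user who can reach the localhost port still cannot change settings. The `Daemon` class, its method names and the token file are hypothetical names chosen for illustration.

```python
import hmac
import os
import secrets
import stat

def create_token_file(path):
    """Write a fresh random secret, creating the file as 0600 from the start."""
    # O_EXCL: never reuse a file that someone else pre-created at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    token = secrets.token_hex(32)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token

def load_token(path):
    """Daemon side: only trust a secret that no other local user could have read."""
    with open(path) as f:
        st = os.fstat(f.fileno())  # check the file we actually opened
        if st.st_uid != os.getuid():
            raise PermissionError("token file is not owned by the daemon's user")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("token file is accessible to group or others")
        return f.read().strip()

class Daemon:
    """Hypothetical stand-in for a localhost RPC daemon."""
    def __init__(self, token_path):
        self._token = load_token(token_path)
        self.download_dir = None

    def _check(self, presented):
        # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
        if not hmac.compare_digest(self._token.encode(), presented.encode()):
            raise PermissionError("authentication failed")

    def set_download_dir(self, presented, path):
        self._check(presented)  # authenticate before any state change
        self.download_dir = path
        return self.download_dir
```

Because the secret lives under the daemon owner's account with mode 0600, each user can run a separate instance with a separate token file, which is the per-user separation requested in comment:2.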