Opened 16 years ago

Closed 16 years ago

#529 closed feature-request (Fixed)

Add authentication to core

Reported by: pipatron@gmail.com
Owned by: andar
Priority: major
Milestone: 1.2.0
Component: Unknown
Version: 1.0.0
Keywords: daemon deluged security
Cc:

Description

deluged seems to allow connections from anyone on localhost; this is obviously not secure if there is more than one user on a system. For example:

  1. Create a torrent with a file called ".profile", upload to any tracker.
  2. Connect to the deluge daemon that another user is running.
  3. Change the download folder to the user $HOME, and add the torrent.
  4. The .profile can contain anything, and will be executed when the user logs in next time, for example: alias sudo=/home/hacker/sudo_and_log_password

It can also be a security risk even in a single-user setting, if other servers are running (as unprivileged users) on the same system that are less secure and can be hacked (http, ftp, etc).

Some sort of authentication is needed.

Change History (3)

comment:1 by andar, 16 years ago

Milestone: 1.2.0
Summary: deluged lack authentication; unusable on a multi-user system → Add authentication to core

Yes, this is planned eventually. I have already started work on some of the necessary changes in the core to support this, but it likely won't see fruition until at least 1.2.0 or even possibly 1.3.0.

comment:2 by anonymous, 16 years ago

Another problem with this is that different users can't maintain separate download lists etc., as if someone else has already started deluged, you just see and add to their torrents instead of your own. It should be possible for each user to start their own deluged and then connect to it, regardless of whether someone else has already started their own instance, and the daemons only allow connections from the user that spawned that instance of deluged.

comment:3 by andar, 16 years ago

Resolution: fixed
Status: new → closed
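
Added example, not part of the ticket and not Deluge's own code: one way a local daemon can limit access to the user who started it, as the description and comment:2 ask for, using a per-user secret file (mode 0600) and an HMAC challenge-response. The auth file location, the `Daemon` class and all function names are hypothetical.

```python
import hashlib, hmac, os, secrets, stat

def create_auth_file(path):
    """Create a random secret that only the daemon's owner can read."""
    # O_EXCL refuses to reuse a file another local user may have pre-created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secrets.token_hex(32))

def load_secret(path):
    """Load the secret, rejecting files other local users could read or own."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError("auth file is not owned by this user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("auth file is accessible to group or others")
    with open(path) as f:
        return f.read().strip().encode()

def client_response(path, nonce):
    """Client side: prove it can read the owner's secret without sending it."""
    return hmac.new(load_secret(path), nonce, hashlib.sha256).digest()

class Daemon:
    """Hypothetical daemon core: every connection must answer a challenge."""
    def __init__(self, auth_path):
        self._secret = load_secret(auth_path)
        self._pending = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:  # unknown or already used: replay
            return False
        self._pending.discard(nonce)    # single use, even on failure
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "auth")  # constructed sample path
    create_auth_file(path)
    daemon = Daemon(path)
    nonce = daemon.challenge()
    print("owner accepted:", daemon.verify(nonce, client_response(path, nonce)))
    print("guess rejected:", daemon.verify(daemon.challenge(), b"\x00" * 32))
```

The daemon would run the challenge before accepting any request on a connection, so a change of download folder or an added torrent from another local account is refused.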