Opened 16 years ago
Closed 16 years ago
#529 closed feature-request (Fixed)
Add authentication to core
Reported by: | pipatron@gmail.com | Owned by: | andar |
---|---|---|---|
Priority: | major | Milestone: | 1.2.0 |
Component: | Unknown | Version: | 1.0.0 |
Keywords: | daemon deluged security | Cc: |
Description
deluged seems to allow connections from anyone on localhost; this is obviously not secure if there is more than one user on a system. For example:
- Create a torrent with a file called ".profile", upload to any tracker.
- Connect to the deluge daemon that another user is running.
- Change the download folder to the user $HOME, and add the torrent.
- The .profile can contain anything, and will be executed when the user logs in next time, for example:
  `alias sudo=/home/hacker/sudo_and_log_password`
It can also be a security risk even in a single-user setting, if other servers are running (as unprivileged users) on the same system that are less secure and can be hacked (http, ftp, etc.).
Some sort of authentication is needed.
Change History (3)
comment:1 by , 16 years ago
Milestone: | → 1.2.0 |
---|---|
Summary: | deluged lack authentication; unusable on a multi-user system → Add authentication to core |
comment:2 by , 16 years ago
Another problem with this is that different users can't maintain separate download lists etc., as if someone else has already started deluged, you just see and add to their torrents instead of your own. It should be possible for each user to start their own deluged and then connect to it, regardless of whether someone else has already started their own instance, and for the daemons to only allow connections from the user that spawned that instance of deluged.
comment:3 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Yes, this is planned eventually. I have already started work on some of the necessary changes in the core to support this, but it likely won't see fruition until at least 1.2.0 or even possibly 1.3.0.
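One way to meet the requirement raised in the description and in comment:2 (a daemon on localhost that only serves the user who started it), shown as an added example that is not part of the ticket and not Deluge's own code. It assumes a per-user secret file with mode 0600 and an HMAC challenge-response; all function names and the file name are hypothetical.

```python
import hmac
import os
import secrets
import stat
import tempfile

def create_secret_file(path):
    """Create a fresh per-user secret; O_EXCL refuses a pre-planted file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    secret = secrets.token_hex(32)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return secret

def load_secret(path):
    """Load the secret, rejecting files another local user could read or own."""
    with open(path) as f:
        st = os.fstat(f.fileno())  # check the opened file, not the path
        if st.st_uid != os.getuid():
            raise PermissionError("secret file is not owned by this user")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("secret file is accessible to group/others")
        return f.read().strip()

def new_challenge():
    """Daemon side: random nonce sent to each connecting client."""
    return secrets.token_bytes(16)

def client_response(secret, challenge):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret.encode(), challenge, "sha256").hexdigest()

def daemon_accepts(secret, challenge, response):
    """Daemon side: constant-time check of the client's response."""
    expected = client_response(secret, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the user's config dir.
    with tempfile.TemporaryDirectory() as cfg:
        auth_path = os.path.join(cfg, "auth")
        create_secret_file(auth_path)
        secret = load_secret(auth_path)
        nonce = new_challenge()
        print("owner accepted:", daemon_accepts(secret, nonce, client_response(secret, nonce)))
        print("other user accepted:", daemon_accepts(secret, nonce, client_response("guess", nonce)))
```

A local user who cannot read the 0600 file cannot compute a valid response, so connecting to the port alone no longer grants control of the daemon.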