qBittorrent
disable root user execution and WebUi unless default password is changed.
Suggestion
Prevent the possibility of executing the tool with root privileges unless an option is specifically included/configured, e.g. -root.
Prevent the possibility of opening up the WebUi if the default password is not changed.
Use case
I recently opened up the WebUI interface to the public by mistake through UPnP and within minutes, I got hacked due to the default password. The hack was in the download of a crypto miner and finished there but I am sure that if the user was root, I would be totally trojanized with a kernel module or so.
Extra info/examples/attachments
No response
There is no default password since v4.6.1. As said in the announcement:
The most important change has to do with WebUI. It affects users that haven't set their own credentials and are using the default ones. Those will not be accepted now and qBittorrent will generate a random password and output it in the console for you to use. Then you can login and configure a password.
Good about the webui, I should have an older version.
On root, it looks like a good idea, there is no reason to run it as root. Might be I create the pull request myself.
On root, it looks like a good idea, there is no reason to run it as root. Might be I create the pull request myself.
It looks doubtful, IMO. If someone wants to run qBittorrent as root, they will do so with or without -root option.
Sure, but doing an extra step will prevent doing so by mistake, like for example I did yesterday. The malware installed did not succeed at privilege escalation, but if it was running with root it would have trojaned the machine.
On Sun, Jun 23, 2024, 20:48 Vladimir Golovnev @.***> wrote:
On root, it looks like a good idea, there is no reason to run it as root. Might be I create the pull request myself.
It looks doubtful, IMO. If someone wants to run qBittorrent as root, they will do so with or without -root option.
ANNOUNCEMENT!
For anybody coming across this "Feature Request" & would like/love to see a potential implementation in the future! Here are some options available to you:
- Please select/click the 👍 &/or ❤ reactions in the original/opening post of this ticket.
- Please feel free (If you have the "skillset") to create a "Pull Request" implementing what's being requested in this ticket. (new/existing contributors/developers are always welcome)
DO:
- Provide constructive feedback.
- Display how other projects implemented same/similar etc.
DO NOT:
- Add a "Bump", "me too", "2nd/3rd" etc. or "criticizing" comment(s). (These will be disregarded/hidden as "spam/abuse/off-topic" etc. as they don't provide anything constructive.)
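The two behaviours discussed in this thread, refusing to start as root without an explicit opt-in and never serving the WebUI with unset credentials, sketched as a fail-closed startup check. This is an added example, not qBittorrent code: `StartupDecision`, `decideStartup` and `generateTempPassword` are hypothetical names, and `-root` is the flag proposed in the opening post, not an existing option.

```cpp
#include <algorithm>
#include <iostream>
#include <random>
#include <string>
#include <vector>
#include <unistd.h>  // geteuid(), POSIX only

// Hypothetical startup policy for illustration; none of these names exist in qBittorrent.
struct StartupDecision {
    bool allowStart = true;
    std::string tempWebUiPassword;  // non-empty only when a session password was generated
    std::string reason;
};

// Random session password; assumes std::random_device is backed by the OS entropy source.
std::string generateTempPassword(std::size_t length = 16) {
    static const std::string alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    std::random_device rd;
    std::uniform_int_distribution<std::size_t> pick(0, alphabet.size() - 1);
    std::string out;
    for (std::size_t i = 0; i < length; ++i) out += alphabet[pick(rd)];
    return out;
}

// euid is a parameter so the policy can be tested without actually running as root.
StartupDecision decideStartup(unsigned euid, const std::vector<std::string>& args,
                              bool webUiEnabled, bool customCredentialsSet) {
    StartupDecision d;
    const bool rootOptIn = std::find(args.begin(), args.end(), "-root") != args.end();
    if (euid == 0 && !rootOptIn) {
        d.allowStart = false;  // fail closed: running as root needs a deliberate extra step
        d.reason = "refusing to run as root; pass -root to override";
        return d;
    }
    if (webUiEnabled && !customCredentialsSet) {
        // Never fall back to a well-known default: use a random per-session password.
        d.tempWebUiPassword = generateTempPassword();
        d.reason = "no WebUI credentials set; temporary password generated";
    }
    return d;
}

int main(int argc, char** argv) {
    const std::vector<std::string> args(argv + 1, argv + argc);
    const StartupDecision d = decideStartup(geteuid(), args, true, false);
    if (!d.reason.empty()) std::cerr << d.reason << '\n';
    if (!d.allowStart) return 1;
    if (!d.tempWebUiPassword.empty())
        std::cout << "Temporary WebUI password: " << d.tempWebUiPassword << '\n';
    return 0;
}
```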