Consider allowing all torrent downloads to be restricted to a folder

[jr64]

From a security point of view, it would be very nice to be able to restrict all torrent downloads to be within a folder, e.g. /var/data

Expected Behavior

There should be a configuration option where you can set a parent folder. Users can then only download to this folder and subfolders within it.

Current Behavior

You can download to any directory on the machine.

Context

Right now, you can download torrents to any directory the user rtorrent is running as has access to. This allows all users of flood to create or overwrite arbitrarily named files in arbitrary folders which is a security nightmare. It depends on the actual setup, but there are many ways this could be abused to get full access on the server. Here are some examples:

• create a cronjob in /etc/cron.d that spawns a shell
• add any ssh key to /home/$USER/.ssh/authorized_keys and login over ssh
• overwrite /home/$USER/.bashrc to execute commands on the next login of the user
• overwrite code of flood itself which will execute the next time it is restarted

At the very least, the README should contain a warning that any user of flood can most likely also get full access to the server. This might not be immediately obvious to some.

[noraj]

For flood (same as ruTorrent) create users specially for that. Create a flood user that have access to only his own directory.

So those are impossible:

• create a cronjob in /etc/cron.d that spawns a shell
  • because the directory is drwxr-xr-x 2 root root
• add any ssh key to /home/$USER/.ssh/authorized_keys and login over ssh
  • can't write in other homes because of the same reason
• overwrite /home/$USER/.bashrc to execute commands on the next login of the user
  • can't write in other homes because of the same reason
• overwrite code of flood itself which will execute the next time it is restarted
  • can't access to the folder is you properly set the permissions

See an example for ruTorrent that could simply be adapted to flood: https://rawsec.ml/en/archlinux-install-rtorrent-rutorrent/ or for a SFTP user https://rawsec.ml/en/archlinux-setup-sftp-user-deluge/

Run flood as a service account (see here) and create accounts for flood users that are only used for flood usage (use only chrooted env for SFTP, no shell, etc...).

This issue is related to a lack of security documentation, see #561

[jr64]

Yes, of course it CAN be configured to be secure. What you are describing is pretty much how I run my install except that I put everything in docker. What I am saying is that many users do not think about security enough to implement all these extra steps.

Restricting downloads to a single directory provides a reasonably secure default environment for less experienced users that just go with the default configuration.

Additionally, it provides defense-in-depth: no matter how well you configure your environment, there is always the chance that you forgot something. If you can't access other directories, the attack surface is much smaller. Simply being able to browse / on the server is a relevant infoleak in my opinion. You can roughly guess which processes are running via /proc or see what other software is installed by browsing /bin and the likes.

I also think that the restriction would not be much work to implement: just add a check if the download directory is inside the configured directory and don't allow listing directories outside of it.

[noraj]

@jr64 Better security seems never bad for me 😃