How to block access to ruTorrent data files in Apache

peshua19

Member
May 25, 2018
In the latest versions of ruTorrent, we have a plugin called loginmgr. This plugin is very much needed, but it has some serious security issues on a multi-user system. Basically, this plugin is used to log into torrent sites in order to allow RSS and EXTSEARCH to work on sites where cookies do not. The biggest problem with this is that, in order to be able to log in to these sites in a meaningful way, ruTorrent must store the username and password for these sites. What makes matters worse is that these passwords are stored in plain text, so any user who knows how ruTorrent works can simply browse to http://yoursite.com/share/users/settings/ and view the data files right in the browser.

The simple solution to this is to block access to these files with a .htaccess file in Apache.
All you have to do is save the following as .htaccess and save it in rutorrent/share/

Code:
<Files ~ "\.dat$">
Order allow,deny
Deny from all
</Files>


NOTE: It's important to know that if you have "AllowOverride None" set, .htaccess files will not work. If you use a vhost, be sure to enable AllowOverride ALL


This will prevent users from viewing these files at all.

Another method would be to use authentication for each user per share directory but honestly, this is more cumbersome and simply blocking access to the .dat files is easier.

It's also important, if you allow users FTP access, that you chroot these users.
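
A way to confirm the .htaccess rule is actually being honoured, as an added example that is not part of the original post: the script lists every .dat file under the share directory on disk, requests each one over HTTP, and reports any that did not answer 403 Forbidden. The script name, the share path and the base URL in the usage comment are assumptions, and the optional user and password arguments are for installs that sit behind HTTP Basic authentication.

```python
"""Audit that ruTorrent .dat files under share/ are refused by the web server."""
import base64
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path


def make_fetcher(user=None, password="", timeout=5):
    """Return fetch(url) -> HTTP status, optionally sending Basic auth."""
    def fetch(url):
        req = urllib.request.Request(url)
        if user is not None:
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def dat_urls(share_dir, base_url):
    """Map each *.dat file under share_dir to the URL it would be served at."""
    share = Path(share_dir)
    base = base_url.rstrip("/") + "/"
    return [base + urllib.parse.quote(p.relative_to(share).as_posix())
            for p in sorted(share.rglob("*.dat"))]


def not_denied(share_dir, base_url, fetch):
    """Return (url, status) for every .dat URL that did not answer 403."""
    findings = []
    for url in dat_urls(share_dir, base_url):
        status = fetch(url)
        if status != 403:  # the .htaccess rule should produce 403 Forbidden
            findings.append((url, status))
    return findings


if __name__ == "__main__":
    # Hypothetical usage: audit.py /var/www/rutorrent/share http://yoursite.com/share [user pass]
    share_dir, base_url, *cred = sys.argv[1:]
    findings = not_denied(share_dir, base_url, make_fetcher(*cred))
    for url, status in findings:
        print(f"NOT DENIED ({status}): {url}")
    sys.exit(1 if findings else 0)
```

A 200 in the output means the file is still readable from a browser; a 401 means the request never reached the .htaccess check, so rerun it with a valid user's credentials.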