Disable web client in default install

Bug #542194 reported by Jesse R. Taylor on 2010-03-19
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Transmission
Fix Released
Unknown
transmission (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: transmission

The default install of the Transmission client has the "Web Client" feature enabled by default, which leaves an open listening server. I don't think that this should be enabled by default, so that users don't have server processes running without their knowledge, for security reasons. Is there any way to disable this by default?

visibility: private → public

Indeed, I can confirm that the webui is started by default. It is
listening only on 127.0.0.1, so it's not critical, but it means that
other users on the computer have access to your files, so it should be
fixed.
 status confirmed
 importance medium

Changed in transmission (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
tags: added: regression-potential
removed: bittorrent client configuration transmission web
Changed in transmission (Ubuntu):
milestone: none → ubuntu-10.04-beta-2
Charles Kerr (charlesk) wrote :

Here are two one-liners to change the default: one line to turn it off by default in libtransmission, and one line to override that in the daemon, which of course requires it in order to operate.

http://transmission.pastebay.com/90665
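
An added example, not part of the original thread or of Transmission's code: a check of a Transmission `settings.json` for the condition this report describes, using the settings keys `rpc-enabled`, `rpc-bind-address`, `rpc-authentication-required` and `rpc-port`. The sample file contents and the finding codes are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample settings.json contents (not taken from a real system).
SAMPLE_WEB_ON = """{"rpc-enabled": true, "rpc-bind-address": "127.0.0.1",
                    "rpc-authentication-required": false, "rpc-port": 9091}"""
SAMPLE_WEB_OFF = '{"rpc-enabled": false}'


def audit_rpc(settings_text):
    """Return (code, message) findings for the web client / RPC settings."""
    cfg = json.loads(settings_text)
    enabled = cfg.get("rpc-enabled")
    if enabled is None:
        # The file does not decide; whatever the build defaults to is in effect.
        return [("DEFAULT_APPLIES", "rpc-enabled not set; compiled-in default applies")]
    if not enabled:
        return []
    findings = [("RPC_ENABLED", "web client / RPC server enabled (port %s)"
                 % cfg.get("rpc-port", "<unset>"))]
    bind = cfg.get("rpc-bind-address")
    try:
        loopback = bind is not None and ipaddress.ip_address(bind).is_loopback
    except ValueError:
        loopback = False  # unparsable address: treat as not provably local
    if loopback:
        # Loopback keeps the network out, but not other accounts on the host.
        findings.append(("LOOPBACK_LOCAL_USERS",
                         "bound to %s; any local user can connect" % bind))
    else:
        findings.append(("NOT_LOOPBACK",
                         "bind address %r is not confirmed loopback" % bind))
    if cfg.get("rpc-authentication-required") is not True:
        findings.append(("NO_AUTH", "rpc-authentication-required is not true"))
    return findings


if __name__ == "__main__":
    for name, text in (("web on", SAMPLE_WEB_ON), ("web off", SAMPLE_WEB_OFF)):
        print(name, audit_rpc(text) or "no findings")
```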

Charles Kerr (charlesk) wrote :

Jesse: thanks for suggesting this before beta 2. :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package transmission - 1.92-0ubuntu1

---------------
transmission (1.92-0ubuntu1) lucid; urgency=low

  [ Krzysztof Klimonda ]
  * New upstream release (LP: #538034), rebased on debian testing.
    Remaining changes:
    - debian/control:
      + Added replaces & provides clutch (now included as part of transmission).
        Can be removed in lucid+1
      + Added liblaunchpad-integration-dev and lsb-release to Build-Depends
    - debian/rules:
      + create a po template during package build.
    - debian/patches/01_lpi.patch:
      + integrate transmission with launchpad
    - debian/patches/20_add_x-ubuntu-gettext-domain.diff:
      + add x-ubuntu-gettext-domain to .desktop file.
    - debian/transmission-daemon.default:
      - remove --auth from OPTIONS
    - debian/control, debian/rules:
      + build transmission gtk+ client with both gconf and libcanberra support.
    - debian/patches/dont_build_libevent.patch:
      + disable libevent in configure.ac and Makefile.am because we use autotools
        to regenerate build files.
    - lucid/debian/patches/updateminiupnpcstrings_double_escape_slash.patch:
      + Deleted as the bug is fixed upstream
  * Fixes bugs:
    - Fix directory selection error in GTK+ 2.19 (LP: #518692)
    - Transmission "Set Location" - dialog doesn't disappear (LP: #529037)
    - The "Torrent Options" dialog's Torrent Priority row gets too much
      vertical stretch (LP: #527299)
    - "Open Folder" behavior can be confusing for single-file torrents
      (LP: #505861)
  * Refreshed 99_autoreconf.patch

  [ Chris Coulson ]
  * debian/patches/disable_web_ui.patch:
    - Disable the web UI by default again (LP: #542194)
 -- Krzysztof Klimonda <email address hidden> Wed, 03 Mar 2010 02:55:26 +0100

Changed in transmission (Ubuntu):
status: Confirmed → Fix Released
Changed in transmission:
status: Unknown → Fix Released
This report contains Public Security information
Everyone can see this security related information.