duplicity-team team mailing list archive

Thread
Date

[Bug 504423] Re: duplicity shows sensitive data in process listing

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: edso <edgar.soldin@xxxxxx>
Date: Fri, 08 Jan 2010 11:58:09 -0000
Reply-to: Bug 504423 <504423@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

i just checked on suse linux 11 and it seems that 'e' parameter for 'ps' shows only the environment vars of your own processes.
It showed nothing when logged in as a different user and duplicity was running as the first user.

..ede

-- 
duplicity shows sensitive data in process listing
https://bugs.launchpad.net/bugs/504423
You received this bug notification because you are a member of
duplicity-team, which is a direct subscriber.

Status in duplicity - Bandwidth Efficient Encrypted Backup: New

Bug description:
If credentials are given in the command line url parameter these show up in 'ps'

e.g.

/usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key FD3846C2 --gpg-options= --exclude-globbing-filelist /root/.duply/bkp/exclude /backup/ ftp://<user>:<PASSWORT>@<backupserver>/backup

suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to keep FTP_PASSWORD for ftp backend only and backward compatibility. The fact that FTP_BACKEND can be used with nearly all backend is afaik not documented. Even so duply 1.5.1.4+ will use it until this bug is resolved.

for the future a config file based auth as mentioned in
http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
could make sense.

.. ede

Follow ups

Re: [Bug 504423] Re: duplicity shows sensitive data in process listing
From: Peter Schuller, 2010-01-08

References

[Bug 504423] [NEW] duplicity shows sensitive data in process listing
From: edso, 2010-01-07