duplicity-team team mailing list archive

Thread
Date

[Bug 504423] Re: duplicity shows sensitive data in process listing

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: edso <504423@xxxxxxxxxxxxxxxxxx>
Date: Sat, 02 Jul 2011 13:02:06 -0000
Reply-to: Bug 504423 <504423@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

just some update:

some revisions ago the manpage was updated and now tells users to prefer
FTP_PASSWORD over password in url, because it is supported by most
backends and inherently safer than the inurl variant.

the suggestions above are still pending (generic vars and config file).

ede/duply.net

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/504423

Title:
  duplicity shows sensitive data in process listing

Status in Duplicity - Bandwidth Efficient Encrypted Backup:
  In Progress

Bug description:
  If credentials are given in the command line url parameter these show
  up in 'ps'

  e.g.

  /usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key
  FD3846C2 --gpg-options= --exclude-globbing-filelist
  /root/.duply/bkp/exclude /backup/
  ftp://<user>:<PASSWORT>@<backupserver>/backup

  suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
  keep FTP_PASSWORD for ftp backend only and backward compatibility. The
  fact that FTP_PASSWORD can be used with nearly all backend is afaik
  not documented. Even so duply 1.5.1.4+ will use it until this bug is
  resolved.

  for the future a config file based auth as mentioned in
  http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
  could make sense.

  .. ede

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/504423/+subscriptions

References

[Bug 504423] [NEW] duplicity shows sensitive data in process listing
From: edso, 2010-01-07