
duplicity-team team mailing list archive

[Bug 504423] Re: duplicity shows sensitive data in process listing


It is generally considered more secure to keep passwords in files, and never
to put them on the command line or in environment variables, because these
are publicly exposed in many flavors of UNIX. .netrc seems to be the most
appropriate way.

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/504423

Title:
  duplicity shows sensitive data in process listing

Status in Duplicity - Bandwidth Efficient Encrypted Backup:
  Confirmed

Bug description:
  If credentials are given in the command-line URL parameter, these show
  up in 'ps'.

  e.g.

  /usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key FD3846C2 --gpg-options= --exclude-globbing-filelist /root/.duply/bkp/exclude /backup/ ftp://<user>:<PASSWORT>@<backupserver>/backup

  The suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
  keep FTP_PASSWORD for the ftp backend only and for backward
  compatibility. The fact that FTP_PASSWORD can be used with nearly all
  backends is, as far as I know, not documented. Even so, duply 1.5.1.4+
  will use it until this bug is resolved.

  For the future, a config-file-based auth as mentioned in
  http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
  could make sense.

  .. ede

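The three points argued in the thread (a password in the URL argument is readable by any local user through ps, the .netrc route only helps if the file is private to its owner, and a URL that does carry a password should never reach a log line intact) as an added, runnable example. This is illustration code written for this page; it is not duplicity's or duply's own code, and the host name, login and password in it are constructed. The helper names (secret_visible_in_cmdline, credentials_from_netrc, netrc_roundtrip, redact_url) are hypothetical.

```python
"""Added example (not from the thread, not duplicity's or duply's code):
why a password on the command line leaks, how to take it from a
permission-checked .netrc file instead, and how to redact it from URLs
before logging. Host, login and password values are constructed."""
import netrc
import os
import stat
import subprocess
import sys
import tempfile
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def secret_visible_in_cmdline(secret: str) -> bool:
    """Start a child whose argv carries `secret` and check whether a different
    process (this one) can read it back, exactly as ps(1) does. On Linux the
    source is the world-readable /proc/<pid>/cmdline; elsewhere ps(1) itself."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)",
         f"ftp://user:{secret}@backupserver/backup"],   # constructed URL
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        try:
            with open(f"/proc/{child.pid}/cmdline", "rb") as f:
                return secret.encode() in f.read()
        except OSError:  # no procfs: ask ps(1) directly
            out = subprocess.run(["ps", "-o", "args=", "-p", str(child.pid)],
                                 capture_output=True, text=True).stdout
            return secret in out
    finally:
        child.kill()
        child.wait()


def credentials_from_netrc(host: str, path: Optional[str] = None
                           ) -> Optional[Tuple[str, str]]:
    """Return (login, password) for `host` from a .netrc file.

    The file must be private to its owner (mode 0600 or tighter), the rule
    ftp(1) enforces. Python's netrc module performs that check only for the
    default ~/.netrc, so it is repeated here for explicitly given paths."""
    path = path or os.path.expanduser("~/.netrc")
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    auth = netrc.netrc(path).authenticators(host)
    if auth is None:
        return None
    login, _account, password = auth
    return login, password or ""


def netrc_roundtrip(host: str, login: str, password: str):
    """Write a private .netrc in a temp dir, read it back, then loosen its mode
    and confirm the lookup is refused. Returns (credentials, refused_when_open)."""
    with tempfile.TemporaryDirectory() as d:
        rc = os.path.join(d, "netrc")
        with open(rc, "w") as f:  # constructed credentials for the demo
            f.write(f"machine {host} login {login} password {password}\n")
        os.chmod(rc, 0o600)
        creds = credentials_from_netrc(host, rc)
        os.chmod(rc, 0o644)
        try:
            credentials_from_netrc(host, rc)
            refused = False
        except PermissionError:
            refused = True
    return creds, refused


def redact_url(url: str) -> str:
    """Replace any password embedded in `url` with '***' so the URL can be
    logged or echoed. urlsplit lowercases host names; IPv6 literals are not
    re-bracketed here (assumption: plain host names or IPv4 addresses)."""
    p = urlsplit(url)
    if p.password is None:
        return url
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    netloc = f"{p.username or ''}:***@{host}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


if __name__ == "__main__":
    print("password readable from another process's cmdline:",
          secret_visible_in_cmdline("PASSWORT"))
    print("netrc read back, then refused once group/other-readable:",
          netrc_roundtrip("backupserver", "bkp", "s3cret"))
    print(redact_url("ftp://bkp:s3cret@backupserver/backup"))
```

Running it on Linux prints True for the first line: the child's full URL, password included, is readable by every local account, which is the ps exposure the bug reports. The .netrc path avoids that only if the mode check is kept; a 0644 .netrc is no better than the command line on a shared host.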

