duplicity-team team mailing list archive

Thread
Date

[Bug 504423] Re: duplicity shows sensitive data in process listing

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: Eugene Crosser <504423@xxxxxxxxxxxxxxxxxx>
Date: Fri, 08 Jun 2012 11:33:51 -0000
Reply-to: Bug 504423 <504423@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Right now, duplicity (0.6.19) insists on asking the password if it was
not specified in the URL or FTP_PASSWORD environment variable, even if
lftp (which I use) is happy with the data present in .netrc.

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/504423

Title:
  duplicity shows sensitive data in process listing

Status in Duplicity - Bandwidth Efficient Encrypted Backup:
  Confirmed

Bug description:
  If credentials are given in the command line url parameter these show
  up in 'ps'

  e.g.

  /usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key
  FD3846C2 --gpg-options= --exclude-globbing-filelist
  /root/.duply/bkp/exclude /backup/
  ftp://<user>:<PASSWORT>@<backupserver>/backup

  suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
  keep FTP_PASSWORD for ftp backend only and backward compatibility. The
  fact that FTP_PASSWORD can be used with nearly all backend is afaik
  not documented. Even so duply 1.5.1.4+ will use it until this bug is
  resolved.

  for the future a config file based auth as mentioned in
  http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
  could make sense.

  .. ede

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/504423/+subscriptions

Follow ups

Re: [Bug 504423] Re: duplicity shows sensitive data in process listing
From: edso, 2012-06-08

References

[Bug 504423] [NEW] duplicity shows sensitive data in process listing
From: edso, 2010-01-07