
duplicity-team team mailing list archive

[Bug 504423] Re: duplicity shows sensitive data in process listing

 

edso:
I have .netrc, and when I run lftp directly it works without asking for the password.

When I unset FTP_PASSWORD and run duplicity, duplicity asks for the
password.

When I set FTP_PASSWORD="" and run duplicity, duplicity does not ask for
the password, but lftp does! This is because lftp "forgets" all about
.netrc at the moment when it's given the "user" command. Which is
included in the batch that is given by duplicity to lftp in the -c
option. I also noticed that if the username is not included in the
duplicity url, the username given to lftp is the literal string "None"
which looks rather wrong.

I could suggest, when username is not specified in the duplicity URL, to
*not* include the "user" command into the batch. This should make lftp
magically work if you have correct .netrc.

-- 
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/504423

Title:
  duplicity shows sensitive data in process listing

Status in Duplicity - Bandwidth Efficient Encrypted Backup:
  Confirmed

Bug description:
  If credentials are given in the command line url parameter these show
  up in 'ps'

  e.g.

  /usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key
  FD3846C2 --gpg-options= --exclude-globbing-filelist
  /root/.duply/bkp/exclude /backup/
  ftp://<user>:<PASSWORT>@<backupserver>/backup

  suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
  keep FTP_PASSWORD for ftp backend only and backward compatibility. The
  fact that FTP_PASSWORD can be used with nearly all backends is afaik
  not documented. Even so duply 1.5.1.4+ will use it until this bug is
  resolved.

  for the future a config file based auth as mentioned in
  http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
  could make sense.

  .. ede
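
The two points raised in this thread, as an added example (not duplicity's or duply's code): URL credentials are moved out of the argument list into environment variables, and the lftp batch leaves out the `user` command when no username is known. `URL_USERNAME`/`URL_PASSWORD` are only the names proposed in the bug description; the helper names and the `backup.example` host are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

def strip_credentials(url):
    """Return (url_without_userinfo, username_or_None, password_or_None)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[%s]" % host
    if parts.port is not None:
        host += ":%d" % parts.port
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    user = None if parts.username is None else unquote(parts.username)
    password = None if parts.password is None else unquote(parts.password)
    return clean, user, password

def argv_leaks_password(argv):
    """True if any argument is a URL with a password in its userinfo part."""
    return any("://" in a and urlsplit(a).password is not None for a in argv)

def to_safe_invocation(argv, environ):
    """Move URL credentials from argv into a copy of the environment."""
    env, safe = dict(environ), []
    for arg in argv:
        if "://" in arg:
            arg, user, password = strip_credentials(arg)
            if user is not None:
                env["URL_USERNAME"] = user      # proposed name, see bug description
            if password is not None:
                env["URL_PASSWORD"] = password  # proposed name, see bug description
        safe.append(arg)
    return safe, env

def lftp_batch(host, username=None):
    """lftp command batch; no 'user' command without a username, so that
    lftp's own .netrc lookup is not overridden (and never 'user None')."""
    commands = ["open %s" % host]
    if username is not None:
        commands.append("user %s" % username)
    return "; ".join(commands)

# Constructed sample invocation, modelled on the one in the bug description.
SAMPLE_ARGV = ["duplicity", "/backup/", "ftp://alice:s3cr3t@backup.example/backup"]

if __name__ == "__main__":
    safe_argv, env = to_safe_invocation(SAMPLE_ARGV, {})
    print(argv_leaks_password(SAMPLE_ARGV), argv_leaks_password(safe_argv))
    print(safe_argv, sorted(env))
    print(lftp_batch("backup.example"))
```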
