duplicity-team team mailing list archive
Message #01425
[Bug 504423] Re: duplicity shows sensitive data in process listing
if you're willing to test it:
- locate duplicity/backends/ftpsbackend.py of your duplicity installation
- open with editor
- locate line ca. 83
    os.write(self.tempfile, "user %s %s\n" % (self.parsed_url.username, self.password))
- edit and add one line in front of it and indent the original line by 4 spaces
    if self.parsed_url.username:
        os.write(self.tempfile, "user %s %s\n" % (self.parsed_url.username, self.password))
does it work?
.. ede/duply.net
https://bugs.launchpad.net/bugs/504423
Title:
duplicity shows sensitive data in process listing
Status in Duplicity - Bandwidth Efficient Encrypted Backup:
Confirmed
Bug description:
If credentials are given in the command line url parameter these show
up in 'ps'
e.g.
    /usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key FD3846C2 --gpg-options= --exclude-globbing-filelist /root/.duply/bkp/exclude /backup/ ftp://<user>:<PASSWORT>@<backupserver>/backup
suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
keep FTP_PASSWORD for ftp backend only and backward compatibility. The
fact that FTP_PASSWORD can be used with nearly all backends is afaik
not documented. Even so duply 1.5.1.4+ will use it until this bug is
resolved.
for the future a config file based auth as mentioned in
http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
could make sense.
.. ede
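
Added example, not part of the original messages or of duplicity's code: it strips the password from a backend URL before the URL reaches argv or a log, takes the password from FTP_PASSWORD instead, and audits Linux /proc for command lines that still carry one. The function names are hypothetical, and letting the environment variable win over the URL is this example's assumption.

```python
import os
from urllib.parse import urlsplit, urlunsplit

def strip_password(url):
    """Return (url_without_password, password or None)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # not a parseable URL: nothing to strip
        return url, None
    userinfo, at, hostport = parts.netloc.rpartition("@")
    user, colon, password = userinfo.partition(":")
    if not (at and colon and password):
        return url, None
    netloc = (user + "@" if user else "") + hostport
    return urlunsplit(parts._replace(netloc=netloc)), password

def credentials_for(url, environ=None):
    """Password for a backend URL: FTP_PASSWORD wins, the URL is the fallback.

    Returns (url safe to place on argv or in logs, password or None).
    """
    environ = os.environ if environ is None else environ
    clean_url, url_password = strip_password(url)
    return clean_url, environ.get("FTP_PASSWORD", url_password)

def exposed_args(argv):
    """Arguments of one command line that embed a password in a URL."""
    return [a for a in argv if "://" in a and strip_password(a)[1]]

def scan_proc(proc="/proc"):
    """Return {pid: redacted argv} for processes whose argv leaks a password."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                raw = f.read().decode(errors="replace")
        except OSError:         # process exited, or not readable
            continue
        argv = raw.rstrip("\0").split("\0")
        if exposed_args(argv):
            # Report the redacted form so the audit output leaks nothing.
            found[int(pid)] = [strip_password(a)[0] for a in argv]
    return found

if __name__ == "__main__":
    for pid, argv in scan_proc().items():
        print(pid, " ".join(argv))
```
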