duplicity-team team mailing list archive

Thread
Date

Re: [Bug 504423] Re: duplicity shows sensitive data in process listing

To: duplicity-team@xxxxxxxxxxxxxxxxxxx
From: edso <504423@xxxxxxxxxxxxxxxxxx>
Date: Sat, 17 Nov 2012 22:18:48 -0000
Reply-to: Bug 504423 <504423@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

On 17.11.2012 22:47, Eugene Crosser wrote:
> Change as in comment #18 makes it work without asking the password.
> (Must use the URL in the form "ftps://host/path" and have the entry in .netrc for that host).
>

uploaded a branch
https://code.launchpad.net/~ed.so/duplicity/lftp.netrc
will probably end up in the next release..

thanks ede/duply.net

--
You received this bug notification because you are a member of
duplicity-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/504423

Title:
duplicity shows sensitive data in process listing

Status in Duplicity - Bandwidth Efficient Encrypted Backup:
Confirmed

Bug description:
If credentials are given in the command line url parameter these show
up in 'ps'

e.g.

/usr/bin/duplicity --verbosity 4 --encrypt-key FD3846C2 --sign-key
FD3846C2 --gpg-options= --exclude-globbing-filelist
/root/.duply/bkp/exclude /backup/
ftp://<user>:<PASSWORT>@<backupserver>/backup

suggestion is to introduce env vars URL_PASSWORD/URL_USERNAME and to
keep FTP_PASSWORD for ftp backend only and backward compatibility. The
fact that FTP_PASSWORD can be used with nearly all backend is afaik
not documented. Even so duply 1.5.1.4+ will use it until this bug is
resolved.

for the future a config file based auth as mentioned in
http://lists.gnu.org/archive/html/duplicity-talk/2010-01/msg00032.html
could make sense.

.. ede

To manage notifications about this bug go to:
https://bugs.launchpad.net/duplicity/+bug/504423/+subscriptions

References

[Bug 504423] [NEW] duplicity shows sensitive data in process listing
From: edso, 2010-01-07
[Bug 504423] Re: duplicity shows sensitive data in process listing
From: Eugene Crosser, 2012-11-17