duplicity-talk

Re: [Duplicity-talk] duply shows sensitive data in process listing / ftp


From: edgar . soldin
Subject: Re: [Duplicity-talk] duply shows sensitive data in process listing / ftp passwords are not escaped, duplicity crashes
Date: Thu, 28 Jan 2010 17:51:04 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1

This is filed as a bug under
https://bugs.launchpad.net/duplicity/+bug/504423

Generally, a possibility to read credentials from a file or file descriptor should be introduced. This is the only way not to rely on the security for environment vars of the operating system. Obviously there are operating systems that don't see env vars as private data (see ticket).

.. ede

On 28.01.2010 17:41, Evan Jeffrey wrote:
> If you memset the argv area, it changes the parameters displayed by ps,
> at least. I don't know if that information is available anywhere else.
> In any case, it isn't really a great solution. There is still a window
> of availability, and it isn't exactly hard to exploit if duplicity is
> invoked from cron at a known time.
>
> Evan
>
>
> Kenneth Loafman wrote:
>> address@hidden wrote:
>>> But what about the others? .. ede
>>
>> All of the protocols except S3 should take the password from the
>> environment variable FTP_PASSWORD, however, if the user specifies it in
>> the URL, I don't know a way to obscure it from ps and friends.
>>
>> ...Ken

------------------------------------------------------------------------

_______________________________________________
Duplicity-talk mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/duplicity-talk
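
The file-descriptor approach suggested in this message, contrasted with a password embedded in the URL, as an added example that is not duplicity or duply code. It assumes a POSIX host; `run_child`, `cmdline_of`, the child script, the URLs and the secret are hypothetical names and constructed values.

```python
import hashlib
import os
import subprocess
import sys

# Constructed child: reads the credential from the fd number in argv[1]
# and prints only its SHA-256 so the parent can confirm delivery.
CHILD = (
    "import hashlib, os, sys\n"
    "secret = os.fdopen(int(sys.argv[1]), 'rb').read()\n"
    "sys.stdout.write(hashlib.sha256(secret).hexdigest())\n"
)

def cmdline_of(pid, fallback_argv):
    """Return what ps would list for pid (/proc/<pid>/cmdline on Linux)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read()
    except OSError:
        # No procfs: fall back to the argv we passed, which is what ps shows.
        return b"\0".join(a.encode() for a in fallback_argv)

def run_child(secret, url):
    """Send secret over a pipe; return (cmdline seen by ps, child's digest)."""
    r, w = os.pipe()
    argv = [sys.executable, "-c", CHILD, str(r), url]  # fd number, not secret
    try:
        proc = subprocess.Popen(argv, pass_fds=(r,), stdout=subprocess.PIPE)
    except BaseException:
        os.close(w)
        raise
    finally:
        os.close(r)  # parent keeps only the write end
    # The child blocks on the empty pipe, so its argv can be inspected now.
    seen = cmdline_of(proc.pid, argv)
    with os.fdopen(w, "wb") as wf:
        wf.write(secret)  # closing the write end gives the child EOF
    out, _ = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError("child exited with %d" % proc.returncode)
    return seen, out.decode()

if __name__ == "__main__":
    secret = b"s3cr3t-constructed"  # constructed sample value
    for url in ("ftp://user:s3cr3t-constructed@backup.example/dir",
                "ftp://user@backup.example/dir"):
        seen, digest = run_child(secret, url)
        print(url, "-> secret visible in process listing:", secret in seen)
        assert digest == hashlib.sha256(secret).hexdigest()
```

Unlike overwriting argv after startup, the credential here is never part of the command line, so there is no window in which it can be listed.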


