[Duplicity-tracker] [bug #22298] do not pass passwords in the environment

From: Tom
Subject: [Duplicity-tracker] [bug #22298] do not pass passwords in the environment
Date: Tue, 12 Feb 2008 22:32:20 +0000


                 Summary: do not pass passwords in the environment
                 Project: duplicity
            Submitted by: tomonnongnu
            Submitted on: Tuesday 02/12/2008 at 22:32
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any



Duplicity permits passwords to be passed in the environment, as in:

export PASSPHRASE=SomeLongGeneratedHardToCrackKey
export FTP_PASSWORD=WhateverPasswordYouSetUp

Traditionally, the environment of a process is publicly visible in UNIX.
Current versions of Linux appear to make this information inaccessible, but it
is generally not secure to put sensitive information in the environment.  If
passwords need to be passed to a program in plain text, they should either be
piped, passed via a terminal (e.g., expect), or passed via a file.  It would
be best if any program handling passwords did not even have the option of
passing them in via the environment.


  Message sent via/by Savannah
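
The alternatives named in the report (a file, or a pipe) can be sketched as follows. This is an added example, not part of the original report and not duplicity's own code; the function names, the 0600 file-mode policy and the stand-in child program are assumptions made for illustration.

```python
import os
import stat
import subprocess
import sys

SENSITIVE_VARS = ("PASSPHRASE", "FTP_PASSWORD")  # variable names from the report


def read_secret_file(path):
    """Hypothetical helper: read a secret from a file only the owner can access."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)  # check the opened descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: not owned by the current user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other access set, expected 0600")
        return os.read(fd, 4096).decode().rstrip("\n")
    finally:
        os.close(fd)


def scrubbed_env(env=None):
    """Copy of the environment with the sensitive variables removed."""
    env = dict(os.environ if env is None else env)
    for name in SENSITIVE_VARS:
        env.pop(name, None)
    return env


def run_with_piped_secret(argv, secret):
    """Run argv, handing it the secret on stdin rather than in its environment."""
    return subprocess.run(argv, input=secret + "\n", env=scrubbed_env(),
                          capture_output=True, text=True, check=True)


# Constructed stand-in for a program that reads its passphrase from stdin and
# reports the secret's length and whether PASSPHRASE is in its environment.
CHILD = [sys.executable, "-c",
         "import os, sys; s = sys.stdin.readline().strip(); "
         "print(len(s), 'PASSPHRASE' in os.environ)"]

if __name__ == "__main__":
    # Usage: python example.py /path/to/passphrase-file
    print(run_with_piped_secret(CHILD, read_secret_file(sys.argv[1])).stdout)
```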
