[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] duply shows sensitive data in process listing

From: edgar . soldin
Subject: Re: [Duplicity-talk] duply shows sensitive data in process listing
Date: Wed, 06 Jan 2010 11:29:43 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091204 Thunderbird/3.0

cool hack, but still not 100 percent secure. I opt for URL_PASSWORD/URL_USERNAME (keeping FTP_PASSWORD for backward compatibility, but ftp only as documented) as a short term solution.

Regarding using configuration file I'd suggest a configuration per backend url so that different targets are possible. E.g.

duplicity /path1 ftp://myserver.de/backup1
duplicity /path2 ftp://myserver.de/backup2
duplicity /path3 sftp://myotherserver.de/backup3


# for all ftp://myserver.de/*

# special settings for this backup


easier to implement would sure be a --profile .duplicity/mybackup.conf option.

.. niceness ede

On 06.01.2010 03:51, Scott Hannahs wrote:
can't the application immediately copy the argv list to a temporary array and 
overwrite the command line arguments.  This way they do not show up in the 
process status command unless one gets a process status in the few milliseconds 
between launch and command line processing begins.


On Jan 5, 2010, at 2:52 PM, Kenneth Loafman wrote:

Yes to both.  I'm thinking something like URL_PASSWORD/URL_USERNAME
could be used, but we'd be better off doing away with environment vars
anyway, and use something like a .duplicity_rc file for the defaults and


address@hidden wrote:
I will modify duply accordingly. Still:

a) Wouldn't it make sense to do the same for the username?
b) Also, shouldn't the FTP_PASSWORD be made deprecated and a env var
called URL_PASSWORD or BACKEND_PASSWORD be introduced if the variable
works for all backends?

.. ede

On 04.01.2010 13:17, Kenneth Loafman wrote:
address@hidden wrote:
But what about the others? .. ede

All of the protocols except S3 should take the password from the
environment variable FTP_PASSWORD, however, if the user specifies it in
the URL, I don't know a way to obscure it from ps and friends.

Duplicity-talk mailing list

reply via email to

[Prev in Thread] Current Thread [Next in Thread]