[Duplicity-tracker] [bug #22298] do not pass passwords in the environment

From: Tom
Subject: [Duplicity-tracker] [bug #22298] do not pass passwords in the environment
Date: Tue, 12 Feb 2008 22:32:20 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.12) Gecko/20080207 Epiphany/2.20 Firefox/2.0.0.12

URL: <http://savannah.nongnu.org/bugs/?22298>
Summary: do not pass passwords in the environment
Project: duplicity
Submitted by: tomonnongnu
Submitted on: Tuesday 02/12/2008 at 22:32
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Duplicity permits passwords to be passed in the environment, as in:

  export PASSPHRASE=SomeLongGeneratedHardToCrackKey
  export FTP_PASSWORD=WhateverPasswordYouSetUp

Traditionally, the environment of a process is publicly visible in UNIX.
Current versions of Linux appear to make this information inaccessible, but it
is generally not secure to put sensitive information in the environment. If
passwords need to be passed to a program in plain text, they should either be
piped, passed via a terminal (e.g., expect), or passed via a file. It would
be best if any program handling passwords did not even have the option of
passing them in via the environment.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?22298>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
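
The pipe and file alternatives named in the report, sketched as an added Python example; it is not duplicity's code and not part of the original message. It assumes a POSIX system, and the names read_secret_fd, read_secret_file and InsecureSecretFile are hypothetical.

```python
import os
import stat

# Hypothetical helper names for illustration; not duplicity's API.
class InsecureSecretFile(Exception):
    """Raised when the passphrase file could be read by someone else."""


def read_secret_fd(fd):
    """Read one passphrase from an open descriptor (pipe or file) until EOF."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    # Strip only the trailing newline that echo or an editor appends.
    return b"".join(chunks).rstrip(b"\r\n")


def read_secret_file(path):
    """Read a passphrase from a file, refusing unsafe ownership or modes."""
    # O_NOFOLLOW: refuse a symlink planted at the final path component.
    # O_NONBLOCK: do not hang in open() if the path turns out to be a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat the descriptor already opened, so the checks and the read
        # refer to the same inode (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile("%s is not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise InsecureSecretFile("%s is not owned by this user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretFile("%s is open to group or others" % path)
        return read_secret_fd(fd)
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed demo: the passphrase travels through a pipe and is read
    # from the descriptor; nothing is placed in os.environ.
    r, w = os.pipe()
    os.write(w, b"constructed-demo-passphrase\n")
    os.close(w)
    print(len(read_secret_fd(r)), "bytes read from pipe")
    os.close(r)
```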