[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] duply shows sensitive data in process listing

From: Scott Hannahs
Subject: Re: [Duplicity-talk] duply shows sensitive data in process listing
Date: Tue, 5 Jan 2010 21:51:54 -0500

can't the application immediately copy the argv list to a temporary array and 
overwrite the command line arguments.  This way they do not show up in the 
process status command unless one gets a process status in the few milliseconds 
between launch and command line processing begins.


On Jan 5, 2010, at 2:52 PM, Kenneth Loafman wrote:

> Yes to both.  I'm thinking something like URL_PASSWORD/URL_USERNAME
> could be used, but we'd be better off doing away with environment vars
> anyway, and use something like a .duplicity_rc file for the defaults and
> credentials.
> ...Ken
> address@hidden wrote:
>> I will modify duply accordingly. Still:
>> a) Wouldn't it make sense to do the same for the username?
>> b) Also, shouldn't the FTP_PASSWORD be made deprecated and a env var
>> called URL_PASSWORD or BACKEND_PASSWORD be introduced if the variable
>> works for all backends?
>> .. ede
>> On 04.01.2010 13:17, Kenneth Loafman wrote:
>>> address@hidden wrote:
>>>> But what about the others? .. ede
>>> All of the protocols except S3 should take the password from the
>>> environment variable FTP_PASSWORD, however, if the user specifies it in
>>> the URL, I don't know a way to obscure it from ps and friends.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]