
Re: [Duplicity-talk] duply shows sensitive data in process listing / ftp

From: Evan Jeffrey
Subject: Re: [Duplicity-talk] duply shows sensitive data in process listing / ftp passwords are not escaped, duplicity crashes
Date: Thu, 28 Jan 2010 17:41:25 +0100
User-agent: Thunderbird (X11/20090817)

If you memset the argv area, it changes the parameters displayed by ps, at least. I don't know if that information is available anywhere else. In any case, it isn't really a great solution. There is still a window of availability, and it isn't exactly hard to exploit if duplicity is invoked from cron at a known time.


Kenneth Loafman wrote:
> address@hidden wrote:
>> But what about the others? .. ede
>
> All of the protocols except S3 should take the password from the
> environment variable FTP_PASSWORD, however, if the user specifies it in
> the URL, I don't know a way to obscure it from ps and friends.
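
An added example, not part of the thread and not duplicity or duply code: a wrapper that builds the command line from a config file can move the password out of the target URL and into FTP_PASSWORD before it starts the child, so the secret never appears in argv and there is no window to close afterwards. The function names and the sample host and password are constructed; it assumes the backend honours FTP_PASSWORD as described in the quoted reply.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def strip_password(url):
    """Return (url_without_password, password), password is None if absent."""
    parts = urlsplit(url)
    # Split on the last '@' so an unescaped '@' inside the password survives.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    user, colon, secret = userinfo.partition(":")
    if not at or not colon:
        return url, None  # no user:password@ component in this URL
    clean = parts._replace(netloc=user + "@" + hostport)
    # Assumption: the userinfo part is percent-encoded as in RFC 3986.
    return urlunsplit(clean), unquote(secret)


def prepare(argv, env):
    """Return (argv, env) with any URL password moved into FTP_PASSWORD."""
    new_argv, new_env = [], dict(env)
    for arg in argv:
        scheme = arg.split("://", 1)[0] if "://" in arg else ""
        # The quoted reply names S3 as the exception, so s3 URLs are left alone.
        if scheme and not scheme.startswith("s3"):
            arg, secret = strip_password(arg)
            if secret is not None:
                # An FTP_PASSWORD already set by the caller is kept.
                new_env.setdefault("FTP_PASSWORD", secret)
        new_argv.append(arg)
    return new_argv, new_env


# Constructed sample command line, as a wrapper might assemble it from a config.
SAMPLE_ARGV = ["duplicity", "/home/user",
               "ftp://backup:s3cr%40t@ftp.example.org/store"]

if __name__ == "__main__":
    argv, env = prepare(SAMPLE_ARGV, {})
    print(argv)                    # what ps would show for the child
    print(sorted(env))             # variable names only, not the value
    # A real wrapper would now call subprocess.run(argv, env=env).
```

On Linux the child's environment is readable through /proc only by the same user and root, unlike the command line, which any local user can list.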


