| author | intrigeri <intrigeri@boum.org> | 2005-08-20 15:37:57 +0000 | 
|---|---|---|
| committer | intrigeri <intrigeri@boum.org> | 2005-08-20 15:37:57 +0000 | 
| commit | 6b6154879b591c79750b329f3ecce9a074de5cb3 (patch) | |
| tree | 31d53c48c1d172bb423d7ce9f4420a2a730fb133 | |
| parent | bfe530dc59b9cec4a0cbdfdaafb5addb0e4484b2 (diff) | |
Security fix: duplicity handler used to put the gpg passphrase on the command line.
| -rw-r--r-- | etc/backup.d/example.dup | 3 | ||||
| -rw-r--r-- | handlers/dup | 10 | 
2 files changed, 7 insertions, 6 deletions
diff --git a/etc/backup.d/example.dup b/etc/backup.d/example.dup
index 37ca92e..cd64dd5 100644
--- a/etc/backup.d/example.dup
+++ b/etc/backup.d/example.dup
@@ -15,7 +15,8 @@ nicelevel = 19
 [gpg]
 # passphrase needed to unlock the GnuPG key
-password = "a_very_complicated_passphrase"
+# NB: do not quote it, and it should not contain any quote
+password = a_very_complicated_passphrase
 # default is no, for backward compatibility with backupninja <= 0.5.
 # when set to yes, encryptkey option must be set below.
diff --git a/handlers/dup b/handlers/dup
index 22f915f..176ac3e 100644
--- a/handlers/dup
+++ b/handlers/dup
@@ -131,17 +131,17 @@ execstr=${execstr//\\*/\\\\\\*}
 debug "duplicity $execstr --exclude '**' / $execstr_serverpart"
 if [ ! $test ]; then
+        export PASSPHRASE=$password
 	output=`nice -n $nicelevel \
                   su -c \
-                    "export PASSPHRASE=$password \
-                     && duplicity $execstr --exclude '**' / $execstr_serverpart 2>&1"`
+                    "duplicity $execstr --exclude '**' / $execstr_serverpart 2>&1"`
 	code=$?
-	if [ "$code" == "0" ]; then
+	if [ $code -eq 0 ]; then
 		debug $output
 		info "Duplicity finished successfully."
 	else
-		warning $output
-		warning "Duplicity failed."
+		debug $output
+		fatal "Duplicity failed."
 	fi
 fi	  | 
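Review bot: The `export PASSPHRASE=$password` added in handlers/dup leaves the passphrase in the handler's environment for every command that runs after duplicity, not only for the duplicity call; add `unset PASSPHRASE` right after `code=$?`, and write the assignment as `export PASSPHRASE="$password"` so the value is taken literally. Moving the secret off the `su -c` command line keeps it out of process listings, but a process environment can still be read by root and by the owning user, so the file that holds `password` should stay readable by root only. In the failure branch the duplicity output is now logged with `debug $output`, so at normal log levels presumably only "Duplicity failed." is reported; consider keeping `warning "$output"` before the `fatal` line so the cause of a failed backup is visible. The handler script begins before this hunk, so where `password` is read and checked cannot be seen here.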
