
Use pipe to pass password to borg

Open steelman opened this issue 4 years ago • 9 comments

Depending on system configuration, environment variables of a process may be readable by other processes. A password passed through a pipe is not visible to other processes.

steelman avatar Jun 01 '21 11:06 steelman

Which problem will this solve? We actually want to pass this password to Borg only.

It also adds a good bit of complexity to the code. So there would need to be a strong reason to make this change.

m3nu avatar Jun 01 '21 14:06 m3nu

In Linux the environment (and the command line) of every process is available in its directory under /proc. Passing a password via an environment variable (as well as via a command-line option) exposes the password. That is why e.g. GnuPG uses the fd interface and why I taught borg this trick. Of course /proc/PID/environ isn't world-readable, but in the default configuration it is still available for reading by other processes of the same user.

steelman avatar Jun 01 '21 15:06 steelman
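
The exposure described in the comment above and the pipe alternative, as an added example (not part of the thread or of the proposed patch): on a POSIX system, a parent hands a passphrase to a child either through `BORG_PASSPHRASE` or through a pipe named by `BORG_PASSPHRASE_FD`, then checks the child's `/proc/PID/environ`. The child is a constructed Python stand-in for borg, and `launch` and the sample passphrase are hypothetical names.

```python
import hashlib
import os
import subprocess
import sys

# Constructed stand-in for borg: reads the passphrase from the descriptor named
# in BORG_PASSPHRASE_FD if set, otherwise from BORG_PASSPHRASE, prints its
# SHA-256 as proof of receipt, then idles until the parent closes stdin.
CHILD = """
import hashlib, os, sys
fd = os.environ.get("BORG_PASSPHRASE_FD")
if fd is not None:
    with os.fdopen(int(fd), "rb") as f:
        secret = f.read()
else:
    secret = os.environ["BORG_PASSPHRASE"].encode()
print(hashlib.sha256(secret).hexdigest(), flush=True)
sys.stdin.read()
"""

def launch(secret: bytes, use_fd: bool):
    """Return (child_received_secret, secret_in_proc_environ or None)."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("BORG_PASS")}
    pass_fds = ()
    if use_fd:
        r, w = os.pipe()
        env["BORG_PASSPHRASE_FD"] = str(r)   # only the fd number is in the environment
        pass_fds = (r,)                      # child inherits the read end, not the write end
    else:
        env["BORG_PASSPHRASE"] = secret.decode()
    proc = subprocess.Popen([sys.executable, "-c", CHILD], env=env, pass_fds=pass_fds,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    if use_fd:
        os.close(r)
        os.write(w, secret)
        os.close(w)                          # EOF marks the end of the passphrase
    digest = proc.stdout.readline().decode().strip()
    try:  # what another process of the same user could read while the child runs
        with open(f"/proc/{proc.pid}/environ", "rb") as f:
            visible = secret in f.read()
    except OSError:
        visible = None                       # no procfs on this platform
    proc.communicate()                       # closes stdin, lets the child exit
    return digest == hashlib.sha256(secret).hexdigest(), visible

if __name__ == "__main__":
    demo = b"constructed-demo-passphrase"    # constructed sample value
    print("env :", launch(demo, use_fd=False))
    print("pipe:", launch(demo, use_fd=True))
```

The second element of the result is `None` on systems without procfs, where this check cannot be made.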

BTW, I have tested this patch only on Linux. I expect it to work properly on macOS, but I've got no proof. Please make sure it works fine before merging.

steelman avatar Jun 01 '21 15:06 steelman

I see the issue, appreciate the contribution and understand the security concern, even if it's minor. Concrete reservations I have:

  • Adds a good chunk of new code that new contributors will need to understand before making any changes. The current mechanism is easier to understand.
  • Support for BORG_PASSPHRASE_FD was only added in Borg 1.1.8. We generally support >=1.1.0, so this will also need a version check for older Borg versions and both methods implemented.
  • Will this FD trick work on macOS and Windows reliably?
  • All tests are failing after this change. AttributeError: 'BorgListRepoThread' object has no attribute 'pipe_read'

m3nu avatar Jun 01 '21 15:06 m3nu

> Adds a good chunk of new code that new contributors will need to understand before making any changes. The current mechanism is easier to understand.

That is a matter of judgement and of course it is up to you to decide.

> Support for BORG_PASSPHRASE_FD was only added in Borg 1.1.8. We generally support >=1.1.0, so this will also need a version check for older Borg versions and both methods implemented.

Fair point. I'll see what I can do.

> Will this FD trick work on macOS and Windows reliably?

As I wrote above, I expect it to work on macOS. I can check Windows. I'll write some short testing code and put it here.

> All tests are failing

Fixed, pushed.

steelman avatar Jun 01 '21 15:06 steelman

Are you still working on this @steelman?

real-yfprojects avatar Mar 20 '22 09:03 real-yfprojects

I agree that this needs thorough platform testing.

About minimum borg requirement being borg 1.1.8:

There was a major bugfix in 1.1.11 that fixed a hashtable issue, see also the advisory at top of the change log.

Thus, nobody should use anything older than 1.1.11 nowadays (only exception being patched/fixed versions like e.g. 1.1.9 in Debian or Ubuntu).

ThomasWaldmann avatar Mar 04 '23 12:03 ThomasWaldmann

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Jul 19 '23 06:07 stale[bot]

I'll revisit it.

steelman avatar Aug 13 '23 19:08 steelman