OK... there is at least one sequence that does this.

When you:
1. restore files to their original location and
2. some files in the backup are outside your $HOME and
3. you have no deja-dup cache files for the backup location (like on a fresh install)

In that case:
1. We write the encryption passphrase and/or network connection password to a
file like /tmp/deja-dup-XXXXXX so that we can run duplicity as root using
pkexec with those settings. (Normally we pass those via environment variables,
but pkexec strips those.)
2. That file is only read/writable for the current user (mode 0600).
3. It is deleted when the restore is finished.

So, while not ideal, this doesn't strike me as a critical bug. Still
though, we should consider ways to not do that.

** Changed in: deja-dup
   Importance: Undecided => Medium

** Changed in: deja-dup
       Status: New => Triaged

** Changed in: deja-dup (Ubuntu)
   Importance: Critical => Undecided

** Changed in: deja-dup (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to deja-dup in Ubuntu.
https://bugs.launchpad.net/bugs/1814238

Title:
  deja-dup saves passphrase in /tmp

Status in Déjà Dup:
  Triaged
Status in deja-dup package in Ubuntu:
  New

Bug description:
  I have unchecked the "save passphrase" option in deja-dup, but still I
  have found the file /tmp/deja-dup-HXGLWZ that contains my passphrase
  in the clear.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: deja-dup 37.1-2fakesync1
  ProcVersionSignature: Ubuntu 4.15.0-43.46-generic 4.15.18
  Uname: Linux 4.15.0-43-generic x86_64
  NonfreeKernelModules: openafs
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb  1 10:59:06 2019
  SourcePackage: deja-dup
  UpgradeStatus: No upgrade log present (probably fresh install)
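
An added example, not part of the bug report or of deja-dup: a Python audit for files shaped like the /tmp/deja-dup-XXXXXX file described above, flagging any that are not restricted to mode 0600 or that have outlived a restore. The names `audit` and `demo`, the one-hour `max_age` threshold, and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import os
import stat
import tempfile
import time

# Name shape taken from the report: /tmp/deja-dup-XXXXXX (six-character suffix).
PATTERN = "deja-dup-??????"

def audit(directory="/tmp", max_age=3600, now=None):
    """List files shaped like deja-dup's temporary settings file, with issues.

    max_age (seconds) is an assumed heuristic: the file should be deleted when
    the restore finishes, so an old one suggests the cleanup never ran.
    """
    now = time.time() if now is None else now
    findings = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not fnmatch.fnmatchcase(entry.name, PATTERN):
                continue
            st = entry.stat(follow_symlinks=False)  # judge the entry, not a link target
            issues = []
            if not stat.S_ISREG(st.st_mode):
                issues.append("not a regular file")
            if stat.S_IMODE(st.st_mode) & 0o077:     # any bit beyond owner rw(x)
                issues.append("group/other access")
            if now - st.st_mtime > max_age:
                issues.append("stale")
            findings.append({"path": entry.path, "uid": st.st_uid,
                             "mode": oct(stat.S_IMODE(st.st_mode)), "issues": issues})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Run the audit over constructed sample files in a scratch directory."""
    samples = [("deja-dup-AAAAAA", 0o600, 10),     # expected state during a restore
               ("deja-dup-BBBBBB", 0o644, 10),     # too permissive
               ("deja-dup-CCCCCC", 0o600, 7200),   # left behind
               ("unrelated.txt", 0o644, 7200)]     # ignored: name does not match
    with tempfile.TemporaryDirectory() as scratch:
        now = time.time()
        for name, mode, age in samples:
            path = os.path.join(scratch, name)
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            os.chmod(path, mode)
            os.utime(path, (now - age, now - age))
        return {os.path.basename(f["path"]): f["issues"] for f in audit(scratch, now=now)}

if __name__ == "__main__":
    for name, issues in demo().items():
        print(name, issues or "ok")
```

A match with no issues still holds a secret for as long as it exists, so the audit lists it rather than hiding it.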
