Display password in cleartext

Bug #113864 reported by Alessandro Tanasi
Affects: sbackup (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

Binary package hint: sbackup

A good feature would be to not display the password in text but to fill it with ****.

Revision history for this message
Christopher Barrington-Leigh (cpbl) wrote :

This is a significant security issue: when the target directory is on a remote site via ssh, not only is the remote password stored in plain text in the config file (maybe that's okay), it is emailed (to root, which under a standard Ubuntu installation is then forwarded on to some major user) upon every successful backup. This email could be forwarded on to someone's non-local email address, or seen by other users, etc. Not conventionally acceptable!

This should be an easy fix: replace the password with **** in all email notifications.

Changed in sbackup:
status: Unconfirmed → Confirmed
Revision history for this message
Oumar Aziz OUATTARA (wattazoum) wrote :

Hi, Christopher.

Just to let you know, the problem here is that sbackup is using GnomeVFS, and Gnome VFS uses URIs like this (ssh://usr:pass@host/dir). So the only way we have to hide the password is to hide it in a logger (which sbackup doesn't have for now; I am working on the next version, which should have one). So if there are some errors that we didn't expect and didn't think of logging, then the exception will pass the logger and the URI will be in the clear.

So the fix isn't easy at all (if we keep using GnomeVFS).

Revision history for this message
Oumar Aziz OUATTARA (wattazoum) wrote :

Hmm, one other thing: you're speaking about emails that sbackup sends. I don't remember it having this feature yet. If it's a home-made solution then IMHO it is there that you should conceal the password.

Revision history for this message
Aigars Mahinovs (aigarius) wrote :

I think Christopher means the error/warning/info messages that sbackupd.py or upgrade-backups.py print sometimes. Some of these messages contain full URLs of the files or folders in question and that would include the password for remote configurations.

Revision history for this message
Oumar Aziz OUATTARA (wattazoum) wrote : Re: [Bug 113864] Re: Display password in cleartext

Those ones are handleable, as we can process the message, but stack traces when there is a crash won't be. Anyway, I don't think I'll work on that one, since the problem will not happen in the next version (using Fuse). If there is a hurry, Aigars might be able to release a fix (basically it is about getting the right regex to match those URIs and conceal the password; it shouldn't be very difficult).
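
The regex-based concealment sketched in this comment, as an added example that is not sbackup's own code: a pattern that masks the password in user:pass@host URIs, wrapped in a logging.Formatter so that the fully rendered line, including any attached traceback, is redacted (this goes a step beyond the comment, since it also covers the stack-trace case for exceptions that are logged rather than left uncaught). The logger name, host and credential are constructed placeholders.

```python
import io
import logging
import re

# Matches "scheme://user:password@" and captures the password. The password
# may not contain '@', '/' or whitespace, which keeps the match inside the
# URI authority; a URI with no ':' after the user name does not match at all.
_URI_PASSWORD_RE = re.compile(
    r"(?P<prefix>[a-z][a-z0-9+.-]*://[^/\s:@]+:)(?P<password>[^@/\s]+)@",
    re.IGNORECASE,
)


def conceal_password(text: str, mask: str = "****") -> str:
    """Replace the password in every user:pass@host URI found in text."""
    return _URI_PASSWORD_RE.sub(lambda m: m.group("prefix") + mask + "@", text)


class ConcealingFormatter(logging.Formatter):
    """Redacts the final rendered record, so the message, its interpolated
    arguments and any traceback text appended by the base class are covered."""

    def format(self, record: logging.LogRecord) -> str:
        return conceal_password(super().format(record))


def demo_log_output() -> str:
    """Log an info line and a logged exception that both carry a URI with a
    password; return exactly what reached the stream (a constructed demo)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(ConcealingFormatter("%(levelname)s: %(message)s"))
    log = logging.getLogger("sbackup.demo")  # hypothetical logger name
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)
    # Constructed sample target: no real host or credential.
    target = "ssh://backup:s3cret@backup.example.invalid/var/backups"
    log.info("Backing up to %s", target)
    try:
        raise IOError("cannot open " + target)
    except IOError:
        log.exception("backup failed")  # traceback text is redacted too
    return stream.getvalue()
```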

Revision history for this message
Jean-Peer Lorenz (peer.loz) wrote :

This should be fixed in sbackup series 0.11.4 and newer. Please feel free to re-open the issue if you want to comment or if the issue is still valid. Thanks.

Changed in sbackup (Ubuntu):
status: Confirmed → Fix Released