deja-dup saves passphrase in /tmp

Bug #1814238 reported by Götz Waschk on 2019-02-01
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Déjà Dup
Medium
Unassigned
deja-dup (Ubuntu)
High
Unassigned
Nominated for Bionic by Vej

Bug Description

I have unchecked the "save passphrase" option in deja-dup, but still I have found the file /tmp/deja-dup-HXGLWZ that contains my passphrase in the clear.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: deja-dup 37.1-2fakesync1
ProcVersionSignature: Ubuntu 4.15.0-43.46-generic 4.15.18
Uname: Linux 4.15.0-43-generic x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 1 10:59:06 2019
SourcePackage: deja-dup
UpgradeStatus: No upgrade log present (probably fresh install)

Götz Waschk (goetz-waschk) wrote :
Michael Terry (mterry) wrote :

Thanks for the report! We should definitely fix this!

But I'm having trouble reproducing it. I tried backing up and restoring, didn't see any /tmp files. I also wasn't sure whether you mean the encryption passphrase or the password for a network server. So I did both. Still didn't see any /tmp files.

(This was all with 37.1-2fakesync1ubuntu0.1 on Ubuntu 18.04.)

Can you explain what the steps are for you to get to the point where we are storing the passphrase in /tmp in plaintext? Also, is the file you see world-readable? (Just trying to get a sense of the severity)

Changed in deja-dup (Ubuntu):
importance: Undecided → Critical
status: New → Incomplete
Michael Terry (mterry) wrote :

OK... there is at least one sequence that does this.

When you:
1. restore files to their original location and
2. some files in the backup are outside your $HOME and
3. you have no deja-dup cache files for the backup location (like on a fresh install)

In that case:
1. We write the encryption passphrase and/or network connection password to a file like /tmp/deja-dup-XXXXXX so that we can run duplicity as root using pkexec with those settings. (normally we pass those via environment variables, but pkexec strips those)
2. That file is only read/writable for the current user (mode 0600).
3. It is deleted when the restore is finished.

So, while not ideal, this doesn't strike me as a critical bug. Still though, we should consider ways to not do that.

Changed in deja-dup:
importance: Undecided → Medium
status: New → Triaged
Changed in deja-dup (Ubuntu):
importance: Critical → Undecided
status: Incomplete → New
Changed in deja-dup (Ubuntu):
importance: Undecided → High
Vej (vej) on 2019-02-04
Changed in deja-dup (Ubuntu):
status: New → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers