deja-dup saves passphrase in /tmp

Bug #1814238 reported by Götz Waschk
This bug affects 1 person
Affects: Déjà Dup | Status: Fix Released | Importance: Medium | Assigned to: Unassigned
Affects: deja-dup (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned
Nominated for Bionic by Vej

Bug Description

I have unchecked the "save passphrase" option in deja-dup, but still I have found the file /tmp/deja-dup-HXGLWZ that contains my passphrase in the clear.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: deja-dup 37.1-2fakesync1
ProcVersionSignature: Ubuntu 4.15.0-43.46-generic 4.15.18
Uname: Linux 4.15.0-43-generic x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 1 10:59:06 2019
SourcePackage: deja-dup
UpgradeStatus: No upgrade log present (probably fresh install)

Michael Terry (mterry) wrote :

Thanks for the report! We should definitely fix this!

But I'm having trouble reproducing it. I tried backing up and restoring, didn't see any /tmp files. I also wasn't sure whether you mean the encryption passphrase or the password for a network server. So I did both. Still didn't see any /tmp files.

(This was all with 37.1-2fakesync1ubuntu0.1 on Ubuntu 18.04.)

Can you explain what the steps are for you to get to the point where we are storing the passphrase in /tmp in plaintext? Also, is the file you see world-readable? (Just trying to get a sense of the severity)

Changed in deja-dup (Ubuntu):
importance: Undecided → Critical
status: New → Incomplete
Michael Terry (mterry) wrote :

OK... there is at least one sequence that does this.

When you:
1. restore files to their original location and
2. some files in the backup are outside your $HOME and
3. you have no deja-dup cache files for the backup location (like on a fresh install)

In that case:
1. We write the encryption passphrase and/or network connection password to a file like /tmp/deja-dup-XXXXXX so that we can run duplicity as root using pkexec with those settings. (Normally we pass those via environment variables, but pkexec strips those.)
2. That file is only read/writable for the current user (mode 0600).
3. It is deleted when the restore is finished.

So, while not ideal, this doesn't strike me as a critical bug. Still though, we should consider ways to not do that.

Changed in deja-dup:
importance: Undecided → Medium
status: New → Triaged
Changed in deja-dup (Ubuntu):
importance: Critical → Undecided
status: Incomplete → New
Changed in deja-dup (Ubuntu):
importance: Undecided → High
Vej (vej)
Changed in deja-dup (Ubuntu):
status: New → Triaged
Michael Terry (mterry)
Changed in deja-dup:
status: Triaged → Fix Committed
Changed in deja-dup (Ubuntu):
status: Triaged → Fix Committed
Michael Terry (mterry)
Changed in deja-dup:
status: Fix Committed → Fix Released
Michael Terry (mterry)
Changed in deja-dup (Ubuntu):
status: Fix Committed → Fix Released
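
The thread above describes a secrets file named like /tmp/deja-dup-XXXXXX that should be mode 0600 and should be deleted once the restore finishes. The following audit for leftover files of that kind is an added example, not code from deja-dup or from this report; the function name `audit_tmp` and the glob in `PATTERN` are assumptions derived from the file names quoted in the report.

```python
import fnmatch
import os
import stat

# Assumed glob for the mkstemp-style names quoted in the report,
# e.g. /tmp/deja-dup-HXGLWZ (six trailing characters).
PATTERN = "deja-dup-??????"


def audit_tmp(tmp_dir="/tmp", uid=None):
    """Return (path, mode, problems) for each matching file in tmp_dir.

    lstat() is used so that a symlink planted under a matching name is
    reported as such instead of being followed.
    """
    uid = os.getuid() if uid is None else uid
    findings = []
    for name in sorted(os.listdir(tmp_dir)):
        if not fnmatch.fnmatchcase(name, PATTERN):
            continue
        path = os.path.join(tmp_dir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # removed between listdir() and lstat(): restore finished
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("accessible to group/other")
        if st.st_uid != uid:
            problems.append("owned by uid %d" % st.st_uid)
        # Every match is reported, even with no problems: the file is only
        # expected to exist while a restore is running.
        findings.append((path, oct(stat.S_IMODE(st.st_mode)), problems))
    return findings


if __name__ == "__main__":
    for path, mode, problems in audit_tmp():
        note = "; ".join(problems) or "owner-only, but should be gone after restore"
        print(f"{path} mode={mode}: {note}")
```

A match with an empty problem list still deserves attention when no restore is in progress, since it means the cleanup step did not run.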