#2191 Issue closed: BORG_PASSPHRASE expands variables inside passphrase

Labels: enhancement, documentation, fixed / solved / done

gaia opened issue at 2019-07-21 17:56:

  • Relax-and-Recover 2.4 / Git (installed via apt)

  • Debian 10

  • BareMetal

  • x86_64

  • UEFI + GRUB

  • Root on mdadm, NVME disk attached, rear on USB flash drive:

  • BORG_PASSPHRASE will expand the variable if it contains for example $1 inside the passphrase.

  • Workaround: change the passphrase

export BORG_PASSPHRASE="S3cr37_P4$1w0rD" will pass a different password to borg, so the backup can't be opened until you do rear dump to see what the variable was expanded to.

Either warn users against having $ in the passphrase, or use proper shell escaping so that the variable does not expand.

gozora commented at 2019-07-21 18:31:

Hello @gaia,

I'd say that such behavior is somehow expected in bash.
As far as I know, ReaR does not contain any code that deals with BORG_PASSPHRASE as such, since BORG_PASSPHRASE is an environment variable of Borg, so we really can't do any "proper shell escaping".
Change in quoting is all that is necessary here, hence export BORG_PASSPHRASE='S3cr37_P4$1w0rD' should do the trick.
Documentation related to Borg as ReaR back-end indeed contains double quotes when mentioning BORG_PASSPHRASE, so I'll open a PR to fix this, and maybe include some meaningful comments like for SSH_ROOT_PASSWORD in default.conf.

Thanks for reporting!

V.
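
The quoting difference discussed above, as an added example that is not part of the original thread or of ReaR: three functions show what the shell stores for each quoting style when $1 is unset (an assumption about the calling context), and a hypothetical helper, find_expanding_assignments, flags double-quoted assignments in a constructed sample config that the shell would alter. The helper takes any variable name, so it goes slightly beyond the BORG_PASSPHRASE case.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ReaR or Borg.

# What the shell stores for each quoting style. Each function is called
# without arguments, so $1 is unset (assumption about the calling context).
double_quoted()  { v="S3cr37_P4$1w0rD";  printf '%s' "$v"; }   # $1 is expanded
single_quoted()  { v='S3cr37_P4$1w0rD';  printf '%s' "$v"; }   # kept literal
escaped_dollar() { v="S3cr37_P4\$1w0rD"; printf '%s' "$v"; }   # kept literal

# Constructed sample config; the quoted heredoc keeps it unexpanded here.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real configuration
export BORG_PASSPHRASE="S3cr37_P4$1w0rD"
export BORG_PASSPHRASE='S3cr37_P4$1w0rD'
export BORG_PASSPHRASE="S3cr37_P4\$1w0rD"
EOF
}

# Read config text on stdin; print the line numbers where variable $1 is
# assigned a double-quoted value containing an unescaped $ or backtick,
# i.e. a value the shell will alter when the file is sourced.
find_expanding_assignments() {
    pattern='^[[:space:]]*(export[[:space:]]+)?'"$1"'="([^"\\]|\\.)*[$`]'
    grep -nE "$pattern" | cut -d: -f1
}

printf 'double quoted : %s\n' "$(double_quoted)"
printf 'single quoted : %s\n' "$(single_quoted)"
printf 'escaped dollar: %s\n' "$(escaped_dollar)"
printf 'risky line(s) : %s\n' "$(sample_config | find_expanding_assignments BORG_PASSPHRASE)"
```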

jsmeix commented at 2019-08-07 12:17:

In general regarding how to deal with possibly secret values in ReaR
see #2155 and #2156

In the latter see in particular my code comments and added documentation in
https://github.com/rear/rear/pull/2156/files
regarding how to keep secret values secret in ReaR.


[Export of Github issue for rear/rear.]