From: intrigeri Date: Sat, 20 Aug 2005 15:37:57 +0000 (+0000) Subject: Security fix: duplicity handler used to put the gpg passphase on the command line. X-Git-Tag: backupninja-0.8~6 X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fbackupninja.git;a=commitdiff_plain;h=6b6154879b591c79750b329f3ecce9a074de5cb3 Security fix: duplicity handler used to put the gpg passphase on the command line. --- diff --git a/etc/backup.d/example.dup b/etc/backup.d/example.dup index 37ca92e..cd64dd5 100644 --- a/etc/backup.d/example.dup +++ b/etc/backup.d/example.dup @@ -15,7 +15,8 @@ nicelevel = 19 [gpg] # passphrase needed to unlock the GnuPG key -password = "a_very_complicated_passphrase" +# NB: do not quote it, and it should not contain any quote +password = a_very_complicated_passphrase # default is no, for backward compatibility with backupninja <= 0.5. # when set to yes, encryptkey option must be set below. diff --git a/handlers/dup b/handlers/dup index 22f915f..176ac3e 100644 --- a/handlers/dup +++ b/handlers/dup @@ -131,17 +131,17 @@ execstr=${execstr//\\*/\\\\\\*} debug "duplicity $execstr --exclude '**' / $execstr_serverpart" if [ ! $test ]; then + export PASSPHRASE=$password output=`nice -n $nicelevel \ su -c \ - "export PASSPHRASE=$password \ - && duplicity $execstr --exclude '**' / $execstr_serverpart 2>&1"` + "duplicity $execstr --exclude '**' / $execstr_serverpart 2>&1"` code=$? - if [ "$code" == "0" ]; then + if [ $code -eq 0 ]; then debug $output info "Duplicity finished successfully." else - warning $output - warning "Duplicity failed." + debug $output + fatal "Duplicity failed." fi fi
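Review bot: The added `export PASSPHRASE=$password` in handlers/dup leaves the passphrase exported after the duplicity call, so any process the handler starts later inherits it too; adding `unset PASSPHRASE` on the line after `code=$?` would confine it to the one command that needs it. Quoting the expansion, `export PASSPHRASE="$password"`, would also keep the value intact no matter how the running shell treats assignment arguments to `export`. In the failure branch the new `debug $output` is unquoted and, judging by the function names, logs duplicity's output at a lower level than the old `warning $output` did, so the reason for a failed backup may be lost unless debug output is enabled; `warning "$output"` ahead of the `fatal` call would keep it visible. The `if [ ! $test ]` block opens and closes inside the hunk, but the handler script itself starts and continues outside it.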