Borg: Add create-and-prune command or repl mode

Created on 29 May 2016  路  7Comments  路  Source: borgbackup/borg

I'm currently using a small script to create my backups that has two statements.

borg create ...
borg prune ...

Both commands require the password to be entered. I'm currently entering those passwords manually. It would be great if only one password was required. I could use an environment variable but I don't like the idea of storing my password in the shell environment while doing the 'create' part.
I suggest adding a single command that does create and prune.
Alternatively you could add a repl mode where you run borg commands line by line (create, prune). Then one could even pipe the commands to borg.

picture wienczny

All 7 comments

If you do not enter it manually, but have it in the BORG_PASSPHRASE env var, it won't ask.

ThomasWaldmann picture ThomasWaldmann on 29 May 2016

Yes I could use the BORG_PASSPHRASE environment variable, but I don't like that idea because of cat /proc/<pid>/environ. Try that on any process below the shell that exports BORG_PASSPHRASE (like borg). You can read the password. Using /proc//mem is not that easy.
As the password is required to decode the repo key and derive some key material for block map etc. It can be discarded after these values are present.

wienczny picture wienczny on 29 May 2016

because of cat /proc//environ

For exactly this reason the environ file has 0400 access rights.

As the password is required to decode the repo key and derive some key material for block map etc. It can be discarded after these values are present.

I don't follow?

enkore picture enkore on 29 May 2016
👍1

This does not prevent root or any user with CAP_DAC_OVERRIDE from reading it. The environment may not be as secure on other UNIX like OS.
The environment is passed down to any spawned process that does not know about the secrets. This may leak the keys.

wienczny picture wienczny on 29 May 2016

This does not prevent root or any user with CAP_DAC_OVERRIDE from reading it. The environment may not be as secure on other UNIX like OS.

Ok, but someone with root/DAC_OVERRIDE can per definition read anything anyway. He could even attach a (python) debugger to your processes and just print the variables. Or just read the script/file where the password is stored.

In this scenario there is hardly a way to do this safely. Even passing it over an open and inherited file descriptor (like gpg(1) supports it) wouldn't be safe.

The environment is passed down to any spawned process that does not know about the secrets. This may leak the keys.

Fair point.

RemoteRepository.init "env = dict(os.environ)" should be fixed.

The environment may not be as secure on other UNIX like OS.

Also a fair point that needs investigation.

enkore picture enkore on 29 May 2016
👍1

I think this ticket should be closed and every single point found valuable should be taken to its own ticket:

  • create-and-prune in 1 command: nope
  • repl / "borg shell": maybe, create own ticket and make clear what you mean
  • not passing BORG_PASSPHRASE or other secrets to subprocesses not needing them: own ticket
ThomasWaldmann picture ThomasWaldmann on 30 May 2016
👍1

1103 #1104 #1105

enkore picture enkore on 30 May 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ThomasWaldmann picture ThomasWaldmann  路  6Comments
rugk picture rugk  路  4Comments
ypid picture ypid  路  6Comments
rugk picture rugk  路  5Comments
auanasgheps picture auanasgheps  路  5Comments