Use pipe to pass password to borg

[steelman]

Depending on system configuration environment variables of a process
may be readable for other processess. Password passed through a pipe
is not visible to other processes.

[m3nu]

Which problem will this solve? We actually want to pass this password to Borg only.

It also adds a good bit of complexity to the code. So there would need to be a strong reason to make this change.

[steelman]

In Linux the environment (and a command line) of every process is available in its directory under /proc. Passing password via an environment variable (as well as via a command line option) exposes the password. That is why e.g. GnuPG uses the fd interface and why I taught borg this trick. Of course /proc/PID/environ isn't world-readable, but still in default configuration it is available for reading for other processes of the same user.

[steelman]

BTW. I have tested this patch only on Linux. I expect it to work properly on macos, but I've got no proof. Please make sure it works fine before merging.

[m3nu]

I see the issue, appreciate the contribution and understand the security concern, even if it's minor. Concrete reservations I have:

• Adds a good chunk of new code that new contributors will need to understand before making any changes. The current mechanism is easier to understand.
• Support for BORG_PASSPHRASE_FD was only added in Borg 1.1.8. We generally support >=1.1.0, so this will also need a version check for older Borg versions and both methods implemented.
• Will this FD trick work on macOS and Windows reliably?
• All tests are failing after this change. AttributeError: 'BorgListRepoThread' object has no attribute 'pipe_read'

[steelman]

Adds a good chunk of new code that new contributors will need to understand before making any changes. The current mechanism is easier to understand.

That is a matter of judgement and of course it is up to you to decide.

Support for BORG_PASSPHRASE_FD was only added in Borg 1.1.8. We generally support >=1.1.0, so this will also need a version check for older Borg versions and both methods implemented.

Fair point. I'll see, what I can do.

Will this FD trick work on macOS and Windows reliably?

As I wrote above, I expect it to work on macOS. I can check Windows. I'll write some short testing code and put it here.

All tests are failing

Fixed, pushed.

[real-yfprojects]

Are you still working on this @steelman?

[ThomasWaldmann]

I agree that this needs thorough platform testing.

About minimum borg requirement being borg 1.1.8:

There was a major bugfix in 1.1.11 that fixed a hashtable issue, see also the advisory at top of the change log.

Thus, nobody should use anything older than 1.1.11 nowadays (only exception being patched/fixed versions like e.g. 1.1.9 in debian or ubuntu).

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[steelman]

I'll revisit it.