Hi there,

Thanks for your feedback!

> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".

Sure. But in my scenario, the control host is considered a "safe" developer machine, while the target host is considered the "unsafe" environment. I use this command on my laptop to deploy to lots of cloud machines – there’s no one other than me on my laptop (hopefully ;-)), but instead, I’d like to keep the target machine configurations as secure as possible (no passwordless sudo, no root login).

> The environment variables of a process when it was started are available via
> /proc/<pid>/environ file. So while other users on that system can't see the
> environ, every other process running as your target user could.
>
> Worse, however, your "echo" process puts the password in arguments, and any
> local user can see program name and args for all running processes. That's a
> no-no.

Hm, I’m not sure I understand the implications. The whole password handling happens on the machine where I execute rsync (it’s done in "--rsh", not in "--rsync-path") – which in my scenario is a developer’s laptop. So it’s not the target users that can see the environment but only my own account on my own developer machine.

Plus, I don’t understand what you mean by "putting the password in arguments". The environment variable expansion happens on my control machine exactly at the time when rsync tries to establish a connection to the target machine by running the shell code from --rsh inside a shell. This will create a subshell for echo and cat where the environment variable is read and written to stdout. stdout is then piped through ssh to the remote machine where "sudo -S" reads it on its stdin. It is never in any argument list.

Please correct me if I’m wrong here.

Best,
Mark
-- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
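
The two exposure paths discussed in this message (argument list versus initial environment), as an added example that is not part of the original thread: a Linux-only check, reading /proc, of where a secret handed to a child process becomes visible. `SECRET` is a constructed sample value and `SUDO_PASS` is a hypothetical variable name.

```shell
#!/bin/sh
# Added example, not from the thread. Linux only: it reads /proc.
# SECRET is a constructed sample value; SUDO_PASS is a hypothetical name.
SECRET='constructed-sample-pw'

# in_argv PID STRING: succeeds if STRING is in the process's argument list.
# /proc/PID/cmdline is what "ps aux" prints; without the hidepid mount
# option it is readable by every local user.
in_argv() {
    tr '\0' '\n' < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# in_environ PID STRING: succeeds if STRING is in the environment the
# process was started with. /proc/PID/environ is readable by the owning
# user and by root, not by other unprivileged users.
in_environ() {
    tr '\0' '\n' < "/proc/$1/environ" | grep -qF -- "$2"
}

# exposure env|arg: start a short-lived child that receives SECRET either
# through its environment or as an argument, then print where the secret
# can be found: "argv", "environ", "both" or "none".
exposure() {
    case "$1" in
        env) SUDO_PASS="$SECRET" sh -c 'sleep 3; :' >/dev/null 2>&1 & ;;
        arg) sh -c 'sleep 3; :' _ "$SECRET" >/dev/null 2>&1 & ;;
        *)   echo "usage: exposure env|arg" >&2; return 2 ;;
    esac
    pid=$!
    sleep 1    # give the child time to exec before inspecting it
    found=none
    if in_argv "$pid" "$SECRET"; then found=argv; fi
    if in_environ "$pid" "$SECRET"; then
        if [ "$found" = argv ]; then found=both; else found=environ; fi
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$found"
}

for mode in env arg; do
    printf '%-4s -> secret visible in: %s\n' "$mode" "$(exposure "$mode")"
done
```

Run it as a second local account and point `in_argv` / `in_environ` at the first account's PID to see which of the two files that account can actually read.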