Allow command execution for config password

I want to encrypt my config. I am using passwordstore for various passwords.
I would like to be able to pass an option to rclone so that when it needs to decrypt the config, it would run the commands.

IE: --password-cmd="pass rclone/config"

This is similar to how borg backup allows me to store the password for a repo in passwordstore, which works quite nicely.

this is a good topic,

here is what i do.
rclone can get its password from an environment variable.
RCLONE_CONFIG_PASS=password

i script rclone using python.
with python, as with any programming language, i can pass that environment variables to a script that runs rclone.
in that way, the password is not visible in the script.

in that way, the password is not stored in the

That is a good suggestion from @asdffdsa - does that work for you @permezel ?

I do not wish to have the password in the environment. It then persists in the ENV for a long as Rclone runs, which may be hours or days. A simple "ps -E" would then display it. I never wish to see/print/display/store-in-command-history/... the password. It is not known to me, and is only produced when needed.

well, i understand your concern but there is an easy fix for that.

let's say i used python to execute this script, passing that environment variable.
RCLONE_CONFIG_PASS=password

and this is the script

start rclone sync source dest
set RCLONE_CONFIG_PASS=random.string

in this case, the script would:

  1. start rclone in a new command windows/process and immediately continue to execute the script.
  2. set RCLONE_CONFIG_PASS to random string.

that evil environment variable will be set correctly for perhaps one second.

i am not familiar with ps and command history tho.

This won't hide the password since whatever environment variables are set for a process can always be seen at /proc/<PID>/environ as long as the process is running

my point is that the variable is only valid for for a few microseconds.
as per my script, the second line of code set the variable to a random value.

after the second line of code is run, /proc//environ is not a problem, as it would return a value of a random string

does that make sense?

The rclone process will still have the environment variable set to the older value. You cannot modify the environment variables of a running process.

well, that is kinda of scary, that any process can see the environment of another process.

perhaps if you can explain how borg does it, it might be something to add to rclone?

another option is see that you can do that is to script gdb, here is the pseudo code.

(gdb) attach process_id
(gdb) call putenv ("DISPLAY=your.new:value")
(gdb) detach

Rubbish. This is not a solution.

From the Borg docs:

BORG_PASSCOMMAND

When set, use the standard output of the command (trailing newlines are stripped) to answer the passphrase question for encrypted repositories. It is used when a passphrase is needed to access an encrypted repo as well as when a new passphrase should be initially set when initializing an encrypted repo. Note that the command is executed without a shell. So variables, like $HOME will work, but ~ won’t. If BORG_PASSPHRASE is also set, it takes precedence. See also BORG_NEW_PASSPHRASE.

BORG_PASSPHRASE_FD

When set, specifies a file descriptor to read a passphrase from. Programs starting borg may choose to open an anonymous pipe and use it to pass a passphrase. This is safer than passing via BORG_PASSPHRASE, because on some systems (e.g. Linux) environment can be examined by other processes. If BORG_PASSPHRASE or BORG_PASSCOMMAND are also set, they take precedence.

It is pretty obvious how to implement these.

i am blocking myself from this post, do not need the abuse!

I think password-cmd flag is not a bad idea and it would be quite easy to implement.

@permezel can you make an issue on GitHub about it?

I'll see what I need to do to accomplish that...

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.