Duplicati file permissions on Linux reveals sftp passwords to all

[sylerner]

• [x ] I have searched open and closed issues for duplicates.

---

Environment info

• Duplicati version: 2.0.3.3_beta_2018-04-02
• Operating system: Linux
• Backend: sftp

Description

By default, on most Linux systems, file permissions include everyone having read access to everyone's files. I.g., the default umask on many distributions (including openSUSE) is 0022, allow group and others all permissions except write.

This is a particular problem with .config/Duplicati/Duplicati-server.sqlite, since it contains - in clear text - my sftp password - which is also my login password on the target system.

The permissions for .config/Duplicati/ and for all duplicati files should explicitly be set by installation and/or all duplicati programs execution to deny read, write and execute/browse permissions to group and other, only allowing the owner access to the directories and files.

Steps to reproduce

1. Run DB Browser for SQLite (sqlitebrowser)
2. Open /home/someone_else/.config/Duplicati/Duplicati-server.sqlite
3. Click Browse Data
4. Select Option table
5. View passphrase record

• Actual result:
  Anyone can open anyone's Duplicati-server.sqlite file and view stored passwords - with passphrase record in clear text. They and also modify any records desired, changing options or corrupting the database.
• Expected result:
  Unable to open anyone's duplicati files except their own. Duplicati installation and/or program execution should explicitly set directly and file permissions to protect files from other users.

Screenshots

Debug log

[sylerner]

The clear text password in the above screenshot has been whited out.

[piegamesde]

I'm using sftp and this bothered me too. When using an ssh keyfile for login, you can easily avoid this problem.

[sylerner]

First issue: If a user is not aware of the issue, they wouldn't know to move to using a ssh keyfile.

Second issue: My target is a Synology NAS. There is no way to set up the use of ssh keyfiles via their GUI. While I can log in to the NAS to set up a keyfile, Synology's security mechanisms will interfere with this when rebooted.

In any case, a user sophisticated enough to set up a ssh keyfile login would - once aware of the issue - just manually change the access permissions for duplicati's directories and files. The goal of this request is for users to not need to be informed of this in order that they then manually fix this. A default installation/average use of duplicati should protect users from being vulnerable to a major security breach.

[verhoek]

This should be fixed, not only because of sftp passwords, but more generally because of sensitive data these sqlite files contain. On Windows it's probably the same as described above.

Edit: Apparently on Windows the database is encrypted though with a default password.

[digulla]

Why isn't the database encrypted on Linux?

[drwtsn32x]

@digulla comment in Program.cs:543 --

//We do not encrypt on Linux as most distros use a SQLite library without encryption support,
//Linux users can use an encrypted home folder, or install a SQLite library with encryption support

[digulla]

Thanks for clearing that up.

[warwickmm]

Closing this in favor of #2024, which discusses utilizing the system keychain if available.