

Use '2>>/dev/$SECRET_OUTPUT_DEV'
In default.conf
use '2>>/dev/$SECRET_OUTPUT_DEV'
see #3006
and #2967
jsmeix committed Aug 2, 2023
1 parent f042182 commit dc43e7d
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions usr/share/rear/conf/default.conf
Expand Up @@ -12,9 +12,9 @@
#
# Some variables are for secret values (like passwords or encryption keys)
# which are set to a default value in a confidential way via
# { VAR='secret_value' ; } 2>/dev/null
# { VAR='secret_value' ; } 2>>/dev/$SECRET_OUTPUT_DEV
# The STDERR output must be discarded via a compound group command
# { confidential_command ; } 2>/dev/null
# { confidential_command ; } 2>>/dev/$SECRET_OUTPUT_DEV
# even for a single command to discard STDERR also for 'set -x'.
# Otherwise the confidential command and its arguments would be shown
# in the ReaR log file when usr/sbin/rear is run in debugscript mode.
Expand Down Expand Up @@ -43,7 +43,7 @@
# cf. https://en.wikipedia.org/wiki/MD5#Security
# 2. Copy the entire openssl output line between single quotes
# in a confidential variable assignment command like
# { PASSWORD='$6$96u44a5mgLn9fNBy$pyNnCvw...' ; } 2>/dev/null
# { PASSWORD='$6$96u44a5mgLn9fNBy$pyNnCvw...' ; } 2>>/dev/$SECRET_OUTPUT_DEV
#
# Several variables are set to a default value via
# VAR="${VAR:-default value}"
Expand Down Expand Up @@ -748,7 +748,7 @@ OPAL_PBA_UNLOCK_MODE="transient"
# PBA debug password as a salted hash (empty for not using the debug shell facility).
# If the debug password is entered when the PBA asks for a password to unlock disks,
# an interactive emergency shell will be started, which can be used to debug the PBA system.
{ OPAL_PBA_DEBUG_PASSWORD='' ; } 2>/dev/null
{ OPAL_PBA_DEBUG_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV
#
# When not empty, OPAL_PBA_DEBUG_DEVICE_COUNT overrides the number of TCG Opal 2-compliant self-encrypting disks
# installed. To test the PBA system on a machine without any Opal 2-compliant disk, set OPAL_PBA_DEBUG_DEVICE_COUNT=1.
Expand Down Expand Up @@ -783,7 +783,7 @@ OPAL_PBA_TKNOFFSET=0
# https://www.freedesktop.org/software/systemd/man/systemd-stub.html
# https://www.freedesktop.org/software/systemd/man/systemd-creds.html
# https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
{ OPAL_PBA_TKNKEY='tpm:opalauthtoken:7' ; } 2>/dev/null
{ OPAL_PBA_TKNKEY='tpm:opalauthtoken:7' ; } 2>>/dev/$SECRET_OUTPUT_DEV
#
# Poor man's alternative for AT <-> PBA binding, additionaly encrypts Opal password using PBA image hash as a key
# Optional, may be used independently of TKNKEY type
Expand Down Expand Up @@ -871,7 +871,7 @@ OUTPUT_PREFIX_PXE=""
# Example: OUTPUT_LFTP_OPTIONS=("set ftp:ssl-force true" "set ftp:ssl-protect-data true")
OUTPUT_LFTP_OPTIONS=()
OUTPUT_LFTP_USERNAME=${OUTPUT_LFTP_USERNAME:-}
{ OUTPUT_LFTP_PASSWORD=${OUTPUT_LFTP_PASSWORD:-} ; } 2>/dev/null
{ OUTPUT_LFTP_PASSWORD=${OUTPUT_LFTP_PASSWORD:-} ; } 2>>/dev/$SECRET_OUTPUT_DEV

####
# OUTPUT=RAMDISK
Expand Down Expand Up @@ -1441,8 +1441,8 @@ BACKUP_PROG_CRYPT_ENABLED="false"
# cf. the reasoning about SSH_UNPROTECTED_PRIVATE_KEYS below
# and see https://github.com/rear/rear/issues/2155
# Therefore BACKUP_PROG_CRYPT_KEY must be manually set before running "rear recover".
# In local.conf set it confidentially via { BACKUP_PROG_CRYPT_KEY='secret_key' ; } 2>/dev/null
{ BACKUP_PROG_CRYPT_KEY="${BACKUP_PROG_CRYPT_KEY:-}" ; } 2>/dev/null
# In local.conf set it confidentially via { BACKUP_PROG_CRYPT_KEY='secret_key' ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ BACKUP_PROG_CRYPT_KEY="${BACKUP_PROG_CRYPT_KEY:-}" ; } 2>>/dev/$SECRET_OUTPUT_DEV
# The command for backup encryption during "rear mkbackup" will be basically
# tar ... | BACKUP_PROG_CRYPT_OPTIONS BACKUP_PROG_CRYPT_KEY
# for details see the backup/NETFS/default/500_make_backup.sh script:
Expand Down Expand Up @@ -1921,7 +1921,7 @@ CLONE_ALL_USERS_GROUPS="true"
# A terminal login password as a salted hash.
# If empty, a root login into the ReaR recovery system via the system console or a serial terminal
# is possible without being asked for a password.
{ TTY_ROOT_PASSWORD='' ; } 2>/dev/null
{ TTY_ROOT_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV

####
# SSH_FILES
Expand Down Expand Up @@ -1991,7 +1991,7 @@ SSH_FILES='avoid_sensitive_files'
# To avoid a plain text password in the etc/rear/local.conf config file
# generate a MD5 hashed password with the openssl command.
# SSH_ROOT_PASSWORD is ignored when SSH_FILES is set to a 'false' value.
{ SSH_ROOT_PASSWORD='' ; } 2>/dev/null
{ SSH_ROOT_PASSWORD='' ; } 2>>/dev/$SECRET_OUTPUT_DEV
#
# SSH_UNPROTECTED_PRIVATE_KEYS="yes" makes ReaR also include SSH keys without a passphrase
# in the ReaR rescue/recovery system at the price of having the rescue system/medium
Expand Down Expand Up @@ -2269,7 +2269,7 @@ GALAXY11_Q_ARGUMENTFILE=
# CommVault login credentials for restore
# Remember to adequately protect the rescue media if you include credentials in it
GALAXY11_USER=${GALAXY11_USER:-}
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>/dev/null
{ GALAXY11_PASSWORD=${GALAXY11_PASSWORD:-} ; } 2>>/dev/$SECRET_OUTPUT_DEV

##
# BACKUP=TSM stuff
Expand Down Expand Up @@ -2954,7 +2954,7 @@ PROGS_ZYPPER=()
# As fallback "rear recover" sets 'root' as root password in the target system.
# If SSH_ROOT_PASSWORD is specified it is used as root password in the target system
# unless ZYPPER_ROOT_PASSWORD is specified which is used with highest priority:
{ ZYPPER_ROOT_PASSWORD='root' ; } 2>/dev/null
{ ZYPPER_ROOT_PASSWORD='root' ; } 2>>/dev/$SECRET_OUTPUT_DEV
# ZYPPER_NETWORK_SETUP_COMMANDS specifies the initial network setup in the target system for BACKUP=ZYPPER:
# This initial network setup is only meant to make the target system
# accessible from remote in a very basic way (e.g. for 'ssh').
Expand Down Expand Up @@ -2988,7 +2988,7 @@ COPY_AS_IS_YUM=( '/etc/yum*' '/etc/logrotate.d/yum*' '/usr/bin/python*' '/bin/py
COPY_AS_IS_EXCLUDE_YUM=()
REQUIRED_PROGS_YUM=( yum rpm rpm2cpio rpmdb rpmquery rpmverify chpasswd )
PROGS_YUM=()
{ YUM_ROOT_PASSWORD='root' ; } 2>/dev/null
{ YUM_ROOT_PASSWORD='root' ; } 2>>/dev/$SECRET_OUTPUT_DEV
YUM_NETWORK_SETUP_COMMANDS=()
YUM_EXCLUDE_PKGS=("")
##
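Review bot: The explanatory comment in the first hunk still says the STDERR output "must be discarded" and that this also hides the command for 'set -x', but the new redirect `2>>/dev/$SECRET_OUTPUT_DEV` only discards when SECRET_OUTPUT_DEV expands to `null`; otherwise the confidential assignment is appended to whatever device the variable names, so the comment should say that STDERR goes to the secret output device rather than that it is discarded. Nothing in this file shows where SECRET_OUTPUT_DEV is set (presumably in usr/sbin/rear before the config files are sourced), and every assignment in the later hunks now depends on it: if the variable is unset or empty the target becomes `/dev/`, the redirection fails, and bash skips the whole group command, so for example OPAL_PBA_TKNKEY would silently keep its previous value instead of 'tpm:opalauthtoken:7'. I would add to the comment block near line 23 something like `# SECRET_OUTPUT_DEV must already be set (by usr/sbin/rear) when this file is sourced; if it is empty the redirection fails and the group command, including its assignment, is not executed.` The same caveat applies to users who copy the documented idiom into local.conf, so the example for PASSWORD in the second hunk should carry the same hint.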
