BORG_PASSPHRASE expands variables inside passphrase #2191

Closed
gaia opened this issue Jul 21, 2019 · 2 comments

gaia commented Jul 21, 2019

  • Relax-and-Recover 2.4 / Git (installed via apt)

  • Debian 10

  • BareMetal

  • x86_64

  • UEFI + GRUB

  • Root on mdadm, NVME disk attached, rear on USB flash drive:

  • BORG_PASSPHRASE will expand the variable if it contains for example $1 inside the passphrase.

  • Workaround: change the passphrase

export BORG_PASSPHRASE="S3cr37_P4$1w0rD" will pass a different password to borg, so the backup can't be opened until you do rear dump to see what the variable was expanded to.

Either warn users against having $ in the passphrase, or use proper shell escaping so that the variable does not expand.

Member

gozora commented Jul 21, 2019

Hello @gaia,

I'd say that such behavior is somehow expected in bash.
As far as I know, ReaR does not contain any code that deals with BORG_PASSPHRASE as such, since BORG_PASSPHRASE is an environment variable of Borg, so we really can't do any "proper shell escaping".
A change in quoting is all that is necessary here, hence export BORG_PASSPHRASE='S3cr37_P4$1w0rD' should do the trick.
Documentation related to Borg as ReaR back-end indeed contains double quotes when mentioning BORG_PASSPHRASE, so I'll open a PR to fix this, and maybe include some meaningful comments like for SSH_ROOT_PASSWORD in default.conf.

Thanks for reporting!

V.
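
The quoting difference discussed in this thread, as an added example that is not part of the issue or of ReaR: it sources a constructed config file in both forms and flags double-quoted assignments that contain an unescaped `$`. The function names and file names are hypothetical, and it assumes the config file is sourced by a POSIX shell such as bash.

```shell
#!/usr/bin/env bash
# Added example, not ReaR or Borg code. The passphrase is the sample value
# from the report; the config files and function names are constructed.

# Source a config file in a subshell and print the BORG_PASSPHRASE that
# results. Extra arguments become the positional parameters ($1, $2, ...)
# that the sourced file sees.
passphrase_after_sourcing() {
    local conf=$1; shift
    ( unset BORG_PASSPHRASE; . "$conf"; printf '%s' "$BORG_PASSPHRASE" )
}

# Print "lineno:line" for each assignment to variable $1 in file $2 whose
# value is double-quoted and contains a $ that is not backslash-escaped.
# Exit status 0 means at least one such line was found.
find_expanding_assignments() {
    local var=$1 conf=$2
    grep -nE '^[[:space:]]*(export[[:space:]]+)?'"$var"'="([^"\\]|\\.)*\$' "$conf"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed config files: the reported form and the single-quoted form.
cat > "$workdir/double.conf" <<'EOF'
export BORG_PASSPHRASE="S3cr37_P4$1w0rD"
EOF
cat > "$workdir/single.conf" <<'EOF'
export BORG_PASSPHRASE='S3cr37_P4$1w0rD'
EOF

for name in double single; do
    conf="$workdir/$name.conf"
    printf '%-6s no arguments: %s\n' "$name" "$(passphrase_after_sourcing "$conf")"
    printf '%-6s $1=restore:   %s\n' "$name" "$(passphrase_after_sourcing "$conf" restore)"
done

echo "Assignments the shell will expand:"
find_expanding_assignments BORG_PASSPHRASE "$workdir/double.conf" || echo "(none)"
find_expanding_assignments BORG_PASSPHRASE "$workdir/single.conf" || echo "(none in single.conf)"
```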

gozora self-assigned this Jul 21, 2019
gozora added documentation enhancement Adaptions and new features labels Jul 21, 2019
gozora added this to the ReaR v2.6 milestone Jul 21, 2019
gaia closed this as completed Jul 21, 2019
Member

jsmeix commented Aug 7, 2019

In general regarding how to deal with possibly secret values in ReaR
see #2155 and #2156

In the latter see in particular my code comments and added documentation in
https://github.com/rear/rear/pull/2156/files
regarding how to keep secret values secret in ReaR.
