From 44cb03ebe73f5229e71de850e3ba959779ce9501 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Wed, 13 Oct 2021 16:25:31 -0400
Subject: [PATCH] pass ssh args in a correct safe way

(With rebasing by Andrew. I still want to send the password over stdout so it doesn't appear in the process list of the host or the target).
---
 kaya | 13 +++++++------
 kaya-client | 12 +++++-------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/kaya b/kaya
index a0b9f24..b0b9b55 100755
--- a/kaya
+++ b/kaya
@@ -58,7 +58,7 @@ function get_params() {
 ;;
 --)
 shift
- backup_options="$*"
+ backup_options=("$@")
 break
 ;;
 -*)
@@ -114,12 +114,13 @@ function start_backup() {
 echo "kaya: Starting backup of ${hostname}"
 echo
+ local password
+ password="$(head -n1 "${password_file}")"
+
 # make the backup over a forwarded port
- cat << EOF | ssh -R "${remote_port}:localhost:${local_port}" "${remote_user}@${hostname}" kaya-client
-$remote_port
-$hostname
-$(cat "${password_file}")
-$backup_options
+ cat << EOF | ssh -R "${remote_port}:localhost:${local_port}" "${remote_user}@${hostname}" kaya-client \
+ "${remote_port@Q}" "${hostname@Q}" "${backup_options[@]@Q}"
+${password}
 EOF
 }
diff --git a/kaya-client b/kaya-client
index 4bad064..7622d84 100755
--- a/kaya-client
+++ b/kaya-client
@@ -23,15 +23,13 @@ shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
-
-# settings come in on stdin
-read -r port
-read -r hostname
 read -r password
-read -r options
+
+port="$1"
+hostname="$2"
+shift 2
 username="${hostname}"
 backupdir="${hostname}"
-RESTIC_REPOSITORY="rest:http://${username}:${password}@localhost:${port}/${backupdir}/" RESTIC_PASSWORD="${password}" restic backup ${options}
-
+RESTIC_REPOSITORY="rest:http://${username}:${password}@localhost:${port}/${backupdir}/" RESTIC_PASSWORD="${password}" restic backup "$@"
--
2.25.1
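Review bot: In kaya's `get_params`, `backup_options` becomes an array only on the `--` branch, and its initial value is set outside this hunk. If it is still initialised as a scalar (for example `backup_options=""`), a run without `--` makes `"${backup_options[@]@Q}"` in `start_backup` expand to a single `''`, so the client would receive an empty path argument for `restic backup`. Initialising it with `backup_options=()` keeps the no-options case at zero arguments. The body of `get_params` starts and ends outside the hunk, so this needs checking against the full file.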
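Review bot: In kaya's `start_backup`, the `@Q` expansions need a comment and a version guard, because `${var@Q}` exists only in bash 4.4 and newer and older shells stop with a "bad substitution" error, while kaya-client in this same patch still carries a bash < 4.4 fallback. The quoting itself is the right fix, since ssh joins its arguments with spaces and the remote login shell parses the result again; bash does emit `$'...'` for values containing control characters, though, which a non-bash login shell on the target will not decode the same way. Proposed comment above the ssh call: `# ssh re-parses the command in the remote shell, so quote every argument with @Q (needs bash >= 4.4)`. Separately, depending on the bash version the here-document that carries `${password}` may be spooled to a temporary file, so piping `head -n1 "${password_file}" | ssh ...` directly would keep the secret out of both the temp file and the extra variable.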
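Review bot: In kaya-client, `port` and `hostname` are read from `$1` and `$2` with no check before they are interpolated, together with the raw password, into the `RESTIC_REPOSITORY` URL. A missing argument only shows up as a failing `shift 2`, and a `/`, `@`, `:` or `#` in either value or in the password changes how the URL is parsed; the password also loses leading and trailing whitespace because `read` runs with the default `IFS`. I would add `[[ $# -ge 2 && $1 =~ ^[0-9]+$ ]] || { echo "usage: kaya-client PORT HOSTNAME [restic args]" >&2; exit 2; }` before the assignments and read the secret with `IFS= read -r password`. The password would additionally need percent-encoding before it goes into the URL, or be limited to URL-safe characters when it is generated.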