From 7a0b4428e36a0e1fd1b8835927383a97a9dc57e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Sat, 16 Sep 2017 10:17:36 -0400
Subject: [PATCH 1/2] add explanation of restic automation
every time i look at restic, i block on this and figured it may be useful for others
---
doc/conf.py | 6 +++++-
doc/faq.rst | 20 ++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/doc/conf.py b/doc/conf.py
index 577b2da00..3f7c66158 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -19,7 +19,7 @@ import os
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
-extensions = []
+extensions = ['sphinx.ext.extlinks']
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
@@ -104,3 +104,7 @@ html_static_path = ['_static']
# Output file base name for HTML help builder.
htmlhelp_basename = 'resticdoc'
+
+extlinks = {
+ 'issue': ('https://github.com/restic/restic/issues/%s', '#'),
+}
diff --git a/doc/faq.rst b/doc/faq.rst
index 185bfd978..4bf2f477f 100644
--- a/doc/faq.rst
+++ b/doc/faq.rst
@@ -26,3 +26,23 @@ The message means that there is more data stored in the repo than
strictly necessary. With high probability this is duplicate data. In
order to clean it up, the command ``restic prune`` can be used. The
cause of this bug is not yet known.
+
+How can I specify encryption passwords automatically?
+-----------------------------------------------------
+
+When you run ``restict create``, you need to enter the passphrase on
+the console. This is not very convenient for automated backups, so you
+can also provide the password through the ``--password-file`` option
+or ``RESTIC_PASSWORD`` environment. A discussion is in progress over
+implementing unattended backups happens in :issue:`533`.
+
+.. important:: Be careful how you set the environment; using the env
+ command, a `system()` call or using inline shell
+ scripts (e.g. `RESTIC_PASSWORD=password borg ...`)
+ might expose the credentials in the process list
+ directly and they will be readable to all users on a
+ system. Using export in a shell script file should be
+ safe, however, as the environment of a process is
+ `accessible only to that user`_.
+
+.. _accessible only to that user: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009
From bcd1e45ba7a133df612fc8f380781eb81e956097 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 18 Sep 2017 08:55:18 -0400
Subject: [PATCH 2/2] fix typo, add note about file permissions
---
doc/faq.rst | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/doc/faq.rst b/doc/faq.rst
index 4bf2f477f..b0e8495aa 100644
--- a/doc/faq.rst
+++ b/doc/faq.rst
@@ -30,7 +30,7 @@ cause of this bug is not yet known.
How can I specify encryption passwords automatically?
-----------------------------------------------------
-When you run ``restict create``, you need to enter the passphrase on
+When you run ``restic backup``, you need to enter the passphrase on
the console. This is not very convenient for automated backups, so you
can also provide the password through the ``--password-file`` option
or ``RESTIC_PASSWORD`` environment. A discussion is in progress over
@@ -43,6 +43,9 @@ implementing unattended backups happens in :issue:`533`.
directly and they will be readable to all users on a
system. Using export in a shell script file should be
safe, however, as the environment of a process is
- `accessible only to that user`_.
+ `accessible only to that user`_. Please make sure that
+ the permissions on the files where the password is
+ eventually stored are safe (e.g. `0600` and owned by
+ root).
.. _accessible only to that user: https://security.stackexchange.com/questions/14000/environment-variable-accessibility-in-linux/14009#14009