
subversion reveals passwords

From: Hadmut Danisch <hadmut_at_danisch.de>
Date: Sun, 06 Apr 2008 14:38:59 +0200

Hi,

a known but still insecure fact is that Subversion stores passwords
for repository accounts in plaintext in local files (when used with Linux).

I've been discussing that fact in the users mailing list. A common argument
is that the user is expected to know about this issue and that it is
possible to turn off that storage of passwords in the config files.

However, from my experience you cannot expect users to read and know every
single detail of using Subversion. Most users just know the basics or are
just following instructions given on a web page. But even if you are aware
of this behavior, it happens that you accidentally use a machine where the
config files have not yet been modified and where Subversion stores
passwords in a local file. It is more error-prone if you want Subversion to
store passwords for some repositories, while not for others.

Storing passwords in local files can be harmful if, e.g., the repository
is protected with LDAP and the same passwords are used for common company
authentication. In reality, Subversion stores these passwords onto hard
discs and thus compromises company security.

In the Manual, I found the assumption that users are expected to trust
the operating system to keep files confidential. This is dramatically
wrong, e.g. the operating system is not in place anymore if e.g. the hard
disk is replaced.

Passwords must not be stored on hard disk in plaintext under any
circumstances without user confirmation in any single case.

The need to modify configuration files proved to not be reliable in reality.

I therefore propose to modify the way subversion treats passwords:

- Drop that option from the config file. It should not be possible
  anymore to drive Subversion into a mode where it writes passwords to
  disk without explicit user confirmation.

- Allow a new command line option for those cases where the user wants
  the password to be stored. Require that option to be explicitly given
  for every single password to be stored. Issue a warning message.

regards
Hadmut

Received on 2008-04-06 14:39:35 CEST

This is an archived mail posted to the Subversion Dev mailing list.
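
Added example (not part of the archived mail and not Subversion project code): an audit script that reports which cached credential files hold a password in plaintext, printing only the realm and username. It assumes the client's cache uses Subversion's length-prefixed "K/V ... END" hash-dump format with the keys shown in the constructed sample, and that the cache directory is ~/.subversion/auth/svn.simple; neither detail is stated in the mail.

```python
import sys
from pathlib import Path
# Constructed sample of one cache file (not real credentials).
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\n"
          b"K 8\npassword\nV 7\nhunter2\n"
          b"K 15\nsvn:realmstring\nV 34\n<https://svn.example.org:443> Repo\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len> / key / V <len> / value ... END' hash-dump format."""
    out, pos = {}, 0
    def field(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)          # ValueError if the file is truncated
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        n = int(head[1])
        body = data[eol + 1:eol + 1 + n]
        if len(body) != n or data[eol + 1 + n:eol + 2 + n] != b"\n":
            raise ValueError("length prefix does not match data")
        pos = eol + 2 + n
        return body.decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = field(b"K")
        out[key] = field(b"V")
    return out

def finding(rec: dict):
    # Assumption: a missing "passtype" or the value "simple" means plaintext;
    # any other value means the secret is encrypted or kept in a keyring.
    plaintext = "password" in rec and rec.get("passtype", "simple") == "simple"
    return (rec.get("svn:realmstring", "?"), rec.get("username", "?")) if plaintext else None

def audit_dir(cache_dir) -> list:
    """List (file, realm, username) for each plaintext entry; never the password."""
    hits, root = [], Path(cache_dir)
    for path in sorted(root.iterdir()) if root.is_dir() else []:
        try:
            hit = finding(parse_svn_hash(path.read_bytes())) if path.is_file() else None
        except ValueError:
            continue                          # not a credential file
        if hit:
            hits.append((path.name, *hit))
    return hits

if __name__ == "__main__":
    default = Path.home() / ".subversion" / "auth" / "svn.simple"  # assumed location
    for name, realm, user in audit_dir(sys.argv[1] if len(sys.argv) > 1 else default):
        print(f"plaintext password cached for {realm} (user {user}): {name}")
```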