On 13 Jan 2003, Karl Fogel wrote:
> Justin Erenkrantz <email@example.com> writes:
> > My point is thus: stop storing the auth in the WC, rather it should be
> > somewhere in ~/.subversion/. This fixes this real complaint. The arg
> > switches and the rest of this thread is merely trying to workaround
> > the real problem. If the auth cache isn't in your WC, I'm not sure
> > that the security concerns are as valid.
> Yeah. That would be easier to do if we could distinguish between two
> different repositories on the same machine.
> > Hey, this is a great place for the repository UUID. =) -- justin
> How would people feel about solving this security problem by putting
> all auth data in ~/.subversion? (And into the registry on Windows?
> How secure/maintainable is that?)
Just for completeness, the security concerns are just as valid. On a
multi-user system, the password should not be stored on the disk by
default, especially not in plain text. One of my development machines is
hosted by my ISP, it is a shared box, and I use it to test RedHat specific
bugs. I don't know the guy who has root on that box, and historically, I
haven't cared, because that machine doesn't store any sensitive
information. I get e-mail there (from mailing lists), and I compile code
on the machine. With subversion's default settings, I will have to take
steps on every installation of subversion to ensure that my passwords are
not stored on the box. Compare that to CVS, which only stores passwords
on the box when I use :pserver: to login. Now, look at simple usage
scenarios. Other than PHP, the only places I ever use :pserver:, is for
public cvs archives, which have their own passwords. For PHP, I created a
password specifically for PHP.
I realize that most people would like to have an auth cache by default,
but it is a security hole regardless of where you put the passwords on the
box. You need to make sure that the user knows what they are doing before
you write their password to the box. CVS makes it obvious by making you
"login" before it writes your password to the HD. SVN just writes the
password by default.
I have no problem moving the auth cache out of the wc, I think that is a
requirement, but the default needs to be not saving the password to the
box. If people don't want to type their password on every operation, then
they either shouldn't use the WebDAV transport, or we should implement
client certs (which is also on my short list of things to do).
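An added audit script for the shared-host scenario described above (not part of this thread or of Subversion itself): it parses the hash-dump files Subversion later used under ~/.subversion/auth/svn.simple/ and reports any realm whose password is cached in the clear. The on-disk format, the directory name and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find Subversion auth-cache entries that hold a plaintext password.
# Assumed file format (Subversion hash dump): "K <len>" / key / "V <len>" / value ... "END".
# A cleartext entry has passtype "simple" plus a "password" key; keyring-backed
# entries carry a different passtype and no password field.

# Check one auth file: prints "plaintext <realm>" or "ok <realm>".
svn_auth_check() {
  awk '
    $1 == "K" && NF == 2 { getline key; next }          # next line is the key name
    $1 == "V" && NF == 2 { getline val; kv[key] = val; next }  # next line is its value
    END {
      realm = kv["svn:realmstring"]
      if (kv["passtype"] == "simple" && ("password" in kv)) print "plaintext " realm
      else print "ok " realm
    }' "$1"
}

# Scan every entry in an auth-cache directory (default: the user's svn.simple cache).
svn_auth_scan() {
  dir=${1:-"$HOME/.subversion/auth/svn.simple"}
  [ -d "$dir" ] || { echo "no cache at $dir"; return 0; }
  for f in "$dir"/*; do
    [ -f "$f" ] && svn_auth_check "$f"
  done
}

# Constructed sample cache: one cleartext entry, one delegated to an OS keyring.
SAMPLE_DIR=$(mktemp -d)
printf 'K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\nhunter\nK 15\nsvn:realmstring\nV 34\n<https://svn.example.org:443> repo\nK 8\nusername\nV 5\nalice\nEND\n' > "$SAMPLE_DIR/plain"
printf 'K 8\npasstype\nV 13\ngnome-keyring\nK 15\nsvn:realmstring\nV 34\n<https://svn.example.org:443> repo\nK 8\nusername\nV 5\nalice\nEND\n' > "$SAMPLE_DIR/keyring"

svn_auth_scan "$SAMPLE_DIR"
```

On a box you do not control, the matching preventive setting is `store-passwords = no` in the `[auth]` section of ~/.subversion/config, which stops the cache being written in the first place.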
Received on Tue Jan 14 18:36:32 2003