
Re: [PATCH] default to --no-auth-cache

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2003-01-14 18:10:25 CET

<rbb@rkbloom.net> writes:
> I realize that most people would like to have an auth cache by default,
> but it is a security hole regardless of where you put the passwords on the
> box. You need to make sure that the user knows what they are doing before
> you write their password to the box. CVS makes it obvious by making you
> "login" before it writes your password to the HD. SVN just writes the
> password by default.
>
> I have no problem moving the auth cache out of the wc, I think that is a
> requirement, but the default needs to be not saving the password to the
> box. If people don't want to type their password on every operation, then
> they either shouldn't use the WebDav transport, or we should implement
> client certs (which is also on my short list of things to do).

I think the security/convenience tradeoff starts to swing the other
way at this point.

Getting them out of the WC is necessary. People expect (from CVS)
that a WC does not contain their passwords.

But having it in ~/.subversion/, in a location readable only by that
user and by root, is fine. Remember, we're talking about http basic
auth passwords here -- anyone who has root on the client box could
just sniff the network to get them too.

So I think storing them in ~/.subversion/ rather than the WC is a good
trade for us to make.

-Karl

Received on Tue Jan 14 18:56:18 2003
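
Added example, not part of the original mail or of Subversion's code: a check of the condition the reply relies on, that the cache location is readable only by its user and by root. The default path `~/.subversion` comes from the mail; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_auth_cache(root="~/.subversion", uid=None):
    """Return (path, problem) pairs for entries under root that are exposed
    to anyone other than the owning user (root can always read them)."""
    root = os.path.expanduser(root)
    uid = os.getuid() if uid is None else uid
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            return
        if st.st_uid != uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
        extra = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if extra:
            findings.append((path, "group/other bits %03o" % extra))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


def build_sample_tree(parent):
    """Constructed sample: one private cache file and one world-readable one."""
    root = os.path.join(parent, "dot-subversion")
    auth = os.path.join(root, "auth")
    os.mkdir(root)
    os.mkdir(auth)
    for name, mode in (("ok", 0o600), ("leaky", 0o644)):
        path = os.path.join(auth, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real credential\n")
        os.chmod(path, mode)
    os.chmod(auth, 0o700)
    os.chmod(root, 0o700)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, problem in audit_auth_cache(build_sample_tree(tmp)):
            print(problem, path)
```

An empty result means every entry is owned by the user with no group or other permission bits set, which is the property the reply assumes when it calls the location fine.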

This is an archived mail posted to the Subversion Dev mailing list.
