Recall: OS X Leopard just plain breaks the API that implements "--non-
interactive" around access to the keychain. The original description
was that this, therefore, breaks --non-interactive.
However, it turns out that operations that use --non-interactive plus
--username plus --password do succeed (never have to go to the
keychain for creds anyway). Small yay.
However however, this also means that such operations end up caching
the creds into svn.simple/ in the classic way.
It seems to me that this makes it a security bug. My reasoning:
someone on OS X, having read the documentation, expects credentials to
be stored in the very secure keychain. Through this bug, however,
they are stored in the much less secure svn.simple/. If this poor
user trusted our promise to do the safe thing (even verified it under
Tiger), they do not expect their creds to be stored in the file
system. This may seduce them into relaxing the file system
protections in some way, exposing their password.
My question for this list: does this constitute a security bug for
Subversion?
On the basis of the reasoning above, I marked my bug at Apple as a
security issue. They have just notified me that they don't consider
this a security issue. They didn't give me detailed reasoning on that
decision, but I do admit that the chain that leads to a breach
contains components other than those supplied by Apple, and even some
user configuration acts. I am considering bumping the Subversion bug
up to reflect the "security" concern.
-==-
Jack Repenning
Chief Technology Officer
CollabNet, Inc.
8000 Marina Boulevard, Suite 600
Brisbane, California 94005
office: +1 650.228.2562
mobile: +1 408.835.8090
raindance: +1 877.326.2337, x844.7461
aim: jackrepenning
skype: jrepenning
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-01-04 07:03:01 CET