Hadmut Danisch wrote:
> Hi,
>
> a known but still insecure fact is that Subversion stores passwords
> for repository accounts in plaintext in local files (when used with Linux).
>
> I've been discussing that fact on the users mailing list. A common argument
> is that the user is expected to know about this issue and that it is
> possible to turn off that storage of passwords in the config files.
>
> However, from my experience you cannot expect users to read and know every
> single detail of using Subversion. Most users just know the basics or are
> just following instructions given on a web page. But even if you are aware
> of this behavior, it happens accidentally that you use a machine where the
> config files have not yet been modified and where Subversion stores
> passwords in a local file. It is more error-prone if you want Subversion
> to store passwords for some repositories, while not for others.
>
> Storing passwords in local files can be harmful if, e.g., the repository
> is protected with LDAP and the same passwords are used for common company
> authentication. In reality, Subversion stores these passwords onto hard
> discs and thus compromises company security.
>
> In the manual, I found the assumption that users are expected to trust the
> operating system to keep files confidential. This is dramatically wrong,
> e.g. the operating system is not in place anymore if the hard disk is
> replaced.
>
> Passwords must not be stored on hard disk in plaintext under any
> circumstances without user confirmation in any single case.
>
> The need to modify configuration files proved to not be reliable in reality.
>
> I therefore propose to modify the way Subversion treats passwords:
>
> - Drop that option from the config file. It should not be possible
> anymore to drive Subversion into a mode where it writes passwords to disk
> without explicit user confirmation.
>
> - Allow a new command line option for those cases where the user wants
> the password to be stored. Require that option to be explicitly given for
> every single password to be stored. Issue a warning message.
I for one add my name to the petition to get the default at least
changed. True, the user must trust the OS to protect data, but if the
hard drive itself is removed, all that is for naught.
Considering the possible implications, I think it would be best to have
this feature set to disabled by default rather than what it is now.
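The complaint in this thread is that the Subversion client on Linux writes cached repository credentials under ~/.subversion/auth/svn.simple/ with the password in the clear. The following is an added example, not part of this thread and not Subversion's own code: a small scanner that parses those cache files (Subversion's "K <len> / V <len> ... END" hash-file format) and reports every entry whose passtype field is "simple", which is the plaintext case; entries whose passtype names a keyring or agent carry no usable password on disk and are skipped. The sample cache it builds is constructed here, and its file names are made up (the real ones are hashes of the realm string). On a host where no caching is wanted, the setting to check is store-passwords = no in the [auth] section of ~/.subversion/config, or per server group in ~/.subversion/servers.

```python
"""Scan a Subversion auth cache for passwords stored in plaintext.

Added example, not Subversion's own code. Assumes the Linux client layout:
~/.subversion/auth/svn.simple/<file>, one cached credential per file, in the
K/V hash format with "passtype" == "simple" meaning "password" is unencrypted.
"""
import os
import shutil
import tempfile
from pathlib import Path


def parse_svn_hash(data: bytes) -> dict:
    """Parse one svn hash file (K <len>\\nkey\\nV <len>\\nvalue\\n ... END)."""
    fields = {}
    pos = 0
    key = None
    while pos < len(data):
        nl = data.index(b"\n", pos)
        header = data[pos:nl]
        pos = nl + 1
        if header == b"END":
            break
        tag, _, length = header.partition(b" ")
        n = int(length)
        payload = data[pos:pos + n]
        pos += n + 1  # the payload is followed by exactly one newline
        if tag == b"K":
            key = payload.decode("utf-8")
        elif tag == b"V" and key is not None:
            fields[key] = payload.decode("utf-8")
            key = None
        else:
            raise ValueError("malformed svn hash file at offset %d" % pos)
    return fields


def encode_svn_hash(fields: dict) -> bytes:
    """Inverse of parse_svn_hash; used here only to build sample files."""
    out = bytearray()
    for key, value in fields.items():
        k, v = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    out += b"END\n"
    return bytes(out)


def find_plaintext_passwords(auth_dir) -> list:
    """Return (realm, username) for every cached credential stored in the clear."""
    hits = []
    simple_dir = Path(auth_dir) / "svn.simple"
    if not simple_dir.is_dir():
        return hits
    for entry in sorted(simple_dir.iterdir()):
        if not entry.is_file():
            continue
        fields = parse_svn_hash(entry.read_bytes())
        if fields.get("passtype") == "simple" and "password" in fields:
            hits.append((fields.get("svn:realmstring", "?"),
                         fields.get("username", "?")))
    return hits


def demo() -> list:
    """Build a constructed auth cache in a temp dir, scan it, clean up."""
    base = Path(tempfile.mkdtemp(prefix="svn-auth-demo-"))
    simple_dir = base / "svn.simple"
    simple_dir.mkdir()
    # Constructed entry 1: password cached in plaintext (hypothetical file name).
    (simple_dir / "entry-plaintext").write_bytes(encode_svn_hash({
        "passtype": "simple",
        "password": "s3cret-ldap-pw",
        "svn:realmstring": "<https://svn.example.com:443> Example Repo",
        "username": "alice",
    }))
    # Constructed entry 2: password held by a keyring, nothing usable on disk.
    (simple_dir / "entry-keyring").write_bytes(encode_svn_hash({
        "passtype": "gnome-keyring",
        "svn:realmstring": "<https://svn.example.org:443> Other Repo",
        "username": "bob",
    }))
    try:
        return find_plaintext_passwords(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Real run: scan the current user's cache, as the thread's users would.
    real = find_plaintext_passwords(os.path.expanduser("~/.subversion/auth"))
    for realm, user in real or demo():
        print("PLAINTEXT password cached for %s at %s" % (user, realm))
```

Run it as the user whose cache you are auditing; it prints one line per plaintext entry, and falls back to the constructed sample when the real cache is clean or absent. Deleting a reported file removes that cached password, but only store-passwords = no (or, in later clients, a refused prompt) stops the client from writing a new one on the next authenticated operation.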
Received on 2008-04-08 00:59:46 CEST