[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Feature proposal: SVN_USERNAME and SVN_PASSWORD environment variables

From: Branko Čibej <brane_at_wandisco.com>
Date: Wed, 17 Apr 2013 07:14:53 +0200

On 17.04.2013 02:49, Daniel Shahaf wrote:
> Greg Stein wrote on Tue, Apr 16, 2013 at 19:01:23 -0400:
>> Pulled from an accidental moderation rejection:
>> ---------- Forwarded message ----------
>>> From: Charles Duffy <charles_at_dyfis.net>
>>> To: dev_at_subversion.apache.org
>>> Cc:
>>> Date: Tue, 16 Apr 2013 10:09:22 -0500
>>> Subject: Feature proposal: SVN_USERNAME and SVN_PASSWORD environment variables
>>> Howdy --
>>> At present, the easiest way to pass credentials into Subversion is on the command line, which is supported across all bundled tools.
>>> Unfortunately, on UNIX, this is extremely insecure: The contents of programs' argv array is visible to all users (as in ps). While a program can overwrite its argv array, there is necessarily a window between startup and the point when this operation occurs.
>>> A moderate improvement would be to allow credentials to be passed in through the environment; on Unixlike systems following best-practices, this protects them from being read by other non-root users on the same system. (Some security-hardened systems have stronger controls available than merely "same user", allowing a similar level of control to that exercised over ptrace).
>>> A larger improvement would be to allow a file descriptor to be specified which _only_ reads password data in an unambiguous form. This is what GnuPG does with its --passphrase-fd option, and is an improvement over reusing stdin in contexts where passwords are being provided automatically as there is no need to track stdout for reprompting, alternate requests, etc.
>>> My interest is in having something which can be safely used from shell scripts in a reasonably secure manner, and with a level of implementation difficulty compatible with my available schedule. Counterproposals, objections, or alternate mechanisms would be greatly appreciated.
> Additional options:
> - allow specifying a filename which contains the password. (This can be
> done today, via --config-dir, if you know the realm.)

This is the only option (in addition to what we already have) that I'd
consider supporting. I find reading credentials from the environment
flaky at best; but reading from a file should work fairly well with scripts.

The --config-dir option is IMO problematic for this since you'd have to
use the SVN command-line to initialize the credentials store -- the
format is such that I'd not recommend editing the auth store manually.

The most likely candidates are a couple new command-line flags, e.g.,
--username-file and --password-file.

-- Brane

Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com
Received on 2013-04-17 07:15:35 CEST

This is an archived mail posted to the Subversion Dev mailing list.