[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: The --password and clumsy users issue

From: Gabriela Gibson <gabriela.gibson_at_gmail.com>
Date: Fri, 4 Jul 2014 08:09:28 +0100

What if we leave the current --password as is (for convenience) and just
add an optional, secondary password mechanism for those admins who want to
be doubly sure?

On Fri, Jul 4, 2014 at 7:00 AM, Ben Reser <ben_at_reser.org> wrote:

> On 7/3/14 9:10 PM, Martin Furter wrote:
> > 3) Allow the password to be supplied over stdin using the special value
> "-".
> >
> > Nobody will see the password. The only leak is that a password has been
> > supplied using stdin. An attacker will have to convince the calling
> application
> > to run something different than svn which logs the password to a file.
> A lot of tools have options to provide passwords via a file. That's
> certainly
> a better option for people who want to do automation and are concerned
> with the
> leakage via the command line.
> Just adding "-" as a special value for the existing --password option
> doesn't
> necessarily help people doing automation since you're going to have to do
> something to send that password over stdin, which might end up leaked via
> the
> same mechanism (though usually things like echo are shell internals and
> don't
> spawn processes).
> I'd rather add a --password-file option and that can take the "-" special
> value
> for STDIN if people want and that other values just read the password form
> the
> path provided.
> The question then becomes is it better to just leave --password with
> documentation and maybe some sort of redaction or should we just remove it
> entirely.
> Yes it would take some minor effort for anyone upgrading that depends on
> --password now, including our own test suite, but it ought to be rather
> trivial
> to write the password to a file with proper permissions and just start
> passing
> the name of the file on the command line.
> To that end how about:
> "--password-file ARG : specify a password stored in file ARG (secure
> provided
> proper permissions are set on the file, interactive users may prefer the
> interactive password prompts when credentials are needed)"
> Deprecate --password in 1.9 but leave it with the following help text:
> "(deprecated, insecure use --password-file instead)"
> Remove --password support entirely in 1.10 and emit an error telling users
> to
> use --password-file.

Visit my Coding Diary: http://gabriela-gibson.blogspot.com/
Received on 2014-07-04 09:09:57 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.