Re: The --password and clumsy users issue
From: Julian Foad <julianfoad_at_btopenworld.com>
Date: Mon, 21 Jul 2014 12:27:27 +0100
Markus Schaber wrote:
> Julian Foad wrote:
>> "specify a password ARG (insecure: on many systems,
>> other users can read the command-line arguments)"
> I fully agree with your concerns about vague warnings. But in my eyes,
> it is also important to point out the alternatives, so that the users
> have an easy way to use them.
and GBG wrote (to me):
> It still leaves a question --- why? And ppl might think, oh, not in linux,
> I should be safe (remembering that svn is cross platform).
> How about something like: (insecure on any OS that hosts other users) ?
We want to say, very briefly (the command-line help isn't the place for a full explanation):
- that using this option might be insecure;
- enough of a clue about how/why so the user can make an informed choice or know what questions to ask if they want to look for more information.
In the interests of getting something in place, I have just committed the following help text in r1612230:
--password ARG : specify a password ARG (caution: on many operating
systems, other users will be able to see this)
(I used "caution:" as I think "insecure" is too context-dependent and judgemental.)
Improvements are welcome, of course.
* write a fuller explanation in The Book
* add a '--password-file' option
* (maybe) blank out the --password argument after reading it, when possible
I don't plan to work on The Book, or on blanking; contributions are welcome.
I looked at committing a password-file option. A version based on Markus Schaber's recent patches is attached. (It's his patch, minus the password-env-var option, plus a test suite fix.)
Looking at how the 'rsync' program describes its '--password-file' option:
$ man rsync
This option allows you to provide a password in a file for accessing
an rsync daemon. The file must not be world readable. It should
contain just the password as the first line of the file (all other
lines are ignored).
Two things we might want to do, that rsync does:
1. Read only the first line of the file, up to but not including a newline. "Not including the newline" is the important part here, I think: the patch, as is, assumes that any newline in the file is part of the password, which in a typical case then fails to work.
(The first thing I tried was "echo my-password > foo; svn --password-file=foo ...".)
2. It says the file must not be world-readable. That seems a sensible
precaution. I think we should do that too, on operating systems
where that makes sense.
This is an archived mail posted to the Subversion Dev mailing list.