On Wed, 2005-09-14 at 17:51 +0200, Alexander Kitaev wrote:
> I am not of aware of your environment and its contraints, but I would say
> that using root (!) shell by multiple (!) users is already a huge security
> flaw. Whatever you do in such environment will not make you safe from the
> secutiry point of view. So comparing to the other hazards you get in such
> configuration, storing passwords its not the most serious one. Also, as far
> as I understand, that even being encrypted password or private-key could be
> used by someone else to make commits or remote logins, without knowing the
> exact value of the password of course.
I would hope that the knowledge of the super-user password was
restricted to as few people as possible and that use of the root shell
was limited to the smallest number of tasks possible. The issue is not
what a root user may be doing it is that an application is wilfully
breaking security regimes. Relying on non-malicious root privilege and
file permissions when everything else about SSH and PGP is all about not
leaving security holes seems wrongly founded. Indeed against the whole
philosophy of SSH and PGP.
Sorry but I think your argument about passwords and passphrases is a
weak one. Everyone is trying desparately to increase security and yet
here is Subversion and JavaSVN opening it up. Sorry but I am shocked by
this approach to security.
--
Russel.
====================================================
Dr Russel Winder +44 20 7585 2200
41 Buckmaster Road +44 7770 465 077
London SW11 1EN, UK russel@russel.org.uk
Received on Thu Sep 15 02:02:29 2005