SVN Security

From: Timo Wendt <twendt_at_online.de>
Date: 2006-04-13 17:10:35 CEST

Hi,

I have evaluated Subversion for the last few days. The features are
really great. My problem is with the security in some areas. There
are a lot of nice features when you connect to the repository
remotely. From 1.3.1 you don't even need Apache anymore to use the
features from authz. But in my opinion Subversion lacks a lot of
security when it comes to local access to the repository via
file:///. All I can do is hook scripts for commits and such things.
But what if I would like no access? Of course I did change the
permissions of the repository dirs, but that's about it. The book
always states that umask is important. Umask is something the Admin
cannot force. Every user can change his umask if he wants to. I want
to place config files in the repository that are confidential. I
cannot rely on users having to set their umask correctly.

I also did a hotcopy of the repository. All my permissions are lost
after that. The copy is again a matter of the umask.

Another thing that bothers me is the auth cache, and it is even on by
default. Saving clear text passwords on disk is bad. In my case the
file was even world readable even though the book states it is only
readable by the owner. I understand that this feature is nice for
usage, but is there no way of shutting it off completely apart from
changing the source code, which I did? As long as this feature is
available, users will use it. Users always find nice ways to make
their work easiest.

Don't misunderstand me, this product is really great, but please also
understand my point of view.

Greetings,

Timo

Received on Thu Apr 13 17:13:33 2006
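
An added example, not part of the original post and not Subversion's own code: a shell audit for the two permission problems the message describes, a credential cache readable beyond its owner and a hotcopy whose modes follow the umask. It assumes the client's default cache location `~/.subversion/auth`; the function names are hypothetical.

```shell
#!/bin/sh
# Audit a directory tree (auth cache, repository or hotcopy) for entries
# that anyone other than the owner can access, and optionally tighten it.

# Print every file or directory under $1 with any group/other bit set.
loose_entries() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of loose entries under $1.
count_loose() {
    loose_entries "$1" | wc -l | tr -d ' '
}

# Remove all group/other access below $1, independent of any user's umask.
tighten() {
    [ -d "$1" ] || return 0
    chmod -R go-rwx "$1"
}

# Report on $1; returns 1 when something is accessible beyond the owner.
audit_main() {
    n=$(count_loose "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n entries under $1 are accessible beyond the owner:"
        loose_entries "$1"
        return 1
    fi
    echo "OK: $1 is owner-only"
}

# Usage: sh audit.sh ~/.subversion/auth    (or the path of a hotcopy)
if [ $# -gt 0 ]; then
    audit_main "$1"
fi
```

Running `tighten` on a fresh hotcopy resets its modes regardless of the umask in effect when the copy was made; a repository shared through a group needs a narrower mode change than `go-rwx`.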

This is an archived mail posted to the Subversion Users mailing list.