
Re: Password stored in clear text!

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-08-22 03:26:11 CEST

----- Original Message -----
From: "Garrett Rooney" <rooneg@electricjellyfish.net>
To: "Nico Kadel-Garcia" <nkadel@comcast.net>
Cc: "Stephen Adler" <adler@stephenadler.com>; <users@subversion.tigris.org>
Sent: Monday, August 21, 2006 7:50 PM
Subject: Re: Password stored in clear text!

> On 8/21/06, Nico Kadel-Garcia <nkadel@comcast.net> wrote:
>> Garrett Rooney wrote:
>> > On 8/21/06, Stephen Adler <adler@stephenadler.com> wrote:
>> >> Guys,
>> >>
>> >> in .subversion/auth/svn.simple/d03da0c1495ff5b9551c9e3487f24f94, my
>> >> password to
>> >> my account is stored in clear text! Is this secure?
>> >
>> > It's stored with permissions such that you're the only user who can
>> > read it.
>> Unless you have it on a laptop someone else has physical access to. Or you
>> back up your home directory. Or you share home directories via NFS. Or......
>> The legion of ways to nab stored clear-text passwords is pretty large. It's
>> something that bugs the tar out of me.
> Then you can use one of the numerous options that don't cache the
> password. Problem solved.

Well, yes. But you have to say that. Your statement that "It's stored with
permissions such that you're the only user who can read it" is blatantly
incorrect. Moreover, since more users are using LDAP or even NIS based
single-sign-on systems to manage their user accounts for Subversion, it's
leaving a gaping security hole that is a serious risk to using Subversion by
any means other than local file access, or ssh+svnserve. Plain-text
passwords are an old and serious security problem: they shouldn't be

Received on Tue Aug 22 03:27:16 2006
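The thread above turns on two concrete facts about the Subversion client: with the default `store-passwords = yes` in the `[auth]` section of `~/.subversion/config` (or without `--no-auth-cache` on the command line) it writes the password in clear text into a file under `~/.subversion/auth/svn.simple/`, and the only protection that file gets is an owner-only mode, which does not survive backups, NFS exports or a stolen laptop. The following audit script is an added example and is not code from the thread or from the Subversion project: it parses the `K <len>` / `V <len>` / `END` hash-file format those cache files use, reports the realm and username of each entry, and flags both a cached plaintext password and a file mode readable by group or others. The two sample entries it writes into a temporary directory (realms, usernames, the password) are constructed for illustration; the second one shows what the client leaves behind once `store-passwords = no` is set.

```python
# Added example: audit the credential cache Subversion keeps under
# ~/.subversion/auth/svn.simple/. Not code from the thread or from Subversion;
# the sample entries below are constructed for illustration.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's hash-file format: 'K <len>' / key / 'V <len>' / value
    pairs, length-prefixed in bytes, terminated by a line reading 'END'."""
    fields = {}
    pos = 0
    while True:
        nl = data.index(b"\n", pos)          # ValueError if the file is truncated
        header = data[pos:nl]
        pos = nl + 1
        if header == b"END":
            return fields
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>' header, got {header!r}")
        klen = int(header[2:])
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen + 1                      # skip the key and its trailing newline
        nl = data.index(b"\n", pos)
        header = data[pos:nl]
        pos = nl + 1
        if not header.startswith(b"V "):
            raise ValueError(f"expected 'V <len>' header, got {header!r}")
        vlen = int(header[2:])
        fields[key] = data[pos:pos + vlen].decode("utf-8")
        pos += vlen + 1


def encode_svn_hash(fields: dict) -> bytes:
    """Inverse of parse_svn_hash; used here only to build the constructed samples."""
    out = bytearray()
    for key, value in fields.items():
        kb, vb = key.encode("utf-8"), value.encode("utf-8")
        out += b"K %d\n%s\nV %d\n%s\n" % (len(kb), kb, len(vb), vb)
    out += b"END\n"
    return bytes(out)


def audit_entry(fields: dict, mode: int) -> list:
    """Return the problems with one cached entry: a plaintext password on disk,
    and a file mode that lets group or others read it."""
    findings = []
    if fields.get("passtype") == "simple" and "password" in fields:
        findings.append("plaintext password cached")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable by group/others")
    return findings


def audit_svn_simple(auth_dir: Path) -> list:
    """Walk <auth_dir>/svn.simple and report realm, username and findings per file."""
    results = []
    for path in sorted((auth_dir / "svn.simple").iterdir()):
        fields = parse_svn_hash(path.read_bytes())
        mode = stat.S_IMODE(os.stat(path).st_mode)
        results.append({
            "file": path.name,
            "realm": fields.get("svn:realmstring", "?"),
            "username": fields.get("username", "?"),
            "findings": audit_entry(fields, mode),
        })
    return results


def demo() -> list:
    """Build a throwaway auth directory with two constructed entries and audit it."""
    auth_dir = Path(tempfile.mkdtemp()) / "auth"
    simple_dir = auth_dir / "svn.simple"
    simple_dir.mkdir(parents=True)

    # Entry 1: what the client writes with the default 'store-passwords = yes',
    # after a copy (backup, NFS export) left it world-readable.
    realm = "<https://svn.example.com:443> Example Repository"   # constructed
    cached = {"passtype": "simple", "password": "hunter2",       # constructed
              "svn:realmstring": realm, "username": "adler"}
    leaky = simple_dir / hashlib.md5(realm.encode("utf-8")).hexdigest()  # svn names cache files by MD5 of the realm
    leaky.write_bytes(encode_svn_hash(cached))
    os.chmod(leaky, 0o644)

    # Entry 2: what remains with '[auth] store-passwords = no' in
    # ~/.subversion/config: realm and username only, owner-only mode.
    realm2 = "<https://svn.internal.example:443> Internal"      # constructed
    safe = {"svn:realmstring": realm2, "username": "adler"}
    fine = simple_dir / hashlib.md5(realm2.encode("utf-8")).hexdigest()
    fine.write_bytes(encode_svn_hash(safe))
    os.chmod(fine, 0o600)

    return audit_svn_simple(auth_dir)


if __name__ == "__main__":
    for entry in demo():
        status = "; ".join(entry["findings"]) or "ok"
        print(f'{entry["file"]}  {entry["username"]}@{entry["realm"]}: {status}')
```

Point `audit_svn_simple` at a real `~/.subversion/auth` directory to check your own cache; an entry with no findings is what you get after setting `store-passwords = no` and deleting the old cache files, since the client does not scrub passwords it has already written.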

This is an archived mail posted to the Subversion Users mailing list.
