Re: Security flaw: subversion stores passwords by default / Proposal

Paul Koning wrote:
> So how does this avoid the security issue? The substantive change is
> that you've flipped the default to "don't store". But if it is
> stored, it's still stored on disk, in cleartext.
>

It does not store it if you don't want it.

You are still hanging on the idea that svn must authenticate automatically.

This is not always what the user wants, as the many complains about that
password thing show.

Even if you are pretty much aware of that issue and the config options,
it is
still an awful trap.

I was checking out configuration files from a svn respository
into /etc of several freshly installed computers.

On one of the computers I just forgot to change the svn config options
to not store
the password and accidently wrote the password on the disk.

Although I immediately realized this, it raises the problem how to clean
the disk again, since simply removing a file does not really help. You
need to
install wipe tools etc.

You should not put a password onto disk without making sure that the
user is
aware of this and really wants it that way.

> (Cleartext or equivalent. Absent an API where the kernel has a
> persistent copy of the user password and can use that to decrypt files
> -- which Linux doesn't have as far as I know -- even a scrambled
> on-disk copy is functionally equivalent to cleartext.)
>
> I believe the current credentials cache is already per-repository, so
> that part of your proposal is covered. Browse around
> $HOME/.subversion/auth/svn.simple, you'll see it.
>
>
Again, you still miss the problem.

regards
Hadmut

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-20 22:44:02 CET