Re: Re: Security flaw: subversion stores passwords by default / Proposal

From: Paul Koning <Paul_Koning_at_dell.com>
Date: Thu, 20 Mar 2008 17:31:39 -0400

So how does this avoid the security issue? The substantive change is
that you've flipped the default to "don't store". But if it is
stored, it's still stored on disk, in cleartext.

(Cleartext or equivalent. Absent an API where the kernel has a
persistent copy of the user password and can use that to decrypt files
-- which Linux doesn't have as far as I know -- even a scrambled
on-disk copy is functionally equivalent to cleartext.)

I believe the current credentials cache is already per-repository, so
that part of your proposal is covered. Browse around
$HOME/.subversion/auth/svn.simple, you'll see it.

paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-21 08:23:25 CET

This message: [ Message body ]
Next message: Cristea Bogdan: "python subversion binding"
Previous message: Ryan Schmidt: "Re: Check out repository with encoded characters"
In reply to: Hadmut Danisch: "Re: Security flaw: subversion stores passwords by default / Proposal"
Next in thread: Hadmut Danisch: "Re: Security flaw: subversion stores passwords by default / Proposal"
Reply: Hadmut Danisch: "Re: Security flaw: subversion stores passwords by default / Proposal"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]