
Re: Re: Security flaw: subversion stores passwords by default / Proposal

From: Paul Koning <Paul_Koning_at_dell.com>
Date: Thu, 20 Mar 2008 17:31:39 -0400

So how does this avoid the security issue? The substantive change is
that you've flipped the default to "don't store". But if it is
stored, it's still stored on disk, in cleartext.

(Cleartext or equivalent. Absent an API where the kernel has a
persistent copy of the user password and can use that to decrypt files
-- which Linux doesn't have as far as I know -- even a scrambled
on-disk copy is functionally equivalent to cleartext.)

I believe the current credentials cache is already per-repository, so
that part of your proposal is covered. Browse around
$HOME/.subversion/auth/svn.simple, you'll see it.

        paul

Received on 2008-03-21 08:23:25 CET
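
An added example, not part of the original message: a defender-side audit of a credentials cache directory such as the `$HOME/.subversion/auth/svn.simple` mentioned above, reporting which per-repository entries hold a password stored as-is, without printing the password. It assumes the cache files use Subversion's `K <len>` / `V <len>` / `END` hash-dump layout and that a missing `passtype` key, or `passtype` of `simple`, marks a plaintext entry; the file names, realm, and values in `demo()` are constructed.

```python
import os
import tempfile

def parse_svn_hash(data: bytes) -> dict:
    """Parse a length-prefixed 'K n / key / V n / value / END' hash dump."""
    out, pos = {}, 0
    def read_line():
        nonlocal pos
        end = data.index(b"\n", pos)          # ValueError if the file is truncated
        line, pos = data[pos:end], end + 1
        return line
    def read_item(tag):
        nonlocal pos
        header = read_line()
        if header == b"END":
            return None
        kind, length = header.split()
        if kind != tag:
            raise ValueError("expected %r record, got %r" % (tag, kind))
        value = data[pos:pos + int(length)]   # lengths are byte counts, values may contain newlines
        pos += int(length) + 1                # skip the newline that follows the value
        return value
    while True:
        key = read_item(b"K")
        if key is None:
            return out
        out[key.decode()] = read_item(b"V").decode(errors="replace")

def audit_cache(auth_dir):
    """Return (file, realm, username) for entries whose password is stored as-is."""
    findings = []
    for name in sorted(os.listdir(auth_dir)):
        with open(os.path.join(auth_dir, name), "rb") as fh:
            entry = parse_svn_hash(fh.read())
        # Assumption: no passtype key, or passtype "simple", means a plaintext password.
        if "password" in entry and entry.get("passtype", "simple") == "simple":
            findings.append((name, entry.get("svn:realmstring"), entry.get("username")))
    return findings

def demo():
    """Build two constructed cache entries in a temp dir and audit them."""
    realm = "<https://svn.example.invalid:443> Constructed Realm"
    samples = {
        "entry-plain": {"password": "constructed-secret", "svn:realmstring": realm, "username": "alice"},
        "entry-wincrypt": {"passtype": "wincrypt", "password": "constructed-blob",
                           "svn:realmstring": realm, "username": "bob"},
    }
    with tempfile.TemporaryDirectory() as d:
        for name, fields in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                for k, v in fields.items():
                    fh.write(b"K %d\n%s\nV %d\n%s\n" % (len(k), k.encode(), len(v), v.encode()))
                fh.write(b"END\n")
        return audit_cache(d)
```

To check a real account, call `audit_cache(os.path.expanduser("~/.subversion/auth/svn.simple"))`.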

This is an archived mail posted to the Subversion Users mailing list.
