
Re: Security flaw: subversion stores passwords by default

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Fri, 21 Mar 2008 12:29:17 -0500

Daniel Danger Bentley wrote:
>
>>> The Subversion client needs to provide the plain text password to the
>>> Apache server during authentication. Suggest a way for this to be
>>> accomplished without storing the plain text password on the client's
>>> disk.
>> In the high security area where I am currently maintaining a protected
>> SVN repository, the users are required to reenter the password any time.
>>
>> Even beyond that requirement, there's another problem:
>>
>> Some files need to be checked out from SVN with root permissions, but
>> with user/password of the person who is root at that very moment. While
>> several people share access to the root accounts, nobody should be able
>> to check in changes under the name of a different person (or be able to
>> read the password from the file system).
>>
>
> I don't know much about subversion (just joined), but this caught my eye:
> Why are multiple people sharing an account? If you don't trust your users,
> then why do you trust them to share an account?

People with root permissions aren't users, they are machine
administrators and you have to balance the ability to keep things
running against the number of people who have complete access. Aside
from the issue of sharing user accounts or working directories being a
bad idea, there will always be some number of machine administrators
that can read any file, and copies of the files are likely to end up in
backups that some other set of people can access. You should, of
course, trust people you put in these positions, but that doesn't mean
you should hand them plain-text copies of passwords that are very likely
to be used for other purposes as well. Most other programs recognize
this and make at least some effort to obscure the passwords so a casual
glance at the file won't expose them. I'd look at it like locking a
door with a glass panel. It is still worth doing even if you know it
won't stop a determined thief.

-- 
   Les Mikesell
    lesmikesell_at_gmail.com
Received on 2008-03-21 18:29:44 CET

This is an archived mail posted to the Subversion Users mailing list.