[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svn Farm

From: Stefan Sperling <stsp_at_elego.de>
Date: Thu, 14 Oct 2010 20:28:37 +0200

On Thu, Oct 14, 2010 at 10:56:35AM -0700, David Brodbeck wrote:
> On Sat, Oct 9, 2010 at 6:39 AM, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
> > Second, many working environments in the UNIX world rely on NFS based
> > home directoies, to share working environments and configurations
> > across a variety of machines. In such environments, *any* host that
> > can be leveraged to local root access can "su" or "suco" to become the
> > target user, and access their entire home directory.
> >
> > Think I'm kidding? Walk into any university environment: plug in a
> > live Linux CD. Run an "nmap" scan for hosts running NFS. Run
> > "showmount" to detect what NFS shares are published to everyone. Go
> > ahead and mount the shares. Look in them for home directoriies. Look
> > in them, using your local root privileges, for Subversion passphrases.
> > (Look for CVS passphrases and un-passphrase-protected SSH keys while
> > you're at it.)
>
> This is why running public-facing NFS servers using auth_sys and
> no_root_squash is a BAD idea. If this is happening at your site, you
> have much more serious things to worry about than subversion passwords
> being stolen. For example, in your scenario it would be trivial to
> create an suid-root shell binary, which a local user could then run
> and gain root privileges.

Exactly. Bad NFS configuration isn't Subversion's fault.
Neither are NFS implementations that have insecure default settings,
like not mapping 'root' to 'nobody' by default.

There are problems with plaintext passwords, no doubt.
But the above scenario description is hyped up and misses the point.
If you cannot trust root on a UNIX box, don't save anything of value
on that box.

As of 1.6, Subversion asks the user before saving passwords in
plaintext. 1.6 also added support for using GNOME Keyring and KDE Wallet
as password stores.

It looks like there will be support for using PGP to encrypt passwords soon.
Maybe even in 1.7. Some code for this has already entered the repository:
http://svn.apache.org/viewvc?view=revision&revision=1005036

Stefan
Received on 2010-10-14 20:29:28 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.