On 17.04.2013 02:49, Daniel Shahaf wrote:
> Greg Stein wrote on Tue, Apr 16, 2013 at 19:01:23 -0400:
>> Pulled from an accidental moderation rejection:
>>
>> ---------- Forwarded message ----------
>>> From: Charles Duffy <char...@dyfis.net>
>>> To: dev@subversion.apache.org
>>> Cc:
>>> Date: Tue, 16 Apr 2013 10:09:22 -0500
>>> Subject: Feature proposal: SVN_USERNAME and SVN_PASSWORD environment variables
>>> Howdy --
>>>
>>> At present, the easiest way to pass credentials into Subversion is on the
>>> command line, which is supported across all bundled tools.
>>>
>>> Unfortunately, on UNIX, this is extremely insecure: The contents of
>>> programs' argv array is visible to all users (as in ps). While a program
>>> can overwrite its argv array, there is necessarily a window between startup
>>> and the point when this operation occurs.
>>>
>>> A moderate improvement would be to allow credentials to be passed in
>>> through the environment; on Unixlike systems following best-practices, this
>>> protects them from being read by other non-root users on the same system.
>>> (Some security-hardened systems have stronger controls available than
>>> merely "same user", allowing a similar level of control to that exercised
>>> over ptrace).
>>>
>>> A larger improvement would be to allow a file descriptor to be specified
>>> which _only_ reads password data in an unambiguous form. This is what GnuPG
>>> does with its --passphrase-fd option, and is an improvement over reusing
>>> stdin in contexts where passwords are being provided automatically as there
>>> is no need to track stdout for reprompting, alternate requests, etc.
>>>
>>> My interest is in having something which can be safely used from shell
>>> scripts in a reasonably secure manner, and with a level of implementation
>>> difficulty compatible with my available schedule. Counterproposals,
>>> objections, or alternate mechanisms would be greatly appreciated.
>>>
> Additional options:
>
> - allow specifying a filename which contains the password. (This can be
> done today, via --config-dir, if you know the realm.)

This is the only option (in addition to what we already have) that I'd
consider supporting. I find reading credentials from the environment
flaky at best; but reading from a file should work fairly well with scripts.

The --config-dir option is IMO problematic for this since you'd have to
use the SVN command-line to initialize the credentials store -- the
format is such that I'd not recommend editing the auth store manually.

The most likely candidates are a couple new command-line flags, e.g.,
--username-file and --password-file.

-- Brane

-- 
Branko Čibej
Director of Subversion | WANdisco | www.wandisco.com
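
Added example, not part of the thread and not Subversion code: one way a client could load the secret for a flag like the --password-file proposed above, refusing any file that is not a regular file owned by the caller with no group/other access. It assumes POSIX; read_password_file and demo_with_mode are hypothetical names, and the secret and temp path are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, mkstemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Subversion code): 0 on success, -1 if refused. */
int read_password_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n = -1;
    int fd = buflen ? open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC) : -1;
    if (fd < 0)
        return -1;
    /* fstat the open descriptor, not the path: no check-then-open race. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        n = read(fd, buf, buflen - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* keep the first line only */
    return 0;
}

/* Demo: store a constructed secret in a temp file with `mode`, load it back. */
int demo_with_mode(mode_t mode, char *out, size_t outlen)
{
    char path[] = "/tmp/pwfile-XXXXXX";
    const char secret[] = "constructed-example-secret\n";
    int rc = -1, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, secret, sizeof secret - 1) > 0 && fchmod(fd, mode) == 0)
        rc = read_password_file(path, out, outlen);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    char pw[128];
    printf("0600: %d, 0644: %d\n", demo_with_mode(0600, pw, sizeof pw),
           demo_with_mode(0644, pw, sizeof pw));
    return 0;
}
```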