Posted to users@subversion.apache.org by Yasuhito FUTATSUKI <fu...@yf.bsdclub.org> on 2021/02/23 02:39:43 UTC

Re: using svn cli with --non-interactive (in scripts) securely, without exposing password

In article <CA...@mail.gmail.com>
coolthecold@gmail.com writes:
 
> As I see it, at the end of the day, cleartext password / token /
> ssh-key would be saved anyway, if you need to have it to work in an
> automated way.
> Most convenient for me would be having:
> a) --password-file=... command option
> b) SVN_PASSWORD environment variable
>
> both of them should not be hard to implement and both provide access
> to current and/or root user, compared to current implementation, when
> running "ps aux" to reveal --password=... param executed by any user
> (this param could be at least googled fast and majority of people
> won't go deep into crafting simple auth file themselves).

Environment variables passed by a parent can be seen by others, too.
Some implementations of the ps(1) utility have an option to display them.
Also, procfs on Linux provides /proc/$pid/environ.

I don't think there is a safe way that a process kicked by cron can
get credentials but other processes which have the same privilege can't
get them.

Cheers,
-- 
Yasuhito FUTATSUKI <fu...@yf.bsdclub.org>
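
An added example, not part of the original message or of Subversion: a small audit that reports which running processes expose a credential through argv or through the environment, reading the same /proc files the message mentions. The list of sensitive names and the sample data are assumptions constructed for illustration; SVN_PASSWORD is the hypothetical variable proposed in the quoted text.

```python
import os
import re

# Assumption of this example: which names count as sensitive.
SENSITIVE_ENV = re.compile(r"PASSWORD|PASSWD|TOKEN|SECRET", re.I)
SENSITIVE_ARG = re.compile(r"^--password(=|$)")

# Constructed sample data in the on-disk format of /proc/<pid>/cmdline and environ.
SAMPLE_CMDLINE = b"svn\0update\0--non-interactive\0--password=hunter2\0"
SAMPLE_ENVIRON = b"HOME=/home/build\0SVN_PASSWORD=hunter2\0"

def split_nul(blob):
    """Both files are NUL-separated byte strings."""
    return [p.decode("utf-8", "replace") for p in blob.split(b"\0") if p]

def findings(cmdline, environ):
    """Describe exposed credentials without ever echoing their values."""
    out = []
    for arg in split_nul(cmdline):
        if SENSITIVE_ARG.match(arg):
            out.append("argv: --password value visible")
    for entry in split_nul(environ):
        name, sep, _value = entry.partition("=")
        if sep and SENSITIVE_ENV.search(name):
            out.append(f"env: {name}=<redacted>")
    return out

def read_bytes(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""  # process exited, or file not readable by this user

def scan_proc(root="/proc"):
    """Yield (pid, findings) for each process visible to the calling user."""
    if not os.path.isdir(root):
        return
    for pid in filter(str.isdigit, os.listdir(root)):
        # cmdline is world-readable by default; environ only for the same
        # uid or root, which is exactly the case the message describes.
        hits = findings(read_bytes(f"{root}/{pid}/cmdline"),
                        read_bytes(f"{root}/{pid}/environ"))
        if hits:
            yield int(pid), hits

if __name__ == "__main__":
    for pid, hits in scan_proc():
        print(pid, hits)
```

Run as the cron job's own user, it lists what any other process with that uid can read; run as an unrelated unprivileged user, only the argv findings remain.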