Posted to commits@subversion.apache.org by st...@apache.org on 2011/07/26 14:11:06 UTC

svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Author: stsp
Date: Tue Jul 26 12:11:05 2011
New Revision: 1151069

URL: http://svn.apache.org/viewvc?rev=1151069&view=rev
Log:
* subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this
   auth cache provider operates, including security considerations.

Modified:
    subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original)
+++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 2011
@@ -23,6 +23,36 @@
 
 /* ==================================================================== */
 
+/* This auth provider stores a plaintext password in memory managed by
+ * a running gpg-agent. In contrast to other password store providers
+ * it does not save the password to disk.
+ *
+ * Prompting is performed by the gpg-agent using a "pinentry" program
+ * which needs to be installed separately. There are several pinentry
+ * implementations with different front-ends (e.g. qt, gtk, ncurses).
+ *
+ * The gpg-agent will let the password time out after a while,
+ * or immediately when it receives the SIGHUP signal.
+ * When the password has timed out it will automatically prompt the
+ * user for the password again. This is transparent to Subversion.
+ *
+ * SECURITY CONSIDERATIONS:
+ *
+ * Communication to the agent happens over a UNIX socket, which is located
+ * in a directory which only the user running Subversion can access.
+ * However, any program the user runs could access this socket and get
+ * the Subversion password if the program knows the "cache ID" Subversion
+ * uses for the password.
+ * The cache ID is very easy to obtain for programs running as the same user.
+ * Subversion uses the MD5 of the realmstring as cache ID, and these checksums
+ * are also used as filenames within ~/.subversion/auth/svn.simple.
+ * Unlike GNOME Keyring or KDE Wallet, the user is not prompted for
+ * permission if another program attempts to access the password.
+ *
+ * Therefore, while the gpg-agent is running and has the password cached,
+ * this provider is no more secure than a file storing the password in
+ * plaintext.
+ */
 
 
 /*** Includes. ***/
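Review bot: the SECURITY CONSIDERATIONS block concludes that this provider is no more secure than a plaintext file while the agent has the password cached, but does not tell the reader how to opt out; a one-line pointer to the password-stores option in the config file (raised later in this thread) would let a user act on the warning. A smaller wording point: "time out after a while" leaves unclear that the timeout is governed by the agent's own cache settings, not by Subversion, which matters since Subversion cannot shorten the window; stating that explicitly would strengthen the paragraph. The description of the cache ID as the MD5 of the realmstring, identical to the file names under ~/.subversion/auth/svn.simple, is the key fact for the threat model and reads clearly.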



Re: svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Stefan Sperling wrote on Tue, Jul 26, 2011 at 22:26:14 +0200:
> On Tue, Jul 26, 2011 at 08:28:40PM +0300, Daniel Shahaf wrote:
> > Stefan Sperling wrote on Tue, Jul 26, 2011 at 15:33:34 +0200:
> > > The key difference between the plaintext password store and the
> > > gpg-agent store is that the user must already have a running gpg-agent.
> > > The plaintext password store is always used and is not guarded by
> > > any such precondition.
> > > 
> > 
> > The prompt function can check that the environment variable is defined.
> > (not connect; just getenv() != NULL)
> > 
> > > I think that if someone is already running gpg-agent, they are probably
> > > storing their PGP passphrase in it, which IMO is a secret of much higher
> > > value than a Subversion password.
> > > 
> > 
> > _If_ the PGP passphrase is stored there too, then of course it's more
> > valuable.  I'm not sure how likely that is, though --- ie, people who
> > use svn but not gpg, and people who use svn and instruct gpg not to use
> > the agent (does gpg use the agent by default?), wouldn't have any 'more
> > sensitive' secrets in the agent.
> 
> Users can always hit "Cancel" in the gpg agent prompt to get out of it.
> They don't have to enter a password at all if they aren't comfortable
> doing so.

Fair enough.

Re: svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Jul 26, 2011 at 08:28:40PM +0300, Daniel Shahaf wrote:
> Stefan Sperling wrote on Tue, Jul 26, 2011 at 15:33:34 +0200:
> > The key difference between the plaintext password store and the
> > gpg-agent store is that the user must already have a running gpg-agent.
> > The plaintext password store is always used and is not guarded by
> > any such precondition.
> > 
> 
> The prompt function can check that the environment variable is defined.
> (not connect; just getenv() != NULL)
> 
> > I think that if someone is already running gpg-agent, they are probably
> > storing their PGP passphrase in it, which IMO is a secret of much higher
> > value than a Subversion password.
> > 
> 
> _If_ the PGP passphrase is stored there too, then of course it's more
> valuable.  I'm not sure how likely that is, though --- ie, people who
> use svn but not gpg, and people who use svn and instruct gpg not to use
> the agent (does gpg use the agent by default?), wouldn't have any 'more
> sensitive' secrets in the agent.

Users can always hit "Cancel" in the gpg agent prompt to get out of it.
They don't have to enter a password at all if they aren't comfortable
doing so.

Re: svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Stefan Sperling wrote on Tue, Jul 26, 2011 at 15:33:34 +0200:
> On Tue, Jul 26, 2011 at 03:56:17PM +0300, Daniel Shahaf wrote:
> > stsp@apache.org wrote on Tue, Jul 26, 2011 at 12:11:06 -0000:
> > > Author: stsp
> > > Date: Tue Jul 26 12:11:05 2011
> > > New Revision: 1151069
> > > 
> > > URL: http://svn.apache.org/viewvc?rev=1151069&view=rev
> > > Log:
> > > * subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this
> > >    auth cache provider operates, including security considerations.
> > > 
> > > Modified:
> > >     subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> > > 
> > > Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> > > URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff
> > > ==============================================================================
> > > --- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original)
> > > +++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 2011
> > > @@ -23,6 +23,36 @@
> > >  
> > >  /* ==================================================================== */
> > >  
> > > +[four paragraphs of documentation comment]
> > 
> > Looks good :)
> > 
> > > + * Therefore, while the gpg-agent is running and has the password cached,
> > > + * this provider is no more secure than a file storing the password in
> > > + * plaintext.
> > 
> > Should the gpg-agent provider implement a "plaintext prompt" password
> > that explains this and asks the user's permission to do so?
> 
> I was thinking about that, too.
> 
> The key difference between the plaintext password store and the
> gpg-agent store is that the user must already have a running gpg-agent.
> The plaintext password store is always used and is not guarded by
> any such precondition.
> 

The prompt function can check that the environment variable is defined.
(not connect; just getenv() != NULL)

> I think that if someone is already running gpg-agent, they are probably
> storing their PGP passphrase in it, which IMO is a secret of much higher
> value than a Subversion password.
> 

_If_ the PGP passphrase is stored there too, then of course it's more
valuable.  I'm not sure how likely that is, though --- ie, people who
use svn but not gpg, and people who use svn and instruct gpg not to use
the agent (does gpg use the agent by default?), wouldn't have any 'more
sensitive' secrets in the agent.

> So if someone has the agent running then svn might as well just use it.
> If the user does not want Subversion to use it, it can be turned off in
> the config file (password-stores option).
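To make the two points in this exchange concrete, an added Python example (not Subversion's own code): it derives the cache ID exactly as the committed comment describes, shows it equals the svn.simple file name, and implements the precondition proposed above, a getenv() check with no socket connection. The [auth] section name, the comma-separated list format and the default-enabled fallback are assumptions for this example; the realm and config values are constructed.

```python
# Added example, not Subversion's own code: why the gpg-agent cache ID is not
# a secret, and the getenv()-only precondition proposed in the thread.
import configparser
import hashlib
from pathlib import PurePosixPath

AUTH_SIMPLE_DIR = PurePosixPath("~/.subversion/auth/svn.simple")


def cache_id(realmstring: str) -> str:
    """Cache ID handed to gpg-agent: the MD5 hex digest of the realm string."""
    return hashlib.md5(realmstring.encode("utf-8")).hexdigest()


def simple_auth_path(realmstring: str) -> str:
    """The on-disk credential file uses the same digest as its file name, so a
    directory listing of svn.simple reveals every cache ID in use."""
    return str(AUTH_SIMPLE_DIR / cache_id(realmstring))


def gpg_agent_store_enabled(environ, config_text: str) -> bool:
    """Offer the gpg-agent store only when GPG_AGENT_INFO is set (no connect,
    just getenv() != NULL) and the user has not removed gpg-agent from the
    password-stores option.  Assumptions: the option lives in an [auth]
    section, is comma-separated, and the provider is enabled when absent."""
    if environ.get("GPG_AGENT_INFO") is None:
        return False
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    stores = cfg.get("auth", "password-stores", fallback="gpg-agent")
    enabled = {s.strip() for s in stores.split(",") if s.strip()}
    return "gpg-agent" in enabled


# Constructed sample values, not taken from any real installation.
SAMPLE_REALM = "<https://svn.example.org:443> Example Repository"
SAMPLE_CONFIG = "[auth]\npassword-stores = gnome-keyring,kwallet\n"

if __name__ == "__main__":
    print("cache ID :", cache_id(SAMPLE_REALM))
    print("auth file:", simple_auth_path(SAMPLE_REALM))
    env = {"GPG_AGENT_INFO": "/tmp/gpg-XXXX/S.gpg-agent:1:1"}  # constructed
    print("gpg-agent store in use:", gpg_agent_store_enabled(env, SAMPLE_CONFIG))
```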

Re: svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Jul 26, 2011 at 03:56:17PM +0300, Daniel Shahaf wrote:
> stsp@apache.org wrote on Tue, Jul 26, 2011 at 12:11:06 -0000:
> > Author: stsp
> > Date: Tue Jul 26 12:11:05 2011
> > New Revision: 1151069
> > 
> > URL: http://svn.apache.org/viewvc?rev=1151069&view=rev
> > Log:
> > * subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this
> >    auth cache provider operates, including security considerations.
> > 
> > Modified:
> >     subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> > 
> > Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> > URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff
> > ==============================================================================
> > --- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original)
> > +++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 2011
> > @@ -23,6 +23,36 @@
> >  
> >  /* ==================================================================== */
> >  
> > +[four paragraphs of documentation comment]
> 
> Looks good :)
> 
> > + * Therefore, while the gpg-agent is running and has the password cached,
> > + * this provider is no more secure than a file storing the password in
> > + * plaintext.
> 
> Should the gpg-agent provider implement a "plaintext prompt" password
> that explains this and asks the user's permission to do so?

I was thinking about that, too.

The key difference between the plaintext password store and the
gpg-agent store is that the user must already have a running gpg-agent.
The plaintext password store is always used and is not guarded by
any such precondition.

I think that if someone is already running gpg-agent, they are probably
storing their PGP passphrase in it, which IMO is a secret of much higher
value than a Subversion password.

So if someone has the agent running then svn might as well just use it.
If the user does not want Subversion to use it, it can be turned off in
the config file (password-stores option).

Re: svn commit: r1151069 - /subversion/trunk/subversion/libsvn_subr/gpg_agent.c

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
stsp@apache.org wrote on Tue, Jul 26, 2011 at 12:11:06 -0000:
> Author: stsp
> Date: Tue Jul 26 12:11:05 2011
> New Revision: 1151069
> 
> URL: http://svn.apache.org/viewvc?rev=1151069&view=rev
> Log:
> * subversion/libsvn_subr/gpg_agent.c: Add a comment that explains how this
>    auth cache provider operates, including security considerations.
> 
> Modified:
>     subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> 
> Modified: subversion/trunk/subversion/libsvn_subr/gpg_agent.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/gpg_agent.c?rev=1151069&r1=1151068&r2=1151069&view=diff
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_subr/gpg_agent.c (original)
> +++ subversion/trunk/subversion/libsvn_subr/gpg_agent.c Tue Jul 26 12:11:05 2011
> @@ -23,6 +23,36 @@
>  
>  /* ==================================================================== */
>  
> +[four paragraphs of documentation comment]

Looks good :)

> + * Therefore, while the gpg-agent is running and has the password cached,
> + * this provider is no more secure than a file storing the password in
> + * plaintext.

Should the gpg-agent provider implement a "plaintext prompt" password
that explains this and asks the user's permission to do so?