
FSVS and versioning /etc - a security risk?

Author pmarek
Full name P.Marek
Date 2008-06-16 05:40:58 PDT
Message Hello everybody,

I'd like to share a question, and hope to find a simple answer:
How can FSVS avoid showing passwords to unauthorized people?


Me, *personally*, I think -
1) Passwords should be hashed, or similarly unreadable.
   But that's not always possible (e.g. when needed for IMAP verification)
2) If /etc is protected, the repository storing /etc must be, too.
   But sometimes that's forgotten, or the history should be viewable by others, too.
3) There's the commit-pipe hook, which can be used to filter out any secret data.
   But that's easy to forget, or to get wrong.


Any ideas? I already thought a bit about that, and could offer making FSVS run as an
ordinary user (or something like that [1]), so that protected files wouldn't get
versioned at all - but that's not ideal, either (as you lose information).


Any ideas? Examples? How do other products solve that?


Regards,

Phil


[1]
The simplest way could be to use a pre-commit-pipe like
   sudo -u nobody cat '$1' 2>/dev/null || true
so that protected data would be stored as empty files.
Running FSVS as a different user might work, too (if it ignores all EPERM) - but then
it'd have to be a special user that can write into the repository.


--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!
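
A filter of the kind point 3 of the message describes, added here as an example (not code from the original post or from the FSVS project). It assumes the hook passes file contents on stdin and stores whatever the command writes to stdout; the function names, the list of key names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: stdin-to-stdout redaction filter for config files.
# Assumption: the commit hook pipes file data through this command.

redact_secrets() {
    awk '
    {
        line = $0
        low = tolower(line)
        # Match "key =" or "key:" where the key names a secret. Leading
        # comment markers are allowed so commented-out credentials are
        # redacted too. The key list is an assumption; extend it per site.
        if (match(low, /^[ \t#;]*[a-z0-9_.-]*(passw(or)?d|passphrase|secret|api_?key|token)[a-z0-9_.-]*[ \t]*[=:]/)) {
            # Keep the key and separator (original case), drop the value.
            print substr(line, 1, RLENGTH) " ***REDACTED***"
            next
        }
        print line
    }'
}

# Constructed sample input, not taken from a real system.
sample_config() {
    cat <<'EOF'
# constructed sample file
imap_server = mail.example.org
imap_password = fake-hunter2
ldap_secret: fake-ldap
Password="fake-quoted value"
# password = fake-old
port = 993
EOF
}

# --filter: act as the pipe command; --demo: show the effect on the sample.
case "${1:-}" in
    --filter) redact_secrets ;;
    --demo)   sample_config | redact_secrets ;;
esac
```

The match is deliberately broad, so a harmless key such as `token_endpoint` is redacted as well; a value the pattern does not recognise still reaches the repository, which is the "easy to get wrong" risk the message raises.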
