dtm wrote 2006-10-30 10:56 am

How we set up password changing in subversion

This is another computer-geek post, because I was thinking about it today, and thought it deserved to get documented. Most of my friends will not care, so...

Granted, the audience for this should be extremely small, since the very strongly recommended way to use subversion is through an apache instance, letting apache take care of all user authentication issues. However, subversion is capable of serving as its own server, and occasionally an installation will grow up around that, with more and more people being gradually added to what was initially only a small single-department install.

Anyway, before moving to a "proper" install, with apache and authentication off to some LDAP or Kerberos server somewhere, you might need to provide people with the ability to change their own passwords. Note that the svn user (and root) will still be able to see the password, in cleartext, in the passwd file, but at least you might not have everyone using the default password anymore. Anyway, here's what we did.

First, our repository is structured basically like this:
svn://svnhost/repos/    projectOne/    trunk/
                                       branches/     version1/
                                                     version2/
                                       tags/         rel_1.0.0/
                                                     rel_1.0.1/
                        projectTwo/    trunk/
                                       branches/     version1/
                                                     version2/
                                       tags/         rel_1.0/
                                                     rel_1.1/
                                                     rel_2.0/

This is a pretty standard repository structure; in fact, I think it's the structure recommended in the documentation. Anyway, what I did was commit the following file as svn://svnhost/repos/change_password.txt: (the easiest way to do this is with svn copy)
This file is used to change your subversion password.

Just do this subversion command:
svn -m "JoeJob" rm svn://svnhost/repos/change_password.txt

And your password will be changed to "JoeJob".
Right now, the only characters allowed in a password are
printable characters (so no spaces in the password).

The svn command won't really rm this file - the commit will
fail, but will change your password as a side effect.

Then, I added this section to our pre-commit subversion hook (in the SVNROOT/repos/hooks directory):
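  SVNLOOK=/usr/local/bin/svnlook

  # A transaction that deletes change_password.txt is a password-change request.
  if $SVNLOOK changed -t "$TXN" "$REPOS" | \
    grep "^D *change_password\.txt *$" > /dev/null; then
    # Refuse if the transaction touches anything besides the flag file.
    if [ 1 -ne $($SVNLOOK changed -t "$TXN" "$REPOS" | wc -l) ]; then
      echo "Other things changed besides change pass flag file - aborting" >&2
      exit 1
    else
      author="$($SVNLOOK author -t "$TXN" "$REPOS")"
      # New password: first run of non-whitespace on the first line of the log message.
      newpass="$($SVNLOOK log -t "$TXN" "$REPOS" | perl -e '<> =~ /\S+/;print$&')"
      echo "Changing svn password for $author to \"$newpass\"..." >&2
      # Rewrite only this author's "name = password" line; the old file is kept as passwd.bak.
      perl -pi.bak -e 'BEGIN{$author=shift;$pass=shift}' \
           -e 's/^\Q$author\E *=.*/$author = $pass/' "$author" "$newpass" "$REPOS/conf/passwd"
      echo "password changed" >&2
      # Always fail the commit so the flag file is never actually removed.
      exit 1
    fi
  fi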

It looks something like this in action:
$ svn -m duhNewPass rm svn://svnhost/repos/change_password.txt
svn: 'pre-commit' hook failed with error output:
Changing svn password for dmartin to "duhNewPass"...
password changed

Yeah, it's pretty obviously a hack, but it works. (Aside from the fact that no one ever does actually go and change their subversion password, but that's a social problem, not a technical one)

The deliberate restriction to /\S+/ for the password is to prevent someone from abusing this to go and add users to the passwd file. Although technically I only need to worry about newline there, I think I'm doing my users a favor by not letting them accidentally put spaces in their password. (especially at the beginning or end of the password; I suppose I could allow spaces in the middle of the password without any problems)

Looking at this, I think I'm going to indulge in a bit of extra paranoia, and make sure no one's slipping ASCII control characters into their password. Replace the /\S+/ above with a /[!-~]+/ to do that.
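
The validation discussed in the last two paragraphs, as an added example that is not part of the original post or hook: it rejects any value that is not a single run of [!-~] characters instead of truncating it (a stricter choice than the hook's, assumed here), then rewrites one user's line in a constructed passwd file. The function names is_valid_password, set_password and demo are hypothetical.

```sh
#!/bin/sh
# Added example, not the original hook. All function names are hypothetical.

# Succeed only if $1 is non-empty and consists solely of printable,
# non-space ASCII ('!' through '~'), the same set as /[!-~]+/.
is_valid_password() {
  [ -n "$1" ] || return 1
  # Delete every allowed byte; anything left over is disallowed. The
  # trailing "x" stops $(...) from silently dropping a leftover newline.
  rest=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~'; printf x)
  [ "$rest" = x ]
}

# set_password USER NEWPASS PASSWD_FILE
# Rewrites only USER's "name = password" line. Fails, leaving the file
# untouched, if NEWPASS is rejected or USER has no entry.
set_password() {
  is_valid_password "$2" || return 1
  tmp="$3.tmp.$$"
  cp -p "$3" "$tmp" || return 1     # new copy keeps the file's mode
  # Values go in through the environment so awk prints them literally
  # (no backslash or "&" processing, unlike -v or a sub() replacement).
  if SVN_USER="$1" SVN_PASS="$2" awk '
      {
        eq = index($0, "=")
        name = substr($0, 1, eq - 1); sub(/ *$/, "", name)
        if (eq > 0 && name == ENVIRON["SVN_USER"]) {
          print name " = " ENVIRON["SVN_PASS"]; hit = 1
        } else print
      }
      END { exit hit ? 0 : 1 }' "$3" > "$tmp"
  then mv "$tmp" "$3"
  else rm -f "$tmp"; return 1
  fi
}

# Constructed sample data; call "demo" to see one accepted and one
# rejected request against a throwaway passwd file.
demo() {
  f=$(mktemp) || return 1
  printf '[users]\ndmartin = changeme\nalice = changeme\n' > "$f"
  set_password dmartin 'duhNewPass' "$f" && echo "accepted"
  set_password alice "$(printf 'pw\nmallory = pw')" "$f" || echo "rejected"
  cat "$f"; rm -f "$f"
}
```
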

[identity profile] kalie-b.livejournal.com 2011-01-11 10:11 pm (UTC)
So this script is all we need to solve the problem? It shouldn't be that complicated after all unless you want to create your own little secure software for that.
Kalie - antivirus tools (http://free.antivirus.com)