On 23.02.2021 17:46, Daniel Shahaf wrote:
> If a cron job needs authentication, its credentials need to be stored
> somewhere, either in plaintext or in "as good as" plaintext.  I think
> storing the passwords in unobfuscated plaintext was a deliberate
> decision, informed by CVS's design choices in this regard, but I wasn't
> around in the early days.

It was deliberate. Reading those passwords requires access to the filesystem, so an attacker either has the affected user's credentials -- in which case they probably have access to any encrypted password store as well -- or they're root, and in _that_ case all bets are off anyway.

Note that recently operating systems have gone in the direction of _not_ letting root do everything without extra checks, so maybe the second assumption needs to be reconsidered.

In any case, encrypted or otherwise protected password stores have master passwords that have to be stored somewhere for unattended operation, so that's just moving the problem one level of indirection away.

-- Brane
