Dear Raghu,
We do not view this as a major security issue. As pointed out by Jamie on the forums, you should have configured the svn user/pass to be a system account with read only access, rather than your own user/pass.
Once your box is compromised, i.e. someone gets filesystem access, you are out of luck.
We need access to the plain text password for svn, because we need to pass that value to svn. Any 'encryption' would be pretty worthless because the secret would have to be shipped in the application.
Normally passwords are one-way encrypted, i.e. you can never get the plain text value back; you can only check to see if you have one that matches. However, in this case we need the plain text value of the user/pass, so one-way encryption is not possible.
In my view, it is a serious issue because the SVN repository I configure is my LDAP password. If someone opens that file, they can access any system with that LDAP password and they can do anything on my account. I can't restrict the file system, because some of my team members need access.
As pointed out by Jamie, you should not configure your LDAP user/pass for the svn repository, but instead configure a system account that has minimal access (read only to svn repository).
Kind Regards,
Partha Kamal
https://support.atlassian.com/browse/FSH-8447