From: Jeff King <peff@peff.net>
To: Eric Sunshine <sunshine@sunshineco.com>
Cc: "Johannes Schindelin" <Johannes.Schindelin@gmx.de>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Martin Langhoff" <martin.langhoff@gmail.com>,
"Git Mailing List" <git@vger.kernel.org>
Subject: Re: [PATCH 3/3] clone: auto-enable git-credential-store when necessary
Date: Mon, 20 May 2019 08:31:10 -0400 [thread overview]
Message-ID: <20190520123110.GE11212@sigill.intra.peff.net> (raw)
In-Reply-To: <CAPig+cTkjJjuyrDOUh92B16an+wy9OnZgyKY0-bihWnzyWsoKg@mail.gmail.com>
On Mon, May 20, 2019 at 07:28:08AM -0400, Eric Sunshine wrote:
> > The biggest downside is that it's a bit magical from the user's
> > perspective, because now the password is off in some other file (usually
> > ~/.git-credentials, but sometimes in $XDG_CONFIG_HOME). Which
> > complicates things if they want to purge the repo and password, for
> > example, because now they can't just delete the repository directory.
> >
> > The file location is documented, though, and we point people to the
> > documentation. So perhaps it will be enough (and better still, may lead
> > to them configuring a more secure helper).
>
> I'm trying to decide how I feel about this based upon my own
> experience recently of having my password magically stored by Git for
> Windows without warning or consent on a computer which was not my own
> but on which I needed to access a private GitHub repository. Although
> the situation is not perfectly analogous, the concern of having one's
> password magically squirreled-away _somewhere_ unexpectedly is the
> same. Being unfamiliar with Git for Windows's credential helper or
> Windows credential management in general, I experienced more than a
> few minutes of consternation and alarm before finally figuring out
> where Git for Windows had stored my password and how to remove it. The
> sense of alarm and discomfort likely would have not arisen had the
> credential helper given me the opportunity to approve or deny the
> action.
Thanks, that's a good elaboration of the uneasiness I was feeling. This
patch is better than the status quo in that your password was already
being squirreled away in plaintext, and now it's at least locked down
with filesystem permissions. But it's clearly not as far as we could go.
I was mostly just afraid to break existing workflows, but maybe we
should be more opinionated.
Or maybe we just need to give more specific details about how to back
out the change.
> > +"Note that the password is still stored in plaintext in the filesystem;\n"
> > +"consider configuring a more secure helper. See \"git help gitcredentials\"\n"
> > +"and \"git help git-credential-store\" for details.\n"
> > );
>
> Give the above experience, one way to mitigate such feelings of alarm
> might, at a minimum, be for this message to say where the password is
> being stored (and, possibly, how to remove it) so the user can do so
> immediately if desired. Prompting the user to approve or deny the
> action might also go a long way toward making this more palatable
> (assuming the session is interactive).
I actually thought about pointing to the file, but it's non-trivial to
do so (there's a bunch of internal logic in credential-store to decide
between $HOME and XDG locations).
I think what we really need are better commands to manage credentials
independent of helpers, and then we could recommend a simple command to
clear a credential that you don't want to have stored. Right now I think
the best you can do is:
echo url=https://example.com | git credential reject
but:
- "reject" is a funny term; this comes from the C code, which thinks
of it in terms of the server approving/rejecting (and that makes
sense for scripts calling this command). But at the helper level,
the operations are really store/erase. We probably ought to support
those names, too.
- piping the credential protocol is slightly awkward; we probably
ought to allow a url on the command line, and avoid reading stdin if
we get one.
That would give us:
git credential erase https://example.com
which is really quite readable. :)
Likewise, if we choose not to auto-enable the store helper, we'd
probably want to give advice on seeding your password. Right now that
is:
echo url=https://example.com | git credential fill | git credential approve
which is...not intuitive. It would make sense to me to have a "seed"
operation which does a fill/approve together. Maybe that should just be
what "store" does, which would allow:
$ git credential store https://example.com
Username for 'https://example.com':
Password for 'https://user@example.com':
(Of course you can also just "git fetch" to get prompted, but it seems
like this shouldn't require a network operation if you don't want it
to).
-Peff
next prev parent reply other threads:[~2019-05-20 12:31 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 17:49 Git ransom campaign incident report - May 2019 Martin Langhoff
2019-05-15 18:59 ` Ævar Arnfjörð Bjarmason
2019-05-16 4:27 ` Jeff King
2019-05-17 19:39 ` Johannes Schindelin
2019-05-17 22:20 ` Jeff King
2019-05-17 23:13 ` Martin Langhoff
2019-05-19 5:07 ` Jeff King
2019-05-19 5:10 ` [PATCH 1/3] transport_anonymize_url(): support retaining username Jeff King
2019-05-19 23:28 ` Eric Sunshine
2019-05-20 16:14 ` René Scharfe
2019-05-20 16:36 ` Johannes Schindelin
2019-05-20 16:43 ` Johannes Schindelin
2019-05-19 5:12 ` [PATCH 2/3] clone: avoid storing URL passwords in config Jeff King
2019-05-19 5:16 ` [PATCH 3/3] clone: auto-enable git-credential-store when necessary Jeff King
2019-05-20 11:28 ` Eric Sunshine
2019-05-20 12:31 ` Jeff King [this message]
2019-05-20 16:48 ` Johannes Schindelin
2019-05-20 13:56 ` Ævar Arnfjörð Bjarmason
2019-05-20 14:08 ` Jeff King
2019-05-20 15:17 ` Ævar Arnfjörð Bjarmason
2019-05-20 15:24 ` Jeff King
2019-05-20 17:08 ` Ævar Arnfjörð Bjarmason
2019-05-20 14:43 ` Git ransom campaign incident report - May 2019 Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190520123110.GE11212@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=martin.langhoff@gmail.com \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).