doc/security
author Paul Crowley <paul@lshift.net>
Tue, 13 Oct 2009 10:41:24 +0100
changeset 110 69596fffcf7d
parent 104 d9665b290636
child 111 eace50ec6427
permissions -rw-r--r--
Less canonicalisation, use os.path to check for dotfiles
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
SECURITY OF MERCURIAL-SERVER
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     3
mercurial-server relies entirely on sshd to grant access to remote users. As a
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     4
result, it runs no daemons, installs no setuid programs, and no part of it
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     5
runs as root except the install process: all programs run as the user hg. And
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     6
any attack on mercurial-server can only be started if the Bad Guys already
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     7
have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
way. No matter what command the user tries to run on the remote system via
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
ssh, mercurial-server is run. 
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    11
It parses the command line the user asked for, and interprets and runs the
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    12
corresponding hg operation itself if access is allowed, so users can only read
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
and add to history within repositories; they cannot run any other hg command.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    14
In addition, every push and pull is logged with a datestamp, changeset ID and
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    15
the key that performed the operation.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    16
104
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    17
However, while the first paragraph holds no matter what bugs
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    18
mercurial-server contains, the second depends on the relevant code being
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    19
correct; though the entire codebase is short, mercurial-server is a fairly
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    20
new program and may harbour bugs. Backups are
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    21
essential!