doc/security
author Paul Crowley <paul@lshift.net>
Wed, 14 Oct 2009 17:10:04 +0100
changeset 132 a5850a63390f
parent 113 dd545202d663
permissions -rw-r--r--
Move basic access control to the start of access control
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
SECURITY OF MERCURIAL-SERVER
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
111
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     3
mercurial-server relies entirely on sshd to grant access to remote users.
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     4
As a result, it runs no daemons, installs no setuid programs, and no part
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     5
of it runs as root except the install process: all programs run as the user
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     6
hg. And any attack on mercurial-server can only be started if the Bad Guys
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     7
already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
     8
bar the way.
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
111
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    10
No matter what command the user tries to run on the remote system via ssh,
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    11
mercurial-server is run. It parses the command line the user asked for, and
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    12
interprets and runs the corresponding hg operation itself if access is
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    13
allowed, so users can only read and add to history within repositories;
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    14
they cannot run any other hg command. In addition, every push and pull is
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    15
logged with a datestamp, changeset ID and the key that performed the
eace50ec6427 Fix a minor inaccuracy in the security docs
Paul Crowley <paul@lshift.net>
parents: 104
diff changeset
    16
operation.
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    17
104
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    18
However, while the first paragraph holds no matter what bugs
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    19
mercurial-server contains, the second depends on the relevant code being
d9665b290636 Fix remark in security documentation
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    20
correct; though the entire codebase is short, mercurial-server is a fairly
113
dd545202d663 where did that line break come from?
Paul Crowley <paul@lshift.net>
parents: 111
diff changeset
    21
new program and may harbour bugs. Backups are essential!