author | Paul Crowley <paul@lshift.net> |
Wed, 14 Oct 2009 15:36:12 +0100 | |
changeset 128 | b1610de4b6b1 |
parent 113 | dd545202d663 |
permissions | -rw-r--r-- |

SECURITY OF MERCURIAL-SERVER

mercurial-server relies entirely on sshd to grant access to remote users.
As a result, it runs no daemons, installs no setuid programs, and no part
of it runs as root except the install process: all programs run as the user
hg. And any attack on mercurial-server can only be started if the Bad Guys
already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will
bar the way.

No matter what command the user tries to run on the remote system via ssh,
mercurial-server is run. It parses the command line the user asked for, and
interprets and runs the corresponding hg operation itself if access is
allowed, so users can only read and add to history within repositories;
they cannot run any other hg command. In addition, every push and pull is
logged with a datestamp, changeset ID and the key that performed the
operation.

However, while the first paragraph holds no matter what bugs
mercurial-server contains, the second depends on the relevant code being
correct; though the entire codebase is short, mercurial-server is a fairly
new program and may harbour bugs. Backups are essential!
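The command-line check described in the second paragraph, written out as an added illustration in Python; this is not mercurial-server's own code. It assumes sshd hands over the client's request in SSH_ORIGINAL_COMMAND via a command= entry in ~hg/.ssh/authorized_keys, that the key name is known from that entry, and that the repository root, key names and changeset ID used below are constructed sample values.

```python
import os
import re
import shlex
from datetime import datetime, timezone

# A repository name is one or more path segments, each starting with a
# letter or digit. That rules out "..", absolute paths and empty segments,
# so an accepted name can never escape the repository root.
REPO_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9][A-Za-z0-9._-]*)*$")

class Refused(Exception):
    """The requested command is not a plain hg push/pull over ssh."""

def parse_command(original_command):
    """Return the repository named by an 'hg -R <repo> serve --stdio' line.

    The Mercurial client sends exactly that command for push and pull; any
    other request (a shell, another hg subcommand, ';'-joined commands,
    malformed quoting) raises Refused instead of being run.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError as exc:
        raise Refused("unparseable command: %s" % exc)
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        raise Refused("not an hg serve --stdio request: %r" % (original_command,))
    repo = argv[2]
    if not REPO_NAME.match(repo):
        raise Refused("bad repository name: %r" % repo)
    return repo

def is_allowed(original_command):
    """True if parse_command would accept the line, False otherwise."""
    try:
        parse_command(original_command)
    except Refused:
        return False
    return True

def build_hg_argv(repo_root, repo):
    """argv for the server-side hg process, anchored under repo_root (constructed)."""
    return ["hg", "-R", os.path.join(repo_root, repo), "serve", "--stdio"]

def log_line(key_name, op, repo, changeset, now=None):
    """One audit record: datestamp, key name, operation, repository, changeset."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    return "%s %s %s %s %s" % (stamp, key_name, op, repo, changeset)
```

Because the regex, not a blacklist, decides what a repository name may look like, the check fails closed: anything it does not recognise is refused rather than passed to a shell.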