author: Paul Crowley <paul@lshift.net>
date: Mon, 12 Oct 2009 12:08:19 +0100
changeset 104: d9665b290636 (Fix remark in security documentation)
parent 83: 86ec1268d306 (Move some docs out of the README to make it less daunting)
child 111: eace50ec6427
permissions: -rw-r--r--

SECURITY OF MERCURIAL-SERVER

mercurial-server relies entirely on sshd to grant access to remote users. As a
result, it runs no daemons, installs no setuid programs, and no part of it
runs as root except the install process: all programs run as the user hg. Any
attack on mercurial-server can therefore only begin if the attacker already
has a public key in ~hg/.ssh/authorized_keys; otherwise sshd bars the way. No
matter what command the user tries to run on the remote system via ssh,
mercurial-server is run.

mercurial-server parses the command line the user asked for, and interprets
and runs the corresponding hg operation itself if access is allowed, so users
can only read and add to history within repositories; they cannot run any
other hg command. In addition, every push and pull is logged with a datestamp,
changeset ID and the key that performed the operation.
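The arrangement the two paragraphs above describe, as an added example written
for this page (illustrative code, not mercurial-server's own): each key in
~hg/.ssh/authorized_keys carries a command= option, so sshd runs the dispatcher
whatever the client asked for and hands the client's request over in
SSH_ORIGINAL_COMMAND. The dispatcher accepts only "hg -R <repo> serve --stdio",
checks the key against an access table, makes read-only sessions refuse pushes
through hg hooks, logs the decision, and only then execs hg. The paths
(REPO_ROOT, /home/hg/dispatch.py), the ACCESS table, the key names alice, bob
and eve, and the particular hooks used for read-only access are assumptions of
the example.

```python
#!/usr/bin/env python3
# Added example, not mercurial-server's own code: a forced-command dispatcher
# for the hg account. Assumed authorized_keys entry (one per key):
#
#   command="/home/hg/dispatch.py alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice
#
# sshd runs this script whatever the client asked for and exposes the client's
# request in SSH_ORIGINAL_COMMAND. REPO_ROOT and ACCESS are assumed here.
import datetime
import os
import shlex
import sys

REPO_ROOT = "/home/hg/repos"
ACCESS = {                      # key name -> {repository: access level}
    "alice": {"project": "write"},
    "bob": {"project": "read"},
}
# Hooks that fail before any history or bookmark/phase change is committed, so a
# read-only key gets a serving process that can be pulled from but not pushed to.
READ_ONLY_HOOKS = [
    "--config", "hooks.prechangegroup.readonly=false",
    "--config", "hooks.prepushkey.readonly=false",
]


def parse_request(original_command):
    """Accept exactly 'hg -R <repo> serve --stdio'; return <repo> or None."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:          # unbalanced quotes and the like
        return None
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    repo = argv[2]
    # Reject absolute paths, '.', '..', empty and dot-prefixed components so the
    # path stays under REPO_ROOT and cannot reach .hg internals directly.
    if any(p in ("", ".", "..") or p.startswith(".") for p in repo.split("/")):
        return None
    return repo


def build_command(key, original_command, access=ACCESS):
    """Return the argv to exec for this key and request, or None to refuse."""
    repo = parse_request(original_command)
    if repo is None:
        return None
    level = access.get(key, {}).get(repo)
    if level not in ("read", "write"):
        return None
    argv = ["hg", "-R", os.path.join(REPO_ROOT, repo), "serve", "--stdio"]
    if level == "read":
        argv += READ_ONLY_HOOKS
    return argv


def log_line(key, original_command, argv, when=None):
    """One audit line per session: timestamp, key name, decision, raw request."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    decision = "allow" if argv else "deny"
    return "%s key=%s %s request=%r" % (when.isoformat(), key, decision, original_command or "")


def main():
    key = sys.argv[1] if len(sys.argv) > 1 else None   # passed by the command= entry
    request = os.environ.get("SSH_ORIGINAL_COMMAND")
    argv = build_command(key, request) if key else None
    sys.stderr.write(log_line(key, request, argv) + "\n")   # stand-in for a log file
    if argv is None:
        sys.stderr.write("access denied\n")
        sys.exit(255)
    os.execvp(argv[0], argv)    # replace this process with the hg server


if __name__ == "__main__":
    main()
```

Two points follow from this shape. First, the no-port-forwarding, no-pty and
related options on the authorized_keys line matter as much as the command=
option: without them a key that can only run the dispatcher could still
tunnel ports through the host. Second, the dispatcher can only log the key
and the raw request at session start; the changeset IDs the text mentions are
only known after the push has been received, so logging them needs an hg hook
running inside the repository, which this example does not show.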

However, while the first paragraph holds no matter what bugs mercurial-server
contains, the second depends on the relevant code being correct; though the
entire codebase is short, mercurial-server is a fairly new program and may
harbour bugs. Backups are essential!