358 </section> |
358 </section> |
359 <section> |
359 <section> |
360 <title>How mercurial-server works</title> |
360 <title>How mercurial-server works</title> |
361 <para> |
361 <para> |
362 All of the repositories controlled by mercurial-server are owned by a |
362 All of the repositories controlled by mercurial-server are owned by a |
363 single user, the <literal>hg</literal> user, which is why all URLs for |
363 single user, the <systemitem |
|
364 class="username">hg</systemitem> user, which is why all URLs for |
364 mercurial-server repositories start with <literal>ssh://hg@...</literal>. |
365 mercurial-server repositories start with <literal>ssh://hg@...</literal>. |
365 Each SSH key that has access to the repository has an entry in |
366 Each SSH key that has access to the repository has an entry in |
366 <filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon |
367 <filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon |
367 knows to give that key access. When the user connects over SSH, their |
368 knows to give that key access. When the user connects over SSH, their |
368 commands are run in a custom restricted shell; this shell knows which key |
369 commands are run in a custom restricted shell; this shell knows which key |
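Review bot: the new `<systemitem class="username">hg</systemitem>` markup replacing `<literal>hg</literal>` has its start tag broken across a line break (`<systemitem` on new line 363, `class="username">hg</systemitem>` on new line 364), which is well-formed XML but hard to read and defeats a simple grep for `systemitem class=`; keep the whole element on one line and rewrap the surrounding prose. The substitution itself is right: `hg` here names a Unix account rather than a command-line literal, and it is consistent with the `<filename>~hg/.ssh/authorized_keys</filename>` markup two lines further down.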
386 </para> |
387 </para> |
387 </section> |
388 </section> |
388 <section> |
389 <section> |
389 <title>Security</title> |
390 <title>Security</title> |
390 <para> |
391 <para> |
391 mercurial-server relies entirely on sshd to grant access to remote users. |
392 mercurial-server relies entirely on <command>sshd</command> to grant access to remote users. |
392 As a result, it runs no daemons, installs no setuid programs, and no part |
393 As a result, it runs no daemons, installs no setuid programs, and no part |
393 of it runs as root except the install process: all programs run as the user |
394 of it runs as <systemitem |
394 hg. Any attack on mercurial-server can only be started if the attacker |
395 class="username">root</systemitem> except the install process: all programs run as the user |
|
396 <systemitem |
|
397 class="username">hg</systemitem>. Any attack on mercurial-server can only be started if the attacker |
395 already has a public key in <filename>~hg/.ssh/authorized_keys</filename>, |
398 already has a public key in <filename>~hg/.ssh/authorized_keys</filename>, |
396 otherwise sshd will bar the way. |
399 otherwise <command>sshd</command> will bar the way. |
397 </para> |
400 </para> |
398 <para> |
401 <para> |
399 No matter what command the user tries to run on the remote system via SSH, |
402 No matter what command the user tries to run on the remote system via SSH, |
400 mercurial-server is run. It parses the command line the user asked for, and |
403 mercurial-server is run. It parses the command line the user asked for, and |
401 interprets and runs the corresponding hg operation itself if access is |
404 interprets and runs the corresponding operation itself if access is |
402 allowed, so users can only read and add to history within repositories; |
405 allowed, so users can only read and add to history within repositories; |
403 they cannot run any other hg command. In addition, every push and pull is |
406 they cannot run any other command. In addition, every push and pull is |
404 logged with a datestamp, changeset ID and the key that performed the |
407 logged with a datestamp, changeset ID and the key that performed the |
405 operation. |
408 operation. |
406 </para> |
409 </para> |
407 <para> |
410 <para> |
408 However, while the first paragraph holds no matter what bugs |
411 However, while the first paragraph holds no matter what bugs |
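Review bot: dropping `hg` from `the corresponding hg operation` and `any other hg command` (new lines 404 and 406) weakens a security-relevant statement: the old text said users are restricted to push and pull among hg commands, while `they cannot run any other command` now reads as a claim about shell commands, which the first sentence of the paragraph already makes. If the goal was to avoid a bare `hg` in prose, mark it up instead, e.g. `the corresponding <command>hg</command> operation` and `any other <command>hg</command> command`, matching the new `<command>sshd</command>` markup in this same hunk. Same wrapping nit as in the previous hunk: the `<systemitem` start tags for `root` and `hg` (new lines 394 to 397) are split across line breaks; keep each element on one line.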