doc/manual.docbook
changeset 151 5758cf47ff43
parent 150 02b464a6b433
child 152 f4688940fe15
150:02b464a6b433 151:5758cf47ff43
   358 </section>
   358 </section>
   359 <section>
   359 <section>
   360 <title>How mercurial-server works</title>
   360 <title>How mercurial-server works</title>
   361 <para>
   361 <para>
   362 All of the repositories controlled by mercurial-server are owned by a
   362 All of the repositories controlled by mercurial-server are owned by a
   363 single user, the <literal>hg</literal> user, which is why all URLs for
   363 single user, the <systemitem
       
   364 class="username">hg</systemitem> user, which is why all URLs for
   364 mercurial-server repositories start with <literal>ssh://hg@...</literal>.
   365 mercurial-server repositories start with <literal>ssh://hg@...</literal>.
   365 Each SSH key that has access to the repository has an entry in
   366 Each SSH key that has access to the repository has an entry in
   366 <filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon
   367 <filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon
   367 knows to give that key access. When the user connects over SSH, their
   368 knows to give that key access. When the user connects over SSH, their
   368 commands are run in a custom restricted shell; this shell knows which key
   369 commands are run in a custom restricted shell; this shell knows which key
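Review bot: the new `<systemitem class="username">` start tag around `hg` in the "single user, the" sentence is split across a line break between the element name and its `class` attribute; this is well-formed XML but defeats a plain grep for `<systemitem class="username">`, so consider keeping the start tag on one line. Leaving the `hg` in `<literal>ssh://hg@...</literal>` on the following line unchanged is right, since there it is part of a URL rather than a username.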
   386 </para>
   387 </para>
   387 </section>
   388 </section>
   388 <section>
   389 <section>
   389 <title>Security</title>
   390 <title>Security</title>
   390 <para>
   391 <para>
   391 mercurial-server relies entirely on sshd to grant access to remote users.
   392 mercurial-server relies entirely on <command>sshd</command> to grant access to remote users.
   392 As a result, it runs no daemons, installs no setuid programs, and no part
   393 As a result, it runs no daemons, installs no setuid programs, and no part
   393 of it runs as root except the install process: all programs run as the user
   394 of it runs as <systemitem
   394 hg. Any attack on mercurial-server can only be started if the attacker
   395 class="username">root</systemitem> except the install process: all programs run as the user
       
   396 <systemitem
       
   397 class="username">hg</systemitem>. Any attack on mercurial-server can only be started if the attacker
   395 already has a public key in <filename>~hg/.ssh/authorized_keys</filename>,
   398 already has a public key in <filename>~hg/.ssh/authorized_keys</filename>,
   396 otherwise sshd will bar the way.
   399 otherwise <command>sshd</command> will bar the way.
   397 </para>
   400 </para>
   398 <para>
   401 <para>
   399 No matter what command the user tries to run on the remote system via SSH,
   402 No matter what command the user tries to run on the remote system via SSH,
   400 mercurial-server is run. It parses the command line the user asked for, and
   403 mercurial-server is run. It parses the command line the user asked for, and
   401 interprets and runs the corresponding hg operation itself if access is
   404 interprets and runs the corresponding operation itself if access is
   402 allowed, so users can only read and add to history within repositories;
   405 allowed, so users can only read and add to history within repositories;
   403 they cannot run any other hg command. In addition, every push and pull is
   406 they cannot run any other command. In addition, every push and pull is
   404 logged with a datestamp, changeset ID and the key that performed the
   407 logged with a datestamp, changeset ID and the key that performed the
   405 operation.
   408 operation.
   406 </para>
   409 </para>
   407 <para>
   410 <para>
   408 However, while the first paragraph holds no matter what bugs
   411 However, while the first paragraph holds no matter what bugs
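Review bot: dropping `hg` from "the corresponding hg operation itself" and from "they cannot run any other hg command" weakens the paragraph's point. The original wording distinguished the permitted read and push operations from every other hg subcommand, which is the restriction the custom shell actually enforces; "any other command" only restates the paragraph's first sentence about arbitrary SSH commands. Suggest keeping the word and marking it up consistently with the new `<command>sshd</command>`, e.g. "runs the corresponding <command>hg</command> operation itself" and "cannot run any other <command>hg</command> command". The remaining markup changes (`<command>sshd</command>`, `<systemitem class="username">` for `root` and `hg`) match the previous hunk, though the `<systemitem` start tags are again broken across a line before the `class` attribute.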