1 SECURITY OF MERCURIAL-SERVER |
1 SECURITY OF MERCURIAL-SERVER |
2 |
2 |
3 mercurial-server relies entirely on sshd to grant access to remote users. As a |
3 mercurial-server relies entirely on sshd to grant access to remote users. |
4 result, it runs no daemons, installs no setuid programs, and no part of it |
4 As a result, it runs no daemons, installs no setuid programs, and no part |
5 runs as root except the install process: all programs run as the user hg. And |
5 of it runs as root except the install process: all programs run as the user |
6 any attack on mercurial-server can only be started if the Bad Guys already |
6 hg. And any attack on mercurial-server can only be started if the Bad Guys |
7 have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the |
7 already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will |
8 way. No matter what command the user tries to run on the remote system via |
8 bar the way. |
9 ssh, mercurial-server is run. |
|
10 |
9 |
11 It parses the command line the user asked for, and interprets and runs the |
10 No matter what command the user tries to run on the remote system via ssh, |
12 corresponding hg operation itself if access is allowed, so users can only read |
11 mercurial-server is run. It parses the command line the user asked for, and |
13 and add to history within repositories; they cannot run any other hg command. |
12 interprets and runs the corresponding hg operation itself if access is |
14 In addition, every push and pull is logged with a datestamp, changeset ID and |
13 allowed, so users can only read and add to history within repositories; |
15 the key that performed the operation. |
14 they cannot run any other hg command. In addition, every push and pull is |
|
15 logged with a datestamp, changeset ID and the key that performed the |
|
16 operation. |
16 |
17 |
17 However, while the first paragraph holds no matter what bugs mercurial-server |
18 However, while the first paragraph holds no matter what bugs |
18 contains, the second depends on the relevant code being correct; though the |
19 mercurial-server contains, the second depends on the relevant code being |
19 entire codebase is currently only about twice as long as this README, |
20 correct; though the entire codebase is short, mercurial-server is a fairly |
20 mercurial-server is a fairly new program and may harbour bugs. Backups are |
21 new program and may harbour bugs. Backups are essential! |
21 essential! |
|