doc/security
changeset 83 86ec1268d306
child 104 d9665b290636
82:7369ff737684 83:86ec1268d306
       
     1 SECURITY OF MERCURIAL-SERVER
       
     2 
       
     3 mercurial-server relies entirely on sshd to grant access to remote users. As a
       
     4 result, it runs no daemons, installs no setuid programs, and no part of it
       
     5 runs as root except the install process: all programs run as the user hg. And
       
     6 any attack on mercurial-server can only be started if the Bad Guys already
       
     7 have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the
       
     8 way. No matter what command the user tries to run on the remote system via
       
     9 ssh, mercurial-server is run. 
       
    10 
       
    11 It parses the command line the user asked for, and interprets and runs the
       
    12 corresponding hg operation itself if access is allowed, so users can only read
       
    13 and add to history within repositories; they cannot run any other hg command.
       
    14 In addition, every push and pull is logged with a datestamp, changeset ID and
       
    15 the key that performed the operation.
       
    16 
       
    17 However, while the first paragraph holds no matter what bugs mercurial-server
       
    18 contains, the second depends on the relevant code being correct; though the
       
    19 entire codebase is currently only about twice as long as this README,
       
    20 mercurial-server is a fairly new program and may harbour bugs. Backups are
       
    21 essential!
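
Review bot: The sentence at lines 8-9 ("No matter what command the user tries to run on the remote system via ssh, mercurial-server is run") states a guarantee without naming what enforces it, and lines 17-18 then claim that the whole first paragraph holds regardless of bugs in mercurial-server. Suggest stating the mechanism explicitly (for example a forced command= option on each entry in ~hg/.ssh/authorized_keys, if that is how it is done) and which program writes that file: if mercurial-server itself generates authorized_keys, a bug in that code would undermine the first paragraph as well, and the claim at lines 17-18 should be narrowed to match. It would also help to say where the push and pull log described at lines 14-15 is stored, so that administrators know to include it in the backups the last sentence calls for.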