doc/security
changeset 111 eace50ec6427
parent 104 d9665b290636
child 113 dd545202d663
110:69596fffcf7d 111:eace50ec6427
     1 SECURITY OF MERCURIAL-SERVER
     1 SECURITY OF MERCURIAL-SERVER
     2 
     2 
     3 mercurial-server relies entirely on sshd to grant access to remote users. As a
     3 mercurial-server relies entirely on sshd to grant access to remote users.
     4 result, it runs no daemons, installs no setuid programs, and no part of it
     4 As a result, it runs no daemons, installs no setuid programs, and no part
     5 runs as root except the install process: all programs run as the user hg. And
     5 of it runs as root except the install process: all programs run as the user
     6 any attack on mercurial-server can only be started if the Bad Guys already
     6 hg. And any attack on mercurial-server can only be started if the Bad Guys
     7 have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the
     7 already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will
     8 way. No matter what command the user tries to run on the remote system via
     8 bar the way.
     9 ssh, mercurial-server is run. 
       
    10 
     9 
    11 It parses the command line the user asked for, and interprets and runs the
    10 No matter what command the user tries to run on the remote system via ssh,
    12 corresponding hg operation itself if access is allowed, so users can only read
    11 mercurial-server is run. It parses the command line the user asked for, and
    13 and add to history within repositories; they cannot run any other hg command.
    12 interprets and runs the corresponding hg operation itself if access is
    14 In addition, every push and pull is logged with a datestamp, changeset ID and
    13 allowed, so users can only read and add to history within repositories;
    15 the key that performed the operation.
    14 they cannot run any other hg command. In addition, every push and pull is
       
    15 logged with a datestamp, changeset ID and the key that performed the
       
    16 operation.
    16 
    17 
    17 However, while the first paragraph holds no matter what bugs
    18 However, while the first paragraph holds no matter what bugs
    18 mercurial-server contains, the second depends on the relevant code being
    19 mercurial-server contains, the second depends on the relevant code being
    19 correct; though the entire codebase is short, mercurial-server is a fairly
    20 correct; though the entire codebase is short, mercurial-server is a fairly
    20 new program and may harbour bugs. Backups are
    21 new program and may harbour bugs. Backups are
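Review bot: The paragraph break moves from after "mercurial-server is run." (old lines 8-10) to after "bar the way." (new lines 8-9), so the sentence "No matter what command the user tries to run on the remote system via ssh, mercurial-server is run" now opens the second paragraph instead of closing the first. The unchanged "However" paragraph says the first paragraph holds no matter what bugs mercurial-server contains, while the second depends on the relevant code being correct, so this re-wrap also changes which of those two categories that sentence is claimed to belong to. If the move is intentional, the change description should say so. Either way, consider having the "However" paragraph name the guarantees it means (the sshd key check versus the command parsing and access check) rather than refer to paragraphs by position, so that a later re-flow cannot silently alter the security claim.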