doc/security
author Paul Crowley <paul@lshift.net>
Wed, 14 Oct 2009 18:05:39 +0100
changeset 140 0f79d1bea07e
parent 113 dd545202d663
permissions -rw-r--r--
Beef up the caution

SECURITY OF MERCURIAL-SERVER

mercurial-server relies entirely on sshd to grant access to remote users.
As a result, it runs no daemons, installs no setuid programs, and no part
of it runs as root except the install process: all programs run as the user
hg. And any attack on mercurial-server can only be started if the Bad Guys
already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will
bar the way.

No matter what command the user tries to run on the remote system via ssh,
mercurial-server is run. It parses the command line the user asked for, and
interprets and runs the corresponding hg operation itself if access is
allowed, so users can only read and add to history within repositories;
they cannot run any other hg command. In addition, every push and pull is
logged with a datestamp, changeset ID and the key that performed the
operation.

However, while the first paragraph holds no matter what bugs
mercurial-server contains, the second depends on the relevant code being
correct; though the entire codebase is short, mercurial-server is a fairly
new program and may harbour bugs. Backups are essential!