doc/security
author Paul Crowley <paul@lshift.net>
Mon, 12 Oct 2009 17:04:26 +0100
changeset 109 72100d3ed1bd
parent 104 d9665b290636
child 111 eace50ec6427
permissions -rw-r--r--
Don't mix exceptions and sys.exit based failures

SECURITY OF MERCURIAL-SERVER

mercurial-server relies entirely on sshd to grant access to remote users. As a
result, it runs no daemons, installs no setuid programs, and no part of it
runs as root except the install process: all programs run as the user hg. And
any attack on mercurial-server can only be started if the Bad Guys already
have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the
way. No matter what command the user tries to run on the remote system via
ssh, mercurial-server is run. 

It parses the command line the user asked for, and interprets and runs the
corresponding hg operation itself if access is allowed, so users can only read
and add to history within repositories; they cannot run any other hg command.
In addition, every push and pull is logged with a datestamp, changeset ID and
the key that performed the operation.

However, while the first paragraph holds no matter what bugs
mercurial-server contains, the second depends on the relevant code being
correct; though the entire codebase is short, mercurial-server is a fairly
new program and may harbour bugs. Backups are
essential!