diff -r e99262dfa950 -r 731a72b742db doc/security --- a/doc/security Thu May 28 10:43:30 2009 +0100 +++ b/doc/security Tue Oct 13 15:30:03 2009 +0100 
@@ -1,21 +1,21 @@ SECURITY OF MERCURIAL-SERVER -mercurial-server relies entirely on sshd to grant access to remote users. As a -result, it runs no daemons, installs no setuid programs, and no part of it -runs as root except the install process: all programs run as the user hg. And -any attack on mercurial-server can only be started if the Bad Guys already -have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the -way. No matter what command the user tries to run on the remote system via -ssh, mercurial-server is run. +mercurial-server relies entirely on sshd to grant access to remote users. +As a result, it runs no daemons, installs no setuid programs, and no part +of it runs as root except the install process: all programs run as the user +hg. And any attack on mercurial-server can only be started if the Bad Guys +already have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will +bar the way. -It parses the command line the user asked for, and interprets and runs the -corresponding hg operation itself if access is allowed, so users can only read -and add to history within repositories; they cannot run any other hg command. -In addition, every push and pull is logged with a datestamp, changeset ID and -the key that performed the operation. +No matter what command the user tries to run on the remote system via ssh, +mercurial-server is run. It parses the command line the user asked for, and +interprets and runs the corresponding hg operation itself if access is +allowed, so users can only read and add to history within repositories; +they cannot run any other hg command. In addition, every push and pull is +logged with a datestamp, changeset ID and the key that performed the +operation. 
-However, while the first paragraph holds no matter what bugs mercurial-server -contains, the second depends on the relevant code being correct; though the -entire codebase is currently only about twice as long as this README, -mercurial-server is a fairly new program and may harbour bugs. Backups are -essential! +However, while the first paragraph holds no matter what bugs +mercurial-server contains, the second depends on the relevant code being +correct; though the entire codebase is short, mercurial-server is a fairly +new program and may harbour bugs. Backups are essential!
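Review bot: In the reflowed text, the sentence "No matter what command the user tries to run on the remote system via ssh, mercurial-server is run." now opens the second paragraph, yet the closing paragraph still says the first paragraph holds no matter what bugs mercurial-server contains while the second depends on the relevant code being correct. The move therefore reclassifies this guarantee from bug-independent to bug-dependent. If the guarantee comes from the sshd setup rather than from mercurial-server's own command parsing, keep the sentence in the first paragraph, or reword the closing paragraph to name the guarantees it means instead of referring to them by paragraph position. Separately, replacing "only about twice as long as this README" with "short" removes the only concrete size measure in the document; a figure the reader can check, such as a line count, would serve better.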