# HG changeset patch # User Paul Crowley # Date 1255601114 -3600 # Node ID 5758cf47ff43c9a99ef45cc88d294e5aa0c87cb6 # Parent 02b464a6b43314c3f10f8395f8d4e6ac6096fefc cleanups to the security section diff -r 02b464a6b433 -r 5758cf47ff43 doc/manual.docbook --- a/doc/manual.docbook Thu Oct 15 11:00:32 2009 +0100 +++ b/doc/manual.docbook Thu Oct 15 11:05:14 2009 +0100 @@ -360,7 +360,8 @@ How mercurial-server works All of the repositories controlled by mercurial-server are owned by a -single user, the hg user, which is why all URLs for +single user, the hg user, which is why all URLs for mercurial-server repositories start with ssh://hg@.... Each SSH key that has access to the repository has an entry in ~hg/.ssh/authorized_keys; this is how the SSH daemon @@ -388,19 +389,21 @@
Security -mercurial-server relies entirely on sshd to grant access to remote users. +mercurial-server relies entirely on sshd to grant access to remote users. As a result, it runs no daemons, installs no setuid programs, and no part -of it runs as root except the install process: all programs run as the user -hg. Any attack on mercurial-server can only be started if the attacker +of it runs as root except the install process: all programs run as the user +hg. Any attack on mercurial-server can only be started if the attacker already has a public key in ~hg/.ssh/authorized_keys, -otherwise sshd will bar the way. +otherwise sshd will bar the way. No matter what command the user tries to run on the remote system via SSH, mercurial-server is run. It parses the command line the user asked for, and -interprets and runs the corresponding hg operation itself if access is +interprets and runs the corresponding operation itself if access is allowed, so users can only read and add to history within repositories; -they cannot run any other hg command. In addition, every push and pull is +they cannot run any other command. In addition, every push and pull is logged with a datestamp, changeset ID and the key that performed the operation.
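Review bot: In the first hunk (@@ -360,7 +360,8 @@) the removed and added lines render identically ("single user, the hg user, which is why all URLs for"), so whatever changed must be markup that does not survive plain-text rendering; the commit message "cleanups to the security section" should say which markup was touched (for example, which terms were tagged as literals) so the change can be reviewed against the rendered manual rather than guessed at.

Review bot: In the second hunk (@@ -388,19 +389,21 @@) two claims deserve a qualifier or a pointer before this ships. First, "Any attack on mercurial-server can only be started if the attacker already has a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the way" assumes sshd itself and the root-run install process are sound; suggest "Any attack on mercurial-server's own code can only be started if..." so the sentence does not read as a blanket guarantee. Second, dropping "hg" from "they cannot run any other hg command" widens it to "they cannot run any other command", which is the stronger reading the preceding sentence ("No matter what command the user tries to run on the remote system via SSH, mercurial-server is run") intends; the section should then say how that is enforced, namely that every entry mercurial-server writes to ~hg/.ssh/authorized_keys forces its own command, since the text as written leaves the reader to infer the mechanism from the earlier hunk's "Each SSH key that has access to the repository has an entry in ~hg/.ssh/authorized_keys".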