[issue778] hooks not run in hgwebdir, but works in global hgrc

Matt Mackall mpm at selenic.com
Fri Oct 12 18:42:19 CDT 2007


On Sat, Oct 13, 2007 at 09:09:38AM +1000, James Mills wrote:
> On Fri, Oct 12, 2007 at 11:15:16AM -0500, Matt Mackall wrote:
> > This is a security feature.
> > 
> > Mercurial doesn't trust most settings in hgrc files that are not owned
> > by the current user. If it did, Alice could add an extension to
> > .hg/hgrc that would steal Bob's data when Bob ran "hg log" in her
> > directory. Similar problems are possible with hooks as well.
> 
> How then do we get a hook working?
> 
> I have apache running as the 'www' user
> with my hg repos in /data/hg/public/
> 
> My hook is in /data/hg/scripts/
> and is owned by root:root

But the important bit is: who owns the _config file_ where the hook is
specified? It must match the user running Mercurial.

-- 
Mathematics is the supreme nostalgia of our time.
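
The ownership rule from this reply, as an added example that is not part of the original message or Mercurial's own code: it lists every `.hg/hgrc` under a repository root that declares `[hooks]` and reports whether the file's owner matches the uid Mercurial runs as. The function names, the sample tree and the hook script path are constructed for illustration, and only the owner match described above is checked.

```python
import configparser
import os
import tempfile


def hook_config_report(repo_root, serving_uid):
    """Return (hgrc_path, owner_uid, hook_names, owner_matches) for each
    repository under repo_root whose .hg/hgrc has a [hooks] section."""
    report = []
    for entry in sorted(os.listdir(repo_root)):
        hgrc = os.path.join(repo_root, entry, ".hg", "hgrc")
        if not os.path.isfile(hgrc):
            continue
        parser = configparser.RawConfigParser(strict=False)
        try:
            parser.read(hgrc)
        except configparser.Error:
            continue  # unparsable file: nothing to report on here
        if not parser.has_section("hooks"):
            continue
        owner = os.stat(hgrc).st_uid
        hooks = sorted(parser.options("hooks"))
        # Rule from the message: the config file's owner must be the
        # user running Mercurial, otherwise its hooks are not run.
        report.append((hgrc, owner, hooks, owner == serving_uid))
    return report


def build_sample_tree(root):
    """Constructed sample: two repositories, only 'public' declares a hook."""
    samples = {
        "public": "[hooks]\nchangegroup.notify = /data/hg/scripts/notify\n",
        "plain": "[ui]\nusername = example\n",
    }
    for name, text in samples.items():
        os.makedirs(os.path.join(root, name, ".hg"))
        with open(os.path.join(root, name, ".hg", "hgrc"), "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        # On a real server pass the web server user's uid instead,
        # e.g. pwd.getpwnam("www").pw_uid for the setup in the thread.
        for path, owner, hooks, ok in hook_config_report(root, os.getuid()):
            state = "owner matches" if ok else "owner differs: hooks ignored"
            print(f"{path} uid={owner} hooks={hooks} -> {state}")
```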

