Mercurial-server and hgrc

Robert Bauck Hamar r.b.hamar at usit.uio.no
Fri Apr 30 06:41:59 CDT 2010


*hjazz6:
>I've set it up using the instructions described here,
>http://dev.lshift.net/paul/mercurial-server/docbook.html , and if I
>didn't set it up incorrectly, users don't need a password to log in to the
>server hosting all the repositories. My question is, isn't this a security
>risk?

Password or not password is not the issue. Instead of a password, you 
would use a key, and you should be the only person having access to this 
key. It's a security risk if your users are stupid and lose the 
password or key, either way. (In that manner, having a key not protected 
by a passphrase is like writing down your password in the most obvious 
place.)

>Users can simply log in and change/read/write the files and bypass the 
>access control implemented by mercurial-server. Or is there a way to prevent 
>users from logging into the server directly? I'm new to the ssh stuff, so 
>all this is rather confusing to me.

When you log in to a *NIX computer, a program called the shell is 
executed. The shell is the program you type commands into, and it 
translates each command into some action (e.g. running some program). When a 
user logs in with ssh, ssh can be set up to run a specific 
program as the shell. The trick is to replace the shell with a special 
program that only accepts safe commands and does not let your 
users change any settings. This shell can be set differently based on 
the user's key, so some keys can be given more privileges than others.

>Another question is can .hg/hgrc files be pushed/pulled from repositories?

No. Since you can set up hooks and extensions in these files, this would be 
a security risk. .hg/hgrc should never be tracked by hg.

-- 
Robert Bauck Hamar
USIT/SAPP/GT - Cerebrum
http://www.uio.no/sok?person=roberth
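The per-key "restricted shell" described in the reply above, as an added example that is not part of the original post and not mercurial-server's own code. It shows the two halves of the mechanism: an authorized_keys entry that forces a command for one key (with the usual no-* options so the key gets no shell, PTY or forwarding), and a small wrapper that only ever runs `hg -R <repo> serve --stdio` for a repository on an allow-list. The repository root (`/var/hg/repos`), the allow-list (`project-a project-b`), the install path `/usr/local/bin/hg-restricted` and the key material are all assumed placeholders; `REPO_ROOT` is also assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not mercurial-server's own code): a minimal forced-command
# wrapper that stands in for the login shell. It lets an ssh key speak hg's
# ssh protocol to an approved repository and nothing else.
#
# Hypothetical authorized_keys entry (one line; key material is a placeholder):
#   command="/usr/local/bin/hg-restricted --forced",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... alice@example.org
#
# Assumed layout: repositories live under $REPO_ROOT (no whitespace in the
# path) and the names this key may touch are listed in $ALLOWED_REPOS.
REPO_ROOT="${REPO_ROOT:-/var/hg/repos}"
ALLOWED_REPOS="${ALLOWED_REPOS:-project-a project-b}"

# hg_restricted_cmd CLIENT_COMMAND
# Accepts only the exact shape "hg -R <name> serve --stdio" that the hg ssh
# client sends, where <name> is a single path component on the allow-list.
# On success prints the command to run (repository resolved under $REPO_ROOT)
# and returns 0. Anything else returns 1 and prints nothing.
hg_restricted_cmd() {
    cmd="$1"
    case "$cmd" in
        "hg -R "*" serve --stdio") ;;
        *) return 1 ;;
    esac
    repo="${cmd#hg -R }"
    repo="${repo% serve --stdio}"
    # Reject anything that is not a plain name: empty, nested paths,
    # traversal, option-like names, shell metacharacters, embedded whitespace.
    case "$repo" in
        ''|*/*|*..*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    for allowed in $ALLOWED_REPOS; do
        if [ "$repo" = "$allowed" ]; then
            printf '%s\n' "hg -R $REPO_ROOT/$repo serve --stdio"
            return 0
        fi
    done
    return 1
}

# hg_restricted_exec
# Entry point when sshd runs us as a forced command: the command the client
# actually asked for arrives in SSH_ORIGINAL_COMMAND, and anything that does
# not validate is refused instead of handed to a shell.
hg_restricted_exec() {
    resolved=$(hg_restricted_cmd "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "hg-restricted: command not permitted" >&2
        exit 1
    }
    # $resolved was assembled from validated pieces only, so word-splitting
    # it here cannot smuggle in extra arguments.
    # shellcheck disable=SC2086
    exec $resolved
}

# Only act as the forced command when invoked with --forced, so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "--forced" ]; then
    hg_restricted_exec
fi
```

Because the key's only entry point is `command=...`, a user who runs `ssh hg@server` with no command, or `ssh hg@server /bin/sh`, gets the "command not permitted" message rather than a shell, which is the answer to the "can't they just log in?" question. Newer OpenSSH releases offer a single `restrict` option that covers the no-* options above, and mercurial-server maintains the authorized_keys file itself from its keys directory; this wrapper is only meant to show what that generated entry is doing.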