Publishing Mercurial Repositories Securely
This page describes how to allow limited access to Mercurial repositories via HTTP or SSH without allowing clients to execute arbitrary commands.
1. Security model
Mercurial's command line uses a security model appropriate for a command line: a user who can run a Mercurial command is allowed to do anything that the operating system will let that user do, including running other commands.
Similarly, the built-in Web interface, hgweb, trusts the REMOTE_USER environment variable to control access. No user authentication is done by hgweb.
To safely serve repositories with limited access, Mercurial relies on the security mechanisms built into the operating system or Web server it's running on. This means not exposing Mercurial directly to the Internet, but rather through a wrapper script or behind an HTTP server like Apache.
2. Configuring a server for limited access
General guidelines regardless of protocol:
- Do not allow users to upload or write files to the part of the filesystem containing the repository/-ies via any other means. In particular, do not allow them to write hgrc (or Mercurial.ini) files to any of the locations where Mercurial will read them (see hg help -v config for a list of these locations).
SSH-specific:
- Specify a command in authorized_keys. This replaces any command that the user passes to ssh(1) and puts the original command in the SSH_ORIGINAL_COMMAND environment variable.
- Use a wrapper script such as hg-ssh to sanitize the invocation of hg(1). Wrapper scripts should not allow the user to specify anything in the hg command line except the path to the repository. hg-ssh takes care of this for you.
- If you use a custom wrapper script:
  - Its invocation of Mercurial must start with precisely the arguments: hg, -R, <repo path>, serve, --stdio, where <repo path> is replaced by the path to the repository.
  - It should expand and sanitize the <repo path> before passing it to Mercurial.
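The following is an added example of such a custom wrapper, not Mercurial's own hg-ssh: it reads SSH_ORIGINAL_COMMAND, accepts only a command of the exact shape hg -R <repo path> serve --stdio, canonicalizes the path, checks it against the allow-list given as the wrapper's own arguments, and refuses anything else. The script path and repository paths in the authorized_keys comment are assumptions.

```python
"""SSH forced-command wrapper for Mercurial (added example, not hg-ssh).

Assumed authorized_keys entry (paths are illustrative):
  command="/usr/local/bin/hg-wrapper.py /srv/hg/project",no-pty,
  no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA... user@host
"""
import os
import shlex
import subprocess
import sys


def parse_repo_request(original_command):
    """Return the requested repo path only if the client asked for a plain
    'hg -R <repo> serve --stdio' invocation with nothing else; else None."""
    try:
        # `or ""` matters: shlex.split(None) would read from stdin.
        argv = shlex.split(original_command or "")
    except ValueError:  # unbalanced quotes and similar
        return None
    # Exactly five tokens, so no extra options can be smuggled in.
    if len(argv) != 5:
        return None
    if argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    return argv[2]


def resolve_allowed_repo(requested, allowed_roots):
    """Canonicalize the requested path (expand ~, resolve symlinks and ..)
    and accept it only if it is exactly one of the allowed repositories."""
    real = os.path.realpath(os.path.expanduser(requested))
    allowed = {os.path.realpath(os.path.expanduser(p)) for p in allowed_roots}
    return real if real in allowed else None


def build_hg_argv(original_command, allowed_roots):
    """Build the only argv this wrapper will ever execute, or None to deny."""
    requested = parse_repo_request(original_command)
    if requested is None:
        return None
    repo = resolve_allowed_repo(requested, allowed_roots)
    if repo is None:
        return None
    return ["hg", "-R", repo, "serve", "--stdio"]


if __name__ == "__main__":
    argv = build_hg_argv(os.environ.get("SSH_ORIGINAL_COMMAND"), sys.argv[1:])
    if argv is None:
        sys.stderr.write("Illegal command\n")
        sys.exit(255)
    sys.exit(subprocess.call(argv))  # argv list, no shell involved
```

Because the wrapper itself builds the argv and execs it without a shell, the client never controls anything but the repository path, and that path is accepted only after canonicalization.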
HTTP-specific:
- If you authenticate users or allow push access, use HTTPS. You can get a free SSL/TLS certificate to enable this from Let's Encrypt.
- Do not put your hgweb config file or your Web server's password file (.htaccess or similar) under the same directory as your repositories.