#pragma section-numbers 2
= Publishing Mercurial Repositories Securely =

This page describes how to allow limited access to Mercurial repositories via HTTP or SSH without allowing clients to execute arbitrary commands.

== Security model ==

Mercurial's command line uses a security model appropriate for a command line: a user who can run a Mercurial command is allowed to do anything that the operating system will let that user do, including running other commands. Similarly, the built-in Web interface, hgweb, trusts the `REMOTE_USER` environment variable to control access. No user authentication is done by hgweb.

To safely serve repositories with limited access, Mercurial relies on the security mechanisms built into the operating system or Web server it's running on. This means not exposing Mercurial directly to the Internet, but rather placing it behind a wrapper script or an HTTP server like [[http://httpd.apache.org/|Apache]].

== Configuring a server for limited access ==

General guidelines regardless of protocol:

 * Do not allow users to upload or write files to the part of the filesystem containing the repository (or repositories) via any other means. In particular, do not allow them to write hgrc (or Mercurial.ini) files to any of the locations where Mercurial reads them (see `hg help -v config` for a list of these locations).

SSH-specific:

 * Specify a command in authorized_keys. This replaces any command that the user passes to ssh(1) and puts the original command in the `SSH_ORIGINAL_COMMAND` environment variable.
 * Use a wrapper script such as [[https://www.mercurial-scm.org/repo/hg/file/tip/contrib/hg-ssh|hg-ssh]] to sanitize the invocation of hg(1). Wrapper scripts should not allow the user to specify anything on the hg command line except the path to the repository. hg-ssh takes care of this for you.
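What such a wrapper has to enforce, as an added example written for this page (it is not the hg-ssh script itself): a forced-command wrapper in Python that reads `SSH_ORIGINAL_COMMAND`, accepts only `hg -R <repo> serve --stdio`, resolves the repository path and checks it against a fixed allow-list before exec'ing hg. The repository roots under `/srv/hg` and the install path `/usr/local/bin/hg-wrapper` are assumptions.

```python
import os
import shlex
import sys

# Constructed example values (assumptions): the repository roots this SSH
# key is allowed to serve, and the base that relative client paths resolve to.
ALLOWED_REPOS = ["/srv/hg/project-a", "/srv/hg/project-b"]
REPO_BASE = "/srv/hg"


def build_hg_command(original_command, allowed_repos, base=REPO_BASE):
    """Return the exact argv to exec for a valid Mercurial request,
    or None if the request must be refused.

    Only 'hg -R <repo> serve --stdio' (the form Mercurial clients send for
    push and pull) is accepted, and <repo> must resolve to one of
    allowed_repos. Nothing else from the client reaches the hg command line.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return None
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    # Canonicalise before comparing so '..' segments and symlinks are resolved.
    requested = os.path.realpath(os.path.join(base, argv[2]))
    allowed = {os.path.realpath(p): p for p in allowed_repos}
    # Exact match against the allow-list; a prefix check alone would also
    # admit sibling directories whose names merely share the prefix.
    if requested not in allowed:
        return None
    return ["hg", "-R", allowed[requested], "serve", "--stdio"]


def main():
    # Installed as the forced command in authorized_keys, e.g. (assumed path):
    #   command="/usr/local/bin/hg-wrapper",no-port-forwarding,no-pty ssh-ed25519 AAAA...
    # sshd then ignores what the client typed and exposes it only via the
    # environment, so this function is the single entry point to hg.
    cmd = build_hg_command(os.environ.get("SSH_ORIGINAL_COMMAND"), ALLOWED_REPOS)
    if cmd is None:
        sys.stderr.write("Illegal command\n")
        sys.exit(255)
    os.execvp(cmd[0], cmd)


if __name__ == "__main__":
    main()
```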
 * If you use a custom wrapper script:
  * Its invocation of Mercurial must start with precisely the arguments: `hg`, `-R`, ``, `serve`, `--stdio`, where `` is replaced by the path to the repository.
  * It '''should''' expand and sanitize the `` before passing it to Mercurial.

HTTP-specific:

 * If you authenticate users or allow push access, use HTTPS. You can get a free SSL/TLS certificate to enable this from [[https://letsencrypt.org/|Let's Encrypt]].
 * Do not put your hgweb config file or your Web server's password file (.htaccess or similar) under the same directory as your repositories.

== See also ==

 * [[PublishingRepositories]]
 * [[MultipleCommitters]]
 * [[SharedSSH]]
 * [[SecurityDisclosureProcess]]

----
CategoryHowTo