Differences between revisions 2 and 3
Revision 2 as of 2010-06-08 19:47:56
Size: 2595
Editor: mpm
Comment:
Revision 3 as of 2010-06-09 08:52:05
Size: 2672
Editor: PaulBoddie
Comment: Formatting changes plus an anchor for use with the PublishingRepositories page.
Line 13: Line 13:
 * Alice has a repository in /repos/alice/project
 * It contains a .hg/hgrc owned by Alice
 * Bob looks at the repository with hg log
 * Alice has a repository in `/repos/alice/project`
 * It contains a `.hg/hgrc` owned by Alice
 * Bob looks at the repository with `hg log`
Line 17: Line 17:
If Bob's hg command trusted Alice's .hg/hgrc, then it could be tricked into loading and running whatever hooks, extensions, and so forth that Alice had configured. If Alice was malicious, she could set up a hook to give her access to Bob's account, read his mail, personal files, etc. If Bob's `hg` command trusted Alice's `.hg/hgrc`, then it could be tricked into loading and running whatever hooks, extensions, and so forth that Alice had configured. If Alice was malicious, she could set up a hook to give her access to Bob's account, read his mail, personal files, etc.
Line 22: Line 22:
Users can add settings to their $HOME/hgrc to tell Mercurial to trust other users. For instance, if Bob has decided he can trust Alice not to try to delete his files when he looks at her repository, he could add: Users can add settings to their `$HOME/hgrc` to tell Mercurial to trust other users. For instance, if Bob has decided he can trust Alice not to try to delete his files when he looks at her repository, he could add:
Line 34: Line 34:
/!\ Only Bob can make Bob's Mercurial trust Alice. If Alice adds "users = alice" to her .hg/hgrc file, Bob's Mercurial will naturally ignore it as it doesn't trust those settings already. /!\ Only Bob can make Bob's Mercurial trust Alice. If Alice adds "users = alice" to her `.hg/hgrc` file, Bob's Mercurial will naturally ignore it as it doesn't trust those settings already.
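Review bot: In the Line 34 hunk the quoted setting "users = alice" is left in plain double quotes, while `.hg/hgrc` in the same sentence is now monospaced. Since this revision marks up every other literal (paths, commands, user names), mark the setting up the same way, as `users = alice`, so readers can tell it is text to be typed into a configuration file.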
Line 40: Line 40:
<<Anchor(WebServerLogMessages)>>
Line 41: Line 42:
In this case, the user running your Apache server (eg 'apache' or 'www-data') is Bob in our example and the user who owns the repository is Alice. In other words, the web server user doesn't trust the repository owner. In this case, the user running your Apache server (such as `apache`, `daemon`, `nobody` or `www-data`) is Bob in our example and the user who owns the repository is Alice. In other words, the web server user doesn't trust the repository owner.
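Review bot: The Line 41/42 hunk is more than a formatting change: it replaces "eg 'apache' or 'www-data'" with "such as `apache`, `daemon`, `nobody` or `www-data`", adding two account names, yet the revision comment only mentions "Formatting changes plus an anchor". Mention the wording change in the comment or make it a separate revision, so the content edit can be found in the page history.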
Line 46: Line 47:
 * Add a trust setting in the web server's home directory hgrc file  * Add a trust setting in the web server's home directory `hgrc` file
Line 48: Line 49:
 * Add a global trust setting in /etc/mercurial/ or similar (only if you trust everyone!)  * Add a global trust setting in `/etc/mercurial/` or similar (only if you trust everyone!)

Configuring Mercurial Trust

1. Why am I getting this "not trusting file" message?

If you've seen a message like this, you're in the right place:

Not trusting file /home/alice/repo/.hg/hgrc from untrusted user alice, group users

For security reasons, Mercurial only trusts hgrc files owned by the user running Mercurial. Settings from untrusted files will generally be ignored.

2. Why is this a security issue?

Imagine the following scenario:

  • Alice has a repository in /repos/alice/project

  • It contains a .hg/hgrc owned by Alice

  • Bob looks at the repository with hg log

If Bob's hg command trusted Alice's .hg/hgrc, then it could be tricked into loading and running whatever hooks, extensions, and so forth that Alice had configured. If Alice was malicious, she could set up a hook to give her access to Bob's account, read his mail, personal files, etc.

Instead, Mercurial ignores these settings, which means that hooks and extensions (malicious or not!) that Alice has enabled will be ignored.

3. What if I think Alice is trustworthy?

Users can add settings to their $HOME/.hgrc to tell Mercurial to trust other users. For instance, if Bob has decided he can trust Alice not to try to delete his files when he looks at her repository, he could add:

[trusted]
users = alice, carl, dan

Alternatively, Bob can decide to trust a group of people (as specified in an operating system group):

[trusted]
groups = dev-team

/!\ Only Bob can make Bob's Mercurial trust Alice. If Alice adds "users = alice" to her .hg/hgrc file, Bob's Mercurial will naturally ignore it as it doesn't trust those settings already.

/!\ Bob shouldn't do this unless he actually trusts Alice!

More info can be found in the hgrc manpage.
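The rule described in sections 1 to 3, as an added example (not Mercurial's own code, and a simplified model of it): a file is honoured only if it is owned by the user running the command or by a user or group that an already-honoured file lists under [trusted]. The function names, file paths and file contents below are constructed for illustration.

```python
import configparser

def parse_trusted(hgrc_text):
    """Return (users, groups) named in the [trusted] section of hgrc text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)

    def names(key):
        raw = cp.get("trusted", key, fallback="")
        return {n.strip() for n in raw.split(",") if n.strip()}

    return names("users"), names("groups")

def load_configs(running_user, files):
    """Walk config files in load order: (path, owner, group, text).

    A file is honoured only if it is owned by running_user or by a user or
    group that an already-honoured file listed under [trusted].
    Returns (honoured_paths, warnings).
    """
    users, groups = set(), set()
    honoured, warnings = [], []
    for path, owner, group, text in files:
        if owner == running_user or owner in users or group in groups:
            honoured.append(path)
            new_users, new_groups = parse_trusted(text)
            users |= new_users
            groups |= new_groups
        else:
            # Ignored entirely, including any [trusted] section inside it.
            warnings.append(
                f"Not trusting file {path} from untrusted user {owner}, group {group}"
            )
    return honoured, warnings

# Constructed sample files (not from a real system).
ALICE_REPO = ("/repos/alice/project/.hg/hgrc", "alice", "users",
              "[trusted]\nusers = alice\n[hooks]\npre-log = echo hook-ran\n")
BOB_DEFAULT = ("/home/bob/.hgrc", "bob", "users", "[ui]\nusername = Bob\n")
BOB_TRUSTS_ALICE = ("/home/bob/.hgrc", "bob", "users",
                    "[trusted]\nusers = alice, carl, dan\n")

if __name__ == "__main__":
    for bob_file in (BOB_DEFAULT, BOB_TRUSTS_ALICE):
        print(load_configs("bob", [bob_file, ALICE_REPO]))
```

With BOB_DEFAULT, Alice's file is rejected even though it names her under [trusted]; with BOB_TRUSTS_ALICE it is honoured, hooks included.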

4. I'm still confused, I'm getting this message in my webserver logs?

In this case, the user running your Apache server (such as apache, daemon, nobody or www-data) is Bob in our example and the user who owns the repository is Alice. In other words, the web server user doesn't trust the repository owner.

Once you've understood the security implications above, there are several possibilities for fixing this:

  • Ignore it - hooks and extensions aren't required
  • Add a trust setting in the web server's home directory hgrc file
  • Change the repository to be owned by the web server (note that setting the group is not the same as setting the owner)
  • Add a global trust setting in /etc/mercurial/ or similar (only if you trust everyone!)

Trust (last edited 2012-04-15 21:18:12 by AlbertLee)