0

Would anyone know how I can restrict users from pushing to an hg repository if I give then access via hg-ssh?

Some details to help eliminate the obvious:

1) This is a for a shared hosting situation where I don't have root access to install mercurial-server nor can I create the "hg" username that it requires.

2) When I allow a user to connect via SSH to a shared hosting site, they will basically have their public key in my authorized_keys file and they will have be authenticated as me (i.e. they will have my credentials on the server). I can restrict their access to only a few hg repositories by specifying a "command=" clause in my authorized_keys file as documented here: https://www.mercurial-scm.org/repo/hg-stable/raw-file/tip/contrib/hg-ssh. However that gives the user full access to these repositories. Can I restrict this to pull-only access?

Any of these would solve my problem:

1) I know that mercurial-server solves this problem somehow because all the users their share the same user account called "hg". How do they do it? Can I do the same without root-access to set up things?

OR 2) Is there is a patch that I can add to hg-ssh such that hg-ssh can take some permissions on its command-line. Something like "hg-ssh -read-only repo1 repo2 -read-write repo3".

OR 3) Get "hg -R {repo} serve --stdio" to take a command line option such that it will not allow push.

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
roshanjames
  • 276
  • 1
  • 7

3 Answers3

2

The quick and dirty way would be to tweak the command= value to be something like this:

command=hg-ssh --config hooks.pretxnchangegroup=false repo1 repo2

but that's just the AclExtension done sloppily.

Ry4an Brase
  • 78,112
  • 7
  • 148
  • 169
  • I just tried this and I seem to be able to push. Are you sure hg-ssh takes a --config flag? I am looking at the code here http://www.selenic.com/repo/hg-stable/raw-file/tip/contrib/hg-ssh and I see no provision for it. Maybe I am missing something obvious? – roshanjames Feb 23 '11 at 01:41
  • If hg-ssh doesn't carry over command line options then put the option in the hg-ssh script itself. Just find where it invokes hg and add it there. – Ry4an Brase Feb 23 '11 at 03:07
  • Thanks Ry4an. Even though this didn't let me do exactly what I wanted it gave me enough of an understanding of hg hooks to pull off what I needed and write my own hg-ssh like script. – roshanjames Mar 04 '11 at 02:11
1

mercurial-server gives you the simplest control over this. You can install it as a non-root user, but you have to take a little longer to understand how it works.

Paul Crowley
  • 1,656
  • 1
  • 14
  • 26
  • I did not know that mercurial server can be installed without root access - in particular I thought it needed a dedicated "hg" user account. Do you have a link to an installation instructions page? I must say that I went ahead and wrote my own hg-gateway tool to do this: http://parametricity.net/b/hg-gateway – roshanjames May 05 '11 at 23:13
  • I think not using a dedicated account for a job like this would be a bad idea, especially since mercurial-server has to delete and rewrite your authorized-keys file. The account doesn't have to be called "hg" though. The key file you need to configure is the .mercurial-server file in the home directory of the dedicated account. – Paul Crowley May 06 '11 at 14:43
0

Use the AclExtension. It lets you block access for ssh actions as well as http actions, and since it's enabled/disabled by hooks you'll be able to bypass it when you're logged in interactively.

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
Ry4an Brase
  • 78,112
  • 7
  • 148
  • 169
  • (Please ignore the comment above; just getting used to the fact that hitting enter posts the comments). Ry4an, after having a look at AclExtension I am puzzled about how this should work. The usernames specified in AclExtension are Unix usernames, are they not? If so, when I add someone else's public key to my authorized keys, they would show up as me, i.e. with my username. I don't want to restrict myself, just connections coming in through some public keys. – roshanjames Feb 23 '11 at 00:29
  • It does use usernames, but if you're logged in interactively you can easily bypass the AclExtension by unsetting the hook from the command line. – Ry4an Brase Feb 23 '11 at 03:08