Security issue: how to use HTTP user as Mercurial user

Tony Mechelynck antoine.mechelynck at gmail.com
Tue Jun 8 12:31:15 UTC 2010


On 08/06/10 07:55, Igor Lautar wrote:
> Hi,
>
> On Mon, Jun 7, 2010 at 11:41 PM, Zeljko Trogrlic<zeljko_t at post.htnet.hr>  wrote:
>> I am using Apache + mod_wsgi + mod_auth_sspi + Mercurial 1.5.4 on Windows.
>>
>> Authentication works fine, but there is one security issue:
>> instead of the user authenticated on Apache,
>> the username configured in the user's mercurial.ini [ui] section
>> is stored in the repository as the changeset's author.
>>
>> This means that users can fake their username, making traceability impossible.
>>
>> How can I configure Mercurial to use the user authenticated by Apache as
>> the Mercurial user?
>
> As Benoit said, it doesn't really make sense in DVCS world.
>
> However, I was there and did something else that helped to a certain degree.
>
> You can create a precommit (or changegroup) hook that checks the changes
> and rejects them if the authors are not correct. In my case, we had a file
> containing a list of 'valid' push users, and if any changeset had an author
> not on the list, it would be rejected.
>
> Regards,
> _______________________________________________
> Mercurial mailing list
> Mercurial at selenic.com
> http://selenic.com/mailman/listinfo/mercurial
>

What if Evildoer (not on the list) tries to push a changeset saying 
"Author: Goodboy <manager at example.com>" (who is on the list)? There 
would have to be an authentication process on top of the changeset 
manifest validation process, and probably also a pushlog history (which 
might even be external to the Mercurial repo itself) saying which (SSH, 
OpenID, whatever) credentials were used by whoever pushed changeset 
ab2c4df6fbbc, so sheriffs can lay blame when the next "make && make 
test" fails on the central repo (and, if you're compiling some Mozilla 
application, that will be several hours after the evildoer has 
disconnected).


Best regards,
Tony.
-- 
BLACK KNIGHT:  Come on you pansy!
     [hah] [parry thrust]
     [ARTHUR chops the BLACK KNIGHT's right arm off]
ARTHUR:        Victory is mine!  [kneeling]
                We thank thee Lord, that in thy merc-
     [Black Knight kicks Arthur in the head while he is praying]
                                   The Quest for the Holy Grail (Monty 
Python)

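The two halves of this thread (Igor's author allow-list hook, and Tony's objection that an allow-list alone cannot tell Evildoer pushing "as" Goodboy from Goodboy pushing, plus his suggestion of a pushlog) can be combined in one pair of server-side hooks. The example below is added here and is not code from Mercurial, from Igor's setup, or from anyone on the thread. It assumes: Apache authenticates the push (for instance with mod_auth_sspi, which typically yields REMOTE_USER as DOMAIN\user) and hgweb exposes the WSGI environ as ui.environ; a server-side hgrc section [authormap] mapping each HTTP user to the author e-mail addresses that user may sign changesets with; an optional [authorhook] pushlog path; and the Python-2-era hook API of Mercurial 1.5 in which authors and config values are str (recent Mercurial passes bytes, which would need decoding). The [authormap] and [authorhook] section names, the CORP\ user names and the sample changesets are all constructed for the example. The pretxnchangegroup hook rejects the whole changegroup if any incoming changeset's author is not one of the pusher's own identities, so the author field is bound to the authenticated credential rather than merely checked against a list; the changegroup hook then records who pushed which nodes, after the transaction has committed, in an append-only pushlog outside the repository.

```python
"""Server-side Mercurial hooks binding changeset authors to the HTTP user.

Added example for this thread, not Mercurial's own code. Assumes hgweb
exposes the WSGI environ (with REMOTE_USER from Apache) as ui.environ,
and that the server-side hgrc carries (section names are assumptions):
  [authormap]
  CORP\\goodboy = manager@example.com
  [authorhook]
  pushlog = /srv/hg/pushlog.txt
  [hooks]
  pretxnchangegroup.author = python:/srv/hg/authorhook.py:pretxnchangegroup
  changegroup.pushlog      = python:/srv/hg/authorhook.py:changegroup
"""
import datetime
from email.utils import parseaddr


def author_email(author):
    """Lower-cased address from 'Name <addr>'; a bare string is used as-is."""
    _name, addr = parseaddr(author)
    return (addr or author).strip().lower()


def check_authors(authors, pusher, authormap):
    """Return rejection reasons (empty list == accept).

    Every changeset must carry an author address belonging to the
    authenticated pusher; an allow-list of authors alone would let anyone
    push changesets signed as someone on the list.
    """
    if not pusher:
        return ['push is not authenticated (no REMOTE_USER)']
    allowed = set(a.lower() for a in authormap.get(pusher, ()))
    if not allowed:
        return ['HTTP user %r is not permitted to push' % pusher]
    return ['author %r is not an identity of HTTP user %r' % (a, pusher)
            for a in authors if author_email(a) not in allowed]


def format_pushlog_entry(pusher, hexnodes, when=None):
    """One pushlog line: UTC timestamp, HTTP user, pushed node ids."""
    when = when or datetime.datetime.utcnow()
    return '%s %s %s\n' % (when.strftime('%Y-%m-%dT%H:%M:%SZ'),
                           pusher, ' '.join(hexnodes))


def incoming(repo, node):
    """Changesets added by this changegroup: from `node` up to the tip."""
    return [repo[rev] for rev in range(repo[node].rev(), len(repo))]


def pretxnchangegroup(ui, repo, hooktype, node=None, **kwargs):
    """Return True (reject) unless every incoming author is the pusher."""
    pusher = getattr(ui, 'environ', {}).get('REMOTE_USER')
    authormap = dict((user, addrs.split())
                     for user, addrs in ui.configitems('authormap'))
    problems = check_authors([c.user() for c in incoming(repo, node)],
                             pusher, authormap)
    for p in problems:
        ui.warn('rejecting push: %s\n' % p)
    return bool(problems)


def changegroup(ui, repo, hooktype, node=None, **kwargs):
    """After the transaction commits, record who pushed which changesets."""
    logpath = ui.config('authorhook', 'pushlog')
    if logpath:
        pusher = getattr(ui, 'environ', {}).get('REMOTE_USER')
        with open(logpath, 'a') as log:
            log.write(format_pushlog_entry(
                pusher, [c.hex() for c in incoming(repo, node)]))
    return False


# Constructed stand-ins for hgweb's ui/repo so the hooks run offline.
class _Ctx(object):
    def __init__(self, rev, user, hexnode):
        self._rev, self._user, self._hex = rev, user, hexnode
    def rev(self): return self._rev
    def user(self): return self._user
    def hex(self): return self._hex

class _Repo(object):
    def __init__(self, ctxs): self._ctxs = ctxs
    def __len__(self): return len(self._ctxs)
    def __getitem__(self, key):
        if isinstance(key, int):
            return self._ctxs[key]
        return [c for c in self._ctxs if c.hex() == key][0]

class _UI(object):
    def __init__(self, remote_user, authormap):
        self.environ = {'REMOTE_USER': remote_user}
        self._authormap, self.warnings = authormap, []
    def configitems(self, section): return list(self._authormap.items())
    def config(self, section, name): return None
    def warn(self, msg): self.warnings.append(msg)


def demo(remote_user):
    """Someone pushes one changeset signed as Goodboy; (rejected, warnings)."""
    repo = _Repo([_Ctx(0, 'Goodboy <manager@example.com>', 'a' * 40),
                  _Ctx(1, 'Goodboy <manager@example.com>', 'b' * 40)])
    ui = _UI(remote_user, {'CORP\\goodboy': 'manager@example.com',
                           'CORP\\evildoer': 'evil@example.com'})
    rejected = pretxnchangegroup(ui, repo, 'pretxnchangegroup', node='b' * 40)
    return rejected, ui.warnings
```

Running demo('CORP\\evildoer') rejects the push with one warning, while demo('CORP\\goodboy') accepts it; an unauthenticated push (no REMOTE_USER) is rejected outright rather than falling back to the allow-list. The pushlog is written from the changegroup hook, not from pretxnchangegroup, so an entry only appears for changesets that actually landed; keeping it outside the repository means a later strip or history rewrite cannot erase the record of who pushed ab2c4df6fbbc.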