SSH scripts
Ludovic Chabant
ludovic at chabant.com
Sun Jan 27 04:43:36 UTC 2019
I'm replying to myself after some experimentation, in case anybody
was curious.
> 1. I need to support read/write vs. read-only access. The hg-ssh
> script adds hooks on the fly to reject pushes. Instead of doing
> that, could I patch the hg command (which looks like "hg -R
> /path/to/repo serve -- stdio") by adding a "--web-conf
> reject.conf" at the end?
When `hg serve` has `--stdio` as an argument, the command dispatcher
gets super strict and _only_ allows `hg -R /path/to/repo serve --stdio`,
and nothing else. It's kinda weird to me since people who want to secure
their SSH access could check those arguments before it reaches
Mercurial, so I don't know why it's done there, but anyway, we can't
pass anything else. See
https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/dispatch.py#l299
> 2. Why do we need the "prepushkey" hook? Wouldn't the "pretxnopen"
> hook be sufficient to gate any writing operation to the repo?
This I got no idea -- the tests I did where I'm trying to push various
things seem to always get caught by "pretxnopen" already.
> 3. The documentation for "hg serve" indicates that it refuses push by
> default, yet, the "hg serve" that's run through SSH seems to allow
> it... how come?
This seems to be because, again, the `--stdio` argument actually runs "hg serve" in a completely different way than it's usually run. See https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/commands.py#l5264
(it runs an SSH-specific version of the command server, so I assume it's pull/push by default)
In the end, I'm using the contrib/hg-ssh script, but it's kinda sad because the environment I'm in is Python 3, so I have to shell out to a different process (running Python 2) to make it work. I hear there's good progress on Mercurial on Python 3 though, so hopefully that's temporary.
--
l u d o .
. 8 0 17 80
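Added example, not from the thread and not Mercurial's own contrib/hg-ssh: a minimal Python 3 forced-command wrapper that does the check Ludovic mentions, validating the client's request before it reaches Mercurial. It assumes the key is installed in authorized_keys with `command="/usr/local/bin/hg-gate /srv/hg/public /srv/hg/project:rw",no-pty,...`, so the allow-list arrives in argv (a `:rw` suffix grants push; anything else is read-only) and sshd puts the client's request in SSH_ORIGINAL_COMMAND. Because the dispatcher refuses any argument beyond `hg -R <repo> serve --stdio`, the read-only hooks cannot be appended to the command line; since this wrapper shells out to a separate `hg` process rather than dispatching in-process like hg-ssh, it hands the hooks over through an hgrc file listed in HGRCPATH instead. The script name `hg-gate`, the hook names `pretxnopen.hg-gate`/`prepushkey.hg-gate`, the allow-list syntax and the `/etc/mercurial/hgrc` path are all assumptions of this example.

```python
#!/usr/bin/env python3
"""hg-gate: forced-command wrapper for Mercurial over SSH (illustrative)."""
import os
import shlex
import subprocess
import sys
import tempfile

# Config handed to read-only sessions via HGRCPATH. A shell hook that exits
# non-zero aborts the transaction before it opens (pretxnopen) and rejects
# bookmark/phase pushes (prepushkey); pulls never open a server transaction.
READONLY_HGRC = """[hooks]
pretxnopen.hg-gate = false
prepushkey.hg-gate = false
"""

# System-wide hgrc to keep in the search path (assumed location).
SYSTEM_HGRC = "/etc/mercurial/hgrc"


def parse_allow_list(args):
    """Map each 'path' or 'path:rw' argument to True (push allowed) / False."""
    allowed = {}
    for arg in args:
        path, _, mode = arg.partition(":")
        # Any suffix other than 'rw' falls back to read-only.
        allowed[os.path.normpath(path)] = (mode == "rw")
    return allowed


def parse_serve_command(command):
    """Return the repo path if command is exactly 'hg -R <path> serve --stdio',
    otherwise None. Mirrors the dispatcher's strictness: extra options,
    other subcommands, malformed quoting and a repo name starting with '-'
    are all refused here, before Mercurial runs."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes and similar
        return None
    if len(argv) != 5 or argv[0] != "hg" or argv[1] != "-R":
        return None
    if argv[3:] != ["serve", "--stdio"] or argv[2].startswith("-"):
        return None
    return argv[2]


def authorize(command, allowed):
    """Return (repo, writable) when the request names an allowed repo, else None."""
    repo = parse_serve_command(command)
    if repo is None:
        return None
    repo = os.path.normpath(repo)  # collapses '..' lexically; symlinks are not resolved
    if repo not in allowed:
        return None
    return repo, allowed[repo]


def main():
    allowed = parse_allow_list(sys.argv[1:])
    decision = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""), allowed)
    if decision is None:
        sys.stderr.write("Illegal command\n")
        return 255
    repo, writable = decision
    env = dict(os.environ)
    hgrc_path = None
    try:
        if not writable:
            with tempfile.NamedTemporaryFile("w", suffix=".hgrc", delete=False) as f:
                f.write(READONLY_HGRC)
                hgrc_path = f.name
            # HGRCPATH replaces the default global/user hgrc search path,
            # so the system file is listed explicitly ahead of ours.
            env["HGRCPATH"] = os.pathsep.join([SYSTEM_HGRC, hgrc_path])
        # Exactly the one invocation the dispatcher accepts; nothing appended.
        return subprocess.call(["hg", "-R", repo, "serve", "--stdio"], env=env)
    finally:
        if hgrc_path:
            os.unlink(hgrc_path)


if __name__ == "__main__":
    sys.exit(main())
```

The allow-list is keyed on normalized absolute paths, so `/srv/hg/public/../project` is treated as `/srv/hg/project` and checked as such; paths not on the list, any `--web-conf`-style extra argument, and a repo name like `--debugger` are all rejected with the same "Illegal command" message.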