Thejesh GN  committed c911bb4

hg pull trust error

  • Participants
  • Parent commits 227f3ff
  • Branches default

Comments (0)

Files changed (1)

File mercurial_not_trusting_user_on_pull.txt

+Hash: SHA512
+"Not trusting file.." on pull
+Alexis S. L. Carvalho alexis at 
+Tue Oct 31 23:37:40 CST 2006
+Previous message: "Not trusting file.." on pull
+Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
+Thus spake TK Soh:
+> I am getting this message (edited to mask user and path) when trying
+> to pull using the recent crew revision
+>  % hg pull
+>  Not trusting file /remote/repo/.hg/hgrc from untrusted user me, group 
+>  mygroup
+> What is he "Not trusting file.." message trying to tell us?
+Mercurial obviously uses some settings from the .hg/hgrc file from a
+repo.  Some of these settings could be (ab)used by the owner of a repo
+to trick the user running hg into executing some arbitrary code.  For
+example, when you pull, the "outgoing" hook is executed automatically.
+Up to 0.9.1, most (all?) of these problems would appear only if you
+actively interacted with the repo (i.e. used pull, push, incoming,
+outgoing, commit, email, etc), but current tip will automatically load
+extensions specified in .hg/hgrc files[1] for all commands that open the
+repository.  This means that a simple "hg paths" could lead to arbitrary
+code execution.
+To prevent this, hg looks up the owner and the group of a .hg/hgrc file
+before loading it.  If it doesn't trust this user/group, it doesn't use
+the settings from this file[2].
+You can tell that you trust some user/group by adding something like
+this to ~/.hgrc:
+users = foo, bar, baz
+groups = fred, barney
+(use "*" if you want to trust all users/groups)
+Now, the user running hg should always be trusted.  If the
+/remote/repo/.hg/hgrc file does belong to you, you may have hit a bug
+:-/ .  In this case, can you put the next few lines in a file and
+execute it (after fixing the '/remote/repo/.hg/hgrc', of course)?
+- --x--
+#!/usr/bin/env python
+import os
+import pwd
+print 'my name:', pwd.getpwuid(os.getuid())[0]
+st = os.stat('/remote/repo/.hg/hgrc')
+print 'file owner:', pwd.getpwuid(st.st_uid)[0]
+- --x--
+Some additional info about your setup would also be interesting (is the
+/remote/repo on NFS, are you using NIS, LDAP, ...).
+[1] - the extension is loaded only after parsing the command line, so
+you still can't use commands defined by this extension.  IOW, this is
+useful for e.g. the notify extension, but not for mq.
+[2] - right now, the only exception is hgweb, since it's common to run
+the CGI script as one user, serving repos from other users.
+Version: GnuPG v1.4.11 (GNU/Linux)