+"Not trusting file.." on pull
+Alexis S. L. Carvalho alexis at cecm.usp.br
+Tue Oct 31 23:37:40 CST 2006
+> I am getting this message (edited to mask user and path) when trying
+> to pull using the recent crew revision
+> Not trusting file /remote/repo/.hg/hgrc from untrusted user me, group
+> What is the "Not trusting file.." message trying to tell us?
+Mercurial obviously uses some settings from the .hg/hgrc file from a
+repo. Some of these settings could be (ab)used by the owner of a repo
+to trick the user running hg into executing some arbitrary code. For
+example, when you pull, the "outgoing" hook is executed automatically.
+Up to 0.9.1, most (all?) of these problems would appear only if you
+actively interacted with the repo (i.e. used pull, push, incoming,
+outgoing, commit, email, etc), but current tip will automatically load
+extensions specified in .hg/hgrc files for all commands that open the
+repository. This means that a simple "hg paths" could lead to arbitrary
+To prevent this, hg looks up the owner and the group of a .hg/hgrc file
+before loading it. If it doesn't trust this user/group, it doesn't use
+the settings from this file.
+You can tell that you trust some user/group by adding something like
+(use "*" if you want to trust all users/groups)
+Now, the user running hg should always be trusted. If the
+/remote/repo/.hg/hgrc file does belong to you, you may have hit a bug
+:-/ . In this case, can you put the next few lines in a file and
+execute it (after fixing the '/remote/repo/.hg/hgrc', of course)?
+import os, pwd
+# Compare the account running hg with the owner of the hgrc file
+print('my name:', pwd.getpwuid(os.getuid()))
+st = os.stat('/remote/repo/.hg/hgrc')
+print('file owner:', pwd.getpwuid(st.st_uid))
+Some additional info about your setup would also be interesting (is the
+/remote/repo on NFS, are you using NIS, LDAP, ...).
+ - the extension is loaded only after parsing the command line, so
+you still can't use commands defined by this extension. IOW, this is
+useful for e.g. the notify extension, but not for mq.
+ - right now, the only exception is hgweb, since it's common to run
+the CGI script as one user, serving repos from other users.
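The ownership check described in the message, as an added sketch that is not part of the original post and not Mercurial's code: a config file is trusted when the running user owns it, or when its owner or group appears in a caller-supplied trusted list (with `*` matching everyone). The function names, the comparison by uid, and the `mallory`/`staff` sample values are assumptions made for illustration.

```python
import grp
import os
import pwd


def name_of(lookup, ident):
    """Map a uid/gid to a name; None if the id has no passwd/group entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        # Happens when the directory service (NIS, LDAP, ...) cannot resolve the id.
        return None


def is_trusted(owner, group, owned_by_me, trusted_users=(), trusted_groups=()):
    """Return True if settings from a file with this owner/group may be used."""
    if owned_by_me:
        return True  # the user running the tool is always trusted
    if "*" in trusted_users or "*" in trusted_groups:
        return True  # "*" trusts every user / group
    if owner is not None and owner in trusted_users:
        return True
    return group is not None and group in trusted_groups


def check_config(path, trusted_users=(), trusted_groups=()):
    """Stat a config file and report (owner, group, trusted)."""
    st = os.stat(path)
    owner = name_of(pwd.getpwuid, st.st_uid)
    group = name_of(grp.getgrgid, st.st_gid)
    # Assumption: "owned by me" is decided on the numeric uid, not the name.
    trusted = is_trusted(owner, group, st.st_uid == os.getuid(),
                         trusted_users, trusted_groups)
    return owner, group, trusted


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway file standing in for a repo's .hg/hgrc.
    with tempfile.NamedTemporaryFile(suffix="hgrc") as f:
        print("owner=%s group=%s trusted=%s" % check_config(f.name))
    # Constructed names: a file owned by someone else is skipped unless listed.
    print(is_trusted("mallory", "staff", False))
    print(is_trusted("mallory", "staff", False, trusted_groups=["staff"]))
```

An owner or group id that cannot be resolved to a name is never matched against the trusted lists, so such a file is used only when the running user owns it or `*` is configured.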