
I have a CentOS server with code maintained using a Mercurial repo. To allow a new person to commit code to Mercurial, I create a new user, add them to the webdev group, and they can push / pull code by

hg pull ssh://name@server.com

However, there are some files (config files) that I would not like new users to have access to. Mercurial has been asked not to track these files, so the only way to access them is to ssh into the system and look at the files, which I don't want new users to be able to do.

In essence, I want my new developers to only pull/push files through hg and disallow ssh-ing directly into the system. What is the best way to do this? Can I provide hg access to a repo without providing ssh access to the files?

(or is my approach to the problem flawed?)

Thanks!

crazyphoton

2 Answers


In terms of an authorization layer (similar to Gitolite for Git), you have mercurial-server (not to be mixed up with the Mercurial lightweight web server, hg serve):

mercurial-server gives your developers remote read/write access to centralized Mercurial repositories using SSH public key authentication; it provides convenient and fine-grained key management and access control.

See its repository here.

It is based on the same SSH forced-command mechanism as the script mentioned by Ry4an in his answer (+1 on his answer, because it is already packaged with Mercurial).
See for illustration the mercurial-server source of refreshauth.py.

VonC

This can be really easily done by taking advantage of the command option available in .ssh/authorized_keys files. When you're granting their key access in that file you can prepend a "command=...." argument to their key, and that's the only command they can run.

Mercurial ships with a handy script for doing exactly that. It has instructions inside:

https://www.mercurial-scm.org/repo/hg/file/tip/contrib/hg-ssh

Ry4an Brase
  • Mercurial-server is based on exactly the same approach, but does for you a lot of the work that you'll otherwise be doing by hand, like editing the authorized_keys file. I'm biased because I'm the author, but I'd definitely recommend using mercurial-server over hg-ssh for most situations. – Paul Crowley Apr 17 '12 at 11:03
  • Whereas I'm (admittedly) biased against mercurial-server, both because of the hundreds of newbies who installed it on ubuntu due to its confusing name expecting to get hgweb.cgi's http:// serving and because I think it adds complexity w/o much value. It occupies a middleground between hg-ssh/hgweb and something really full featured like Rhodecode, adding complexity without adding much by way of feature set. Clearly that's just one person's opinion though. – Ry4an Brase Apr 17 '12 at 13:26
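Both answers rest on the same mechanism: sshd's `command=` key option runs a fixed program for every login with that key, and the program (hg-ssh, or mercurial-server's wrapper around the same idea) only honours a request of the form `hg -R <repo> serve --stdio` for a repository it was told about. The following script is an added example, not code from either answer or from the hg-ssh script itself; the repository paths under /srv/hg/ and the key material are constructed placeholders. It builds the authorized_keys entry for one developer key and then runs a simplified model of the gate hg-ssh applies to SSH_ORIGINAL_COMMAND (the real script additionally normalizes paths with os.path and invokes Mercurial's dispatcher instead of returning a status).

```shell
#!/bin/sh
# Added example (not from the answers above or from hg-ssh).
# Assumed layout: repositories live under /srv/hg/; $pubkey holds the
# developer's public key text as it would appear in authorized_keys.

# hg_ssh_line "<public key text>" REPO [REPO ...]
# Prints one authorized_keys line that pins the key to hg-ssh.
# sshd hands the command= value to the account's login shell, so a repo path
# containing whitespace, quotes or shell metacharacters could escape the
# quoted command; such paths are rejected rather than quoted.
hg_ssh_line() {
    pubkey=$1; shift
    [ "$#" -ge 1 ] || return 1
    repos=""
    for r in "$@"; do
        case $r in
            *[!A-Za-z0-9_./~-]*) echo "refusing unsafe repo path: $r" >&2; return 1 ;;
        esac
        repos="$repos $r"
    done
    # no-pty and the no-*-forwarding options are standard sshd key options;
    # without them a forced command still leaves tunnelling available.
    printf 'command="hg-ssh%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$repos" "$pubkey"
}

# hg_ssh_check "<allowed repos, space separated>" "<SSH_ORIGINAL_COMMAND>"
# Simplified model of hg-ssh's decision: succeed only for exactly
# "hg -R <allowed repo> serve --stdio"; a shell, cat, or another repo is refused.
hg_ssh_check() {
    allowed=$1
    set -- $2   # word-split the requested command (hg-ssh uses shlex.split)
    [ "$#" -eq 5 ] || return 1
    [ "$1" = hg ] && [ "$2" = -R ] && [ "$4" = serve ] && [ "$5" = --stdio ] || return 1
    for r in $allowed; do
        if [ "$3" = "$r" ]; then return 0; fi
    done
    return 1
}

# Usage: emit the entry for a new developer, then show which requests pass.
pubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly dev@example.com"  # constructed key
hg_ssh_line "$pubkey" /srv/hg/webapp
for cmd in "hg -R /srv/hg/webapp serve --stdio" \
           "hg -R /srv/hg/secrets serve --stdio" \
           "bash" \
           "cat /srv/hg/webapp/config.php"; do
    if hg_ssh_check "/srv/hg/webapp" "$cmd"; then echo "allow: $cmd"; else echo "deny:  $cmd"; fi
done
```

Two caveats a practitioner should check after installing such a line. First, the `command=` option constrains only logins made with that key: the developer's account must have no password login and no second, unrestricted key in authorized_keys, or the forced command is simply bypassed. Second, `hg serve --stdio` serves the repository store (the tracked history), not the working directory, so files Mercurial has been told not to track are not reachable through a push or pull even though they sit beside the repository on disk.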