Restrict Mercurial repository access

Question

I have a Mercurial server using mercurial-server. I edited access.conf in hgadmin repo as follows:

deny repo=a/b
read user=x/**
read user=y/**

write repo=a/b user=x/abc
write repo=a/b user=y/z

But user z still can't access this repo. Any ideas?

Answer 1

The documentation mentions:

user=globpattern: path to the user's key

So the path of z's key might be wrong, or the path of the repo is off.

When considering a request, mercurial-server steps through all the rules in /etc/mercurial-server/access.conf and then all the rules in access.conf in hgadmin, looking for a rule which matches on every condition.
The first match determines whether the request will be allowed; if there is no match in either file, the request will be denied.

Other possibility: Maybe a deny rule (applicable for user z) is found first.

Answer 2

The first matching rule applies. In this instance the deny rule is first, so it will match first; no user will be given access to repo a/b no matter what other rules follow this one.

Try placing the two write rules above the deny rule.

Note also that any rules in /etc/mercurial-server/access.conf will logically precede these rules.

Answer 3

There is one more especiality about mercurial server that you may need to know. That you can not duplicate keys several times in keys/ of hgadmin. Because on server side those keys are compiled into /var/lib/mercurial-server/.ssh/authorized_keys. So if you specify same key in different key files in keys/ then when hg do ssh it will use first occurence of the key in authorixed_keys and probbaly refer to first only repo and disable access to another repos which refer to another file (but with same key)