User masquerading - audit trail?
Kurt Granroth
kurt.mercurial at granroth.com
Sat Oct 4 14:57:54 CDT 2008
Matt Mackall wrote:
> On Fri, 2008-10-03 at 12:12 -0700, Kurt Granroth wrote:
>> Mercurial allows you to set the username for patches to anything you
>> want. This makes it trivially simple to masquerade as somebody else.
>
> Given that Mercurial is a distributed system, not only is it trivial, it
> is unpreventable. The user has complete control of the execution
> environment on their laptop and can tell hg whatever name it wants.
Yes, but the user has that ultimate control only at the local level. I
can get the mercurial repo locally and make a holy mess in it... but
eventually, if I try to push it back to the central repository, all that
is for naught. I still have to authenticate in order to push and so the
central server *does* know who I am, regardless of who I'm claiming to be.
>> For instance, say I have the ability to write to the primary hg repo.
>> For whatever reason, I decide to commit a patch under the username "Matt
>> Mackall <mpm at selenic.com>". There's nothing in hg that will stop me
>> from pushing the patch as-is. Now we have a patch in the repo that
>> claims to be authored by somebody other than who really did it.
>>
>> How can I detect that? In all the tests I've done, the masquerade is
>> pretty complete. I cannot find any way of seeing who really created any
>> given patch.
>>
>> What I'm hoping for is some way to identify a patch by the ssh username.
>> Something like a 'Pushed by: kurt at selenic.com' even though the username
>> says 'Matt'.
>
> Presumably the 'server' would be adding this information. But there's
> really no special notion of server (any client can also be a server), so
> there's no notion of a server being more trusted than anything else.
> What happens when the 'server' pushes the changeset up another level?
> Now you need 'Pushed by: kurt according to the repo at 10.0.0.1/tmp'.
> Hmm, that's not very useful. Nor is it hard to fake (much like
> Received-by: headers in email).
I know that you're the author of hg and all.. but I still have to
disagree :-)
Let's look at the mercurial repo again. I can do a clone of
http://www.selenic.com/hg/ and pretend all I want that it's now the
official repo. Maybe I make a change in my cloned repo and a bunch of
people pull that change directly from me. It sure *seems* like my repo
is as much of a server as the selenic.com one. It's not, though. The
selenic.com/hg repo has been blessed as The One True Mercurial
Repository. Whatever is there is what is the official code. If you
want to write to it, then you have to get permission from the powers
that be first and authenticate prior to pushing.
In every practical way, that describes what a central server does!
So in this case, we could have a hook (or similar) on selenic.com/hg
that appended an "Authenticated User: kurt" to all patches that I pushed.
You could clone that off and change it to whatever you want on your
local copy... but unless you had sufficient privileges on selenic.com,
you *wouldn't* be able to do it on the one repository that actually
mattered.
Yes, an admin user on selenic.com could still mess with things. That's
unavoidable even with traditionally server-centric VCS systems like CVS
and Subversion. Once you are root, all things are possible.
>> Is there anything like that?
>
> No, but there is a gpg extension for digitally signing things.
That's an interesting idea. Time to investigate if there is a Windows
GUI for gpg-agent...
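The server-side hook discussed in the thread, as an added example (it is not code from the original message or from the Mercurial project). It records, on the blessed central repository, the identity the server actually authenticated next to the author each incoming changeset claims. It deliberately does not append a line to the changesets themselves: a changeset ID is a hash over its contents, so rewriting the description would change every hash and break every clone that already pulled it. Instead it writes a separate append-only log and warns when the claimed author's e-mail local part does not match the login that pushed. Assumed, not from the page: the `[audit] logfile` setting, the path `/srv/hg/audit.py`, the heuristic that compares the e-mail local part with the login name, and that each pusher has a distinct account or a forced-command wrapper that sets `REMOTE_USER`.

```python
"""Push audit hook for a central Mercurial repository (added example, not
part of the original thread or of Mercurial itself).

Install in the blessed repository's .hg/hgrc (assumed paths/settings):

    [hooks]
    changegroup.audit = python:/srv/hg/audit.py:record_push
    [audit]
    logfile = /var/log/hg/push-audit.log
"""
import json
import os
import re
import time

_EMAIL_RE = re.compile(r"<([^>]+)>")


def _text(value):
    """Mercurial hands the hook bytes on Python 3; normalise to str."""
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return value


def authenticated_pusher(environ=None):
    """Identity the server authenticated, read from the environment.

    hgweb behind HTTP authentication exports REMOTE_USER; an ssh push runs
    as the login user, so USER/LOGNAME apply. Assumption: every pusher has
    a distinct account (or a forced-command wrapper that sets REMOTE_USER).
    """
    env = os.environ if environ is None else environ
    for key in ("REMOTE_USER", "USER", "LOGNAME"):
        if env.get(key):
            return env[key]
    return "unknown"


def email_local_part(author):
    """'Matt Mackall <mpm@selenic.com>' -> 'mpm'; None if no address found."""
    m = _EMAIL_RE.search(author)
    address = m.group(1) if m else (author if "@" in author else "")
    return address.split("@", 1)[0].lower() or None


def audit_records(changesets, pusher, url=None, now=None):
    """One audit record per incoming changeset.

    changesets: iterable of (hex_node, claimed_author, summary_line).
    author_matches_pusher is a heuristic (assumed convention): the local
    part of the claimed author's e-mail versus the authenticated login.
    """
    stamp = time.time() if now is None else now
    records = []
    for node, author, summary in changesets:
        local = email_local_part(author)
        records.append({
            "time": stamp,
            "node": node,
            "claimed_author": author,
            "summary": summary,
            "pushed_by": pusher,
            "from": url,
            "author_matches_pusher": None if local is None else local == pusher.lower(),
        })
    return records


def record_push(ui, repo, hooktype, node=None, source=None, url=None, **kwargs):
    """changegroup hook entry point: `node` is the first new changeset and
    every revision from it to the tip arrived in this push."""
    first = repo[node].rev()
    changesets = []
    for rev in range(first, len(repo)):
        ctx = repo[rev]
        lines = _text(ctx.description()).splitlines() or [""]
        changesets.append((_text(ctx.hex()), _text(ctx.user()), lines[0]))
    records = audit_records(changesets, authenticated_pusher(), _text(url))
    logfile = _text(ui.config(b"audit", b"logfile")) or os.path.join(
        _text(repo.root), ".hg", "push-audit.log")
    with open(logfile, "a") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    for rec in records:
        if rec["author_matches_pusher"] is False:
            msg = "audit: %s claims author %r but was pushed by %s\n" % (
                rec["node"][:12], rec["claimed_author"], rec["pushed_by"])
            ui.warn(msg.encode("utf-8"))
    return 0
```

The log lives outside the changesets, so anyone with push access can still claim to be anybody in the changeset's user field, but the server's own record of who pushed it survives that claim; only someone with write access to the log on the server (the root case the message already concedes) can alter it.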