How to set up Mercurial security, specifically the users

I have Mercurial set up by following these instructions.
I'm trying to understand where, or in what file, to set up the users. Everything I've read seems kind of cryptic... it gives all these snippets of code saying "use this", but it seems to leave out the steps of how it's all connected and what file to put the snippets of code in... can someone please de-mystify all this for the ID10T#TheKeyboard?

Keep in mind that the basic model of Mercurial cannot actually prevent anybody from checking something in. The only thing it can do is prevent those users from uploading something to your copy of the repository.
IIS can set up authentication so that Mercurial knows which user is doing the uploading, and so only certain users are even allowed to try to upload. If all you care about is limiting who has commit access to your repository, you can stop right here. But if you want something finer grained, I think you are currently out of luck.
But, if it ever ends up working with web server authentication, you'll have to use the ACL extension if you want finer grained access control than simply who's allowed to send changesets to your repository.
The way the ACL extension works when changes are being sent over a network is as a pre-transaction hook on changegroups (a set of Mercurial revisions). It can look through these changegroups to make sure all the changes satisfy a given set of criteria. There are a wide variety of criteria that can be specified.
The ACL extension can be configured either in the global hgrc file, in which case it applies to all repositories, or the .hg/hgrc file of the repository you want to control access to. In my opinion the global option isn't terribly useful.
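To make the "which file, which section" part concrete, here is an added example of a per-repository .hg/hgrc wired up the way the answer describes. It is not taken from the answer above or from Mercurial's own documentation, and the user names, group names, branch names and paths in it are invented. One point the answer hints at but does not spell out: the hook only knows who is pushing because the web server authenticated the request. hgweb hands the authenticated name to the ACL hook via the REMOTE_USER CGI variable, so without IIS authentication every push arrives with an empty user name and none of the allow entries below can match.

```ini
# File: <repository>\.hg\hgrc   (per-repository settings, as the answer recommends)

[extensions]
# enable the ACL extension that ships with Mercurial
acl =

[hooks]
# the hook runs before the changegroup transaction commits, so a rejected
# push is rolled back and nothing from it remains in the repository
pretxnchangegroup.acl = python:hgext.acl.hook

[acl]
# only changesets arriving over the network (hgweb or ssh) are checked;
# local commits on the server box are not. 'serve' is also the default.
sources = serve

[acl.groups]
# invented groups: define them here, because on Windows/IIS there is no
# Unix group database for the extension to fall back on
release-managers = carol
writers = dave, erin

[acl.deny.branches]
# deny rules are checked before allow rules: nobody pushes to 'frozen'
frozen = *

[acl.allow.branches]
# branch names are matched exactly (no globs); '*' means every branch / every user.
# once this section exists, a push to a branch no rule grants the user is rejected
release-2.0 = @release-managers
default = *

[acl.deny]
# path rules are glob patterns relative to the repository root
deploy/secrets/** = *

[acl.allow]
# once this section exists, a user may only change files matching one of
# their own entries; the deny rule above still wins for the release managers
src/** = alice, bob
docs/** = @writers
** = @release-managers
```

With this file in place, a push from alice that touches only src/ on the default branch is accepted; the same push to a new named branch, or one that also edits docs/, is refused and rolled back as a whole, because the hook judges the entire changegroup, not individual files.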

Check out the "Securing Mercurial" section here:
http://win1337ist.wordpress.com/tag/mercurial-iis7/
Also see this related question that has a lot of good info:
How to setup Mercurial and hgwebdir on IIS?

Related

How to restrain access to OpenGrok results?

We created an OpenGrok server and indexed our sources. The problem is that the SCM we use (here, Perforce, but I guess this does not apply to Perforce only, as permissions at file/folder level are widely used) restrains access per file or folder, and OpenGrok doesn't!
So today, any user performing a search with OpenGrok will retrieve all files, even the ones to which he/she should not have access! Which is, in my opinion, a blocker: we will never release such a security breach in production.
Do you know any setup/workaround to implement such security?
EDIT: this OpenGrok should be used by anyone. I could of course retrieve Perforce sources with my permissions (so I would only get the files I have permissions for) to perform searches, but this would not answer the requirement of a widespread audience.
https://github.com/OpenGrok/OpenGrok/issues/503
Feel free to join the debate there (or in similar requests), or possibly send patches.
Did you consider creating a different p4 user just for syncing your source code for OpenGrok indexing? That user can have limited access based on the entries in the P4 protections table. That way you can sync the code at folder level while hiding the sub-folders based on the protections table permissions.
I have done a similar setup for my opengrok instance :)
Well, I finally found a workaround:
locate your tomcat server XML config file (mine is located in .../apache-tomcat-8.0.52/conf/server.xml)
add the following markup in Server > Service > Engine > Host:
<Valve allow="<list of IPs allowed>" className="org.apache.catalina.valves.RemoteAddrValve" deny="" />
I have a daily script that generates this list of IPs from the workstations allowed and updates this file accordingly. This list is like "1.2.3.4|5.6.7.8|6.2.5.3".
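Two caveats on the valve above that the answer does not mention. First, RemoteAddrValve treats allow= as a Java regular expression, so in a list like 1.2.3.4|5.6.7.8 each unescaped dot matches any character, and any regex metacharacter that slips into the generated list widens what is allowed. Second, if Tomcat sits behind a reverse proxy or load balancer, the remote address it sees is the proxy's, so a RemoteIpValve has to run ahead of this valve or the list means nothing. Below is an added Python example of the generation step, not the answer's own script: it validates each workstation address, escapes it, and tests candidates the way Tomcat does (RequestFilterValve accepts an address only when the whole string matches). The workstation list is constructed sample data.

```python
import re
from ipaddress import ip_address

# Constructed sample of the daily list the answer describes: one workstation per
# entry, plus a blank line and a duplicate that a generated file can pick up.
SAMPLE_WORKSTATIONS = ["1.2.3.4", "5.6.7.8", "6.2.5.3", "", "1.2.3.4"]


def naive_allow_pattern(addresses):
    """The shape used in the answer: raw addresses joined with '|'.
    In a regex '.' matches any character, so this is wider than intended."""
    return "|".join(a for a in addresses if a)


def build_allow_pattern(addresses):
    """Build a RemoteAddrValve allow= value that matches exactly the listed addresses.
    Each entry is parsed with ipaddress, so a malformed line or a regex
    metacharacter that leaked into the list raises ValueError instead of
    silently widening the pattern; dots are escaped to literal dots."""
    escaped = set()
    for entry in addresses:
        if not entry.strip():
            continue                              # skip blank lines from the generator
        ip = ip_address(entry.strip())            # ValueError on anything that is not one IP
        escaped.add(re.escape(str(ip)))           # '1.2.3.4' -> '1\.2\.3\.4'
    return "|".join(sorted(escaped))


def is_allowed(pattern, remote_addr):
    """Mirror Tomcat's decision: RequestFilterValve accepts an address only when
    Matcher.matches() succeeds on the whole string; re.fullmatch is the same test."""
    return re.fullmatch(pattern, remote_addr) is not None


def valve_element(pattern):
    """Render the <Valve> line to put inside <Host> in server.xml."""
    return ('<Valve className="org.apache.catalina.valves.RemoteAddrValve" '
            'allow="%s" />' % pattern)


if __name__ == "__main__":
    print(valve_element(build_allow_pattern(SAMPLE_WORKSTATIONS)))
```

The naive pattern "1.2.3.4" accepts the string "1x2x3x4"; the escaped one does not, and a CIDR range or a stray "|.*" in the input makes the script fail loudly rather than open the server up. Splice the returned Valve line into server.xml inside Host, as the answer describes, and restart Tomcat.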

Get all files located on a server?

I'm trying to find all of the (javascript) resources located on a specific site.
What would be an efficient way of finding them?
Everything I could think of is bruteforcing every possible name and check whether there's a file with this name at the server, although this isn't exactly that efficient.
Yes, you can do this. The thing which you actually want to do is web directory traversal.
It is a kind of web vulnerability which is usually taken into consideration by the webmaster, so you get a 403 Forbidden or 404 Not Found error. Manual exploitation of this is surely possible on a trial-and-error basis in case you get to know the directory that contains .js files. For automation you can make use of Python/Perl for ease of use. I am personally working on a similar project targeting the same objective using PHP and cURL. At present I cannot help with any source code, but I'll surely be posting the same.
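Before guessing names, the cheaper step is to read the pages the site already serves and collect every script they reference. Below is an added Python example, not part of the original question or answer, that pulls script src attributes and modulepreload / preload-as-script hints out of one HTML page, resolves relative and protocol-relative URLs against the page URL, de-duplicates, and optionally drops third-party hosts. The HTML is a constructed sample. Scripts that other scripts load at run time (dynamic import(), document.createElement('script')) do not appear in the markup, which is where a wordlist run against the directories discovered here still has its place.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not from any real site) with the cases that matter:
# absolute and relative paths, an inline script, a third-party CDN, a preload hint.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="modulepreload" href="/static/mod.js">
<script src="/static/app.js"></script>
<script>console.log('inline script: nothing to fetch')</script>
</head><body>
<script src="vendor/jquery.js"></script>
<script src="https://cdn.example.net/lib.js" defer></script>
<SCRIPT SRC="/static/app.js?v=2"></SCRIPT>
</body></html>
"""


class ScriptFinder(HTMLParser):
    """Collect external script references from one HTML document, in document order."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        src = None
        if tag == "script" and a.get("src"):
            src = a["src"]
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower()
            if rel == "modulepreload" or (rel == "preload" and a.get("as") == "script"):
                src = a["href"]
        if src:
            # resolve "vendor/x.js", "/x.js" and "//host/x.js" against the page URL
            self.found.append(urljoin(self.base_url, src))


def find_scripts(html, base_url, same_site_only=True):
    """Return the de-duplicated list of script URLs referenced by the page.
    same_site_only drops hosts other than the page's own (CDNs and the like)."""
    parser = ScriptFinder(base_url)
    parser.feed(html)
    parser.close()
    own_host = urlparse(base_url).netloc
    urls = []
    for url in parser.found:
        if same_site_only and urlparse(url).netloc != own_host:
            continue
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    for u in find_scripts(SAMPLE_HTML, "https://www.example.com/blog/index.html"):
        print(u)
```

Feed each crawled page through find_scripts and the union of the results is the set of script URLs the site admits to; the directories those URLs live in (/static/, /blog/vendor/) are the sensible targets for any brute-force pass that follows.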

How do I move ExpressionEngine (EE) to another server?

What are the best steps to take to prevent bugs and/or data loss in moving servers?
EDIT: Solved, but I should specify I mean in the typical shared hosting environment e.g. DreamHost or GoDaddy.
Bootstrap config is the smartest method (Newism has a free bootstrap config module). I think it works best on fresh installs myself, but ymmv.
If you've been given an existing EE system and need to move it, there are a few simple tools that can help:
REElocate: all the EE 2.x path and config options, in one place. Swap one URL for another in setup, check what's being set and push the button.
Greenery: Again, one module to rule them all. I've not used this but it's got a good rating.
So install, set permissions, move files and DB, and then use either free module. If you find that not all the images or CSS instantly come back online, check your template base paths (in template prefs) and permissions.
I'm also presuming you have access to the old DB. If not, and you can't add something simple like PHPMyAdmin to back it up, try:
Backup Pro(ish): A free backup module for files and db. Easy enough that you should introduce it to the site users (most never consider backups). All done through the EE CP. The zipped output can easily be moved to the new server.
The EE User Guide offers a reasonably extensive guide to Moving ExpressionEngine to Another Server and if you follow all of these steps then you will have everything you need to try again if any bugs or data loss occur.
Verify Server Compatibility
Synchronize Templates
Back-up Database and Files
Prepare the New Database
Copy Files and Folders
Verify File Permissions
Update database.php
Verify index.php and admin.php
Log In and Update Paths
Clear Caches
As suggested by Bitmanic, a dynamic config.php file helps with moving environments tremendously. Check out Leevi Graham's Config Bootstrap for a quick and simple solution. This is helpful for dev/staging/prod environments too!
I'd say the answer is the same as any other system -- export your entire database, and download all of your files (both system and anything uploaded by users - images, etc). Then, mirror this process by importing/uploading to the new server.
Before I run my export, I like to use the Deeploy Helper module to change all of my file paths in EE to the new server's settings.
Preventing data loss primarily revolves around the database and upload directories.
Does your website allow users to interact with the database? If so, at some point you'll need to turn off EE to prevent DB changes. If not, you don't have too much to worry about, as you can track any changes on the database end between the old and new servers.
Both Philip and Derek offer good advice for migrating EE. I've also found that having a bootstrap config file helps tremendously - especially since you can configure your file upload directories directly via config values now (as of EE2.4, I think).
For related information, please check out the answers to this similar Stack Overflow question.

Is there a module or simple way to allow the cc.net.config file to be seen from the webdashboard?

I'd like to be able to have either web dashboard logged-in administrators or general users (depending on which the team prefers) be able to see the contents of this file without remoting into the box. Is this possible using the web dashboard?
This is not an answer to how it can be seen from the web dashboard...
... but it is possible to store the ccnet.config file in source control and set up a special build on the build server that automatically retrieves the newest config file.
This way you do not even have to remote into the box in order to edit the contents of the file.
See more details in the documentation:
http://confluence.public.thoughtworks.org/display/CCNET/Configure+CruiseControl.Net+to+Automatically+Update+its+Config+File

Mercurial: Acl Extension Sample Of Preventing Web Access

I can see how you can use the ACL extension to control the push/pull to a particular repository by certain users, but can you control "WEB" access to a repository using the ACL extension? I would like certain repositories to only show up for certain users.
I am deploying on IIS7, so the solution will need to work in that environment.
I'm assuming you're doing this via the HGWeb CGI script. If you are, you can specify allow_push and allow_read parameters in each project's .hg/hgrc file. If you specify an allow_read other than *, users who are not in the list will not even see the project on the HGWeb project listing page.
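As an added illustration of that answer (not the answerer's own file), here is what the per-repository .hg/hgrc looks like; user names are invented. The same [web] keys placed in hgweb.config act as defaults for every repository the hgwebdir script serves, and the per-repository file overrides them. As with the ACL extension, the names are compared against REMOTE_USER, the name IIS authenticated, so an unauthenticated request never matches anyone.

```ini
# File: <repository>\.hg\hgrc   (overrides the [web] defaults from hgweb.config)

[web]
# if allow_read is set, a user not listed is refused and, on the hgwebdir
# index page, does not even see that the repository exists; unset or '*'
# means everybody may read
allow_read = alice, bob, carol

# deny lists are checked before allow lists, so carol is shut out even
# though she is named above (handy for suspending one account temporarily)
deny_read = carol

# pushing is off unless allow_push names the user ('*' would mean anyone
# who can read); alice may push, bob may only read
allow_push = alice

# pushes are accepted only over HTTPS (this is the default); keep it on and
# let IIS terminate TLS for the site that hosts hgweb
push_ssl = true
```

This gates the whole repository per user; it says nothing about which files or branches alice may change once her push is accepted, which is the ACL extension's job.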
Just use normal .htaccess-like functionality to restrict which repos are accessible. hg mostly doesn't care about auth and leaves that to the web server.

Resources