You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the --allow-run is a carte blanche privilege.
Running a script with --allow-run we might run it with --allow-all just as well, because a script having --allow-run can run itself with --allow-all and escalate its Deno privileges (not the OS privileges).
We need a new permission type and a command similar to Deno.run() to run other Deno programs only (e.g. Deno.denoRun() or a different name) but with additional property in RunOptions being permissions to keep. Running:
would run the same deno interpreter with permission arguments being the intersection of permissions in Deno.denoRun() and the current Deno.permissions(), e.g.:
/path/to/deno --allow-read abc (if Deno.permissions() include read)
/path/to/deno abc (if Deno.permissions() don't include read) or alternatively throw an exception (reject the promise) if the required permissions are not present in Deno.permissions() (maybe running with less permissions or throwing can be configurable with some other option)
Current permissions
Currently the permissions are binary, the command line flags take no arguments and the properties of Deno.permissions() are booleans:
With binary permissions the new Deno.denoRun() would take a simple set intersection.
Future permissions
In the future I expect the flags to take arguments and the properties of Deno.permissions() to be either booleans for absolute permissions (like read everything) or arrays of path names (or network masks for net permission etc):
--allow-run Allow running subprocesses (risk of privilege escalation)
--allow-deno Allow running Deno subprocesses (same permissions or less)
or changing the current --allow-run to --allow-exe or --allow-exec to make the --allow-run in line with deno run:
--allow-exe Allow running subprocesses (risk of privilege escalation)
--allow-run Allow running Deno subprocesses (same permissions or less)
Optionally no flag for that functionality
One might argue that running other Deno programs with the same or less privileges should not need a separate permission because doing so the script doesn't gain any more access than it already had, but I'd argue that it might be useful to have a separate permission flag for that to avoid possible problems in the future (like e.g. fork bombs etc).
More info:
See the comments to Deno eval #2081 where I came up with the idea and showed more examples.
Currently the
--allow-run
is a carte blanche privilege.Running a script with
--allow-run
we might run it with--allow-all
just as well, because a script having--allow-run
can run itself with--allow-all
and escalate its Deno privileges (not the OS privileges).We need a new permission type and a command similar to
Deno.run()
to run other Deno programs only (e.g.Deno.denoRun()
or a different name) but with additional property inRunOptions
being permissions to keep. Running:would run the same deno interpreter with permission arguments being the intersection of
permissions
inDeno.denoRun()
and the currentDeno.permissions()
, e.g.:/path/to/deno --allow-read abc
(ifDeno.permissions()
includeread
)/path/to/deno abc
(ifDeno.permissions()
don't includeread
) or alternatively throw an exception (reject the promise) if the required permissions are not present inDeno.permissions()
(maybe running with less permissions or throwing can be configurable with some other option)Current permissions
Currently the permissions are binary, the command line flags take no arguments and the properties of
Deno.permissions()
are booleans:With binary permissions the new
Deno.denoRun()
would take a simple set intersection.Future permissions
In the future I expect the flags to take arguments and the properties of
Deno.permissions()
to be either booleans for absolute permissions (like read everything) or arrays of path names (or network masks fornet
permission etc):With scoped permissions the new
Deno.denoRun()
would need to take a subset of the scope fromDeno.permissions()
andDeno.denoRun()
invocation, e.g.Deno.permissions()
returns{ read: ["/etc/x", "/etc/y"], write: false }
Deno.denoRun()
requires{ read: ["/etc/x/abc"] }
--allow-read=/etc/x/abc
or:
Deno.permissions()
returns{ read: ["/etc/x", "/home/y"], write: false }
Deno.denoRun()
requires{ read: ["/home"] }
--allow-read=/home/y
Possible flag names:
Keeping the existing
--allow-run
:or changing the current
--allow-run
to--allow-exe
or--allow-exec
to make the--allow-run
in line withdeno run
:Optionally no flag for that functionality
One might argue that running other Deno programs with the same or less privileges should not need a separate permission because doing so the script doesn't gain any more access than it already had, but I'd argue that it might be useful to have a separate permission flag for that to avoid possible problems in the future (like e.g. fork bombs etc).
More info:
See the comments to Deno eval #2081 where I came up with the idea and showed more examples.
Related issues:
The text was updated successfully, but these errors were encountered: