-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add --allow-read #1225
Comments
👍 to --allow-read. It's conceivable you'd want net access without read. This could later be modified e.g. to specify which dirs have read access. |
Isn't this better handled by OS level permissions? Why reinvent the wheel (likely badly)? With every feature, especially one like this, there is a huge cost to usability, and large usability friction will only reduce adoption. If there is no risk with read access, why hassle with it. Ergo, why not remove Yeah, it is conceivable that you would want net access without read. You might want net access without access to the env too, that does mean it weakens the security module by implicitly allowing it. |
I was experimenting a little to see if it was possible to read environment variables from the filesystem via At the very least if they know where to look for environment variables ( Although protection from writing environment variables might still be useful. |
I have no knowledge of the inner workings on Your explanation makes perfect sense
However, the assumption behind this message is that the sandboxing can't and won't be broken. Having an |
If they can break the At the moment, while you can't get unfettered net access, you could form a module identity in the runtime that could make a request to an arbitrary server that could send information "readable" from the host. That is covered by #712. |
I can second that. And reading the reasoning also makes sense, but: I like the statement on the roadmap: "We want to be secure by default; user should be able to run untrusted code, like the web." |
After discussing with several people it seems adding As @hayd said in the first comment, it's conceivable you'd want net access without read. Deno's prerogative is security over ergonomics. Once we have I'm renaming this issue to reflect the new goal. Thanks for the helpful comments. |
I'm wondering whether we should provide an explicit
|
@F001 or adding a 4th one?: |
@kevinkassimo Actually, I think int flag might be not enough for fine grained permission control. As discussed in #720, many people want different permission for different paths. Which means, we should provide a map (or even a route system) for permission settings.
What's more, if we want to provide a sandbox, this system should allow mounting. For example, we can access "/a/b/c" in typescript, but it actually mapped to "/x/y/z" in operating system. |
Let's do this piecemeal - it should be easy to add |
I agree that |
Hi all--new Deno'er here. It looks like @sh7dm and I have duplicated some work on this, but not a ton. There are some open questions I've had as I started on this. What's a read operation?
whereas in mine, I include also:
Can anyone give an authoritative/exhaustive list of what Ops should ask for read access? @sh7dm let me know if you want to merge our branches and split up the remaining work on this. Thanks! |
Thanks @kitsonk this was just a case of bad timing as I started looking into this yesterday just as a way to familiarize myself with Deno, so I'm fine to step off of it. |
@fewf Thanks for looking into this! (FYI I asked @fewf to look into this but stupidly also asked @sh7dm to too - many apologies - bad project management!)
Agree that these need allow-read
Not sure about this one... I guess it is exposing something about the disk but
I think these should require allow-write but not allow-read. Or am I missing something? |
Naw, that makes sense. I was thinking very maximally at first. (edit to add: for instance, in the case of |
I've closed my PR in favor of @sh7dm . I did continue to do some more work towards fixing this issue, which I have in a PR into @sh7dm 's branch: dsseng#1 . Tests are passing, but I think there's still room to add new tests to ensure the feature is implemented correctly. Hope this can be used and sorry if I stepped on anyone's toes--very excited to be working on this project! |
@fewf I think we should merge our branches to find the best code and use it |
Currently, deno allows disk read access without a flag. The idea behind this is that although programs may be able to access secret info (e.g. your ssh key) without network access or disk write access, there isn't anyway they could exploit that knowledge. It's meant as a connivance.
Environmental variable access is quite similar to disk read access. If you can access the environ without having write or network access - there is no way to exploit that.
This seems to be a double standard. Thus I propose we either remove --allow-env and treat it as read access to the disk. Or we get more constrained and bundle and add --allow-read for disk access.
The text was updated successfully, but these errors were encountered: