Ask HN: Is there a process manager with a permissions model similar to Deno?
From Deno's documentation:
> Deno is secure by default. Therefore, unless you specifically enable it, a program run with Deno has no file, network, or environment access. Access to security sensitive functionality requires that permissions have been granted to an executing script through command line flags, or a runtime permission prompt.
I think Deno is interesting in how it locks down permissions by default and only enables access to certain features via startup flags. For Example:
> --allow-env=<allow-env> Allow environment access for things like getting and setting of environment variables. Since Deno 1.9, you can specify an optional, comma-separated list of environment variables to provide an allow-list of allowed environment variables.
--allow-hrtime Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
--allow-net=<allow-net> Allow network access. You can specify an optional, comma-separated list of IP addresses or hostnames (optionally with ports) to provide an allow-list of allowed network addresses.
--allow-ffi Allow loading of dynamic libraries. Be aware that dynamic libraries are not run in a sandbox and therefore do not have the same security restrictions as the Deno process. Therefore, use with caution. Please note that
--allow-read=<allow-read> Allow file system read access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.
--allow-run=<allow-run> Allow running subprocesses. Since Deno 1.9, You can specify an optional, comma-separated list of subprocesses to provide an allow-list of allowed subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process. Therefore, use with caution.
--allow-write=<allow-write> Allow file system write access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.
-A, --allow-all Allow all permissions. This enables all security sensitive functions.
My question is... Is there a process manager, that can run any process (not just deno/javascript application) that has a similar permissions model, where everything is locked down by default and you have to explicitly grant permission to your application to be able to have access to these functions that could pose a security threat.
0 comments
[ 5.4 ms ] story [ 12.7 ms ] threadNo comments yet.