lune-org/lune

Script permission system / sandboxing

Closed this issue · 3 comments

Any script running in Lune can steal cookies with roblox.getAuthCookie(), read and write arbitrary files with fs, and send network traffic with net.

It's very important to block access to these when running scripts that aren't your own.

An additional argument could be added to the Lune executable that specifies permissions, for example:
lune rwnc arg arg arg
where each letter in the arg rwnc represents a feature that is allowed.

---- - No perms.
rw-- - File read / write perms.
r-n- - File read and net perms.
r-nc - File read, net, and cookie perms.
Etc.

Might be neat to follow something like how Deno's permissions work: https://deno.com/manual@v1.33.2/basics/permissions

Looking forward to PR'ing this! Would something like a --allow flag that takes in a comma-separated list of permissions to allow sound good?

In the future, we could build on this and only allow access to certain files, exec commands, etc. similar to Deno.
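A sketch of how the two forms proposed above (the positional rwnc mask from the opening post and the comma-separated --allow list from the follow-up comment) could be parsed and enforced fail-closed. This is an added example, not Lune's code: the Perm names, parse_mask, parse_allow and check are my own assumptions.

```rust
use std::collections::BTreeSet;

/// The four capabilities named in the thread, in "rwnc" slot order.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Perm { Read, Write, Net, Cookie }

impl Perm {
    pub const ALL: [Perm; 4] = [Perm::Read, Perm::Write, Perm::Net, Perm::Cookie];
    /// Letter used in the positional mask ("r-n-").
    pub fn letter(self) -> char {
        match self { Perm::Read => 'r', Perm::Write => 'w', Perm::Net => 'n', Perm::Cookie => 'c' }
    }
    /// Long name used in the comma-separated --allow list (assumed spelling).
    pub fn name(self) -> &'static str {
        match self { Perm::Read => "read", Perm::Write => "write", Perm::Net => "net", Perm::Cookie => "cookie" }
    }
}

/// Parse a positional mask such as "r-n-". Every slot must hold its own letter
/// or '-'; any other character is an error so a typo can never widen access.
pub fn parse_mask(mask: &str) -> Result<BTreeSet<Perm>, String> {
    let chars: Vec<char> = mask.chars().collect();
    if chars.len() != Perm::ALL.len() {
        return Err(format!("mask must be {} characters: {:?}", Perm::ALL.len(), mask));
    }
    let mut granted = BTreeSet::new();
    for (perm, &c) in Perm::ALL.iter().zip(&chars) {
        if c == perm.letter() {
            granted.insert(*perm);
        } else if c != '-' {
            return Err(format!("unexpected {:?} in the {} slot", c, perm.name()));
        }
    }
    Ok(granted)
}

/// Parse the "--allow=read,net" form. Unknown names are rejected (fail closed).
pub fn parse_allow(list: &str) -> Result<BTreeSet<Perm>, String> {
    let mut granted = BTreeSet::new();
    for item in list.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        match Perm::ALL.iter().find(|p| p.name() == item) {
            Some(p) => { granted.insert(*p); }
            None => return Err(format!("unknown permission {:?}", item)),
        }
    }
    Ok(granted)
}

/// Gate a builtin call: deny by default and name the call so the error is actionable.
pub fn check(granted: &BTreeSet<Perm>, needed: Perm, call: &str) -> Result<(), String> {
    if granted.contains(&needed) { return Ok(()); }
    Err(format!("{} requires the {} permission", call, needed.name()))
}
```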

I'll be closing this issue in favor of better documentation around security when using Lune.

Permissions systems like the ones in Deno tend to be good for making a user feel safe but it's very easy to end up simply annoying them with prompts while not actually providing much protection. Security is something much more nuanced than permission prompts make it out to be, because a prompt for X may actually end up permitting some other action Y that the user is not aware of.

If a user really wants complete security, we should tell them to use containers, VMs, or other similar approaches.