Declare deno task run-with-perms task specifying all the permissions actually needed and alias all other tasks through that
#136
Conversation
BrunoBernardino
left a comment
There was a problem hiding this comment.
Thanks for this. There are a couple of changes I'd like to see, and I'd have to find the time to thoroughly test the permissions before allowing this. I do prefer explicit permissions over "all", though.
deno.json
Outdated
| "test": "deno test -A --check", | ||
|
|
||
| "migrate-db": "deno task run-with-perms ./migrate-db.ts", | ||
| "run": "deno task run-with-perms ./main.ts" |
There was a problem hiding this comment.
We already have preview above, which does the same thing.
There was a problem hiding this comment.
And that name absolutely doesn’t convey that it’s useful for running in production…
Can we rename current start to preview and preview to either start or run maybe?
There was a problem hiding this comment.
(Actually just applied my suggestion.)
c9a24d2 to
b13dd7a
Compare
|
Also updated Dockerfile to use |
…permissions actually needed and alias all other tasks through that Also add `migrate-db` task to the Deno configuration and use that in the `Makefile`, so that the Makefile is fully optional, and swap the meanings of the `start` and `preview` tasks, so that `start` is for production while `preview` is for development.
b13dd7a to
a705a58
Compare
BrunoBernardino
left a comment
There was a problem hiding this comment.
I've pulled this down and had to make a few changes while testing everything.
Unfortunately read and write access to / is necessary due to some node/deno/fresh compatibility needs (to look into the env vars and build into temporary/cache directories), and also to work both in docker and locally.
If this version causes issues in Windows (I'm unable to test), I'll just change them to --allow-write and --allow-read (global/everything) instead of specifying what the app needs and root (it's redundant, but clearer, I hope).
| { | ||
| "lock": true, | ||
| "tasks": { | ||
| "execute-with-permissions": "deno run --allow-env --allow-net --allow-sys=networkInterfaces,hostname,cpus,homedir --allow-read=.,/ --allow-write=data-files,/ --allow-run", |
There was a problem hiding this comment.
Umm… why is --allow-run (with no restrictions) in that list? That’s completely identical to just disabling sandboxing entirely.
There was a problem hiding this comment.
I don't recall what was the process that needed it, but if you remove it and run it (at least via docker), it'll request that permission (I think it's for some node:fs compatibility layer used in fresh). And that's probably why I've had --allow-all or -A before.
|
We obviously have different ideas of what a breaking change is. I know Deno’s handling of file access is isn’t great, so I’m not surprised about the extended permissions there, although what you wrote is actually identical to just using The plain |
Also add
runandmigrate-dbtasks to the Deno configuration and use them from theMakefile, so that the Makefile is fully optional.Just some conveniences, also means the list of permissions is passively tested.