Question about default sandbox settings
simbados opened this issue · comments
Hi!
Thanks for this awesome project, really appreciate the effort to make the node ecosystem more secure.
I have one question:
Why does the default sandbox need permission to read master.passwd and passwd? (See lines 31 and 32)
node-safe/src/sandbox/macos_defaults.sb
Line 31 in 6641fb8
@simbados thanks for the feedback :)
In my testing vanilla Node.js was accessing these files, though blocking them seemed to not break anything. I've whitelisted them for the time being until I've had the chance to dig deeper into this and understand the possible implications of blocking access to these specific files.
(If someone knows more specifically why node is accessing them feel free to chime in)
Thanks for the answer!
I might have two more questions:
- I would really love to see that this repo gets more traction. What do you think about funding, for example a gitcoin grant?
- Do you think this concept is portable to other package managers, e.g. pip or cargo?
I think these ecosystems suffer from the same problems (maybe not that extensive, but restricting permission is always a good default option). Not sure if this is way out of scope or if this could be introduced at a later time.
Have a good week!