If the user that executes remote scripts is the same as the user that creates and runs the telekinesis service itself, then remote users are able to create a script that opens the security database and rewrites their permissions.
In that scenario, script.create and script.update.[x] can be trivially escalated to full permissions.
To prevent this:
Create a new OS user who will execute telekinesis scripts
Set permissions on that user to prevent anything unwanted from happening
Before running, chown "run.py" or the binary to that user, and chmod it 6777
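The following check is an added example, not code from the telekinesis project: it reports whether the script-execution user could still reach the security database after the steps above. The database path, the user names passed on the command line, and the function names are assumptions; only classic mode bits on the file and its directory are evaluated (no ACLs, no parent directories further up).

```python
import os
import stat

def mode_allows(st, uid, gids, want):
    """Owner/group/other check for want in 'r', 'w', 'x' (ACLs and capabilities ignored)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bool(bits & {"r": 4, "w": 2, "x": 1}[want])

def audit_separation(db_path, service_uid, script_uid, script_gids):
    """Return findings that would let a remote script alter the security database."""
    findings = []
    if service_uid == script_uid:
        findings.append("script user is the service user")
    db = os.stat(db_path)
    parent = os.stat(os.path.dirname(os.path.abspath(db_path)))
    # Without search (x) permission on the directory the file cannot be opened at all.
    if not mode_allows(parent, script_uid, script_gids, "x"):
        return findings
    if mode_allows(db, script_uid, script_gids, "w"):
        findings.append("script user can write the security database")
    if mode_allows(db, script_uid, script_gids, "r"):
        findings.append("script user can read the security database")
    # Directory write access allows swapping the file, unless the sticky bit
    # protects files owned by someone else.
    sticky = bool(parent.st_mode & stat.S_ISVTX) and script_uid not in (0, db.st_uid, parent.st_uid)
    if mode_allows(parent, script_uid, script_gids, "w") and not sticky:
        findings.append("script user can replace the security database file")
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage (hypothetical file name): python check_separation.py <db path> <service user> <script user>
    path, service, script = sys.argv[1:4]
    s = pwd.getpwnam(script)
    gids = set(os.getgrouplist(script, s.pw_gid))
    for line in audit_separation(path, pwd.getpwnam(service).pw_uid, s.pw_uid, gids) or ["no findings"]:
        print(line)
```

An empty result means the mode bits alone keep the script user away from the database; any finding means script.create or script.update.[x] can still reach it.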