search

berstend / node-safe

🤠 Make using Node.js safe again with Deno-like permissions
https://node-safe.com
205 stars 8 forks source link

Question about default sandbox settings #5

Open simbados opened 2 years ago

simbados commented 2 years ago

Hi!

Thanks for this awesome project, really appreciate the effort to make the node ecosystem more secure. I have one question: Why does the default sandbox need permission to read master.passwd and passwd? (See lines 31 and 32)

https://github.com/berstend/node-safe/blob/6641fb8c73f616c992278665370d25df102b863b/src/sandbox/macos_defaults.sb#L31

berstend commented 2 years ago

@simbados thanks for the feedback :) In my testing vanilla Node.js was accessing these files, though blocking them seemed to not break anything. I've whitelisted them for the time being until I've had the chance to dig deeper into this and understand the possible implications of blocking access to these specific files.

(If someone knows more specifically why node is accessing them feel free to chime in)

simbados commented 2 years ago

Thanks for the answer! I might have two more questions:

  1. I would really love to see that this repo gets more traction. What do you think about funding, for example a gitcoin grant?
  2. Do you think this concept is portable to other package managers, e.g. pip or cargo? I think these ecosystems suffer from the same problems (maybe not that extensive, but restricting permission is always a good default option). Not sure if this is way out of scope or if this could be introduced at a later time.

Have a good week!