Updoc and Elmer by default run Updoc scripts with all
their user's authority -- just as *.e scripts are
normally run. Actually, the situation is currently
worse than that -- this default is the only option
currently provided by these programs. This means that
the decision to run an Updoc script must be taken
exactly as seriously as the decision to run a *.e
script, which is to say, as seriously as the decision
to install a conventional program on your computer.
Followup by mark on 2001-Sep-15 16:43
Security. Regarding this security issue, the E system
supports less privileged code contexts -- emakers and
caplets. (EMakers are already supported. Caplets are
coming soon.) EMakers are evaluated with no authority
to affect the world outside themselves. Caplets are
emakers whose evaluation result is, by convention,
handed certain restricted authorities -- primarily the
authority to ask (presumably the user) for more
authority. Updoc must provide a means of running Updoc
scripts in a caplet-like way: of implicitly turning its
usage of names from the privileged scope (like
"<unsafe:...>") into authorization requests.
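The caplet-like mode described above can be sketched in a few dozen lines. The block below is an added illustration, not code from E, Updoc or Elmer: a script runs against a scope in which ordinary names resolve directly, but every use of a privileged name (spelled `<unsafe:...>` as on this page) is turned into an authorization request answered by a policy callback. The script format, the `echo` and `file` authorities, and the `grant` callback are all constructed for the demo; with no policy supplied the answer is always no, so the script stops at the first privileged use instead of inheriting the user's full authority.

```python
"""Added illustration (not E's or Updoc's own code): running a script in a
caplet-like scope where privileged names become authorization requests."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Privileged-scope spelling taken from the page; the regex is ours.
PRIV_NAME = re.compile(r"<unsafe:(\w+)>")


class CapletScope:
    def __init__(self, safe: Dict[str, Callable], privileged: Dict[str, Callable],
                 grant: Optional[Callable[[str], bool]] = None):
        self.safe = safe
        self.privileged = privileged
        # Default policy: nobody answers the request, so every request is denied.
        self.grant = grant if grant is not None else (lambda name: False)
        self.requests: List[Tuple[str, bool]] = []   # audit trail of (name, granted)

    def lookup(self, name: str):
        if name in self.safe:
            return self.safe[name]
        m = PRIV_NAME.fullmatch(name)
        if m is None:
            raise NameError(name)
        key = m.group(1)
        # A privileged name is never bound directly: using it asks the policy.
        granted = key in self.privileged and bool(self.grant(key))
        self.requests.append((key, granted))
        if not granted:
            raise PermissionError(name)
        return self.privileged[key]


def run_script(script: str, scope: CapletScope) -> List[Tuple[str, str]]:
    """Toy line-oriented format (constructed, not Updoc syntax): each line is
    'name arg arg...' and calls the looked-up function with string arguments.
    Returns one (status, detail) pair per line and stops at the first denial."""
    outcomes: List[Tuple[str, str]] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        try:
            fn = scope.lookup(name)
        except PermissionError:
            outcomes.append(("denied", name))
            return outcomes          # fail closed: no authority, no further effects
        outcomes.append(("ok", str(fn(*args))))
    return outcomes


# Constructed authorities for the demo; fake_file_read touches no real file.
def fake_file_read(path: str) -> str:
    return f"<contents of {path}>"


def make_scope(grant: Optional[Callable[[str], bool]] = None) -> CapletScope:
    return CapletScope(
        safe={"echo": lambda *a: " ".join(a)},
        privileged={"file": fake_file_read},
        grant=grant,
    )


# Constructed sample script: one ordinary call, one privileged call, one more call.
SAMPLE_SCRIPT = """
echo starting
<unsafe:file> /tmp/notes.txt
echo finished
"""


def run_default() -> List[Tuple[str, str]]:
    """Caplet-like default: the privileged use is requested and denied."""
    return run_script(SAMPLE_SCRIPT, make_scope())


def run_with_policy(allowed) -> List[Tuple[str, str]]:
    """A policy standing in for 'ask the user': grants only the listed names."""
    return run_script(SAMPLE_SCRIPT, make_scope(grant=lambda n: n in allowed))


if __name__ == "__main__":
    print(run_default())
    print(run_with_policy({"file"}))
```

The `requests` list on the scope is the piece a defender cares about: every privileged name the script touched is recorded with the policy's answer, whether or not the run was allowed to continue.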
Followup by user_id=54168
Now that we have updoc scripts on our new wiki, which is publicly editable, this bug has become urgent. I have accordingly promoted it to the highest priority.