deno icon indicating copy to clipboard operation
deno copied to clipboard

Published 20 hours ago verified publisher icon denoland

(Deno.spawn/Deno.spawnChild) kill ability permission requirement

Open jsejcksn opened this issue 2 years ago • 2 comments

I ran a subprocess using Deno from within a process that had already been granted a specific run permission for Deno (--allow-run=deno), and then tried to kill the child process. I tried two ways: by providing an AbortSignal in the options, and by using Deno.Child#kill. I was met with this permission prompt both times:

⚠️  ️Deno requests run access to all. Run again with --allow-run to bypass this prompt.
   Allow? [y/n (y = yes allow, n = no deny)]

I denied it (because I don't want to run the script with unlimited run permissions — I already granted the process name in advance), and an exception was thrown:

⚠️  ️Deno requests run access to all. Run again with --allow-run to bypass this prompt.
   Allow? [y/n (y = yes allow, n = no deny)]  n
error: Uncaught (in promise) PermissionDenied: Requires run access to all, run again with the --allow-run flag
  ac.abort();
     ^
    at Object.opSync (deno:core/01_core.js:170:12)
    at Child.kill (deno:runtime/js/40_spawn.js:172:12)
    at onAbort (deno:runtime/js/40_spawn.js:128:34)
    at AbortSignal.[[[signalAbort]]] (deno:ext/web/03_abort_signal.js:80:11)
    at AbortController.abort (deno:ext/web/03_abort_signal.js:159:32)
    at file:///...

I haven't followed the stack trace into the built-ins and core yet, but I was quite surprised to see this. Is it a requirement to grant blanket run permission to all processes in order to kill any child process using the spawn/spawnChild API? If so, why? And can this be changed before stabilization?

jsejcksn avatar Jul 16 '22 09:07 jsejcksn

The reason is it currently calls the same op as Deno.kill, which needs unbounded run perms. I was gonna change this in the new subprocess API PR, but there was a reason i didnt (cant remember), but it is something that should be changed

crowlKats avatar Jul 16 '22 10:07 crowlKats

I second this behavior as odd. I ran into this with my own script, which had a simple --allow-run=mpv permission, but I would need to allow running any subprocess if I wanted to kill that spawned Deno.Process

andykais avatar Jul 29 '22 04:07 andykais

deno puppeteer also requires run-all because of this

sigmaSd avatar Sep 21 '22 19:09 sigmaSd

I updated the title to reflect the new Deno.Command API as a replacement of the spawn API and that this still applies to the new API.

jsejcksn avatar Nov 20 '22 02:11 jsejcksn

Unfortunately, giving unbound run permissions reduces the run process permission to absurdum. Deno should be able to kill processes of executables that are located under the allowed run scope. Alternatively, a permission to kill processes with a specific scope should be added.

https://github.com/denoland/deno/pull/15339 I see there are already pull requests made and pending review. Hopefully this can be resolved.

SINE avatar Feb 21 '23 00:02 SINE