
Constrain rights of post-install script?

Open · pledbrook opened this issue 10 years ago · 6 comments

The post-install script is a dangerous beast, which could wreak havoc on a user's system. We can rely for a time on verifying the safety of various templates before including them in the main repository, but if the number of templates increases significantly, we just can't keep that up.

The post-install script should really run in a limited sandbox by default unless the user explicitly authorises the script to run with unlimited permissions. Ideally the script would have full filesystem access to the project directory, but nowhere else. Perhaps global read permissions would be OK, but even that might be too much.

Anyway, it's clear this issue needs to be researched and a general security policy decided upon before it's implemented.

pledbrook · Aug 02 '13 14:08
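One way to express the policy sketched above on the JVM, as an added illustration rather than Lazybones code: a `SecurityManager` (the mechanism available when this issue was filed; deprecated for removal since Java 17 and requiring `-Djava.security.manager=allow` on Java 18 and later) that permits reads anywhere, confines writes and deletes to the project directory, and refuses process spawning or replacing the manager from inside the script. The class name `ProjectDirSandbox` is an assumption, and this is a policy sketch, not a complete sandbox: reflection and class-loader abuse are outside what it checks.

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;

// Constructed example: read anywhere, write only under the project directory,
// no process execution, no swapping out the sandbox. Install before running the
// post-install script with System.setSecurityManager(new ProjectDirSandbox(dir)).
public class ProjectDirSandbox extends SecurityManager {
    private final String projectRoot;

    public ProjectDirSandbox(File projectDir) throws IOException {
        // Canonicalise once so a symlinked project directory compares correctly.
        this.projectRoot = projectDir.getCanonicalPath();
    }

    // True if the canonical form of the path is the project dir or lies beneath it.
    boolean insideProject(String path) {
        try {
            String canon = new File(path).getCanonicalPath();
            // Separator check stops "/home/proj" from matching "/home/project2";
            // canonicalising resolves ".." and symlinks before the comparison.
            return canon.equals(projectRoot)
                || canon.startsWith(projectRoot + File.separator);
        } catch (IOException e) {
            return false; // an unresolvable path is treated as outside the project
        }
    }

    @Override public void checkRead(String file) { /* global read: allowed */ }
    @Override public void checkRead(String file, Object context) { }

    @Override public void checkWrite(String file) {
        if (!insideProject(file)) throw new SecurityException("write outside project: " + file);
    }

    @Override public void checkDelete(String file) {
        if (!insideProject(file)) throw new SecurityException("delete outside project: " + file);
    }

    @Override public void checkExec(String cmd) {
        throw new SecurityException("post-install script may not spawn processes: " + cmd);
    }

    @Override public void checkPermission(Permission perm) {
        // Everything else is permitted, except disabling this sandbox from inside the script.
        if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName()))
            throw new SecurityException("script may not replace the security manager");
    }

    @Override public void checkPermission(Permission perm, Object context) { checkPermission(perm); }
}
```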