
Remove promiscuous Env usage?

Open SeanTAllen opened this issue 6 years ago • 3 comments

Currently all the VCSes get passed Env which allows them to print to stdout, stderr etc.

Unfortunately this also gives me ambient auth, which we probably do not want. Given that Env gives access to root, it would allow anything to be done: open files, open sockets, etc.

I think we should narrow down to passing only the minimally needed env usage and work from there and add additional access as needed.

SeanTAllen, Aug 01 '19 14:08

Should we separate out the auth that is needed by VCSs to get their programs, and the vars that are needed for PATH and sub-processes, and err and out for writing output?

cquinn, Aug 01 '19 20:08

Yes, and whatever auth we supply to VCSs should be the minimal required.

SeanTAllen, Aug 01 '19 20:08

The VCSs use an env for these things:

  • Find their binary on env.vars["PATH"], or use AmbientAuth if the binary is an absolute path.
  • Pass env.vars to VCS command processes
  • Get auth for ProcessMonitor, which needs StartProcessAuth and ApplyReleaseBackpressureAuth
  • Print to env.err which can be easily replaced or migrated to use Log

Other than the last item, I am not clear on how to supply all these disparate values to the VCSs so that they can find and run their binaries.

cquinn, Nov 24 '19 00:11
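One way to wire up the four uses listed above without handing a VCS the whole Env, as an added illustration that is not corral's own code and not a proposal from either commenter. `VCSAuth`, `FindOnPath` and `GitVCS` are hypothetical names; the example assumes the current Pony stdlib signatures for `StartProcessAuth`, `ApplyReleaseBackpressureAuth`, `FileAuth`, `FilePath`, `Path` and `ProcessMonitor`, and that `env.root` is `AmbientAuth val`. Main, which holds ambient authority anyway, resolves the binary on PATH and mints the two process auths; the VCS actor receives only those auths, the `vars` array, an `OutStream` for errors and a concrete `FilePath`, so it cannot open arbitrary files or sockets even if it wanted to.

```pony
use "backpressure"
use "files"
use "process"

// Hypothetical bundle of the narrowed capabilities a VCS driver needs.
// Built once in Main from Env; the VCS never sees Env or AmbientAuth.
class val VCSAuth
  let start: StartProcessAuth                 // needed by ProcessMonitor
  let backpressure: ApplyReleaseBackpressureAuth
  let vars: Array[String] val                 // environment for subprocesses
  let err: OutStream                          // diagnostics (could become Log)

  new val create(env: Env) =>
    start = StartProcessAuth(env.root)
    backpressure = ApplyReleaseBackpressureAuth(env.root)
    vars = env.vars
    err = env.err

// Hypothetical PATH lookup. It runs where file authority is available so
// the VCS gets a FilePath for one binary rather than a way to open files.
// Only FileStat and FileExec are granted on the resulting path.
primitive FindOnPath
  fun apply(auth: FileAuth, vars: Array[String] val, name: String)
    : FilePath ?
  =>
    var path_var = ""
    for v in vars.values() do
      if v.at("PATH=") then path_var = v.substring(5) end
    end
    let caps = recover val FileCaps .> set(FileStat) .> set(FileExec) end
    for dir in Path.split_list(path_var).values() do
      let candidate = FilePath(auth, Path.join(dir, name), caps)
      if candidate.exists() then return candidate end
    end
    error

// Hypothetical git driver: holds only VCSAuth and the resolved binary.
actor GitVCS
  let _auth: VCSAuth
  let _git: FilePath

  new create(auth: VCSAuth, git: FilePath) =>
    _auth = auth
    _git = git

  be clone(url: String, dest: String) =>
    let notify = object iso is ProcessNotify
      let err: OutStream = _auth.err
      fun ref stdout(p: ProcessMonitor ref, data: Array[U8] iso) => None
      fun ref stderr(p: ProcessMonitor ref, data: Array[U8] iso) =>
        err.write(consume data)
      fun ref failed(p: ProcessMonitor ref, e: ProcessError) =>
        err.print("git failed: " + e.string())
      fun ref dispose(p: ProcessMonitor ref, status: ProcessExitStatus) =>
        None
    end
    // Only the two narrow auths and the vars array reach the subprocess API.
    ProcessMonitor(_auth.start, _auth.backpressure, consume notify, _git,
      recover val ["git"; "clone"; url; dest] end, _auth.vars)

actor Main
  new create(env: Env) =>
    let auth = VCSAuth(env)
    try
      // Main still holds AmbientAuth, so it does the PATH search itself.
      let git = FindOnPath(FileAuth(env.root), env.vars, "git")?
      // Placeholder repository URL, constructed for the example.
      GitVCS(auth, git).clone("https://example.com/repo.git", "repo")
    else
      env.err.print("git not found on PATH")
    end
```

The point of the split is that each field of `VCSAuth` is itself a narrow capability (a `StartProcessAuth` cannot be turned back into `AmbientAuth`), so auditing what a VCS can do reduces to reading that one class. If a VCS later needs something more, add a field there rather than reaching for Env again.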