monotone-devel

Re: [Monotone-devel] Re: Question for Tim - testsuite.lua giant list


From: Jack Lloyd
Subject: Re: [Monotone-devel] Re: Question for Tim - testsuite.lua giant list
Date: Tue, 4 Jul 2006 14:18:46 -0400
User-agent: Mutt/1.5.11

On Tue, Jul 04, 2006 at 11:01:03AM -0700, Zack Weinberg wrote:

> Given that hooks already have access to os.remove and os.execute (==
> system()) I don't think adding filesystem primitives increases
> people's exposure to dangerous hooks, although I suppose an argument
> could be made for its being harder to grep for dangerous operations.

I don't know Lua at all, but would a namespacing mechanism be
possible/reasonable? E.g., os.execute -> unsafe.execute and so forth?

> I'd argue that it would be better to restrict hooks based on paths
> rather than operations (e.g. "no access to files outside the workspace
> and the temp directory") but I recognize that that is substantially
> harder.

Generalized: A (trusted) hook that is passed the operation and the
filename or args, and returns permission approved/denied. Default
implementation as you suggest. That would also allow one to, say,
limit os.execute to specific programs, or other interesting/arbitrary
restrictions. Probably a lot of work, though...

-Jack
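
Added example, not part of the original message and not monotone's own code: a sketch in Lua of the trusted permission hook described above, with the path-based default (workspace and temp directory only) and an exact-match allow-list for os.execute. The names WORKSPACE, TMPDIR, ALLOWED_COMMANDS, permit, guard and sandbox, and all sample paths, are assumptions made for illustration.

```lua
-- Added example; every name and path below is hypothetical / constructed.
local WORKSPACE, TMPDIR = "/home/dev/project", "/tmp"   -- sample roots
local ALLOWED_COMMANDS = { ["diff --version"] = true }  -- exact-match allow-list

-- Lexically resolve "." and ".." against the workspace. Symlinks are not
-- resolved here; the host program would have to supply a realpath() for that.
local function normalize(path)
  if path:sub(1, 1) ~= "/" then path = WORKSPACE .. "/" .. path end
  local parts = {}
  for seg in path:gmatch("[^/]+") do
    if seg == ".." then table.remove(parts)
    elseif seg ~= "." then parts[#parts + 1] = seg end
  end
  return "/" .. table.concat(parts, "/")
end

-- True when path is root itself or lies below it ("/tmpfoo" is not in "/tmp").
local function inside(path, root)
  return path == root or path:sub(1, #root + 1) == root .. "/"
end

-- The trusted hook: given the operation and its argument, approve or deny.
local function permit(op, arg)
  if op == "execute" then return ALLOWED_COMMANDS[arg] == true end
  local p = normalize(arg)
  return inside(p, WORKSPACE) or inside(p, TMPDIR)
end

-- Wrap a primitive so the policy is consulted before it can run.
local function guard(op, fn)
  return function(arg, ...)
    if not permit(op, tostring(arg)) then
      return nil, op .. " denied by policy: " .. tostring(arg)
    end
    return fn(arg, ...)
  end
end

-- Environment handed to untrusted hooks: guarded primitives only.
local sandbox = {
  os = { remove = guard("remove", os.remove), execute = guard("execute", os.execute) },
  io = { open = guard("open", io.open) },
}

-- Policy decisions only; no denied call reaches the real primitive.
print(sandbox.os.remove("/etc/hosts"))        -- absolute path outside both roots
print(sandbox.io.open("../../etc/hosts"))     -- relative path escaping the workspace
print(sandbox.os.execute("echo hello"))       -- command not on the allow-list
print(permit("open", "build/./out.log"))      -- relative path inside the workspace
```

An untrusted hook would be loaded with `sandbox` as its environment (setfenv in Lua 5.1, the env argument of load in 5.2 and later), so it never sees the unguarded os and io tables.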



