Spotted while reviewing #634.
The built-in Permissions::user() (apps/skit/src/permissions.rs) restricts core nodes to a specific safe set that excludes core::file_writer (flagged as an arbitrary-write risk) and allows allowed_plugins = ["plugin::*"].
The sample [permissions.roles.user] in samples/skit.toml instead grants core::* (which includes core::file_writer) and allowed_plugins = [].
This divergence is pre-existing (the sample already used core::* before #634). It means an operator who copies the sample config gets a broader core-node surface than the secure built-in default, while simultaneously being more restrictive on plugins.
Proposal
Decide the intended posture for the sample and align it:
- Either tighten the sample
user role's allowed_nodes to match the built-in safe core set (drop blanket core::*, deny core::file_writer), and reconcile allowed_plugins, or
- Document explicitly that the sample is intentionally illustrative/looser than the built-in default.
Refs: apps/skit/src/permissions.rs (Permissions::user()), samples/skit.toml ([permissions.roles.user]), #634.
Spotted while reviewing #634.
The built-in
Permissions::user()(apps/skit/src/permissions.rs) restricts core nodes to a specific safe set that excludescore::file_writer(flagged as an arbitrary-write risk) and allowsallowed_plugins = ["plugin::*"].The sample
[permissions.roles.user]insamples/skit.tomlinstead grantscore::*(which includescore::file_writer) andallowed_plugins = [].This divergence is pre-existing (the sample already used
core::*before #634). It means an operator who copies the sample config gets a broader core-node surface than the secure built-in default, while simultaneously being more restrictive on plugins.Proposal
Decide the intended posture for the sample and align it:
userrole'sallowed_nodesto match the built-in safe core set (drop blanketcore::*, denycore::file_writer), and reconcileallowed_plugins, orRefs:
apps/skit/src/permissions.rs(Permissions::user()),samples/skit.toml([permissions.roles.user]), #634.