On Saturday, 8 October 2022 at 19:57:35 UTC, kdevel wrote:

   ~/.ssh/authorized_keys?

   ~/.profile
   ~/.bashrc

https://xkcd.com/1958/

"Except... the program could also just write those files when you run it. What's stopping people now?"

"Yeah, messing with people's home folder isn't hard."

"I guess it's just that most people aren't criminals?"

"Oh right, I always forget."

"An underappreciated component of our computer security system."

On Saturday, 8 October 2022 at 20:14:24 UTC, FeepingCreature wrote:

Andrey asked for compilation only. Of course the program is ran under a separate user.

True if you set the file perms to 0777. Uh sorry. std.conv.octal!"777".to!int.

An open door may tempt a saint.

On Saturday, 8 October 2022 at 07:33:42 UTC, Araq wrote:

Wow - I've kept my eye on Nim a bit over the years, but I didn't realize that it already does do things like reading files at compile-time out of the box. Very cool. However, there are some limitations still:

import std/httpclient

proc doCrazyStuff(): string =
  var client = newHttpClient()
  let content = client.getContent("https://forum.dlang.org/thread/ijvehaanfbuhywaziqns@forum.dlang.org")
  echo content

const stuff = doCrazyStuff()

/usr/lib/nim/pure/httpclient.nim(335, 12) Error: cannot evaluate at compile time: defaultSslContext

Jai should already be capable of this, seeing as how it can load a window, play sounds, etc. Hopefully competition ramps up in this area. :o)

On Saturday, 8 October 2022 at 20:44:15 UTC, kdevel wrote:

A better analogy would be "the safest house is one that doesn't exist". Closing the door doesn't impair the capabilities of your house. The ban on compile-time output severely impairs the capabilities of the compiler.

On Saturday, 8 October 2022 at 20:44:15 UTC, kdevel wrote:

Under what circumstances would you compile a program on an account with more sensitive data than the one you run it on?

On Sunday, 9 October 2022 at 08:00:58 UTC, FeepingCreature wrote:

The D program P is compiled before another program Q is compiled, both on the same account. After compilation the programs are deployed to the production machine/account where the "more sensitive data" reside. By mere compilation P can alter the source code of Q. Though P is never executed in the production environment its code is run via Q.

Note that for pure scripting languages (without separate compilation stage) this attack vector does not exist.

On Saturday, 8 October 2022 at 19:57:35 UTC, kdevel wrote:

   ~/.ssh/authorized_keys?

   ~/.profile
   ~/.bashrc

I see what you mean and I agree with you that unrestricted writing should not be allowed.

But I see that my question was a bit unclear so let me re-phrase it. Right now D has restricted compile-time reading: you can read a file only in a subdir of -J CLI parameter (if there is no -J then DMD will error out). What additional security risks do you see if writing has the same restrictions as reading: requires command line option (error out otherwise) and be allowed to create files under specified (by CLI) folder only?

On Sunday, 9 October 2022 at 12:33:59 UTC, kdevel wrote:

Again though, refer to my last post. We already have this problem with basically all of our other build systems that way have today. The world hasn't ended yet because of that, so we may as well at the very least reduce the layers of tooling complexity at the same time.

On Monday, 10 October 2022 at 01:10:42 UTC, Andrey Zherikov wrote:

If the context which invokes dmd -J already has write permission and the source code of the context and the source code handed over to dmd is of same origin then none.

On Monday, 10 October 2022 at 12:59:30 UTC, kdevel wrote:

I don't think that -J should support writing so let's introduce new CLI option, say -pragma-out=<dir>. Now, if context that invokes dmd -pragma-out has no write permissions then compilation should error out when it tries to write to file.

Regarding "source code of the context", I'm not sure I get what you mean here. If you mean something that calls dmd then is it makefile or build tool? The first one is usually written by owners of the code you are compiling, the second one is not.