i'm not sure how using js for configuration files, as opposed to using
a language commonly deployed for the same purpose, such as lua,
presents an innate constraint on security.

if i'm somehow expected to ignore how unlikely it is for the
configuration vm to:

a. intentionally have the ability of boundlessly influencing program
behavior, or

b. provide exploits that aid users with the privileges required for
configuring said program in boundlessly influencing program behaviour,
and that said person even has the incentive to do so (maybe in your
site sudo configuration files are generated from entries to
pub/guestbook.html?)

then i would point out that, if anything, a popular js implementation
receives broader testing than sudo's dsl.

On Thu, Nov 22, 2012 at 9:04 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
>> Follow-up interview, much better to say what you want instead of having people
>> interpret your email.
>
> Do you know polkit (which I believe is cross platform but I prefer to
> remove it, primarily because it gives little indication of what is
> allowed and requires constant review, unlike sudo) now uses Javascript
> for its configuration files because the author (from his blog)
> believed JS to be the most universal language he could think of. I'm
> still unsure if he's serious or just taking the piss. I'm sure though
> he writes security software, he didn't realise any security
> ramifications in any case.
>
> Anyway sorry to lower the tone. Cross pollination and health is
> important. Less can certainly be more and mean more sooner for everyone.
>
> --
> _______________________________________________________________________
>
> 'Write programs that do one thing and do it well. Write programs to work
> together. Write programs to handle text streams, because that is a
> universal interface'
>
> (Doug McIlroy)
> _______________________________________________________________________
