Go to the first, previous, next, last section, table of contents.


Control-struct: asMeDo{ ... }
file: job.t
package: muf
status: alpha

This construct allows you to write a function which can be called by other people, but which will execute with your privileges when they call it. This is the standard way of extending the access other people have to your objects.

This construct saves the current value of @$s.actingUser on the loop stack, then sets @$s.actingUser to the owner of the currently executing function. Upon exit from the construct, the original value of @$s.actingUser is restored.

Functions using this construct should be very carefully written and do a very clearly defined task: If you make a mistake, you may wind up granting everyone full access to all your objects, the ability to send mail under your name, and so forth.

Functions using this construct and owned by root should be extremely carefully written and do an extremely clearly defined, simple task: Every such function is part of the "security kernel" of your system, which is only as secure as the least secure function of this kind. It only takes one carelessly written one-line asMeDo{...} function owned by root to eliminate all security and privacy on a complete Muq system.

On any well-administered Muq system, there should be at least one administrator who knows exactly where all the root-owned asMeDo functions are, exactly what each one does, and who either makes or is informed of all modifications to these functions. I considered having the server force all such functions to be stored on some particular object, but decided this was inconsistent with the design goal of a policy-free server. I do think you would be wise to pick some spot like .u["root"].asMeDo and in it keep a pointer to all such functions.

See section pushUserMeFrame. See section pushLockframe.

Go to the first, previous, next, last section, table of contents.