file: job.t package: muf status: alpha
This construct allows you to write a function which can be called by other people, but which will execute with your privileges when they call it. This is the standard way of extending the access other people have to your objects.
This construct saves the current value of
@$s.actingUser on the loop stack, then sets
@$s.actingUser to the owner of the currently
executing function. Upon exit from the construct, the
original value of @$s.actingUser is restored.
Functions using this construct should be very carefully written and do a very clearly defined task: If you make a mistake, you may wind up granting everyone full access to all your objects, the ability to send mail under your name, and so forth.
Functions using this construct and owned by root should be
extremely carefully written and do an
extremely clearly defined, simple task: Every such
function is part of the "security kernel" of your system,
which is only as secure as the least secure function of this
kind. It only takes one carelessly written one-line
asMeDo{...} function owned by root to
eliminate all security and privacy on a complete Muq system.
On any well-administered Muq system, there should be at
least one administrator who knows exactly where all the
root-owned asMeDo functions are, exactly what each
one does, and who either makes or is informed of all
modifications to these functions. I considered having the
server force all such functions to be stored on some
particular object, but decided this was inconsistent with
the design goal of a policy-free server. I do think you
would be wise to pick some spot like .u["root"].asMeDo
and in it keep a pointer to all such functions.
See section pushUserMeFrame. See section pushLockframe.
Go to the first, previous, next, last section, table of contents.