
If deno is to be 'secure', you should remove the --allow-run flag, as it allows privilege escalation and is equivalent to the all-permissions flag #5152

Closed
ahungry opened this issue May 8, 2020 · 2 comments

Comments

ahungry commented May 8, 2020

This sample illustrates what I'm talking about:

    // Run this with:
    //     deno run --allow-run ./elevation.ts
    //
    // The parent process is started with --allow-run only, but it re-executes
    // itself through a child `deno` to which it hands --allow-net.

    if (Deno.args.includes('network')) {
      // Child invocation: runs with --allow-net, a permission the parent never had.
      console.log('Thanks for the elevated permissions sucker!');
      const result = await fetch('https://example.com');
      console.log(result);
    } else {
      // Parent invocation: only --allow-run, yet it may spawn `deno` with any flags.
      // Deno.run was the subprocess API at the time (later replaced by Deno.Command).
      const p = Deno.run({
        cmd: ['deno', 'run', '--allow-net', './elevation.ts', 'network']
      });

      // await its completion, then release the process resource
      const code = await p.status();
      console.log(code);
      p.close();
    }

Unless Deno does some advanced cascading of ACLs around further `deno` processes spawned within its process (which it seems like it should do here), this is relaying a false sense of security to the user of the deno program.

If I am a user, and I run unknown code via deno, with the assumption of deno's security protecting me (which is what the marketing blurbs seem to imply), I wouldn't expect that an --allow-run flag is giving full unfettered access to everything.

As such, the --allow-run flag is very misleading and should not be a distinct flag - if people need to run subprocesses, it should only be done with the allow-all flag.
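As an added illustration (not code from this issue, nor part of Deno), here is a small checker that models the "cascading" permission check the report asks for and generalises it beyond the re-exec trick above: it parses the `--allow-*` / `-A` flags of a parent `deno` argv and of a command the parent wants to spawn, and reports which permissions the child would gain. The assumptions are spelled out in the comments: a child whose program is `deno` is bounded by its own flags, while any other program (`sh`, `curl`, `cat`, ...) runs outside Deno's sandbox and is treated as holding every permission; scoped flags such as `--allow-net=example.com` are treated as the unscoped permission, which is the conservative choice for an escalation check. The function and type names are this example's own.

```typescript
// Added example: models the cascading permission check requested in the issue.
// Not Deno code; it only inspects argv strings, so it runs under Node or Deno.

type Perm = string; // "read", "net", "run", ...; "all" stands for -A / --allow-all

// Parse the permission flags of a `deno <subcommand> [flags] <script> [args]` argv.
// Example: ["deno","run","--allow-net=example.com","./x.ts"] -> Set {"net"}.
// Assumption: scopes (=host, =path) are dropped and counted as the full permission.
function permsOf(argv: string[]): Set<Perm> {
  const perms = new Set<Perm>();
  // argv[0] is the binary, argv[1] the subcommand; flags come before the script path.
  for (const arg of argv.slice(2)) {
    if (arg === "-A" || arg === "--allow-all") {
      perms.add("all");
      continue;
    }
    const m = /^--allow-([a-z]+)(=.*)?$/.exec(arg);
    if (m) {
      perms.add(m[1]);
      continue;
    }
    if (!arg.startsWith("-")) break; // first positional is the script; later flags belong to Deno.args
  }
  return perms;
}

// Would spawning `child` from a process holding `parent` permissions widen them?
// Assumption: only a child that is itself `deno` is constrained by Deno permissions;
// any other binary is unsandboxed and is treated as holding "all".
function isEscalation(parent: Set<Perm>, child: string[]): { escalates: boolean; gained: Perm[] } {
  if (parent.has("all")) return { escalates: false, gained: [] };
  const prog = child[0].split("/").pop(); // strip a path such as /usr/local/bin/deno
  const childPerms = prog === "deno" ? permsOf(child) : new Set<Perm>(["all"]);
  const gained = [...childPerms].filter((p) => !parent.has(p));
  return { escalates: gained.length > 0, gained };
}

// The exact scenario from the issue: parent has --allow-run, child asks for --allow-net.
function auditIssueExample(): { escalates: boolean; gained: Perm[] } {
  const parent = permsOf(["deno", "run", "--allow-run", "./elevation.ts"]);
  const child = ["deno", "run", "--allow-net", "./elevation.ts", "network"];
  return isEscalation(parent, child);
}

// Stand-alone run: print a few verdicts.
const cases: Array<[string[], string[]]> = [
  [["deno", "run", "--allow-run", "./elevation.ts"], ["deno", "run", "--allow-net", "./elevation.ts", "network"]],
  [["deno", "run", "--allow-run", "./x.ts"], ["sh", "-c", "cat /etc/passwd"]],
  [["deno", "run", "--allow-run", "--allow-net=example.com", "./x.ts"], ["deno", "run", "--allow-net", "./x.ts"]],
  [["deno", "run", "-A", "./x.ts"], ["curl", "https://example.com"]],
];
for (const [parentArgv, childArgv] of cases) {
  console.log(JSON.stringify(childArgv), "=>", JSON.stringify(isEscalation(permsOf(parentArgv), childArgv)));
}
```

The second case is the point the issue's own sample understates: re-executing `deno` is only one route, since any subprocess at all (a shell, `curl`, `cat`) already has the host's full file and network access, so a runtime-level check of the kind modelled here can only be sound if every non-`deno` child is treated as fully privileged. That is why the checker returns `gained: ["all"]` for a shell rather than trying to enumerate what the shell might do.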

@nayeemrmn (Collaborator) commented:

Duplicate of #3378.


ahungry commented May 8, 2020

Thanks, I should have spent more time searching before filing
