Trusted or Restricted?

Jean-Luc

Trusted or Restricted?

Post by Jean-Luc »

This was discussed on the French forum and I would like your opinion.

Is the separation between Trusted and Restricted folders useful?
Could it be simplified?
Do we need such separation?

I have recorded a script (creating an empty image and drawing something with the Paint brush). By default, PSP records in Restricted. After the script creation, I move the script to the Trusted folder. And I may run the script from this location. Conclusion: Restricted is useless.

Now, if I record a script with a save command, it will not run if stored in Restricted. It will run in Trusted. Conclusion: Restricted is useless.

If all scripts are saved and are running in the Trusted folder, they are working the same as if they are running in two different folders.

What do you mean?
Kathy_9

Re: Trusted or Restricted?

Post by Kathy_9 »

My thoughts are that you would want to have both restricted and trusted for security purposes.
LeviFiction

Re: Trusted or Restricted?

Post by LeviFiction »

The conclusions here are that restricted is useless because all simple scripts run regardless of them being run from the restricted or trusted folders and because it's easy to simply move one to the trusted folder?

I have a different take on what these mean.

As Kathy_9 said, it's for security purposes. Trusted scripts are the only ones that can save files, access the hard drive, load libraries, close files (because it might involve saving the file), etc. So if you record a script that needs to close an image, you need to save it to the trusted scripts folder; otherwise it cannot be used. I will agree that the usefulness is hampered by how easy it is to simply give full permissions to a script. Also, the system was developed back in PSP8; similar systems have been tried and replaced by other companies because the security they offer is substandard. So I would say the trusted option is the closest to useless. But, more specifically, the current two permission levels are inadequate for good security.

I would say that the question isn't if one mode is useless or not, but rather how concerned are we with the possibility of a script causing damage to our computers or potentially spying on us?

The great danger with scripts is this forum. A centralized repository of scripts where anyone can submit a script without review and unsuspecting users will download it. Technically all they have to do is make the script function appropriately and they could hide a virus, spyware, or whatever they wanted in the script and your average user wouldn't know. In this way I'd suggest that simply having a folder for scripts you want to trust is the useless option for security. And that simply running all scripts with trusted permissions is the dumbest thing a user can do. If a script can run restricted, it should be run restricted.

Technically plugins have this same risk. They run free to do whatever they want, restricted only by the permissions of the user running the system. So the question isn't whether or not Restricted is useless but whether or not we care about the risks posed by Trusted. And what measures we are willing to put up with to be secure. How much should PSP babysit us?

Honestly I believe the system could stand to be updated and here are a few thoughts:

1) Opening, closing, and saving using PSP's built-in functions should not be considered trusted actions. - These don't offer direct access to the hard drive; they work through PSP. The worst they can do is overwrite the image the user was working on and close it so they couldn't undo the changes. But that's what auto-preserve is for: to prevent such mishaps. This would eliminate some of the most common reasons a script is requested to be installed in the Trusted folder.

2) Accessing libraries should continue to be a trusted permission. - As is any direct access to the computer. But very specifically access to the libraries like sys, os, urllib, etc. The libraries that give me decent access to the computer to do whatever I want. Including harmful activities.

3) Decrease the need for external libraries by offering more built-in commands - Being able to use random numbers and math are not harmful libraries, but it would be difficult with Python to restrict the permissions of different libraries, so, instead, limit the need to access these libraries, which I think would be among the most common ones needed by users. Also include the ability to access image data directly via callback. Essentially, decrease the need for trusted scripts by offering greater access to PSP.

4) Use a permissions parameter in Script Properties instead of a folder - This is probably the hardest option, and the most potentially annoying to the user. But it would allow a single location to be used instead of two different folders. As Jean-Luc pointed out, the only difference between restricted and trusted run-level permissions is which folder the script is in. This is far too lenient in my opinion. I think a script should request trusted run-level permissions in Script Properties. And a warning should be presented to the user. A user can then also request that the pop-up never show up again if they get too annoyed by it, but only on a script-by-script basis.
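An added example, not from the thread or from Corel, of what proposals 1, 2 and 4 above could look like as a static check run before a script executes. It assumes PSP scripts are Python with a ScriptProperties() function and App.Do(...) command calls, treats a hypothetical "RunLevel" property as the requested permission, and decides whether the script can run Restricted, must prompt the user, or should be denied.

```python
import ast
# Modules that give a script direct access to the machine: under the proposal
# above these always need Trusted (assumed list, built from the post's examples).
TRUSTED_ONLY_MODULES = {"os", "sys", "urllib", "subprocess", "socket", "ctypes", "shutil"}
DANGEROUS_BUILTINS = {"open", "exec", "eval", "__import__"}  # bypass PSP entirely

def declared_run_level(tree):
    # Proposal 4: the script requests its run level in the dict returned by its
    # ScriptProperties() function. "RunLevel" is an assumed key, not a real PSP one.
    for node in ast.walk(tree):
        if isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == "RunLevel":
                    return value.value if isinstance(value, ast.Constant) else None
    return None

def trusted_reasons(tree):
    # Proposals 1/2: App.Do(...) calls are not flagged; system imports and raw built-ins are.
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in DANGEROUS_BUILTINS:
            reasons.append(f"line {node.lineno}: builtin {node.func.id}()")
        names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                 else [node.module or ""] if isinstance(node, ast.ImportFrom) else [])
        for name in names:
            if name.split(".")[0] in TRUSTED_ONLY_MODULES:
                reasons.append(f"line {node.lineno}: imports {name}")
    return reasons

def audit_script(source):
    """Return (required level, declared level, decision, reasons)."""
    tree = ast.parse(source)
    reasons = trusted_reasons(tree)
    required = "Trusted" if reasons else "Restricted"
    declared = declared_run_level(tree) or "Restricted"
    decision = ("deny" if required == "Trusted" and declared != "Trusted"  # uses more than it asked for
                else "prompt" if declared == "Trusted" else "run")         # prompt = warn before granting
    return required, declared, decision, reasons

# Constructed sample scripts (not real PSP recordings); command names are illustrative.
SAVE_ONLY = '''def ScriptProperties():
    return {"Host": "PaintShop Pro", "RunLevel": "Restricted"}
def Do(Environment):
    App.Do(Environment, "FileSave", {})'''
DISK_ACCESS = '''def ScriptProperties():
    return {"Host": "PaintShop Pro", "RunLevel": "Restricted"}
import os, urllib.request
def Do(Environment):
    open(os.path.expanduser("~/notes.txt")).read()'''
```

A script that only calls PSP commands, saving included, comes back as runnable at Restricted; one that imports os or urllib or opens files itself is denied unless it declared Trusted, in which case the user is prompted.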