Description
Currently, there doesn't appear to be any way to completely disable the loading of plugins. Individual plugins can be disabled, but there is no way to force micro to only run its own self-contained code.
Since plugins are loaded from the user-writeable ~/.config/micro folder, any process which can write into that folder could inject a plugin. This could be a concern in security sensitive contexts. Preventing this would be a significant attack surface reduction.
I am aware this would likely mean disabling the builtin extensions as well. I am fine with this.
Edit: Of course, this would need to be configurable somewhere that's not user-writeable, for obvious reasons... perhaps a separate config file in /etc/micro would be best. Would be good for other security related options like autosu, and would allow global configuration in multi-user setups as well.
Description
Currently, there doesn't appear to be any way to completely disable the loading of plugins. Individual plugins can be disabled, but there is no way to force micro to only run its own self-contained code.
Since plugins are loaded from the user-writeable
~/.config/microfolder, any process which can write into that folder could inject a plugin. This could be a concern in security sensitive contexts. Preventing this would be a significant attack surface reduction.I am aware this would likely mean disabling the builtin extensions as well. I am fine with this.
Edit: Of course, this would need to be configurable somewhere that's not user-writeable, for obvious reasons... perhaps a separate config file in
/etc/microwould be best. Would be good for other security related options like autosu, and would allow global configuration in multi-user setups as well.