On Thursday 06 October 2016 13:21:49 Radu Cotescu wrote:

> Why do we need to remove that statement? sling-scripting is the user that scripting modules should use for reading scripts. Since Sling's "executable" content is in the search paths (which for now are /libs and /apps), I think that by default the sling-scripting user should not be allowed to do more.
Removing "deny" is not a must, but we should keep it simple, and we do not gain much (nothing?) from a security point of view, as "everyone" (else) can read from /content (or / with the current setup). We cannot force scripting bundles to use the service/system user, and simply using an anonymous resource resolver allows reading from /content (/). I'm not sure if "deny" on / is also a performance penalty; maybe someone with more insight can comment on this.

Regards,
O.

> On Thu, 6 Oct 2016 at 13:50 Oliver Lietz <apa...@oliverlietz.de> wrote:
> > - it is best practice to avoid "deny", so it should be removed from sling-scripting (which would allow sling-scripting to read from /content also)
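The two ACL shapes being debated, written out as an added illustration (not taken from the thread or from the Sling project's own configuration) in Apache Sling's repoinit language; the exact statements, the privilege granted (jcr:read) and the paths used are assumptions, not the project's real setup.

```text
# Variant A (keep the deny): sling-scripting may read only the search paths
# /libs and /apps; reading anything else below the root is explicitly denied.
# Assumption: jcr:read is the only privilege the service user needs.
create service user sling-scripting
set ACL for sling-scripting
    allow jcr:read on /libs,/apps
    deny  jcr:read on /
end

# Variant B (drop the deny, as proposed in the mail): allow-only grants.
# sling-scripting can then also read /content, but as the mail notes, an
# anonymous resource resolver can already read /content, so the effective
# exposure is unchanged and the ACL stays simpler to reason about.
create service user sling-scripting
set ACL for sling-scripting
    allow jcr:read on /libs,/apps
end
```

The point of writing both out is to make the comparison concrete: the deny in Variant A only restricts a principal that is already the most constrained reader, while the data it protects remains readable through the anonymous path the mail describes.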