How shadowenv manages authorization

Best Practices Integration

Short version: Run shadowenv trust to tell Shadowenv that it’s ok to run from the directory you’re in.

Because of how shadowenv works (loading code from whichever directory you cd into), it’s important to have some concept of trusting shadowlisp code before it’s allowed to run. Shadowenv does this in a fairly lightweight way, by marking an entire directory as trusted, and allowing any code to be run from within it forever. The main case we’re trying to defend against is downloading a random tarball and having it modify your environment upon cd‘ing into it.

The first time Shadowenv runs, it will create a cryptographic signing key at ~/.config/shadowenv/trust-key. When you cd into a directory with a .shadowenv.d (or create one), you’ll see an error message:

shadowenv failure: directory contains untrusted shadowenv program: shadowenv help trust to learn more.

If you run shadowenv trust, a new file will be created at .shadowenv.d/trust-<fingerprint>, where <fingerprint> is derived from your key. The contents of the file is a signature of the directory in which the .shadowenv.d lives. Before loading any code, shadowenv verifies this signature.

This signature will become invalid if you move the directory, and it does resolve symbolic links before signing.