Deno Permissions

Deno is a runtime with security by default.

Unless you allow it, a Deno module has no access to file, network, or the environment.

In order to allow this access, Deno provides some lists of command line flags.

For example, to read a file in a Deno program, you have to specify the --allow-read flag.

Example of a Program that needs Write Permission

We will create a program that attempts to write to a file without giving it the write permission.

const file_path = 'intro-write.txt'

// Write to file async non-blocking
await Deno.writeTextFile(file_path, 'Writing text is simple.');

Run the from your computer with:

$ deno run intro-write.js
error: Uncaught PermissionDenied: write access to "/tmp/intro-write.js", run again with the --allow-read flag
► $deno$/dispatch_json.ts:40:11
    at DenoError ($deno$/errors.ts:20:5)
    ...

Deno throws a PermissionDenied error because we did not provide access for the program to write files.

To make this program work, run it again with the --allow-write flag.

$ deno run --allow-write intro-write.js

Example of a Program that needs Read Permission

We will create a program that attempts to read a file without giving it the read permission.

const file_path = 'intro.txt'

// Write to file async non-blocking
console.log(await Deno.readTextFile(file_path));

Run the from your computer with:

$ deno run intro-read.js
error: Uncaught PermissionDenied: read access to "/tmp/intro-write.js", run again with the --allow-read flag
► $deno$/dispatch_json.ts:40:11
    at DenoError ($deno$/errors.ts:20:5)
    ...

Deno throws a PermissionDenied error because we did not provide access for the program to read files.

To make this program work, run it again with the --allow-read flag.

$ deno run --allow-read intro-write.js

  Do It Yourself

Example of a Program that needs Network Access

Deno also restricts network access by default, which means an attempt to make an HTTP request or open a TCP connection will not be automatically allowed in Deno unless explicitly given access. Let us check the following example for better understanding:

Deno Network Acess: File serve.ts

//Import the server module
import { serve } from "https://deno.land/std/http/server.ts";

// serve on port 5000
const s = serve({ port: 5000 });

console.log('Listening to port 5000 on http://localhost:5000');

// Wait for request and response with a text
for await (const req of s) {
  req.respond({ body: "My First Deno Web Server\n" });
}
  Do It Yourself

Run the code:

$ deno run serve.ts

This throws an error:

error: Uncaught PermissionDenied: network access to "0.0.0.0:5000", run again with the --allow-net flag
    at unwrapResponse ($deno$/ops/dispatch_json.ts:43:11)
    at Object.sendSync ($deno$/ops/dispatch_json.ts:72:10)
    at Object.listen ($deno$/ops/net.ts:51:10)
    at Object.listen ($deno$/net.ts:155:22)
    at serve (https://deno.land/std/http/server.ts:256:25)
    at /deno-server.ts:5:11

A PermissionDenied error was thrown because the --allow-net flag is not specified. Let's run it again by specifying the --allow-net flag.

$ deno run --allow-net server.ts

The code runs successfully:

Listening to port 5000 on http://localhost:5000

Deno Permission Flags List

Flag Function
-A, --allow-all Allow all permissions. This disables all security.
--allow-env Allow environment access for things like getting and setting of environment variables.
--allow-hrtime Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
--allow-net=\<allow-net> Allow network access. You can specify an optional, comma-separated list of domains to provide an allow-list of allowed domains.
--allow-plugin Allow loading plugins. Please note that --allow-plugin is an unstable feature.
--allow-read=\<allow-read> Allow file system read access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.
--allow-run Allow running subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process. Therefore, use with caution.
--allow-write=\<allow-write> Allow file system write access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of allowed file system access.

Deno Permissions allow-list

Deno allow-lists allows you to customize how permissions are restricted. You can provide comma-separated lists to the --allow-write, --allow-read and --allow-net flags, specifying that the values in the list should bypass permission restriction.   For example, you can specify a list of the directory where you want Deno to give read/write permission to.

The following example runs the above program with only write permission to the /bin and /tmp directory. 

$ deno run --allow-write=/bin,/tmp intro-write.js

Alternatively, you can also specify the --allow-all to allow all permissions.

What You Should Know at the End of this Chapter

  • You should understand the flags used to allow the file, environment, and network access.