Deno Tutorial
Deno Permissions
Deno is a runtime that is secure by default.
Unless you allow it, a Deno module has no access to the file system, the network, or the environment.
To grant such access, Deno provides a set of command-line flags.
For example, to read a file in a Deno program, you have to start it with the --allow-read
flag.
Example of a Program that needs Write Permission
We will create a program that attempts to write to a file without giving it the write permission.
const file_path = 'intro-write.txt'
// Write to file async non-blocking
await Deno.writeTextFile(file_path, 'Writing text is simple.');
Run it with:
$ deno run intro-write.js
error: Uncaught PermissionDenied: write access to "/tmp/intro-write.txt", run again with the --allow-write flag
► $deno$/dispatch_json.ts:40:11
at DenoError ($deno$/errors.ts:20:5)
...
Deno throws a PermissionDenied
error because we did not provide access for the program to write files.
To make this program work, run it again with the --allow-write
flag.
$ deno run --allow-write intro-write.js
Example of a Program that needs Read Permission
We will create a program that attempts to read a file without giving it the read permission.
const file_path = 'intro.txt'
// Read the file async non-blocking and print its contents
console.log(await Deno.readTextFile(file_path));
Run it with:
$ deno run intro-read.js
error: Uncaught PermissionDenied: read access to "/tmp/intro.txt", run again with the --allow-read flag
► $deno$/dispatch_json.ts:40:11
at DenoError ($deno$/errors.ts:20:5)
...
Deno throws a PermissionDenied
error because we did not provide access for the program to read files.
To make this program work, run it again with the --allow-read
flag.
$ deno run --allow-read intro-read.js
Example of a Program that needs Network Access
Deno also restricts network access by default: an attempt to make an HTTP request, to listen on a port or to open a TCP connection is refused unless the program is explicitly given network access. The following example shows this:
Deno Network Access: File serve.ts
// Import the server module. This unversioned URL resolves to whatever the latest std
// release is; in real code pin a version (https://deno.land/std@<version>/http/server.ts)
// so that a remote change cannot alter what your program runs.
import { serve } from "https://deno.land/std/http/server.ts";
// serve on port 5000
const s = serve({ port: 5000 });
console.log('Listening to port 5000 on http://localhost:5000');
// Wait for request and response with a text
for await (const req of s) {
req.respond({ body: "My First Deno Web Server\n" });
}
Run the code:
$ deno run serve.ts
This throws an error:
error: Uncaught PermissionDenied: network access to "0.0.0.0:5000", run again with the --allow-net flag
at unwrapResponse ($deno$/ops/dispatch_json.ts:43:11)
at Object.sendSync ($deno$/ops/dispatch_json.ts:72:10)
at Object.listen ($deno$/ops/net.ts:51:10)
at Object.listen ($deno$/net.ts:155:22)
at serve (https://deno.land/std/http/server.ts:256:25)
at /deno-server.ts:5:11
A PermissionDenied
error was thrown because the --allow-net
flag was not specified. Run it again with the --allow-net
flag (or, more narrowly, --allow-net=0.0.0.0:5000, which only lets the program use the address shown in the error):
$ deno run --allow-net serve.ts
The code runs successfully:
Listening to port 5000 on http://localhost:5000
Deno Permission Flags List
Flag | Function
---|---
-A, --allow-all | Allow all permissions. This disables all security (the sandbox is switched off).
--allow-env | Allow environment access, such as getting and setting environment variables.
--allow-hrtime | Allow high-resolution time measurement. High-resolution time can be used in timing attacks and fingerprinting.
--allow-net=\<allow-net> | Allow network access. You can specify an optional, comma-separated list of hosts, each optionally with a port (host or host:port), to provide an allow-list of permitted hosts.
--allow-plugin | Allow loading plugins. Please note that --allow-plugin is an unstable feature.
--allow-read=\<allow-read> | Allow file system read access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of permitted file system access.
--allow-run | Allow running subprocesses. Be aware that subprocesses are not run in a sandbox and therefore do not have the same security restrictions as the Deno process, so use this with caution.
--allow-write=\<allow-write> | Allow file system write access. You can specify an optional, comma-separated list of directories or files to provide an allow-list of permitted file system access.
Deno Permissions allow-list
Deno allow-lists let you narrow a permission instead of granting it wholesale. You can pass comma-separated lists to the --allow-write
, --allow-read
and --allow-net
flags; only the listed files, directories or hosts are granted, and any access outside the list still fails with PermissionDenied. For example, you can list the directories in which Deno may read or write.
The following example runs the above program with write permission only inside the /bin
and /tmp
directories:
$ deno run --allow-write=/bin,/tmp intro-write.js
Note that the program only writes intro-write.txt into the current directory (/tmp in the output above), so --allow-write=/tmp alone is enough; granting /bin as well widens the permission for no reason.
Alternatively, you can specify --allow-all (or -A)
to allow all permissions, but this disables the sandbox entirely; prefer the narrowest allow-list that makes the program work.
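The network example and the allow-list section above both rely on how a list entry is matched against what the program actually touches. The following is an added example, not code from the tutorial or from Deno itself: a simplified model of how a path allow-list such as --allow-write=/bin,/tmp and a network allow-list such as --allow-net=localhost:5000 have to be evaluated. Deno performs these checks in its Rust core; the function names, the POSIX-only path handling and the sample paths and hosts are assumptions made for illustration.

```javascript
// Added example (not from the tutorial or from Deno): a simplified model of how
// a path allow-list such as --allow-write=/bin,/tmp and a network allow-list
// such as --allow-net=localhost:5000 have to be evaluated. Deno performs these
// checks in its Rust core; the functions below only illustrate the semantics.

// Resolve `p` against `cwd` and collapse "." and ".." segments, so that
// "/tmp/../etc/passwd" becomes "/etc/passwd" before any prefix comparison.
// Assumes POSIX paths; symlinks are not followed in this model.
function normalizePath(p, cwd) {
  const raw = p.startsWith("/") ? p : cwd + "/" + p;
  const out = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when `target` is an allow-listed file itself or lives below an
// allow-listed directory. The "/" boundary stops "/tmp" from matching "/tmpfoo".
function isPathAllowed(target, allowList, cwd) {
  const t = normalizePath(target, cwd);
  return allowList.some((entry) => {
    const a = normalizePath(entry, cwd);
    return t === a || t.startsWith(a === "/" ? "/" : a + "/");
  });
}

// What a write under --allow-write=<list> looks like in this model: the check
// happens before any I/O, and a miss raises the same kind of error the
// tutorial shows instead of silently writing.
function checkWrite(target, allowList, cwd) {
  const resolved = normalizePath(target, cwd);
  if (!isPathAllowed(target, allowList, cwd)) {
    throw new Error(
      `PermissionDenied: write access to "${resolved}", run again with the --allow-write flag`,
    );
  }
  return resolved;
}

// Network allow-list model: an entry "host" permits every port on that host,
// "host:port" permits only that port. Matching is exact (no subdomain or
// wildcard matching) and IPv6 literals are not handled here.
function isNetAllowed(host, port, allowList) {
  return allowList.some((entry) => {
    const [h, p] = entry.split(":");
    return h === host && (p === undefined || Number(p) === port);
  });
}

// Constructed scenario matching the tutorial: cwd is /tmp and the program
// writes intro-write.txt, so --allow-write=/tmp is all it needs.
console.log(checkWrite("intro-write.txt", ["/tmp"], "/tmp"));               // /tmp/intro-write.txt
console.log(isPathAllowed("/tmp/../etc/passwd", ["/bin", "/tmp"], "/tmp")); // false
console.log(isNetAllowed("localhost", 5000, ["localhost:5000"]));           // true
console.log(isNetAllowed("localhost", 5001, ["localhost:5000"]));           // false
```

The two points worth taking from the model are that paths must be resolved and normalised before the prefix check (otherwise `..` walks out of the allowed directory) and that the comparison must respect the directory boundary, so that an allow-list entry of /tmp never covers /tmpfoo.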
What You Should Know at the End of this Chapter
- You should understand the flags used to allow file, environment, and network access, and how to narrow them with allow-lists.