Greetings!
From a security perspective, what is the scope of what can and cannot be done via a Python script that’s passed to Blender on the command line with --python?
I haven’t coded much in Python, but as I understand it, a Python script is able to interact with the system by executing external shell commands, manipulating files, etc., only confined by the normal permission scope that applies to the user that the script is running under, like any other programming language.
I would assume this also holds true for Python scripts passed to Blender, but I don’t really know what Blender’s doing internally; perhaps it’s only allowing Python operations within the Blender scope?
The reason I ask is because a user wants a new feature in Loki Render: have the option to specify a Python script to pass to Blender when rendering. Loki currently doesn’t secure transmissions between master and grunts, so I’m wary of this and want to be certain of the security implications, as it might open up the possibility of a ‘man in the middle’ attack where a malicious Python script could be injected into a task and then executed on a grunt.
It would be great to hear any insight into this.
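
One way a grunt could refuse a script that was altered in transit, as an added example that is not part of the original post and not Loki Render code: the master attaches an HMAC-SHA256 tag to each task and the grunt checks it before building the Blender command line. The pre-shared key, the task dictionary layout and the function names are assumptions; the check covers integrity only (not confidentiality or replay), and it assumes a verified script still runs with the grunt user's full permissions.

```python
import hashlib
import hmac
import secrets

# Constructed key: assumed to be provisioned to master and grunts out of band.
SHARED_KEY = secrets.token_bytes(32)


def _message(task_id: str, script: bytes) -> bytes:
    # Length-prefix the task id so the (id, script) boundary is unambiguous.
    tid = task_id.encode("utf-8")
    return len(tid).to_bytes(4, "big") + tid + script


def seal_task(key: bytes, task_id: str, script: bytes) -> dict:
    """Master side: bind the script bytes to the task id with an HMAC tag."""
    tag = hmac.new(key, _message(task_id, script), hashlib.sha256).hexdigest()
    return {"task_id": task_id, "script": script, "tag": tag}


def verify_task(key: bytes, task: dict) -> bool:
    """Grunt side: True only if script and task id match the tag."""
    try:
        msg = _message(task["task_id"], task["script"])
        received = bytes.fromhex(task["tag"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return False  # malformed task: treat as tampered
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, received)


def blender_argv(key: bytes, task: dict, blend_file: str, script_path: str):
    """Return the Blender command line, or None if verification fails."""
    if not verify_task(key, task):
        return None
    # The caller writes task["script"] to script_path only after this check.
    return ["blender", "-b", blend_file, "--python", script_path]


if __name__ == "__main__":
    task = seal_task(SHARED_KEY, "task-1", b"import bpy\n")  # constructed sample
    print(blender_argv(SHARED_KEY, task, "scene.blend", "task-1.py"))
    task["script"] = b"import os\n"  # simulated modification in transit
    print(blender_argv(SHARED_KEY, task, "scene.blend", "task-1.py"))
```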