[tialaramex]

Design bug here: Clearly we need to run code as somebody, so, there's no reason to have infrastructure which just executes user code with the current context or server (presumably? or maybe an actual zero, ie root) context.

If we design the software this way, when we try to write the erroneous code we're caught - oh, wait, which user is authenticated? We need to... oh... we shouldn't be here without authenticating.

[toast0]

Afaik, if you were running the Erlang SSH daemon, when you connect as an authorized user (or just ask!), it drops you into the Erlang debug shell. There's no concept of different users in the debug shell. Erlang dist is kind of an almost single system image cluster, with no security boundaries once you're connected to the cluster. (Well, not exactly no boundaries, you can mark a process sensitive, and ets tables private, and do some other things to make introspection difficult [1], but you can likely still spawn an os process debugger and get to everything; you would need to modify the OTP sources to disable os process spawning)

I didn't think anybody would actually run the Erlang SSH daemon, but there's evidence that some do. It makes more sense to run openssh, so you can debug BEAM failures etc, and you can load a debug shell from your OS shell easily.

[1] https://security.erlef.org/secure_coding_and_deployment_hard...