Description
Currently, if a user has docker installed and set up so their user can run it without sudo, it's possible to craft a stack.yaml that runs arbitrary commands as root. This is due to well-known security weaknesses with Docker (and basically any arbitrary code you run on your system (like, say, downloading an executable or shell script, or building a Haskell package that uses TemplateHaskell) could also take advantage of it), so this is far from unique to stack.
That said, I'd like to at least close the hole with stack.yaml, so that if you're doing your builds in a Docker container security is improved. I propose to disallow the following settings in the project's stack.yaml (but still allow them in global/user stack.yamls and from the command-line).
run-args
mount
pass-host
database-path
auto-pull
Since a user may want to change these settings for a project, adding the option of a "local" project config inside .stack-work may be desirable (kind of like you can add extra git excludes in .git/extra/excludes).
In addition, any time a new image is encountered in a stack.yaml, an explicit action should be required to approve it with a big warning to not approve untrusted images. Anyone could craft a malicious image and point the repo setting to it, but I don't think we want to be in the business of whitelisting images.
I also considered using the docker run -u option to always start containers as a non-root user, but anyone could still craft an image that has an entrypoint which sudos to root, so that doesn't end up helping very much.
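A sketch of the policy proposed above, added here as an example and not taken from Stack's code base: restricted settings are honoured only from trusted sources, and an image named by the project file needs explicit approval. The function name, the dict inputs, the precedence order, the `.stack-work` override and all sample values are assumptions.

```python
# Added illustration of the policy proposed in the issue; not Stack's own code.
# Setting names are the ones listed in the issue. Inputs are the docker
# settings as plain dicts, as a YAML loader would return them (assumption).

RESTRICTED = {"run-args", "mount", "pass-host", "database-path", "auto-pull"}


def effective_docker_settings(user, project, local=None, approved_images=()):
    """Merge docker settings by how much each source is trusted.

    user    -- global/user stack.yaml (trusted, may set anything)
    project -- stack.yaml checked into the repository (untrusted)
    local   -- hypothetical per-checkout override kept inside .stack-work
    Returns (settings, rejected_keys, needs_approval).
    """
    local = local or {}
    # Restricted keys in the project file are dropped and reported.
    rejected = sorted(k for k in project if k in RESTRICTED)
    merged = dict(user)
    merged.update({k: v for k, v in project.items() if k not in RESTRICTED})
    merged.update(local)  # assumed precedence: local > project > user

    # An image named by the project file must be approved explicitly
    # before first use, unless a trusted local override replaced it.
    image = project.get("repo")
    needs_approval = (
        image is not None
        and merged.get("repo") == image
        and "repo" not in local
        and image not in approved_images
    )
    return merged, rejected, needs_approval


# Constructed sample input (placeholder values, not from a real project).
SAMPLE_USER = {"repo": "registry.example/trusted-build:1", "auto-pull": False}
SAMPLE_PROJECT = {
    "repo": "registry.example/unreviewed:latest",
    "run-args": ["--constructed-flag"],
    "mount": ["/constructed/host/path:/data"],
    "auto-pull": True,
}

if __name__ == "__main__":
    print(effective_docker_settings(SAMPLE_USER, SAMPLE_PROJECT))
```

The rejected list is what a tool would surface to the user as a warning, so a project file that tries to set these keys is visible rather than silently ignored.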