fix(runtime): allow r/w access to /etc without --allow-all (#23718)

This is not a special path that can be used to escalate or bypass Deno
permissions, such as `--allow-env`.

2 files changed, 1 insertions, 10 deletions

diff --git a/runtime/permissions/lib.rs b/runtime/permissions/lib.rs
index 1ac8779af..e66f16a7f 100644
--- a/runtime/permissions/lib.rs
+++ b/runtime/permissions/lib.rs
@@ -1691,19 +1691,10 @@ impl PermissionsContainer {
           self.check_was_allow_all_flag_passed().map_err(error_all)?;
         }
       }
-      if path.starts_with("/etc") {
-        self.check_was_allow_all_flag_passed().map_err(error_all)?;
-      }
     } else if cfg!(unix) {
       if path.starts_with("/dev") {
         self.check_was_allow_all_flag_passed().map_err(error_all)?;
       }
-      if path.starts_with("/etc") {
-        self.check_was_allow_all_flag_passed().map_err(error_all)?;
-      }
-      if path.starts_with("/private/etc") {
-        self.check_was_allow_all_flag_passed().map_err(error_all)?;
-      }
     } else if cfg!(target_os = "windows") {
       fn is_normalized_windows_drive_path(path: &Path) -> bool {
         let s = path.as_os_str().as_encoded_bytes();
diff --git a/tests/specs/permission/special/main.js b/tests/specs/permission/special/main.js
index 99f0e74f4..53a7adc9e 100644
--- a/tests/specs/permission/special/main.js
+++ b/tests/specs/permission/special/main.js
@@ -4,8 +4,8 @@
 const testCases = [
   // Allowed, safe
   [["darwin", "linux"], null, "/dev/null"],
+  [["darwin", "linux"], null, "/etc/passwd"],
   // Denied, requires `--allow-all`
-  [["darwin", "linux"], /PermissionDenied/, "/etc/hosts"],
   [["darwin", "linux"], /PermissionDenied/, "/dev/ptmx"],
   [["linux"], /PermissionDenied/, "/proc/self/environ"],
   [["linux"], /PermissionDenied/, "/proc/self/mem"],