If I create a new script and explicitly omit ftp policy, when called through the scheduler or winbox gui “Run Script” the file will not be created due to insufficient permissions as expected.
/system script add name=examplescript policy=read source="/export file=example"
When the same script is called from the terminal it inherits all permissions from the user’s shell. If logged in under a “full” group user calling the script from the cli will export the file.
/system script run examplescript
I think when calling a script it should always inherit only permissions set by the script policy, not the calling users permissions. It seems misleading to allow policy to be set per script, but depending on how the script is called the permissions can silently change. It would be very sneaky to alter an existing script without “sensitive” and “ftp” permissions to dump passwords and secret keys to a file or emailed if someone happened to call the script by command line and the user had those permissions enabled on their account.
I’m less worried about the security more than I am about the misleading behavior though. I previously was testing scripts by the command line before adding them to the scheduler, and then noticed that previously tested scripts were silently failing to output files when called by the scheduler.