7

I heard that Lua is great for configuration files, so long as you are secure about it. Lua has been used as config files by programs such as awesome and (recently) conky.

However, I also heard that using programming to configure a program is an anti-pattern.

Since Lua does not get compiled as part of the program, would this prove as an exception?

Here's a hint of what Lua might look like as a config file:

return {
  rootdir = "/abc/123",
  debug = true,
  things = {
    "foo",
    "bar",
    "baz",
    "qux"
  }
}
Nolan Akash
  • 1,294
  • 2
  • 10
  • 11
  • 2
    I can't speak for Lua, but the idea to have a program being a configuration makes my stomach grumble. –  Dec 10 '16 at 22:45
  • 2
    Still, having a programming language for complex configuration beats something like `sendmail.cf`, which is accidentally Turing-complete. – Jörg W Mittag Dec 11 '16 at 01:45
  • Except for `return` it looks like JSON. You should make things as simple as they can be, not as complex as they can be -- for the latter it is justified question "hey, should I use quantum computer to read my configs?". Drop `return`, stick to JSON (if you like the look), use JSON parser and that's it. – greenoldman Dec 11 '16 at 08:16
  • 2
    @greenoldman: "*Except for return it looks like JSON.*" Of course it does. That's what JSON is: JavaScript, used as a data description language. The first "JSON parsers" were just JavaScript developers using `eval`. The OP is asking about using Lua in the same way. – Nicol Bolas Dec 11 '16 at 15:19
  • @NicolBolas, I meant JSON as data, not as evaluated program to data. Here, in OP you see running program, not just data. For me it is bringing more tools than necessary. – greenoldman Dec 12 '16 at 15:23
  • 1
    @greenoldman: You seem to think that JSON was created as a data format. It wasn't; it's *just JavaScript*. It was created because sending JavaScript was something that web developers could already do, so they encoded their data as JavaScript files that were then executed. Eventually, people streamlined this process by creating dedicated JSON parsers. But the basic idea of using a scripting language as a data language is at the very heart of JSON. If it was valid for JavaScript, why wouldn't it be valid for Lua? – Nicol Bolas Dec 12 '16 at 15:53
  • 1
    I use Lua for this purpose, but that said: 1) the software is happily married to Lua as its primary embedded scripting language. 2) I don't really work in a domain where security is a concern. If a user wants to write an infinite loop in their configs and make it so the software can't start up, so be it. In my case I don't use an explicit `return` to return a table. I just define global variables (the config script is given a clean environment, and the environment is tossed away after reading the configs). –  Feb 01 '18 at 06:29
  • There are also some examples from Programming in Lua that specifically cover Lua for use as a DDL and also specifically for configs, like so: https://www.lua.org/pil/25.html. It is nice if you are already married to Lua like me to use the same syntax for configs as you do to program large portions of the software, and also the same kind of convenient code used in binding to read the config variables from Lua to C without requiring like a separate XML parser or something. –  Feb 01 '18 at 06:32

2 Answers2

7

The needs for any language that you use for configuration files are the same, regardless of whether it is a programming language or not:

  1. The people who use it can do so reasonably effectively. If actual human beings aren't writing them, then it needs to be readable by programs. And possibly debugged by programmers.

    Lua's table syntax was actually derived from an older configuration file format, so it is equally as effective as JavaScript for this purpose (what do you think JSON is?). It's about as self-documenting as such things, with comments and so forth.

  2. Improper configuration files should not break your program. Or worse, hijack it. It's very easy to sandbox a Lua state, in that you have to do actual work in order to make a Lua state do something.

    However, the biggest thing you need to worry about is a pre-compiled Lua script breaking your encapsulation. Which means you need a mechanism to prevent loading pre-compiled Lua scripts as config files. Lua 5.2 and above provide this. For Lua 5.1, if you don't take special care, you can create a gaping security hole in your program.

  3. Reading/writing the file needs to be reasonably easy for code. Lua's table interface can be a bit wordy, but with a couple of wrapper functions, it should be no problem to deal with it.

  4. If errors show up in the file, you should be able to give a reasonable error message. Lua's parser is not the greatest, but it's not terrible at giving error messages.

That being said, given the number of XML and JSON parsers out there, I wouldn't bother using "LON" as a configuration language unless my program already incorporated Lua in some other way.

Nicol Bolas
  • 11,813
  • 4
  • 37
  • 46
4

Using a programming language for a configuration file is reasonable if the following cases are met:

  1. The software is open source (so there's no worry about users doing introspection to get at its internals).
  2. The configuration needs can often be very complicated and depend on parts of the environment and application state.
  3. The users can expected to be technical.
  4. There is no great cost if the user screws something up.

Xmonad and Emacs (2 bits of software I love and use every day) both use programming languages for their configuration, which enables them to be incredibly extensible. They also hit all of the above pointts.

So I think whether you should use any programming language for your config is appropriate in rare cases. I would choose your language based on how easy it is to pick up and how easy it is to integrate. Lua is usually going to do well on those two.

walpen
  • 3,231
  • 1
  • 11
  • 20