Should the non-root execution path limit transactions to the safe itself?

[mmv08]

One could enable modules, owner changes, and delegate calls by executing a transaction to self. Perhaps it should be limited as well

[rmeissner]

Introducing more "permissions" is indeed a good idea. For the initial version we should add another indicator (similar to requiresRootAccess) for config changes. In the future this could be replace be a more complete permissioning system, but this would be overkill right now imo.

[mmv08]

Why does it need a separate flag? IMO it's a security flaw if you can execute delegate call transactions without requiring root access.

[rmeissner]

The point was to provide an intermediate access level. Currently it is an all or nothing approach

• no permission -> cannot execute transaction targeting the Safe or Manager, also cannot execute delegate call
• root access -> can execute arbitrary transactions via the Safe including delegate calls

So having a more fine grained permission model that allow the change of the Safe configuration or the Manager settings, might make sense.

Ultimately this could also be done via hooks, but it would be a built in security level.