RFS: plash (the Principle of Least Authority shell)

To: debian-mentors@lists.debian.org
Subject: RFS: plash (the Principle of Least Authority shell)
From: Mark Seaborn <seaborn@cs.jhu.edu>
Date: Wed, 18 May 2005 21:12:08 +0100 (BST)
Message-id: <[🔎] 20050518.211208.640898968.mrs@localhost>

Hi,

I'm looking for a sponsor for my project, Plash:

  Plash (the Principle of Least Authority shell) is a replacement Unix
  shell which lets the user run Linux programs with access only to the
  files and directories that they need to run.

  The syntax is similar to Bash, but with some changes, eg. to grant
  write access to files (by default it's read-only).  For example, if
  you run the "oggenc" encoder program with the command:

    oggenc foo.wav => -o foo.ogg

  then the oggenc process will have access only to the files foo.wav
  (read-only), foo.ogg (read/write/create), and those files in its
  installation endowment.  By default, the installation endowment
  consists of /usr, /bin, /lib and /etc -- all as read-only -- but you
  can change this on a per-program basis.  Programs aren't given
  access to other files, such as those in your home directory, unless
  explicitly granted them.

  Plash works by virtualizing the filesystem.  Each process can have
  its own file namespace.

  This implemented in two steps: Firstly, processes are run in a
  chroot() environment under different UIDs, so they can't access
  files using the normal Linux system calls and are isolated from each
  other.  Secondly, in order to open files, a process makes requests
  to a server process via a socket; the server can send file
  descriptors across the socket in reply.

  Plash dynamically links programs with a modified version of GNU libc
  so that they can do filesystem operations using this different
  mechanism.

  No kernel modifications are required.  Plash can run Linux binaries
  unmodified, provided they are dynamically linked with libc, which is
  almost always the case.

  In most cases this does not affect performance because the most
  frequently called system calls, such as read() and write(), are not
  affected.

Debian packages are at:
http://www.cs.jhu.edu/~seaborn/plash/plash_1.8_i386.deb
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.8.dsc
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.8.tar.gz
(The Debian source package contains a copy of glibc 2.3.3, which is
13Mb, but the source to Plash itself is only 200k.)

and there's more info at:
http://www.cs.jhu.edu/~seaborn/plash/plash.html

I've been creating Debian binary packages for Plash for a while, but
recently I have got the build process to build the patched glibc
without manual intervention.

I may not have the Debian packaging entirely correct, so any feedback
is appreciated.

I do know one part that is not FHS compliant: Plash uses a chroot()
jail directory containing a directory that needs to be writable.  At
the moment I've put this at "/usr/lib/plash-chroot-jail", but I
imagine it should go under, say, "/var/lib/plash/chroot-jail".  The
chroot() jail needs to contain an executable.  Is it okay to put an
executable in /var?

Cheers,
Mark

Reply to:

Prev by Date: Re: Question about next step
Next by Date: Fwd: Re: [Fwd: Packaging ACT-R]
Previous by thread: Re: Question about next step
Next by thread: Fwd: Re: [Fwd: Packaging ACT-R]
Index(es):
- Date
- Thread