RFS: plash (the Principle of Least Authority shell)
Hi,
I'm looking for a sponsor for my project, Plash:
Plash (the Principle of Least Authority shell) is a replacement Unix
shell which lets the user run Linux programs with access only to the
files and directories that they need to run.
The syntax is similar to Bash, but with some changes, e.g. to grant
write access to files (by default access is read-only). For example, if
you run the "oggenc" encoder program with the command:
oggenc foo.wav => -o foo.ogg
then the oggenc process will have access only to the files foo.wav
(read-only), foo.ogg (read/write/create), and those files in its
installation endowment. By default, the installation endowment
consists of /usr, /bin, /lib and /etc -- all as read-only -- but you
can change this on a per-program basis. Programs aren't given
access to other files, such as those in your home directory, unless
explicitly granted them.
Plash works by virtualizing the filesystem. Each process can have
its own file namespace.
This is implemented in two steps: Firstly, processes are run in a
chroot() environment under different UIDs, so they can't access
files using the normal Linux system calls and are isolated from each
other. Secondly, in order to open files, a process makes requests
to a server process via a socket; the server can send file
descriptors across the socket in reply.
Plash dynamically links programs with a modified version of GNU libc
so that they can do filesystem operations using this different
mechanism.
No kernel modifications are required. Plash can run Linux binaries
unmodified, provided they are dynamically linked with libc, which is
almost always the case.
In most cases this does not affect performance because the most
frequently called system calls, such as read() and write(), are not
affected.
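The request-and-reply path in that second step, as an added example that is not Plash's own code: a server applies the namespace grants and hands the opened descriptor back over a Unix socket with SCM_RIGHTS, so a read-only grant yields a descriptor the client cannot write through. It assumes a socketpair standing in for the Plash socket with both ends in one process, and constructed /tmp paths in place of foo.wav and foo.ogg; the names (grant, demo_ns, send_fd, recv_fd, policy_open, client_open) are my own.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* One entry of a confined process's namespace: a path and whether writing was granted. */
struct grant { const char *path; int writable; };
/* Constructed namespace for "oggenc foo.wav => -o foo.ogg", using /tmp paths for the demo. */
static const struct grant demo_ns[] = { { "/tmp/plash_demo_foo.wav", 0 }, { "/tmp/plash_demo_foo.ogg", 1 } };
/* Pass one descriptor over a Unix socket in an SCM_RIGHTS message; 0 on success. */
static int send_fd(int sock, int fd) {
    char byte = 0; struct iovec iov = { &byte, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;  /* aligned control buffer */
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive the descriptor sent by send_fd(); -1 if none arrived. */
static int recv_fd(int sock) {
    char byte; struct iovec iov = { &byte, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}
/* Server-side policy: open `path` only if granted, and for writing only if the grant allows it. */
static int policy_open(const struct grant *ns, size_t n, const char *path, int want_write) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(ns[i].path, path) == 0)
            return (want_write && !ns[i].writable) ? -1
                 : open(path, want_write ? O_RDWR | O_CREAT : O_RDONLY, 0600);
    return -1;    /* not granted: for the client the path simply does not exist */
}
/* Round trip over a socketpair standing in for the Plash socket (both ends in this process). */
static int client_open(const struct grant *ns, size_t n, const char *path, int want_write) {
    int sv[2], fd = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int srv_fd = policy_open(ns, n, path, want_write);                  /* server side */
    if (srv_fd >= 0 && send_fd(sv[1], srv_fd) == 0) fd = recv_fd(sv[0]); /* client side */
    if (srv_fd >= 0) close(srv_fd);   /* the in-flight message holds its own reference */
    close(sv[0]); close(sv[1]);
    return fd;
}
```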
Debian packages are at:
http://www.cs.jhu.edu/~seaborn/plash/plash_1.8_i386.deb
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.8.dsc
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.8.tar.gz
(The Debian source package contains a copy of glibc 2.3.3, which is
13Mb, but the source to Plash itself is only 200k.)
and there's more info at:
http://www.cs.jhu.edu/~seaborn/plash/plash.html
I've been creating Debian binary packages for Plash for a while, but
recently I have got the build process to build the patched glibc
without manual intervention.
I may not have the Debian packaging entirely correct, so any feedback
is appreciated.
I do know one part that is not FHS compliant: Plash uses a chroot()
jail directory containing a directory that needs to be writable. At
the moment I've put this at "/usr/lib/plash-chroot-jail", but I
imagine it should go under, say, "/var/lib/plash/chroot-jail". The
chroot() jail needs to contain an executable. Is it okay to put an
executable in /var?
Cheers,
Mark