I'm looking for a sponsor for my project, Plash. The main page is:

http://plash.beasts.org

and Debian packages are at:

http://www.cs.jhu.edu/~seaborn/plash/plash_1.9_i386.deb
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.9.dsc
http://www.cs.jhu.edu/~seaborn/plash/with-glibc/plash_1.9.tar.gz

(The Debian source package contains a copy of glibc 2.3.3, which is 13Mb, but the source for Plash itself is only 200k.)
Plash (the Principle of Least Authority shell) is a replacement Unix shell which lets the user run Linux programs with access only to the files and directories that they need to run. The syntax is similar to Bash, but with some changes, e.g. to grant write access to files (by default it's read-only). For example, if you run the "oggenc" encoder program with the command:

  oggenc foo.wav => -o foo.ogg

then the oggenc process will have access only to the files foo.wav (read-only), foo.ogg (read/write/create), and those files in its installation endowment. By default, the installation endowment consists of /usr, /bin, /lib and /etc -- all as read-only -- but you can change this on a per-program basis. Programs aren't given access to other files, such as those in your home directory, unless explicitly granted them.

Plash works by virtualizing the filesystem. Each process can have its own file namespace. This is implemented in two steps: Firstly, processes are run in a chroot() environment under different UIDs, so they can't access files using the normal Linux system calls and are isolated from each other. Secondly, in order to open files, a process makes requests to a server process via a socket; the server can send file descriptors across the socket in reply.

Plash dynamically links programs with a modified version of GNU libc so that they can do filesystem operations using this different mechanism. No kernel modifications are required. Plash can run Linux binaries unmodified, provided they are dynamically linked with libc, which is almost always the case. In most cases this does not affect performance because the most frequently called system calls, such as read() and write(), are not affected.

This version should be compliant with the FHS and Debian standards. Previously, I put the chroot jail directory that Plash uses at /usr/lib/plash-chroot-jail. I have moved it to /var/lib/plash-chroot-jail, because it contains a directory that needs to be writable.
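The second step above, a server handing an already-opened file descriptor back across a Unix socket, is shown here as an added illustration in C; it is not Plash's code and does not reproduce Plash's request protocol, only the sendmsg()/SCM_RIGHTS descriptor passing that makes it possible. The demo keeps both ends in one process over a socketpair() and uses a constructed temporary file in place of a file the server would open on the client's behalf.

```c
/* Added example (not Plash code): hand an open fd to another process over a Unix socket. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
/* Server side: send one open descriptor; the kernel dup()s it into the receiver. 0 on success. */
int send_fd(int sock, int fd)
{
    char tag = 'F';   /* at least one data byte must accompany the ancillary data */
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Client side: receive one descriptor. Returns the new fd, or -1 if none arrived. */
int recv_fd(int sock)
{
    char tag;
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);   /* validate before trusting the payload */
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Demo: the server end opens a constructed temp file and passes it; the client end never
   names the file and only reads through the descriptor it was handed. Returns 1 on success. */
int pass_fd_demo(void)
{
    int sv[2], ok = 0;
    char buf[16] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    FILE *f = tmpfile();                          /* constructed sample file, server side */
    fputs("granted\n", f); fflush(f); rewind(f);  /* passed fd shares this file offset */
    int cfd = send_fd(sv[0], fileno(f)) == 0 ? recv_fd(sv[1]) : -1;
    if (cfd >= 0 && read(cfd, buf, sizeof buf - 1) == 8) ok = strcmp(buf, "granted\n") == 0;
    if (cfd >= 0) close(cfd);
    fclose(f); close(sv[0]); close(sv[1]);
    return ok;
}
```

Because the received descriptor is a kernel-level duplicate, the client can read the file without ever being able to name it, which is what lets a chroot()ed, separate-UID process use files outside its jail only when the server chooses to grant them.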
Mark