Plash: the Principle of Least Authority shell
Plash is a secure, restricted execution environment for running Linux programs with minimum privileges necessary. You can grant a process read-only or read-write access to specific files and directories, which can be mapped at any point in its private filesystem namespace.
The execution environment doesn't require a modified Linux kernel -- it uses chroot() and UIDs. It works with existing Linux executables, provided they are dynamically linked, because Plash uses a modified version of GNU libc.
Plash virtualizes the filesystem. With the modified libc, open() works by sending a request across a socket. The server process can send a file descriptor back across the socket in response. Usually, Plash does not slow programs down because the most frequently used system calls (such as read() and write()) work on kernel-level file descriptors as before.
Plash provides a shell, with a syntax similar to the Bourne shell or Bash. Unlike Bash, it distinguishes between string arguments and file arguments, because it needs to know which files to grant the program access to. By default, the shell grants only read-only access to files and directories. There is extra syntax for granting read/write/create access.
Plash also provides a tool, run-emacs, for running XEmacs and granting it access to individual files dynamically. This means you don't have to run XEmacs with access to all of your files.
There is a mailing list. To subscribe, e-mail firstname.lastname@example.org with "subscribe" in the subject line. Another way to be notified of new releases is to subscribe to the project on its Freshmeat page.
The Debian source packages include the glibc source, which is needed to build Plash's modified glibc. However, the regular source packages don't include glibc. You can download it separately from:
|Version||Files||Description of changes|
(13th August 2005)
|Major new feature: Add plash-run-emacs tool. Made changes so that it's safer to run the shell as root. Documentation has been improved, and converted to DocBook format.|
(20th July 2005)
|Implemented fchdir(). "rm -r", "install -d" and "mkdir -p" now work.|
(10th July 2005)
|Changed implementation of file namespace construction. Now possible to add/replace entries in existing directories (without modifying the directory).|
(22nd May 2005)
|Overhauled build system for modified glibc. Add option for granting access to the X11 Window System (off by default). New mechanism for setting shell options. Added limited support for directory file descriptors, so that XEmacs works.|
(1st May 2005)
|Major new feature: executable objects.|
(18th January 2005)
|New argument syntax: "PATHNAME = EXPR", allowing objects to be attached anywhere in the file namespace.|
(7th January 2005)
|Add recursive read-only directories. Add example "chroot" program: first tool to use object-capability protocol.|
(4th January 2005)
|Implemented object-capability protocol. This is used as an additional layer in the communication between client and server.|
(29th December 2004)
|Better security: runs processes under dynamically-allocated user IDs rather than the user "nobody". Add globbing and file descriptor redirection to the shell. Implemented bind(), symlink(), utime(), rename() and link().|
(18th December 2004)
|Fixed open64() and libpthread.so. Implemented pipes in the shell. Added "!!" syntax to shell. Added support for "#!" scripts. Added options window for enabling logging.|
(10th December 2004)
|Added job control to shell.|
(7th December 2004)