plash — Shell for running programs with minimum authority


plash [--rcfile file]
      [-c command]


Plash is the Principle of Least Authority shell. It lets you run Linux programs with access only to the files and directories they need to run. Programs are given access to files which were passed as command line arguments.


--rcfile file

Executes the given script on startup. Does not switch off interactive mode.

By default, the shell does not read any scripts on startup.

-c command

Execute the given command, and then exit. Disables interactive mode.

Argument lists

arglist1 => arglist2

By default, files and directories are passed as read-only. The "=>" operator lets you pass files and directories with read-write access. Objects to the right of "=>" are passed as read-write slots, so the object doesn't have to exist in advance.

arglist1 + arglist2

Files and directories that appear to the right of the "+" operator are not included in the argument list (the one used in execve()), but they are attached into the file namespace of the process.




Arguments that are not filenames should be quoted, unless they begin with '-'.


You can attach objects to arbitrary points in the file namespace. Here, expr typically evaluates to a file, directory, or executable object. This will include pathname in the argument list.

{ arglist }

You can limit the scope of "+" or "=>" using curly brackets.







IO redirection. You can change the file descriptors that are passed to the process.

Example commands

ls .

Arguments that were implicit before must now be made explicit. With the Bourne shell or Bash you can write `ls' to list the current directory's contents. With Plash you must add `.' to grant access to the current directory.

gcc -c foo.c => -o foo.o + .

make + => .

tar -cvzf => foo.tar.gz dir1

grep 'pattern' file | less

Pipes work as in conventional shells.
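The argument-list rules and example commands above, modelled in Python as an added example; it is not part of plash, and the function name authority is hypothetical. It shows which words reach execve() and which paths a command line grants read-only or read-write. Assumptions: "=>" and "+" apply to every later argument inside the enclosing curly brackets (plash's real operator precedence is not modelled), and pathname attachment, IO redirection and pipes are not handled.

```python
import shlex

def authority(command_line):
    """Model one command line: return (argv, {path: "ro" | "rw"})."""
    argv, grants = [], {}
    rw = hidden = False   # set by "=>" and "+" for the arguments that follow
    saved = []            # operator state to restore at each "}"
    # posix=False keeps the quote characters, so quoted words can be recognised
    for tok in shlex.split(command_line, posix=False):
        if tok == "=>":
            rw = True
        elif tok == "+":
            hidden = True
        elif tok == "{":
            saved.append((rw, hidden))
        elif tok == "}":
            if not saved:
                raise ValueError("unbalanced '}'")
            rw, hidden = saved.pop()
        else:
            quoted = len(tok) >= 2 and tok[0] in "'\"" and tok[-1] == tok[0]
            word = tok[1:-1] if quoted else tok
            # The command name (first word), quoted words and options
            # beginning with '-' are not treated as filenames.
            is_file = bool(argv) and not quoted and not tok.startswith("-")
            if not hidden:
                argv.append(word)
            if is_file:
                # Never downgrade a path that was already granted read-write.
                grants[word] = "rw" if rw or grants.get(word) == "rw" else "ro"
    if saved:
        raise ValueError("unbalanced '{'")
    return argv, grants

if __name__ == "__main__":
    # Constructed inputs: four commands from this page plus one that uses
    # curly brackets to keep "=>" from applying to the current directory.
    for line in ["ls .", "make + => .", "tar -cvzf => foo.tar.gz dir1",
                 "grep 'pattern' file", "gcc -c foo.c { => -o foo.o } + ."]:
        print(line, "->", authority(line))
```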


If you want to execute a command in the conventional way -- without running the process with a virtualised filesystem, in a chroot jail, etc. -- you can prefix it with "!!". This can be applied to individual command invocations in a pipeline. The syntax for command invocations is the same whether "!!" is used or not, but when it is used, files listed after the "+" operator are ignored.


cd pathname

Sets the current directory.

fg job-number

Puts the given job in the foreground. (Job numbers are not prefixed with `%', unlike in Bash.)

bg job-number

Puts the given job in the background.

def var = expr

Binds the object reference returned by the expression to a variable.



Returns the object reference that is bound to the variable.

F pathname

Returns the file or directory object at the given path. Will follow symbolic links.

mkfs args...

This expression returns a fabricated directory object containing the files listed in args. The object resides in a server process started by the shell.

args is processed in the same way as argument lists to commands, so read-only access will be given for files that are listed unless "=>" is used, and objects can be attached at points in the directory tree using path=expr.

capcmd command args...

This built-in expression is similar to a normal command invocation, except that it expects the resulting process to return an object reference as a result. The shell passes the process a return continuation argument (return_cont; see the PLASH_CAPS environment variable), which the process invokes with the result.

This expression doesn't wait for the process to exit: the process will typically act as a server and stay running in the background to handle invocations of the object that it returned.

If the process drops the return continuation without invoking it (which will happen if it exits without passing the reference on), the expression results in an error.

See also

exec-object, plash-opts, plash-socket-publish, plash-socket-connect



Mark Seaborn <>