Plash: the Principle of Least Authority shell

Mark Seaborn


Table of Contents

1. Introduction

2. The Plash shell
    Overview of differences from Bash
    Bourne shell features missing from Plash
    Installation endowment
    Enabling access to the X11 Window System
    Job control
    Shell scripts

3. Plash's restricted execution environment
    Architecture overview
    Symbolic links
        Semantics
        Implementation
        Remaining problems
    Parent directories: the semantics of dot-dot using dir_stacks
    Directory file descriptors

4. Executable objects
    Introduction
    Applying POLA to argument files and other files
    Invocations between programs
    Examples
    Notes
    The process replacement behaviour
    Discovering file descriptors
    Garbage collection
    Limitations
        Linux, job control, and TTY file descriptors
        Job control
        exec-object limitations
        Shell limitations

5. Protocols and interfaces
    Protocol for messages with file descriptors
    Object-capability protocol
        Closing the connection
        Conventions
        Future extensions
    PLASH_COMM_FD and PLASH_CAPS
    fs_op object
    Filesystem objects: files, directories and symlinks
    Executable objects
    conn_maker object
    fs_op_maker object

6. Man pages
    plash - Shell for running programs with minimum authority
    plash-opts - Set options in the Plash shell
    exec-object - Creates executable objects for use under Plash
    plash-chroot - chroot program, for use under Plash
    plash-socket-publish - Make a Plash object reference available via a named socket
    plash-socket-connect - Get a reference to a Plash object that was exported to a socket
    plash-run-emacs - Run XEmacs and then grant it access to individual files

7. Internals
    Region-based memory management
    String handling
    Object system
    Methods
    Reference counting
    Marshalling
        Encodings for marshalling
    Documentation format: XXML, an XML surface syntax

8. Bugs and vulnerabilities
    Security vulnerabilities
    Bugs
    Might be problems in future
    Programs that don't work under Plash