|| ||Mark Seaborn <mseaborn-AT-onetel.com>|
|| ||Announce: Plash 1.14, tools for running programs with minimum
|| ||Thu, 10 Nov 2005 23:13:03 +0000 (GMT)|
Your readers might be interested in the newly-released version of
(Debian packages and RPMs available for i386 Linux.)
Plash is a secure, restricted execution environment for running Linux
programs with the minimum necessary privileges. It is similar to
using chroot jails, but is more lightweight and flexible. You can use
Plash to grant a process read-only or read-write access to specific
files and directories, which can be mapped at any point in its private
Plash's purpose is to protect you from the programs you run,
whether they are malicious, are vulnerable to compromise from external
attacks, or just behave unexpectedly.
Plash provides two interfaces for launching programs:
* pola-run, a command line tool;
* a Bash-like shell for interactive use.
New in this version are "file powerboxes". Powerboxes are a design
pattern for dynamically granting authority to a GUI program. A file
powerbox works just like a file open/save dialog box, except that it
also grants authority to access a file. Currently, the powerbox has
been integrated with XEmacs only. This lets you run XEmacs without
having to give it access to all of your files. For example, it is
possible to edit root-owned files without running XEmacs as root.
How it works: The Plash execution environment doesn't require a
modified Linux kernel -- it uses chroot() and UIDs. It works with
existing Linux executables, provided they are dynamically linked --
Plash uses a modified version of GNU libc. Plash virtualizes the
filesystem: a server process implements calls such as open() by
sending a process a file descriptor across a socket.
to post comments)