Plash: tools for practical least privilege
Table of contents
Introduction
How it works: virtualizing the file namespace
Mailing list
Related systems
Roadmap
Licence
Downloading and installing Plash
Installing Plash
Pre-built packages
Building Plash from source
Using Debian source packages
Building without using Debian scripts
Creating Debian packages from SVN
Requirements
SVN repository
Download previous versions
Examples
Running GUI applications
Running Leafpad (a simple text editor)
Running Gnumeric
Running Inkscape
Running command line programs
Running gcc
Running rpm to build a package as a non-root user
Running servers
Running a webmail server
Screenshots
Using the powerbox from Gtk applications
Using the powerbox from XEmacs
The powerbox: a GUI for granting authority
Introduction to powerboxes
What is a file powerbox?
Why "least privilege" is important: an example
How do powerboxes work?
The history of powerboxes
How to run programs to use the powerbox
Limitations
X Window System security
UI limitations
Reviewing and revoking
Nested use of pola-run
Secure handling of symlinks
Backup and temporary files
Persistence
Integrations: powerbox for Gtk applications
How it works
Limitations
Earlier version of the GtkFileChooserDialog replacement
Integrations: powerbox for Emacs/XEmacs
The powerbox API
pola-run: A command line tool for launching sandboxed programs
Synopsis
Description
Options
Examples
Environment variables
Plash's sandbox environment
Architecture overview
Symbolic links
Semantics
Implementation
Remaining problems
Parent directories: the semantics of dot-dot using dir_stacks
Directory file descriptors
Why not do interception of system calls using, for example, ptrace?
How does Plash compare with chroot jails?
FAQs: frequently asked questions
pola-shell: A shell for interactive use
Differences from Bash: examples
Bourne shell features missing from pola-shell
Installation endowment
Enabling access to the X11 Window System
Job control
Shell scripts
Options
Argument lists
Commands
Expressions
Executable objects: a replacement for setuid executables
Introduction
Applying POLA to argument files and other files
Invocations between programs
Examples
Notes
The process replacement behaviour
Discovering file descriptors
Garbage collection
Limitations
Linux, job control, and TTY file descriptors
Job control
exec-object limitations
Shell limitations
Communication protocols
Protocol for messages with file descriptors
Object-capability protocol
Closing the connection
Conventions
Initial state of a newly-created connection
Call-return
Future extensions
PLASH_COMM_FD and PLASH_CAPS
RPC methods
fs_op object
Filesystem objects: files, directories and symlinks
Executable objects
conn_maker object
fs_op_maker object
News
Version 1.17 (2006-12-23)
Version 1.16
Version 1.11
Running the shell as root
Following symlinks
Documentation overhaul
Other changes
Version 1.10
Version 1.9
Other changes
Version 1.8
New build system
Syntax change
Enabling X11 access
Shell options
Support for directory file descriptors
Version 1.7
Version 1.6
Version 1.5
Internals
Region-based memory management
String handling
Object system
Methods
Reference counting
Marshalling
Encodings for marshalling
Documentation format: XXML, an XML surface syntax
Issues
Security vulnerabilities
connect() race condition
chmod() race condition
Running pola-shell as root
Bugs
Aspects that need more testing
Might be problems in future
Problems running specific programs
GNU Emacs (resolved)
Konqueror (resolved)
XEmacs
Copyright