Skip to content

klik news: presentation at LSB packaging meeting; experiments with 'Plash'

Sunday, 10 December 2006  |  pipitas

probono last week gave a presentation to the participants of the LSB packaging meeting, which took place in Berlin (hosted by SAP). His slides are available on the klik website.

Expect some improvements and changes in klik in the next few months as a result from the discussions that took place there.

From the klik development front the most exciting news are about some experiments of utilizing a thing called "Plash". Plash is little know so far, so let me throw a fast outline at you:

  • Plash stands for the "principle of least authority shell" (see also POLA).
  • Plash can run programs while giving them access to only the files and directories they need to run.
  • Plash 'virtualizes' the filesystem as seen by the programs.
  • Plash gives to each process its own namespace.
  • Plash's namespaces for applications contain only a subset of all files present on the system.
  • Plash requires no kernel modifications.
  • Plash is implemented by modifying GNU libc, replacing the system calls that use filenames.

To give an example: the open() system call is modified. Under Plash, open() sends a message to a file server via a socket. If the request is successful [i.e. the client program using open() is allowed to access the file], the server sends back a file descriptor. Processes run as user 'nobody' in a chroot jail.

If this outline has sparked your interest in Plash and want to learn more, go grok this Plash README next.

If you've ever looked at klik before and how it works, you'll probably see the enormously useful potential that lies in the marriage of klik with Plash.

If you've not looked at klik before, you surely missed a fun experience with using new programs on your system. In this case, visit the klik website, read the user's FAQ, and give some new programs like pdfedit a spin....