Plash is a Unix shell designed for running Unix programs with access limited to the files and directories they need in order to run.
First, processes are run in a chroot() environment under different UIDs, which isolates them from each other and prevents them from accessing files using normal Linux system calls. Second, in order to open a file, a process must request it via a socket from a server process. The server can then send a file descriptor across the socket in response.
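The descriptor hand-off described above can be sketched in C with SCM_RIGHTS ancillary data on a Unix socket. This is an added example, not Plash's own code or wire protocol: the function names, the one-byte 'Y'/'N' reply and the exact-match grant policy are assumptions made for illustration, and both ends run in one process over a socketpair() because the chroot() and UID change need root.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server (hypothetical exact-match policy): open only the granted path, send the fd as SCM_RIGHTS. */
static int serve_open(int sock, const char *path, const char *granted) {
    int fd = strcmp(path, granted) == 0 ? open(path, O_RDONLY) : -1;
    char status = fd >= 0 ? 'Y' : 'N';          /* one-byte reply: granted or refused */
    struct iovec iov = { &status, 1 };
    _Alignas(struct cmsghdr) char cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof fd);
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
    }
    ssize_t n = sendmsg(sock, &msg, 0);
    if (fd >= 0) close(fd);                     /* the client now holds its own copy */
    return n == 1 ? 0 : -1;
}

/* Client: the confined process does not open() the file; it only receives an fd. */
static int recv_fd(int sock) {
    char status; int fd = -1;
    struct iovec iov = { &status, 1 };
    _Alignas(struct cmsghdr) char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1 || status != 'Y') return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Round trip in one process: bytes read via the passed fd, or -1 if refused. */
int demo_roundtrip(const char *request, const char *granted) {
    char buf[16]; int sv[2], n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    serve_open(sv[0], request, granted);
    int fd = recv_fd(sv[1]);
    if (fd >= 0) { n = (int)read(fd, buf, sizeof buf); close(fd); }
    close(sv[0]); close(sv[1]);
    return n;
}
int main(void) { return demo_roundtrip("/dev/zero", "/dev/zero") == 16 ? 0 : 1; }
```

The comparison is a plain string match with no path canonicalization, so a request such as `/dev/zero/../zero` is refused rather than resolved.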
One of the benefits of Plash is that no kernel modifications are required to run Linux binaries unmodified. This is because Plash dynamically links programs with a modified version of GNU libc, which allows them to perform filesystem operations through a different mechanism. In most cases, users won't notice a significant impact on performance, since the most commonly used system calls, such as read() and write(), are not affected.
The recent release of Plash features a change to the build system for PlashGlibc. This results in better integration with glibc's normal build process, making it easier to build Plash on architectures other than i386. This is also the first release to support AMD-64. Additionally, the previous release's stdin/stdout/stderr forwarding caused some bugs that should now be fixed.
Overall, if you're looking for a Unix shell replacement that provides secure access to necessary files and directories, Plash is definitely worth checking out.
Version 1.19: N/A