Skip to main content

Restrict Poetry to a smaller privilege

Project description

poetry-restrict-plugin

This Poetry plugin aims to restrict Poetry's allowed accesses to what it needs to fulfill its function, the goal is to apply principle of least privilege to our development tooling.

Motivation

What's the worst thing that could happen if you install a malicious Python dependency on your computer? Which information could it gather from your files, and how could it make itself a permanent home on your computer?

With poetry-restrict-plugin, that looks as follows:

$ poetry run cat ~/.ssh/config
poetry-restrict-plugin: Landlock engaged.
cat: /home/jc/.ssh/config: Permission denied
$ poetry run ls ~/.ssh
poetry-restrict-plugin: Landlock engaged.
ls: cannot open directory '/home/jc/.ssh': Permission denied

Installation

poetry-restrict-plugin is currently only supported on Linux with the Landlock LSM enabled.

Installation depends on how you installed Poetry. With pipx:

pipx inject poetry poetry-restrict-plugin

Alternatively, you can install it with poetry self add:

poetry self add poetry-restrict-plugin

See poetry self add --help for more options for installation, including installing development versions.

For other installation methods, see the Poetry plugin documentation.

Usage

The plugin will automatically run whenever you invoke poetry. If you run into an error with it and need an escape hatch, you can re-run your command with the environment variable POETRY_NO_RESTRICT=1 set.

Disclaimer

poetry-restrict-plugin is not a perfect sandbox, and probably never will be. If you're looking for something like that, nsjail might be interesting for you.

License

poetry-restrict-plugin is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

poetry-restrict-plugin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with poetry-restrict-plugin; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

poetry_restrict_plugin-0.1.0a7.tar.gz (7.2 kB view details)

Uploaded Source

Built Distribution

poetry_restrict_plugin-0.1.0a7-py3-none-any.whl (8.3 kB view details)

Uploaded Python 3

File details

Details for the file poetry_restrict_plugin-0.1.0a7.tar.gz.

File metadata

  • Download URL: poetry_restrict_plugin-0.1.0a7.tar.gz
  • Upload date:
  • Size: 7.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.11.2 Linux/6.1.0-23-amd64

File hashes

Hashes for poetry_restrict_plugin-0.1.0a7.tar.gz
Algorithm Hash digest
SHA256 b568131b373abd6073de566b5eb5ac1a522369de694b02fc1b9d6acf5a0e196d
MD5 a4292502f50e7a2866e2c41d14bffa0c
BLAKE2b-256 d34008b9823fd0c63d498d6ef6e81dd83dedaaaabf27cc4d3e50afcb7ee79784

See more details on using hashes here.

File details

Details for the file poetry_restrict_plugin-0.1.0a7-py3-none-any.whl.

File metadata

File hashes

Hashes for poetry_restrict_plugin-0.1.0a7-py3-none-any.whl
Algorithm Hash digest
SHA256 614b1648bb7e23df55e1842bae46c3ba6e82d960b680655777d00e663eb6f731
MD5 114c680925c75b62edcf68512af59b61
BLAKE2b-256 a460e20a713d3ca773314e9181ac1e4e95eac175866876768af27d68bd66acb5

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page