Restrict Poetry to a smaller privilege
Project description
poetry-restrict-plugin
This Poetry plugin aims to restrict Poetry's allowed accesses to what it needs to fulfill its function, the goal is to apply principle of least privilege to our development tooling.
Motivation
What's the worst thing that could happen if you install a malicious Python dependency on your computer? Which information could it gather from your files, and how could it make itself a permanent home on your computer?
With poetry-restrict-plugin
, that looks as follows:
$ poetry run cat ~/.ssh/config
poetry-restrict-plugin: Landlock engaged.
cat: /home/jc/.ssh/config: Permission denied
$ poetry run ls ~/.ssh
poetry-restrict-plugin: Landlock engaged.
ls: cannot open directory '/home/jc/.ssh': Permission denied
Installation
poetry-restrict-plugin
is currently only supported on Linux with the Landlock
LSM enabled.
Installation depends on how you installed Poetry. With
pipx
:
pipx inject poetry poetry-restrict-plugin
Alternatively, you can install it with poetry self add
:
poetry self add poetry-restrict-plugin
See poetry self add --help
for more options for installation, including
installing development versions.
For other installation methods, see the Poetry plugin documentation.
Usage
The plugin will automatically run whenever you invoke poetry. If you run into an
error with it and need an escape hatch, you can re-run your command with the
environment variable POETRY_NO_RESTRICT=1
set.
Disclaimer
poetry-restrict-plugin
is not a perfect sandbox, and probably never will be.
If you're looking for something like that,
nsjail might be interesting for you.
License
poetry-restrict-plugin is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
poetry-restrict-plugin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with poetry-restrict-plugin; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file poetry_restrict_plugin-0.1.0a7.tar.gz
.
File metadata
- Download URL: poetry_restrict_plugin-0.1.0a7.tar.gz
- Upload date:
- Size: 7.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.3 CPython/3.11.2 Linux/6.1.0-23-amd64
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | b568131b373abd6073de566b5eb5ac1a522369de694b02fc1b9d6acf5a0e196d |
|
MD5 | a4292502f50e7a2866e2c41d14bffa0c |
|
BLAKE2b-256 | d34008b9823fd0c63d498d6ef6e81dd83dedaaaabf27cc4d3e50afcb7ee79784 |
File details
Details for the file poetry_restrict_plugin-0.1.0a7-py3-none-any.whl
.
File metadata
- Download URL: poetry_restrict_plugin-0.1.0a7-py3-none-any.whl
- Upload date:
- Size: 8.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.3 CPython/3.11.2 Linux/6.1.0-23-amd64
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 614b1648bb7e23df55e1842bae46c3ba6e82d960b680655777d00e663eb6f731 |
|
MD5 | 114c680925c75b62edcf68512af59b61 |
|
BLAKE2b-256 | a460e20a713d3ca773314e9181ac1e4e95eac175866876768af27d68bd66acb5 |