[HN Gopher] Show HN: boxxy - Control where Linux programs put fi...
___________________________________________________________________
Show HN: boxxy - Control where Linux programs put files, without
symlinks
Author : notamy
Score : 147 points
Date : 2023-02-09 20:04 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| yesco wrote:
| I'd been meaning to make something like this for ages but never
| had the patience to figure out the namespace API, great work!
| notamy wrote:
| Thanks :D <3
| oneplane wrote:
| AWS an interesting example considering it's also a default search
| path for the SDK so anything using an AWS SDK is going to check
| for ~/.aws/config; does boxxy apply the rules to anything run in
| a shell, or only if 'run by boxxy'?
| notamy wrote:
| Only in the latter case; I didn't want to assume how people
| want things done, and implicitly magical tools break more often
| than not in my experience.
|
| You may also be able to tell I don't have a lot of AWS
| experience (:
| oneplane wrote:
| I suppose that is indeed more trouble than it's worth. As for
| applications that might behave like AWS and their SDK; I
| think that if someone uses boxxy they would probably also
| remember to do the same thing for other stuff that uses aws
| under the hood, so overall a win either way!
| bheadmaster wrote:
| Would be cool if there was a tool that could detect that
| configured path was attempted to be opened, and redirect the
| open() syscall to the real path... But that would most likely
| require kernel support.
|
| Boxxy seems good enough for userspace.
| sjaak wrote:
| Lo and behold
|
| http://ordiluc.net/fs/libetc/
| notamy wrote:
| I actually attempted using ptrace to rewrite syscalls
| first! It was... horribly painful, and didn't work anywhere
| near as well as the bind-mount version.
| oneplane wrote:
| In the past I used something like inotab to use an
| inotify-based trigger to pipe data from SSH to a
| different system that didn't have any NAS or SAN support,
| it might also work to detect 'who' is touching any files
| that boxxy has previously seen rules for.
|
| Perhaps still too tricky to make it do magic things and
| break programs in the process, but it could be used to
| audit who's working with what paths and let the user
| print a report so they know what apps to boxx up and make
| them behave.
| notamy wrote:
| That is an excellent idea! Something like could
| definitely be worth adding. It's why there's a "remount
| rootfs as ro" flag; that way anything not specified in
| rules is ro and misbehaving programs will explode.
| oneplane wrote:
| Love exploding apps. That's what they get for eating my
| filesystem.
| yegle wrote:
| Fun fact, one layer of App Engine's sandbox from a couple
| years ago was implemented using ptrace. It will redirect
| filesystem IO to in-memory files.
| notamy wrote:
| Interesting! That makes perfect sense, I just don't think
| I'm smart enough to use ptrace properly right now :P
| gary_0 wrote:
| Were you mostly going off the ptrace man page? I tried
| reading it to figure out ptrace and it made me feel not
| smart enough too.
| notamy wrote:
| The man page + Google! There's very few good examples of
| it, and I've accepted that I'm just not familiar enough
| with that specific problem space.
| blueblob wrote:
| If I were to try to do this without symlinks, maybe I'd try
| mount
| ossusermivami wrote:
| nice idea but tmux may not be the right example for the readme
| example since tmux actually supports XDG and its config in
| ~/.config/tmux/tmux.conf
| notamy wrote:
| TIL! I guess I'll find a better example.
| boomskats wrote:
| Isn't this what your `~/.config` directory is for? Is that where
| you'd expect it to try first?
|
| Really interesting project for other use cases too btw.
| notamy wrote:
| It is, but I find many programs ignore ~/.config 3:
| bullfightonmars wrote:
| This is very cool and would massively simplify how I build my
| dotfiles. Is there any way this could support macOS?
| notamy wrote:
| > Is there any way this could support macOS?
|
| I don't use macOS often-enough to know for sure, but a quick
| search suggests that bind-mounts (or similar) are more
| complicated on macOS. Not against the idea tho!
|
| Edit:
|
| > and would massively simplify how I build my dotfiles.
|
| I guess I should tell r/unixporn at some point, huh? (:
| fezzez wrote:
| This looks really convenient
| nikau wrote:
| If only files and directories starting with a dot were hidden
| from view
| pshirshov wrote:
| It would be very nice to integrate it with Nix and make the
| hijacking automatic (perhaps with LD_LIBRARY_PATH).
| vippy wrote:
| Ok, hi! My name is Boxxy...
| sergiotapia wrote:
| my queen, i kneel.
| userbinator wrote:
| That brings back memories... of an era of Internet that many
| here are probably too young to have experienced.
| Insanity wrote:
| I wonder what the demographic for HN looks like. I never
| questioned how much younger the audience would be than me
| (and I definitely remember Boxxy and the related
| internet/4chan drama).
| RamblingCTO wrote:
| I'd think the demographics are more 30+ and thus do
| probably remember the 4chan stuff.
| swozey wrote:
| HN is predominately older millennials and genx. This site
| isn't really making waves among the "kids" and I doubt ever
| will unfortunately.
|
| It's us taking this ship to its end. o7
|
| I would like to see the ages and sign up numbers over the
| years.
| bpiche wrote:
| our screamo queen, glad to see this here
| cheapliquor wrote:
| YOU'S TROLLIN' I'S NOT TROLLIN I AM BOXXY YOU SEE ^_^
| ghc wrote:
| Oh, god...I'm old now :(
| [deleted]
| flangola7 wrote:
| She's on regular TV now IIRC
| RamblingCTO wrote:
| God, that title sent me down memory lane
| https://www.youtube.com/watch?v=6bMLrA_0O5I
| whalesalad wrote:
| Is this named after the one and only boxxy?!
| notamy wrote:
| No! I just thought it was a cute name ("put things in a box"),
| and it wasn't a common repo name on GitHub.
| sosodev wrote:
| You might be surprised how many of us were obsessed with
| Boxxy lol.
| warent wrote:
| YUP, she was the OG camgirl, sadly got all the worst parts
| of the gross attention / fame without any of the
| perks/money that Belle Delphine gets now
| notamy wrote:
| I remember it quite well! Just not my particular cup of
| tea.
| marssaxman wrote:
| I wonder if this could be used to move the obnoxious ~/snap
| directory.
| stabbles wrote:
| Question is if those user/mount namespace tricks are composable
| notamy wrote:
| As far as I'm aware, yes! You should be able to nest
| namespaces and mounts.
| JosephRedfern wrote:
| I was wondering the same. So infuriatingly obnoxious!
| pipeline_peak wrote:
| .
| [deleted]
| notamy wrote:
| *she, but thanks! (:
| [deleted]
| Zurrrrr wrote:
| This is nice. This is why I like to use minimal distros like
| Alpine or Void, so I know where everything is on my system and
| have some control over it.
| nyanpasu64 wrote:
| Does this use namespaces or chroot? The readme mentions
| namespaces (like Flatpak?), but
| https://github.com/queer/boxxy/blob/mistress/src/enclosure/m...
| seems to indicate it uses chroot.
| notamy wrote:
| It creates a new mount namespace, and bind-mounts your ENTIRE
| filesystem into it, before chrooting, so that it can optionally
| remount / as ro to prevent applications from writing outside of
| the desired directories. The namespace is to allow doing the
| bind mounts in the first place.
| stabbles wrote:
| Is there an infinite recursion in /tmp? Do you use a
| bubblewrap-like pivot_root trick?
| hdjjhhvvhga wrote:
| It looks like a useful project.
|
| By the way, as for the original motivation:
|
| > I recently had to use the AWS CLI. It wants to save data in
| ~/.aws, but I don't want it to just clutter up my $HOME however
| it wants. boxxy lets me force it to puts its data somewhere nice
| and proper.
|
| - they could have used AWS_CONFIG_FILE and
| AWS_SHARED_CREDENTIALS_FILE.
| notamy wrote:
| TIL! Thanks :D
| jxf wrote:
| But you shouldn't have to -- that's the point of the complaint.
| That's like saying that if your neighbor is dumping toxic waste
| in your yard, you can always ask them to stop. Sure, but maybe
| they just shouldn't do that in the first place.
| hdjjhhvvhga wrote:
| Sure. But there will be many scenarios where you can't use
| boxxy.
| sureglymop wrote:
| This is awesome!! Good stuff
| arberx wrote:
| Whats the difference between this and a chroot?
| notamy wrote:
| Instead of chrooting to somewhere else, replicating your
| filesystem, ..., this switches into a new mount namespace and
| uses bind mounts to shadow the files/directories that are
| intended to be redirected. This way your entire filesystem
| continues to be visible to the target application, and only the
| paths you want altered are altered.
| [deleted]
| iamdamian wrote:
| This seems like a great idea, thank you for sharing.
|
| Are you aware of any notable caveats to using Boxxy, given the
| mount-based implementation? E.g., will this continue to work if
| you sync ~/ with other machines (rsync, FTP, SyncThing)?
| notamy wrote:
| > This seems like a great idea, thank you for sharing.
|
| Thanks :D
|
| > Are you aware of any notable caveats to using Boxxy, given
| the mount-based implementation?
|
| System configuration to allow mount namespaces, tools might
| have to understand recursive paths, it's tested for my use-
| cases.
|
| > E.g., will this continue to work if you sync ~/ with other
| machines (rsync, FTP, SyncThing)?
|
| I haven't tried it! Would love to see what happens as that's
| unfortunately not a use-case I have.
| TechBro8615 wrote:
| In my experience doing weird things with mountpoints, there
| is almost always some bug that happens on reboot of the
| system. For example, if your mounts aren't in /etc/fstab,
| they simply won't be restored. And if you have a script that
| sets them up manually, then make sure that script runs on
| boot _after_ any mounts it implicitly depends on.
|
| Also note that any scripts with config stored in these
| mountpoints (which seems to be the point of the tool) will
| not be able to run until the mountpoints are up. That seems
| like an obvious observation, but it's easy to fall into a
| trap where one of your scripts installed with this tool is
| called in a setup script that runs on boot of your machine.
| [deleted]
| notamy wrote:
| Yes, absolutely! Good points to be aware of; I should find
| a way to add some warnings about this to the README.
|
| (earlier less-relevant comment was deleted)
| jpeeler wrote:
| Can boxxy make use of rules with regex? If not, consider this a
| feature request.
| notamy wrote:
| It sadly can't. Regex paths are hard due to the way it's
| implemented; if it was intercepting syscalls via ptrace then
| regex would be a lot more viable, but since this is just
| glorified collection of bind mounts in the end, I'm unsure how
| I'd implement that nicely...
| jpeeler wrote:
| Okay understood. Consider adding a way to query all files
| written by a boxed application. If it generated a config file
| based on this info that would be super useful. Thanks for
| considering!
| nmstoker wrote:
| Maybe I've misunderstood, but it seems like this would only help
| for files the program puts in places itself. Thus it wouldn't
| help with files placed by the installer would it?
| aendruk wrote:
| The package manager already installs the program into the right
| place.
| notamy wrote:
| It could, you would just have to then run the installer itself
| under boxxy and write the rules for it.
| adhoc_slime wrote:
| Hah I was literally just complaining about applications not
| following the XDG directory spec today.
|
| there's a non-exhaustive list of applications on the archwiki [0]
| that put their config/data in dotfiles in the home directory.
| surprisingly, there's also lots of pushback from maintainers of
| projects who don't want to change this, for whatever excuse they
| can produce. a Reddit thread has some list of issues where the
| change is brought up [1].
|
| Anyway, I'll look forward to testing this out.
|
| [0] https://wiki.archlinux.org/title/XDG_Base_Directory
|
| [1]
| https://www.reddit.com/r/linux/comments/971m0z/im_tired_of_f...
| joshuaissac wrote:
| Some of these programs also spam the home folder on Windows
| instead of using the path specified in the %APPDATA%
| environment variable.
| NoboruWataya wrote:
| Yep, this does my head in. I really feel like there's no excuse
| for it in 2023.
| inanutshellus wrote:
| Can I also soapbox about the XDG_CONFIG_HOME (~/.config) folder
| having gigs of temp data in it?
|
| (I'm looking at you, _Slack_!)
|
| How awesome would it be to be able to back up my custom app
| configs just by copying around one tiny folder? Or throwing it
| in a git repo and knowing what config changed when? :\
| vngzs wrote:
| $ du -sch ~/.config/Slack 846M $HOME/.config/Slack
| 846M total
|
| ... this is on a two day old machine. WTF, Slack? Junk cached
| data belongs in ~/.local/share ($XDG_DATA_HOME), not
| ~/.config.
| deadbunny wrote:
| I think you mean `~/.cache`.
| toastal wrote:
| Should've kept Slack in a containered in a browser tab where
| it belongs so it can't go messing with your system or prevent
| you from blocking their tracking.
___________________________________________________________________
(page generated 2023-02-09 23:00 UTC)