[HN Gopher] Show HN: boxxy - Control where Linux programs put fi... ___________________________________________________________________ Show HN: boxxy - Control where Linux programs put files, without symlinks Author : notamy Score : 147 points Date : 2023-02-09 20:04 UTC (2 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | yesco wrote: | I'd been meaning to make something like this for ages but never | had the patience to figure out the namespace API, great work! | notamy wrote: | Thanks :D <3 | oneplane wrote: | AWS an interesting example considering it's also a default search | path for the SDK so anything using an AWS SDK is going to check | for ~/.aws/config; does boxxy apply the rules to anything run in | a shell, or only if 'run by boxxy'? | notamy wrote: | Only in the latter case; I didn't want to assume how people | want things done, and implicitly magical tools break more often | than not in my experience. | | You may also be able to tell I don't have a lot of AWS | experience (: | oneplane wrote: | I suppose that is indeed more trouble than it's worth. As for | applications that might behave like AWS and their SDK; I | think that if someone uses boxxy they would probably also | remember to do the same thing for other stuff that uses aws | under the hood, so overall a win either way! | bheadmaster wrote: | Would be cool if there was a tool that could detect that | configured path was attempted to be opened, and redirect the | open() syscall to the real path... But that would most likely | require kernel support. | | Boxxy seems good enough for userspace. | sjaak wrote: | Lo and behold | | http://ordiluc.net/fs/libetc/ | notamy wrote: | I actually attempted using ptrace to rewrite syscalls | first! It was... horribly painful, and didn't work anywhere | near as well as the bind-mount version. | oneplane wrote: | In the past I used something like inotab to use an | inotify-based trigger to pipe data from SSH to a | different system that didn't have any NAS or SAN support, | it might also work to detect 'who' is touching any files | that boxxy has previously seen rules for. | | Perhaps still too tricky to make it do magic things and | break programs in the process, but it could be used to | audit who's working with what paths and let the user | print a report so they know what apps to boxx up and make | them behave. | notamy wrote: | That is an excellent idea! Something like could | definitely be worth adding. It's why there's a "remount | rootfs as ro" flag; that way anything not specified in | rules is ro and misbehaving programs will explode. | oneplane wrote: | Love exploding apps. That's what they get for eating my | filesystem. | yegle wrote: | Fun fact, one layer of App Engine's sandbox from a couple | years ago was implemented using ptrace. It will redirect | filesystem IO to in-memory files. | notamy wrote: | Interesting! That makes perfect sense, I just don't think | I'm smart enough to use ptrace properly right now :P | gary_0 wrote: | Were you mostly going off the ptrace man page? I tried | reading it to figure out ptrace and it made me feel not | smart enough too. | notamy wrote: | The man page + Google! There's very few good examples of | it, and I've accepted that I'm just not familiar enough | with that specific problem space. | blueblob wrote: | If I were to try to do this without symlinks, maybe I'd try | mount | ossusermivami wrote: | nice idea but tmux may not be the right example for the readme | example since tmux actually supports XDG and its config in | ~/.config/tmux/tmux.conf | notamy wrote: | TIL! I guess I'll find a better example. | boomskats wrote: | Isn't this what your `~/.config` directory is for? Is that where | you'd expect it to try first? | | Really interesting project for other use cases too btw. | notamy wrote: | It is, but I find many programs ignore ~/.config 3: | bullfightonmars wrote: | This is very cool and would massively simplify how I build my | dotfiles. Is there any way this could support macOS? | notamy wrote: | > Is there any way this could support macOS? | | I don't use macOS often-enough to know for sure, but a quick | search suggests that bind-mounts (or similar) are more | complicated on macOS. Not against the idea tho! | | Edit: | | > and would massively simplify how I build my dotfiles. | | I guess I should tell r/unixporn at some point, huh? (: | fezzez wrote: | This looks really convenient | nikau wrote: | If only files and directories starting with a dot were hidden | from view | pshirshov wrote: | It would be very nice to integrate it with Nix and make the | hijacking automatic (perhaps with LD_LIBRARY_PATH). | vippy wrote: | Ok, hi! My name is Boxxy... | sergiotapia wrote: | my queen, i kneel. | userbinator wrote: | That brings back memories... of an era of Internet that many | here are probably too young to have experienced. | Insanity wrote: | I wonder what the demographic for HN looks like. I never | questioned how much younger the audience would be than me | (and I definitely remember Boxxy and the related | internet/4chan drama). | RamblingCTO wrote: | I'd think the demographics are more 30+ and thus do | probably remember the 4chan stuff. | swozey wrote: | HN is predominately older millennials and genx. This site | isn't really making waves among the "kids" and I doubt ever | will unfortunately. | | It's us taking this ship to its end. o7 | | I would like to see the ages and sign up numbers over the | years. | bpiche wrote: | our screamo queen, glad to see this here | cheapliquor wrote: | YOU'S TROLLIN' I'S NOT TROLLIN I AM BOXXY YOU SEE ^_^ | ghc wrote: | Oh, god...I'm old now :( | [deleted] | flangola7 wrote: | She's on regular TV now IIRC | RamblingCTO wrote: | God, that title sent me down memory lane | https://www.youtube.com/watch?v=6bMLrA_0O5I | whalesalad wrote: | Is this named after the one and only boxxy?! | notamy wrote: | No! I just thought it was a cute name ("put things in a box"), | and it wasn't a common repo name on GitHub. | sosodev wrote: | You might be surprised how many of us were obsessed with | Boxxy lol. | warent wrote: | YUP, she was the OG camgirl, sadly got all the worst parts | of the gross attention / fame without any of the | perks/money that Belle Delphine gets now | notamy wrote: | I remember it quite well! Just not my particular cup of | tea. | marssaxman wrote: | I wonder if this could be used to move the obnoxious ~/snap | directory. | stabbles wrote: | Question is if those user/mount namespace tricks are composable | notamy wrote: | As far as I'm aware, yes! You should be able to nest | namespaces and mounts. | JosephRedfern wrote: | I was wondering the same. So infuriatingly obnoxious! | pipeline_peak wrote: | . | [deleted] | notamy wrote: | *she, but thanks! (: | [deleted] | Zurrrrr wrote: | This is nice. This is why I like to use minimal distros like | Alpine or Void, so I know where everything is on my system and | have some control over it. | nyanpasu64 wrote: | Does this use namespaces or chroot? The readme mentions | namespaces (like Flatpak?), but | https://github.com/queer/boxxy/blob/mistress/src/enclosure/m... | seems to indicate it uses chroot. | notamy wrote: | It creates a new mount namespace, and bind-mounts your ENTIRE | filesystem into it, before chrooting, so that it can optionally | remount / as ro to prevent applications from writing outside of | the desired directories. The namespace is to allow doing the | bind mounts in the first place. | stabbles wrote: | Is there an infinite recursion in /tmp? Do you use a | bubblewrap-like pivot_root trick? | hdjjhhvvhga wrote: | It looks like a useful project. | | By the way, as for the original motivation: | | > I recently had to use the AWS CLI. It wants to save data in | ~/.aws, but I don't want it to just clutter up my $HOME however | it wants. boxxy lets me force it to puts its data somewhere nice | and proper. | | - they could have used AWS_CONFIG_FILE and | AWS_SHARED_CREDENTIALS_FILE. | notamy wrote: | TIL! Thanks :D | jxf wrote: | But you shouldn't have to -- that's the point of the complaint. | That's like saying that if your neighbor is dumping toxic waste | in your yard, you can always ask them to stop. Sure, but maybe | they just shouldn't do that in the first place. | hdjjhhvvhga wrote: | Sure. But there will be many scenarios where you can't use | boxxy. | sureglymop wrote: | This is awesome!! Good stuff | arberx wrote: | Whats the difference between this and a chroot? | notamy wrote: | Instead of chrooting to somewhere else, replicating your | filesystem, ..., this switches into a new mount namespace and | uses bind mounts to shadow the files/directories that are | intended to be redirected. This way your entire filesystem | continues to be visible to the target application, and only the | paths you want altered are altered. | [deleted] | iamdamian wrote: | This seems like a great idea, thank you for sharing. | | Are you aware of any notable caveats to using Boxxy, given the | mount-based implementation? E.g., will this continue to work if | you sync ~/ with other machines (rsync, FTP, SyncThing)? | notamy wrote: | > This seems like a great idea, thank you for sharing. | | Thanks :D | | > Are you aware of any notable caveats to using Boxxy, given | the mount-based implementation? | | System configuration to allow mount namespaces, tools might | have to understand recursive paths, it's tested for my use- | cases. | | > E.g., will this continue to work if you sync ~/ with other | machines (rsync, FTP, SyncThing)? | | I haven't tried it! Would love to see what happens as that's | unfortunately not a use-case I have. | TechBro8615 wrote: | In my experience doing weird things with mountpoints, there | is almost always some bug that happens on reboot of the | system. For example, if your mounts aren't in /etc/fstab, | they simply won't be restored. And if you have a script that | sets them up manually, then make sure that script runs on | boot _after_ any mounts it implicitly depends on. | | Also note that any scripts with config stored in these | mountpoints (which seems to be the point of the tool) will | not be able to run until the mountpoints are up. That seems | like an obvious observation, but it's easy to fall into a | trap where one of your scripts installed with this tool is | called in a setup script that runs on boot of your machine. | [deleted] | notamy wrote: | Yes, absolutely! Good points to be aware of; I should find | a way to add some warnings about this to the README. | | (earlier less-relevant comment was deleted) | jpeeler wrote: | Can boxxy make use of rules with regex? If not, consider this a | feature request. | notamy wrote: | It sadly can't. Regex paths are hard due to the way it's | implemented; if it was intercepting syscalls via ptrace then | regex would be a lot more viable, but since this is just | glorified collection of bind mounts in the end, I'm unsure how | I'd implement that nicely... | jpeeler wrote: | Okay understood. Consider adding a way to query all files | written by a boxed application. If it generated a config file | based on this info that would be super useful. Thanks for | considering! | nmstoker wrote: | Maybe I've misunderstood, but it seems like this would only help | for files the program puts in places itself. Thus it wouldn't | help with files placed by the installer would it? | aendruk wrote: | The package manager already installs the program into the right | place. | notamy wrote: | It could, you would just have to then run the installer itself | under boxxy and write the rules for it. | adhoc_slime wrote: | Hah I was literally just complaining about applications not | following the XDG directory spec today. | | there's a non-exhaustive list of applications on the archwiki [0] | that put their config/data in dotfiles in the home directory. | surprisingly, there's also lots of pushback from maintainers of | projects who don't want to change this, for whatever excuse they | can produce. a Reddit thread has some list of issues where the | change is brought up [1]. | | Anyway, I'll look forward to testing this out. | | [0] https://wiki.archlinux.org/title/XDG_Base_Directory | | [1] | https://www.reddit.com/r/linux/comments/971m0z/im_tired_of_f... | joshuaissac wrote: | Some of these programs also spam the home folder on Windows | instead of using the path specified in the %APPDATA% | environment variable. | NoboruWataya wrote: | Yep, this does my head in. I really feel like there's no excuse | for it in 2023. | inanutshellus wrote: | Can I also soapbox about the XDG_CONFIG_HOME (~/.config) folder | having gigs of temp data in it? | | (I'm looking at you, _Slack_!) | | How awesome would it be to be able to back up my custom app | configs just by copying around one tiny folder? Or throwing it | in a git repo and knowing what config changed when? :\ | vngzs wrote: | $ du -sch ~/.config/Slack 846M $HOME/.config/Slack | 846M total | | ... this is on a two day old machine. WTF, Slack? Junk cached | data belongs in ~/.local/share ($XDG_DATA_HOME), not | ~/.config. | deadbunny wrote: | I think you mean `~/.cache`. | toastal wrote: | Should've kept Slack in a containered in a browser tab where | it belongs so it can't go messing with your system or prevent | you from blocking their tracking. ___________________________________________________________________ (page generated 2023-02-09 23:00 UTC)