Landdown: Simple Sandboxing for Shell Scripts(git.sr.ht)

2 pointsby fanf211 hours ago1 comment

bruck_10 hours ago
This is a really nice idea. The shebang-based approach makes it feel way more natural than wrapping everything in a separate command.
I like that it forces you to explicitly think about what a script actually needs (files, network, etc.). Most shell scripts run with way more access than they should.
Feels like a good middle ground between “no isolation” and heavier tools like bubblewrap or firejail.
- verdverm10 hours ago
  Stuff like this ignores all of the tooling we have for this already, like users, groups, and permissions
  That first example, it's a no-op for a regular users, they can't write those, use chmod/chown instead.
  What you don't see is that this sort of thing, permissions within the scripts, are (1) easy to change (2) hard to maintain