Landdown: Simple Sandboxing for Shell Scripts

(git.sr.ht)

2 points | by fanf2 12 hours ago

2 comments

  • bruck_ 12 hours ago

    This is a really nice idea. The shebang-based approach makes it feel way more natural than wrapping everything in a separate command.

    I like that it forces you to explicitly think about what a script actually needs (files, network, etc.). Most shell scripts run with way more access than they should.

    Feels like a good middle ground between “no isolation” and heavier tools like bubblewrap or firejail.

    • verdverm 11 hours ago

      Stuff like this ignores all of the tooling we have for this already, like users, groups, and permissions.

      That first example, it's a no-op for regular users; they can't write those. Use chmod/chown instead.

      What you don't see is that this sort of thing, permissions within the scripts, is (1) easy to change and (2) hard to maintain.