Storing executable files in unprotected areas is very dangerous. It requires that users can execute code from pretty random locations, with no portal, password prompt, signature verification or other security barrier.
This is an easy way to get malware.
The idea
Mount the home subvolume noexec
and move all wanted scripts and binaries to /usr/local/bin
aka. /var/usrlocal/bin
(on atomic desktops)
Separate users
It begins with having a user with no admin access, and another one in the wheel
group that you only use for rare admin tasks.
I will have to experiment with that, polkit and run0 should support it well, also solving flatpak install
issues occuring with su
.
Move all binaries and scripts
In KDE Dolphin and GNOME Files you can elevate a filemanager tab/process by entering admin:/
in the address bar. This uses polkit and allows you to move files without being using sudo or the terminal.
Problems
Python
What about python scripts and packages? These are normally
Unprivileged Containers
Containers stored in ~/.local/
, I imagine Distrobox, could cause issues here.
This could mean
- .local needs to be mounted separately
- it then needs to be protected, for example with selinux-confined-users
Shell configs
I have a lot of .fish scripts in my local config folder, that include different aliases and functions.
Where can these be placed, that is a system location?
Afaik for bash you can place them somewhere in /etc
.
Firefox binary
This affects all universal blue images, where they have blindly removed Firefox. If you use the tarball, there is an updater program that is only ran as the user. It would need to be patched to use a polkit prompt to place the updated firefox files in the privileged location.
Appimage, binaries etc.
Unlike Flatpaks or RPMs, these are normally placed in random locations.
Various Appimage managers use different approaches, you could use .local/bin but this is also an unprotected location.
Moving them manually to /usr/local/bin
can work, but likely breaks manager programs, updates etc. Especially am
would be a big loss, as the .zsync files and signatures are an important step ahead.
Gaps
You can run whatever scripts with bash scriptname.sh
. There are likely similar things for other interpreters like python or other used shells.
What would be a way to block this?
I know that SELinux confinement blocks piping but not this, and it can likely break a lot.