Could we gain security by mounting home with nosuid [among other useful mount options])?
Does noexec help if one can use bash ./script etc.? That does not require ./script being executable. It will work on any file even when setting chmod -x ./script beforehand.
noexec might make most sense when combined with all the other stuff from Related below in this post?
lynis even recommended to prevent access to compilers such as gcc.
Keep shared folder vs noexec in mind too.
Tor Browser is in user home folder. (Details of this mess: https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Tor_Browser_Update:_Technical_Details) And needs some files being executable.
So it may not be possible to mount home with noexec for all VMs. But let’s overlook Tor Browser for a moment. Maybe a solution could be found. (Such as a wrapper.) Edit: created Where should the Tor Browser folder be placed? for it.
Either way this could at least be an easy opt-in with most things shipped by default but not enabled by default if not a good idea.
- Restrict root access
- Disable SUID Binaries
- walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode
- Where should the Tor Browser folder be placed?
- multiple boot modes for better security: persistent + root | persistent + noroot | live + root | live + noroot
I also had in mind various boot modes:
- persistent + root
- persistent + noroot
- live + root
- live + noroot
Not all might make sense.
Or think of noroot has “hardening” where we can do stuff like noexec, nosuid, no root/sudo possible at all.
But various boot modes is best discussed in a separate thread. Please quote me on this in a different thread. Just wanted to briefly mention the idea here so that something that isn’t great as a default for everyone all the time must not necessarily block alternative configurations / boot options. Created:
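
An added example (not part of the original post and not Whonix project code): a POSIX shell check of whether the filesystem holding a path is mounted with nosuid and noexec, plus a check of the caveat raised above that an interpreter still runs a file whose execute bit is cleared. The mount table is constructed sample data and the function names are hypothetical.

```sh
# Added example. Constructed sample mount table in /proc/self/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0'

# mount_opts_for PATH [MOUNTS_TEXT]: print the options of the mount that holds
# PATH (longest mount-point prefix; a later entry on the same point wins).
# Without MOUNTS_TEXT the live table in /proc/self/mounts is read.
mount_opts_for() (
    path=$1
    mounts=${2-$(cat /proc/self/mounts)}
    best="" best_opts=""
    while read -r dev mp fstype opts rest; do
        [ -n "$mp" ] || continue
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#best}" ]; then best=$mp best_opts=$opts; fi ;;
        esac
    done <<EOF
$mounts
EOF
    printf '%s\n' "$best_opts"
)

# missing_hardening PATH [MOUNTS_TEXT]: print which of nosuid/noexec are NOT
# set on PATH's mount, space separated. Empty output means both are set.
missing_hardening() (
    opts=$(mount_opts_for "$@")
    missing=""
    for want in nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
)

# The caveat from the post: an interpreter reads the script as data, so a
# cleared execute bit does not stop `sh FILE`. Returns 0 if the script ran.
runs_without_exec_bit() (
    f=$(mktemp) || exit 1
    printf 'echo ran\n' > "$f"
    chmod -x "$f"
    out=$(sh "$f")
    rm -f "$f"
    [ "$out" = ran ]
)
echo "/home/user missing: [$(missing_hardening /home/user "$SAMPLE_MOUNTS")]"
```

Calling `missing_hardening /home/user` with no second argument checks the running system instead of the sample table.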