(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

Could we gain security by mounting home with noexec (and nosuid [among other useful mount options])?

How does noexec help if one can use `bash ./script`, `sh ./script`, `python ./script` etc.?

noexec might make most sense when combined with all the other stuff from Related below in this post?

Lynis even recommended to prevent access to compilers such as gcc.

Tor Browser is in the user home folder. (Details of this mess: https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Tor_Browser_Update:_Technical_Details) And it needs some files to be executable.

So it may not be possible to mount home with noexec for all VMs. But let’s overlook Tor Browser for a moment. Maybe a solution could be found. (Such as a wrapper.)

Either way this could at least be an easy opt-in with most things shipped by default but not enabled by default if not a good idea.


I also had in mind various boot modes:

  • persistent + root
  • persistent + noroot
  • live + root
  • live + noroot

Not all might make sense.

Or think of noroot as “hardening” where we can do stuff like noexec, nosuid, no root/sudo possible at all.

But various boot modes are best discussed in a separate thread. Please quote me on this in a different thread. Just wanted to briefly mention the idea here so that something that isn’t great as a default for everyone all the time must not necessarily block alternative configurations / boot options.


noexec might prevent those from being run but I’m not sure.

That would give a very minimal security gain and is mostly useless. An attacker could easily just pre-compile their stuff or bring their own compilers.

It could be moved elsewhere. Shouldn’t be too hard.

There’s a RHEL hardening presentation that gives a good idea of what mount options to use and where to use them.

The mount options are at page 15.

Noexec on everything possible

Nodev everywhere except / and chroot partitions

Nosetuid everywhere except /

There is also a section on the CentOS Protection guide and Arch Linux Security guide about this.
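As an added example (not from either post in this thread), the rules quoted above from the RHEL presentation can be turned into a small audit that reads a mount table in /proc/mounts format and lists which mounts lack the expected options. The list of mountpoints where noexec is treated as feasible, and the constructed sample mount table, are assumptions for illustration; the chroot-partition exception for nodev is not modelled.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0'

# Mountpoints where noexec is assumed feasible (assumption; adjust for your system).
NOEXEC_WANTED="/home /tmp /var/tmp /dev/shm"

# has_opt OPTS NAME: succeed if the comma-separated OPTS string contains NAME.
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# missing_opts MOUNTPOINT OPTIONS: print the options the rules require but OPTIONS lacks.
# Rules: nodev and nosuid everywhere except /, noexec on the NOEXEC_WANTED set.
missing_opts() {
  mp=$1; opts=$2; missing=""
  if [ "$mp" != "/" ]; then
    has_opt "$opts" nodev  || missing="$missing nodev"
    has_opt "$opts" nosuid || missing="$missing nosuid"
  fi
  for want in $NOEXEC_WANTED; do
    [ "$mp" = "$want" ] && { has_opt "$opts" noexec || missing="$missing noexec"; }
  done
  printf '%s' "${missing# }"
}

# audit_mounts < mount-table: one line per non-compliant mount; returns 1 if any found.
audit_mounts() {
  rc=0
  while read -r dev mp fstype opts rest; do
    [ -n "$mp" ] || continue
    m=$(missing_opts "$mp" "$opts")
    if [ -n "$m" ]; then
      printf '%s (%s) missing: %s\n' "$mp" "$fstype" "$m"
      rc=1
    fi
  done
  return $rc
}

# Run against the constructed sample; use `audit_mounts < /proc/mounts` on a live system.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "non-compliant mounts found"
```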