Could we gain security by mounting home with with
nosuid [among other useful mount options])?
noexec help if one can use
/ `python ./script` etc.?
noexec might make most sense when combined with all the other stuff from
Related below in this post?
lynis even recommended to prevent access to compilers such as gcc.
Tor Browser is in the user home folder. (Details of this mess: https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Tor_Browser_Update:_Technical_Details) And it needs some files to be executable.
So it may not be possible to mount home with noexec for all VMs. But let’s overlook Tor Browser for a moment. Maybe a solution could be found. (Such as a wrapper.)
Either way this could at least be an easy opt-in with most things shipped by default but not enabled by default if not a good idea.
- Restrict root access
- Disable SUID Binaries
- walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode
I also had in mind various boot modes:
- persistent + root
- persistent + noroot
- live + root
- live + noroot
Not all might make sense.
Or think of
noroot has “hardening” where we can do stuff like noexec, nosuid, no root/sudo possible at all.
But various boot modes is best discussed in a separate thread. Please quote me on this in a different thread. Just wanted to briefly mention the idea here so that something that isn’t great as a default for everyone all the time must not necessarily block alternative configurations / boot options. Created:
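
An added example, not part of the original post: a check of which hardening mount options are missing on the filesystem that actually covers a given path, since a path under home may sit on its own nested mount. The mount table is a constructed sample in `/proc/self/mounts` format, the function names are hypothetical, and `nodev` is an assumed third option next to the `noexec` and `nosuid` named above.

```python
import os

# Constructed sample in /proc/self/mounts format (not from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /home/user/my\\040cache tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# noexec and nosuid are the options from the post; nodev is an assumption.
WANTED = ("noexec", "nosuid", "nodev")

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"),
                    ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return {mount_point: set(options)}; later entries shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mounts[_unescape(parts[1])] = set(parts[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that is a path-component prefix of `path`."""
    path = os.path.normpath(path)
    best = None
    for mp in mounts:
        # Compare whole components so /home does not match /homework.
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def missing_options(path, mounts, wanted=WANTED):
    """Return (mount_point, [wanted options not set on that mount])."""
    mp = covering_mount(path, mounts)
    if mp is None:
        raise LookupError(f"no mount covers {path}")
    return mp, [opt for opt in wanted if opt not in mounts[mp]]

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/home/user", "/home/user/my cache/x", "/homework"):
        print(p, missing_options(p, table))
```

To audit a live system instead of the sample, pass the contents of `/proc/self/mounts` to `parse_mounts`.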