Tools and instructions for using the noexec mount option on partitions containing user data, such as $HOME, while still being able to run the user's trusted programs. Also includes a udev configuration that makes udisks2 mount removable devices noexec by default.
Radosław-RPS 5f9bdfbbf5 clarified license info 11 months ago
99-mount-noexec.rules Initial commit 1 year ago
LICENSE Initial commit 1 year ago
README clarified license info 11 months ago
install_split-home.sh Initial commit 1 year ago
install_udisks-mount-noexec-rule.sh Initial commit 1 year ago
split-home Initial commit 1 year ago

README




The best way to protect against accidentally running an untrusted or malicious program from user-writable directories, such as $HOME, is to mount the partition with the "noexec" option. However, you then cannot run trusted software from $HOME/bin, $HOME/.local/bin, or other directories into which some software installs additional programs.

It is, however, possible to split $HOME into two directories: one for normal data and settings, and one for executables.
This is what the "split-home" script in this repository does. It moves the files and folders selected in a config file to another directory, and then creates links to those files/directories from within the main $HOME directory. If you mount the partition holding the main $HOME with noexec, and the second one with exec, you can run trusted programs installed as a normal user or downloaded from the network, while execution of all other programs in the $HOME directory is prevented.



Installation of "split-home":

$ sudo ./install_split-home.sh



How to use "split-home":

First you need to create the directory that will hold the split homes. If the goal is to allow trusted programs to run while the home is noexec, create the directory on a partition mounted with the "exec" option. For example, /home-exec:

$ sudo mkdir /home-exec


If you want to allow all users to use split-home, change this directory's permissions to 777 so that every user can create their own directory here:

$ sudo chmod 777 /home-exec


Otherwise, manually create a directory for the selected user(s):

$ sudo mkdir /home-exec/user
$ sudo chown user /home-exec/user



Now you are ready to use split-home. To create the config file, run the split-home command without any arguments.

$ split-home

Now edit the $HOME/.split-home.conf config file: comment/uncomment lines and add your own. These are the files and directories to move to the split home directory.

After editing .split-home.conf, you are ready to split the home directory:

$ split-home --split /home-exec

This will create the /home-exec/user directory, or reuse it if it already exists. Then it will copy all selected files/folders to /home-exec/user/, remove those files/dirs from /home/user/, and finally create links in /home/user pointing to the new location of the files/folders.
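
To confirm that the mounts match this layout, the following added example (not part of split-home or this repository) reads a mount table in /proc/self/mounts format and reports whether a path sits on a noexec filesystem; the same check applies to the removable devices discussed further down. The paths, device names and sample table are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of split-home. All paths and the table are constructed.

# Print the mount options of the filesystem holding absolute path $1.
# $2: mount table in /proc/self/mounts format (default: the live table).
# Longest matching mount point wins; on a tie the later (topmost) entry wins.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          # Whole path components only, so /home does not claim /home-exec.
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) &&
              length(mp) >= best) { best = length(mp); opts = $4 } }
        END { if (opts == "") exit 1; print opts }
    ' "${2:-/proc/self/mounts}"
}

# Succeed if option $1 is in the comma-separated list $2 ("exec" != "noexec").
has_opt() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Print "noexec", "exec" or "unknown" for path $1 using mount table $2.
exec_state() {
    opts=$(mount_opts_for "$1" "${2:-/proc/self/mounts}") || { echo unknown; return 0; }
    if has_opt noexec "$opts"; then echo noexec; else echo exec; fi
}

# Succeed only for the README layout: home ($1) noexec, split dir ($2) exec.
check_split() {
    [ "$(exec_state "$1" "$3")" = noexec ] && [ "$(exec_state "$2" "$3")" = exec ]
}

# Constructed sample mount table.
sample_mounts() { cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home-exec ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /run/media/user/USB vfat rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Demo on the sample; on a real system omit the table argument.
tbl=$(mktemp) && sample_mounts > "$tbl"
for d in /home/user/bin /home-exec/user/bin /run/media/user/USB/tool; do
    printf '%s: %s\n' "$d" "$(exec_state "$d" "$tbl")"
done
check_split /home/user /home-exec/user "$tbl" && echo "layout OK"
rm -f "$tbl"
```

On a real system, pass paths through readlink -f first so that the links created by split-home are resolved to their targets before the mount point is looked up.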


To reverse the process and merge /home/user and /home-exec/user back together, run:

$ split-home --merge /home-exec


---------------------------------------------------------------------


There is also the issue of mounting removable devices with the noexec option. If you use udisks2 and need this, you have to use a special udev rule. It is located in this repository in the file "99-mount-noexec.rules". This requires udisks2 version 2.9.0 or later.

To install it in the correct place, use:

$ sudo ./install_udisks-mount-noexec-rule.sh


After doing this, the default mount options will include noexec,nodev,nosuid. If you want, you can remount the drive with exec using these commands:

$ udisksctl unmount -b /dev/sdxx

$ udisksctl mount -b /dev/sdxx --options exec


If you really want to disable this possibility completely, remove "exec" from the "ENV{UDISKS_MOUNT_OPTIONS_ALLOW}" line in /etc/udev/rules.d/99-mount-noexec.rules.


---------------------------------------------------------------------


Author: Radosław-RPS

This software is licensed under MIT (expat) License, see LICENSE file.