Should /home be mounted as noexec?

After reading about this piece of malware which basically gets launched after clicking on what appears to be a document: “Lazarus hackers now push Linux malware via fake job offers”

I thought to myself, why doesn’t /home get mounted during install as noexec? Surely it would be much more secure; then if you click on any executable script or binary it simply won’t launch. This isn’t just an openSUSE thing; I believe no Linux distros do this by default.

And you could still mount ~/.local/share as exec by adding something like this to fstab:
/home/username/.local/share /home/username/.local/share none defaults,bind,user,exec,nofail 0 0
So then Steam (and I assume flatpaks, though I don’t use them) will still work.

Correct me if I’m wrong, but I can’t see any real downside to doing this, assuming the user is informed about it. Do we really need the ability to be executing scripts and binaries from anywhere inside our /home directory?

Thoughts?

That depends of course very much on the user. Some users will gaze puzzled at you and ask: “What is a script”? Others will say: “I am executing my own scripts and self created C programs all the time”.

So your question can hardly be answered by those who do not know your user population.

Yes, but I assume others will not know what encrypting your /home partition means either, but it’s usually an option on install. Plus, those who don’t know what a script is shouldn’t be affected, and those who do will know to execute them in ~/.local/share, or any other folder they want to designate as executable.

IMHO the obvious/default place for a user’s executables is in ~/bin. And a user may want to create some project which includes a whole tree from something like ~/project/ where executables may be spread all over that tree. But again only you know your users and how they will react to restrictions placed on them by you.

BTW, I do not quite get what you mean with the remark about encrypted /home. Either you, as system manager, start the system and provide decryption passwords as needed, or the user starts the system and then should be provided with those passwords to enter them and you should teach them the trick.

The encryption remark was to point out that many people probably don’t know what encrypting your /home folder means, but it’s there as an option during install. Hence I thought noexec could be there as an option during install, much like creating a separate /home partition is, so a user could choose between the standard /home setup, or the more secure noexec /home setup.

I have my /home partition set up as noexec, and I have ~/.local/share/Steam and ~/.config/scripts (where I keep my scripts) mounted as exec.

Edit: this is a general question/suggestion for adding to the openSUSE installer

That wasn’t quite clear. I read it as an invitation to elaborate on the pros and cons of such an approach.

I assume that when you are able to evaluate the pros and cons yourself, you are able to use the partitioner at installation to add the mount parameter when you want it. For the relative beginners on Linux it would only be a more bewildering option of which they would not be able to understand the consequences. This apart from the fact that on newer installations the default is to not even have a separate /home file system.

My bad. Personally I think it’s a good idea to have it as an option; it’s more secure, and we already have immutable options out there now. Most beginners probably don’t go digging into the advanced options when installing; that’s one of the best things about the openSUSE installer for me, the ability to go deeper if you want and fine-tune your install.

Again, my personal opinion (remember this is a user helping user forum, not a suggestion to the developers forum), I do not see how a user can make any directory (e.g. ~/bin, which is the usual one) allowing execution of programs inside it when it is part of the no-execute /home mounted file system.

And I do not know why you turn up every time with the obscure ~/.local/share, because it is not obvious to me that a user would put his executables there (inside what is often called a “hidden” directory, thus one that the user should better forget about).

The ~/.local/share is to keep Steam working, but it doesn’t have to be the only directory; you can mount ~/bin as exec too. I have /home mounted as noexec, and I have ~/.local/share/Steam and ~/.config/scripts mounted as exec. I just have the following in fstab:

/home/username/.local/share/Steam /home/username/.local/share/Steam none defaults,bind,user,exec,nofail 0 0
/home/username/.config/scripts /home/username/.config/scripts none defaults,bind,user,exec,nofail 0 0

I just posted the idea here to get people’s thoughts on the matter.
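
A check for the setup described in the post above, as an added example that is not part of the original thread: it reads mount entries in /proc/self/mountinfo format and reports whether a path falls under the noexec /home mount or under one of the exec bind mounts. The sample mount table, device names and file paths are constructed for illustration.

```python
import os

# Constructed sample in /proc/self/mountinfo format (not captured from a real system).
SAMPLE_MOUNTINFO = """\
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
60 25 8:3 / /home rw,nosuid,nodev,noexec,relatime shared:30 - ext4 /dev/sda3 rw
71 60 8:3 /username/.local/share/Steam /home/username/.local/share/Steam rw,nosuid,nodev,relatime shared:30 - ext4 /dev/sda3 rw
72 60 8:3 /username/.config/scripts /home/username/.config/scripts rw,nosuid,nodev,relatime shared:30 - ext4 /dev/sda3 rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mountinfo(text):
    """Return a list of (mount_point, per-mount option set) in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" in fields and len(fields) >= 10:
            mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Find the mount that governs path: the longest mount point containing it."""
    path = os.path.normpath(path)  # on a live system use os.path.realpath instead
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            # ">=" lets a later mount stacked on the same point take precedence
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, options)
    return best

def is_exec_allowed(path, mounts):
    """True if the governing mount does not carry the noexec flag."""
    found = covering_mount(path, mounts)
    if found is None:
        raise ValueError("no mount covers " + path)
    return "noexec" not in found[1]

if __name__ == "__main__":
    table = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/home/username/Downloads/offer.bin", "/home/username/.config/scripts/backup.sh"):
        print(p, "exec allowed" if is_exec_allowed(p, table) else "noexec")
```

On a running system, pass the contents of /proc/self/mountinfo to parse_mountinfo to confirm that the bind mounts actually ended up without the noexec flag after boot.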

Is that something the user can do (as you suggested earlier)?

You forget that telling about what “I” does is not very explanatory. The system only knows users (and not you, or I, or me) and you should tell which user does, may do, or can do things. At least user root or end-user.

Not sure I follow. This whole post was really to ask people’s opinion on whether the installer should have an option to mount /home as noexec for added security, to avoid the malware issue I posted above. If the user ticks yes, then the installer goes ahead and sets it up, mounting /home as noexec, and a couple of folders as exec, namely ~/.local/share, and maybe ~/bin.

I would be sure about ~/bin, else it would be useless to have it. I am not sure about ~/.local/share, because that contains, as far as I understand it, the local user overwriting configurations of what is system wide in /usr/share.

I understand that some Steam you use misuses that for storing programs?

~/.local/share/Steam is where your games and Steam data are downloaded and launched from, so if that’s not mounted as exec Steam won’t launch.

Strange place. But as I am not using Steam (nor Oil) I do not care.