Setting noexec,nodev,nosuid mount parameters for /home partition

Upon reading the following in the ArchWiki, I put the suggested parameters for mounting the home partition in fstab. After reboot, I obviously lost the ability to launch my appimages from a folder under home. I wanted to ask if it is alright to move the folder containing the appimages to a folder like /opt in the system partition and run the apps from there. Are there any downsides to this approach? Or is it possible to chmod the folder under home to let the images be executable?

File systems

The kernel now prevents security issues related to hardlinks and symlinks if the fs.protected_hardlinks and fs.protected_symlinks sysctl switches are enabled, so there is no longer a major security benefit from separating out world-writable directories.

File systems containing world-writable directories can still be kept separate as a coarse way of limiting the damage from disk space exhaustion. However, filling /var or /tmp is enough to take down services. More flexible mechanisms for dealing with this concern exist (like quotas), and some file systems include related features themselves (Btrfs has quotas on subvolumes).

Mount options

Following the principle of least privilege, file systems should be mounted with the most restrictive mount options possible (without losing functionality).

Relevant mount options are:

  • nodev: Do not interpret character or block special devices on the file system.
  • nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect.
  • noexec: Do not allow direct execution of any binaries on the mounted file system.
    • Setting noexec on /home disallows executable scripts and breaks Wine*, Steam, PyCharm, etc.
    • Some packages (building nvidia-dkms for example) may require exec on /var.

Note: Wine does not need the exec flag for opening Windows executables. It is only needed when Wine itself is installed in /home.

File systems used for data should always be mounted with nodev, nosuid and noexec.

Potential file system mounts to consider:

  • /var
  • /home
  • /dev/shm
  • /tmp
  • /boot

https://wiki.archlinux.org/index.php/Security#File_systems

Yes, you can do that.

Nothing major. Just convenience for the most part.

Not if you mount it as noexec.

You could also make a symlink from the directory in /opt/ to your home folder. For example:

ln -s /opt/appimages /home/pebcak/Applications
4 Likes

Thanks @dalto for the quick reply! In terms of security, will having noexec on home prevent any malicious executables from being able to run from home, if they somehow find their way into it? Are there any other advantages?

This sounds good! I think I could give this a try.

It should. I run executables from /home all the time so I have never had a reason to set that.

1 Like

Great! I think the symlink solution is the most convenient. I’ll go for that.
Thank you!

2 Likes
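
Added example, not part of the thread or the ArchWiki text: a shell function that reads a /proc/mounts-format listing and reports which of nodev, nosuid and noexec are missing on the mount points the quoted wiki section lists, useful for confirming what an fstab edit actually produced after reboot. The function names `audit_mounts` and `sample_mounts` and the sample device names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which of nodev, nosuid and
# noexec are missing on the mount points the quoted wiki section lists.
# Usage: audit_mounts [FILE]   FILE is in /proc/mounts format, "-" = stdin;
# default is /proc/self/mounts.
audit_mounts() {
    awk -v targets="/var /home /dev/shm /tmp /boot" \
        -v want="nodev nosuid noexec" '
    BEGIN { nt = split(targets, t, " "); nw = split(want, w, " ") }
    # Field 2 is the mount point, field 4 the comma-separated options.
    # A later entry for the same mount point replaces an earlier one.
    { opts[$2] = $4 }
    END {
        for (i = 1; i <= nt; i++) {
            mp = t[i]
            # No entry means the directory lives on its parent file system.
            if (!(mp in opts)) { print mp, "not-separate"; continue }
            split("", have)
            n = split(opts[mp], o, ",")
            for (j = 1; j <= n; j++) have[o[j]] = 1
            miss = ""
            for (j = 1; j <= nw; j++)
                if (!(w[j] in have)) miss = miss (miss == "" ? "" : ",") w[j]
            print mp, (miss == "" ? "ok" : "missing:" miss)
        }
    }' "${1:-/proc/self/mounts}"
}

# Constructed sample in /proc/mounts format (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot vfat rw,relatime 0 0
EOF
}

sample_mounts | audit_mounts -
```

Calling `audit_mounts` with no argument checks the running system; a "not-separate" result means the directory inherits the options of its parent file system.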