Enhanced Security via Mount Options and Compiler Restrictions
Upcoming security enhancements include mounting key directories with secure options and restricting compiler and interpreter access by default.
Upcoming Security Enhancements
Mounting Directories Securely
We are preparing to enhance system security by mounting important directories, such as /home/user, with the following options by default:
These options are designed to prevent the execution of binaries and scripts within these directories, reducing the risk of unauthorized or malicious code execution.
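To check whether execution is actually blocked for a given directory, the effective mount options can be read back from the kernel's mount table. The following is an added example, not code from the project; it assumes the standard Linux noexec mount flag is the option that blocks execution, and the sample mount table and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/self/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /home/user/my\\040build tmpfs rw,nosuid,nodev 0 0
"""

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (mount_point, set_of_options) pairs in table order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            entries.append((_unescape(fields[1]), set(fields[3].split(","))))
    return entries

def covering_mount(path, entries):
    """Pick the mount that holds `path`: longest mount-point prefix, and for
    equal mount points the later entry, since it is stacked on top.
    Symlinks are not resolved here; pass an already resolved path."""
    path = os.path.normpath(path)
    best = None
    for mount_point, options in entries:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, options)
    return best

def exec_blocked(path, mounts_text=None):
    """True if the file system holding `path` is mounted noexec."""
    if mounts_text is None:
        with open("/proc/self/mounts") as fh:
            mounts_text = fh.read()
    hit = covering_mount(path, parse_mounts(mounts_text))
    return hit is not None and "noexec" in hit[1]

if __name__ == "__main__":
    for p in ("/home/user", "/home/user/my build/out", "/usr/bin"):
        print(p, "noexec" if exec_blocked(p, SAMPLE_MOUNTS) else "exec allowed")
```

In the sample, the nested tmpfs under /home/user is mounted without noexec, so files there remain executable even though /home itself is restricted; a nested or stacked mount is the case an audit of this kind needs to catch. The noexec flag applies to direct execution of files on the mount and does not by itself cover a script that is passed as an argument to an interpreter.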
Restricting Compiler and Interpreter Access
Access to compilers and interpreters will also be restricted to minimize the risk of malicious code compilation and execution. These restrictions are part of our proactive approach to security.
Impact on Users and Workflows
While these measures will provide greater security, they may affect advanced users who rely on script execution in their home directories. We understand the potential for disruption and will of course provide options to opt out.
Instructions for users who prefer to opt out of these settings will be provided. Detailed documentation will be available on our wiki well before these changes are implemented. Should there be sufficient demand, we may also offer packages or scripts to simplify the opt-out process.
Integration with Security Initiatives
These security improvements are integral to our broader security strategy, including:
- Kicksecure Security Roadmap
- Strong Linux User Account Isolation
- SUID Disabler and Permission Hardener
- Interpreter and Compiler Lockdown
- Multiple Boot Modes for Better Security: an Implementation of Untrusted Root
The goal is to fortify Linux user accounts against malware, making it difficult for a compromised account to affect others or to escape the virtual machine (VM) environment.
Commitment to User Freedom
Our commitment to No Intentional User Freedom Restrictions remains firm. Users retain the freedom to configure their systems as they see fit, in line with our core principles.
For further details on these security measures and discussions around them, refer to:
- Discussion on Secure Mount Options