Poor man's SRP

How effective would it be as a desktop security measure to mount all user-writeable areas (/var, /tmp, /home, and /dev/shm covers it IIRC) with noexec? I know this doesn't prevent scripts from executing entirely (e.g. you can do 'sh foo.sh' and foo.sh will run), but it would probably put the kibosh on any theoretical drive-by install, wouldn't it? Or could it be easily circumvented?

 

I've seen setting /tmp and a few areas to no-exec as recommended before.

 

I'll note that /tmp as noexec unfortunately doesn't work on Debian, same with /var - dpkg needs to execute stuff from both areas.

 

I wouldn't really worry about it. What's the worst that can happen?

I think /tmp already has restrictions on it for reads/writes based on ownership.

 

Sort of. I know the sticky bit prevents deletion of files by anyone other than their owners, but I'm not sure about reading and execution. Anyway I'm thinking more of a drive-by install scenario - your browser downloads something nefarious to /tmp and executes it, etc. In practice this is unlikely because Linux has a minscule user base on the desktop. In theory I don't see why it couldn't be done.

 

It could be. Apparmor would prevent this though as profiles need explicit permission to execute.