
I would like to enforce the security access of some files in my Home folder. My concern is about processes running with the same privileges as me having access to those files.

I've been wondering about this for some time, because the role-based security in Linux is great but weak for things running in the same role. Particularly when it comes to a user account that is very active, every file lying inside the home folder is vulnerable to the user's actions. For example, when installing a malicious Firefox plug-in, the other parts of the OS won't be touched, but all the files inside the home folder can be exposed, and installing a Firefox plug-in is something any user can do without any special privilege.

S182 (edited by Jeff Schaller)

2 Answers

You will probably be best off with either a security framework implementing RBAC or MAC (grsecurity for the former; SELinux, AppArmor, Tomoyo Linux for the latter), which lets you define finer-grained permissions per application.

Apart from that, recent Linux kernels offer namespaces, which allow you to change the way different processes see the whole system. If you mount an empty directory over, say, $HOME for the untrusted process, it won't be able to read your files.

peterph
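The namespace approach described in the answer above, as an added example that is not part of peterph's answer: a POSIX shell wrapper that uses util-linux `unshare` (assumed installed, on a kernel that permits unprivileged user namespaces) to run a command while an empty tmpfs shadows $HOME in a private mount namespace. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes util-linux `unshare`
# and a kernel that allows unprivileged user namespaces (otherwise run as
# root and drop --user --map-root-user).

# Run "$@" in a new user+mount namespace where an empty tmpfs is mounted
# over $HOME. The mount exists only in that namespace, so the real home
# directory is neither visible to nor modifiable by the command.
run_without_home() {
    [ -d "${HOME:-}" ] || { echo "HOME is not set to a directory" >&2; return 1; }
    unshare --user --map-root-user --mount --propagation private \
        sh -c 'mount -t tmpfs -o size=64m,nosuid,nodev tmpfs "$HOME" && exec "$@"' \
        sh "$@"
}

# Check helper: number of entries the sandboxed command sees in $HOME.
# Prints "unsupported" when the namespace setup is refused by the kernel or
# container runtime, so a policy failure is distinguishable from a real leak.
home_entries_seen() {
    out=$(run_without_home sh -c 'ls -A "$HOME" | wc -l' 2>/dev/null) \
        || { echo unsupported; return 0; }
    echo "$out" | tr -d ' '
}

# Example use: an untrusted tool gets an empty home instead of yours.
# run_without_home ls -la "$HOME"
```

The command still sees everything else the user can read (for example /tmp or other users' world-readable files) and inherits the environment, so this isolates only the home directory the question is concerned with.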

Probably the easiest is to set up some type of sandboxing software similar to Sandboxie (Windows only). If you check out alternativeto.net, they list 2 such packages.

The Virtual Environment for secured and comfortable Web Browsing: On the basis of a “Browser-in-the-Box” concept a virtual machine is provided with a reduced operating system and a web browser encapsulated therein. Malware can’t thus penetrate the host operating system and a potential damage in the separated virtual machine will vanish with each start of the browser by returning to a certified starting point. All of that is fully transparent to the user. Protection against malware and data Leakage...

What is Cuckoo Sandbox?

In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

There is also this thread on SO that might be helpful:

slm