{{Header}}
{{Title
|title=Enhanced Security via Mount Options and Compiler Restrictions
}}
{{#seo:
|description=Upcoming security enhancements include mounting key directories with secure options and restricting compiler and interpreter access by default.
}}
{{intro|
Upcoming security enhancements include mounting key directories with secure options and restricting compiler and interpreter access by default.
}}

== Upcoming Security Enhancements ==
=== Mounting Directories Securely ===
We are preparing to enhance system security by mounting important directories, such as <code>/home/user</code>, with the following options by default:
* <code>noexec</code>
* <code>nodev</code>
* <code>nosuid</code>

These options are designed to prevent the execution of binaries and scripts within these directories, reducing the risk of unauthorized or malicious code execution.

=== Restricting Compiler and Interpreter Access ===
Access to compilers and interpreters will also be restricted to minimize the risk of malicious code compilation and execution. These restrictions are part of our proactive approach to security.

== Impact on Users and Workflows ==
While these measures will provide greater security, they may affect advanced users who rely on script execution in their home directories. We understand the potential for disruption and of course will provide options to opt-out.

=== Opting Out ===
Instructions for users who prefer to opt out of these settings will be provided. Detailed documentation will be available on our wiki well before these changes are implemented. Should there be sufficient demand, we may also offer packages or scripts to simplify the opt-out process.

== Integration with Security Initiatives ==
These security improvements are integral to our broader security strategy, including:
* [[Security Roadmap|Kicksecure Security Roadmap]]
* [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
* [[SUID Disabler and Permission Hardener|SUID Disabler and Permission Hardener]]
* [https://phabricator.whonix.org/T941 Interpreter and Compiler Lockdown]
* [[Dev/boot_modes|Multiple Boot Modes for Better Security: an Implementation of Untrusted Root]]

The goal is to fortify Linux user accounts against malware, making it difficult for a compromised account to affect others or to escape the virtual machine (VM) environment.

== Commitment to User Freedom ==
Our commitment to [[Reasons_for_Freedom_Software#No_Intentional_User_Freedom_Restrictions|No Intentional User Freedom Restrictions]] remains firm. Users retain the freedom to configure their systems as they see fit, in line with our core principles.

== Additional Resources ==
For further details on these security measures and discussions around them, refer to:
* https://github.com/Kicksecure/security-misc/pull/139
* [[Dev/remount-secure]]
* [https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 Discussion on Secure Mount Options]

== References ==
{{reflist|close=1}}
{{Footer}}
[[Category:Design]]