Kicksecure ™

Download

On Computer USB Installation Debian morph to Kicksecure Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print VersionDebug Helper Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

/run/user/1000 bypass Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#.2Frun.2Fuser.2F1000_bypass Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#.2Frun.2Fuser.2F1000_bypass|/run/user/1000 bypass]]
Copy as Wikitext Click = Copy Copied to clipboard! [/run/user/1000 bypass](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#.2Frun.2Fuser.2F1000_bypass)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [/run/user/1000 bypass](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#.2Frun.2Fuser.2F1000_bypass)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#.2Frun.2Fuser.2F1000_bypass]/run/user/1000 bypass[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Quote madaidan:

/run/user/1000 bypasses /run's `noexec` as it is its own mount point. We might want to look into restricting that too.

Resources Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Resources Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#Resources|Resources]]
Copy as Wikitext Click = Copy Copied to clipboard! [Resources](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Resources)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Resources](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Resources)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Resources]Resources[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

• https://github.com/Whonix/security-misc/pull/68
• https://github.com/Whonix/security-misc/pull/69
• lock down interpreters / compilers (interpreter lock) (compiler lock)
• https://seifried.org/lasg/installation/

CLIP OS Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CLIP_OS Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#CLIP_OS|CLIP OS]]
Copy as Wikitext Click = Copy Copied to clipboard! [CLIP OS](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CLIP_OS)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [CLIP OS](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CLIP_OS)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CLIP_OS]CLIP OS[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

https://github.com/clipos/products_clipos/blob/master/core/configure.d/40_fstab.sh

RedHat Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#RedHat Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#RedHat|RedHat]]
Copy as Wikitext Click = Copy Copied to clipboard! [RedHat](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#RedHat)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [RedHat](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#RedHat)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#RedHat]RedHat[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Quote https://people.redhat.com/sgrubb/files/hardening-rhel5.pdf

Partitioning

Allow minimal privileges via mount options

• Noexec on everything possible
• Nodev everywhere except / and chroot partitions
• Nosetuid everywhere except /
• Consider making /var/tmp link to /tmp, or maybe mount –bind option

A reasonable /etc/fstab:

LABEL=/               /               ext3    defaults                      1 1
LABEL=/tmp            /tmp            ext3    defaults,nosuid,noexec,nodev  1 2
LABEL=/var/log/audit  /var/log/audit  ext3    defaults,nosuid,noexec,nodev  1 2
LABEL=/home           /home           ext3    defaults,nosuid,nodev         1 2
LABEL=/var            /var            ext3    defaults,nosuid               1 2
LABEL=/boot           /boot           ext3    defaults,nosuid,noexec,nodev  1 2
/tmp                  /var/tmp        ext3    defaults,bind,nosuid,noexec,nodev  1 2
tmpfs                 /dev/shm        tmpfs   defaults,nosuid,noexec,nodev  0 0
devpts                /dev/pts        devpts  gid=5,mode=620                0 0
sysfs                 /sys            sysfs   defaults                      0 0
proc                  /proc           proc    defaults                      0 0
LABEL=SWAP-sda6       swap            swap    defaults                      0 0

CentOS Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CentOS Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#CentOS|CentOS]]
Copy as Wikitext Click = Copy Copied to clipboard! [CentOS](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CentOS)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [CentOS](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CentOS)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#CentOS]CentOS[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Quote https://wiki.centos.org/HowTos/OS_Protection#Modifying_fstab

Modifying fstab

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible. An example of a decently restricted /etc/fstab file is below:

/dev/VG_OS/lv_root          /        ext3      defaults     1 1
/dev/VG_OS/lv_tmp           /tmp     ext3      defaults,nosuid,noexec,nodev  1 2
/dev/VG_OS/lv_vartmp        /var/tmp ext3      defaults,nosuid,noexec,nodev 1 2
/dev/data_vol/lv_home       /home    ext3      defaults,nosuid,nodev  1 2
/dev/VG_OS/lv_var           /var     ext3      defaults,nosuid     1 2
/dev/data_vol/lv_web        /var/www ext3      defaults,nosuid,nodev  1 2
/dev/sda1                   /boot    ext3      defaults,nosuid,noexec,nodev  1 2
tmpfs                       /dev/shm tmpfs     defaults 0 0
devpts                      /dev/pts devpts    gid=5,mode=620 0 0
sysfs                       /sys     sysfs     defaults    0 0
proc                        /proc    proc      defaults    0 0
/dev/_VG_OS/lv_swap         swap     swap      defaults    0 0

Obviously you'll need to modify this example to suit your own system. LVM, volume names, labels etc are all subject to change. Please don't copy this example verbatim and expect it to work for you.

The webserver mount can also be set noexec, however this will impact cgi based applications, as well as server side includes which rely on the execute bit hack. If you're not using cgi applications, I would recommend at least testing noexec and using it if there are no negative side-effects.

Arch Linux Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Arch_Linux Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#Arch_Linux|Arch Linux]]
Copy as Wikitext Click = Copy Copied to clipboard! [Arch Linux](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Arch_Linux)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Arch Linux](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Arch_Linux)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Arch_Linux]Arch Linux[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Mount options

Following the principle of least privilege, file systems should be mounted with the most restrictive mount options possible (without losing functionality).

Relevant mount options are:

• nodev: Do not interpret character or block special devices on the file system.
• nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect.
• noexec: Do not allow direct execution of any binaries on the mounted file system.
  • Setting noexec on /home disallows executable scripts and breaks Wine* and Steam.
  • Some packages (building nvidia-dkms for example) may require exec on /var.

• Wine does not need the exec flag for opening Windows executables. It is only needed when Wine itself is installed in /home.

File systems used for data should always be mounted with nodev, nosuid and noexec.

Potential file system mounts to consider:

• /var
• /home
• /dev/shm
• /tmp
• /boot

Footnotes Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Footnotes Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure#Footnotes|Footnotes]]
Copy as Wikitext Click = Copy Copied to clipboard! [Footnotes](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Footnotes)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Footnotes](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Footnotes)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513#Footnotes]Footnotes[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Kicksecure A secure by default operating system with the latest security research in place. Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513 Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[Dev%2Fremount-secure|Remount Secure]]
Copy as Wikitext Click = Copy Copied to clipboard! [Remount Secure](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [Remount Secure](https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/Dev%2Fremount-secure?direction=next&oldid=54513]Remount Secure[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!