Ask HN: How to protect your dotfiles from being stolen by nefarious scripts?
For example, the recent eslint NPM virus had full access to the local user's dotfiles, and uploaded their .npmrc file to a remote server. The virus could have accessed anything under the user's account, including ~/.aws/credentials, ~/.bashrc (often contains a lot of API keys and access tokens), ~/.ssh, etc.
What are some ways to protect yourself from illicit access by rogue installer scripts (npm, pip, gem, homebrew, etc.)?
5 comments
[ 2.6 ms ] story [ 26.2 ms ] threadCertainly don't have passwordless sudo.
If you must run dodgy scripts, run them as a separate user. We moved away from running everything as root decades ago, but many of us failed to realise (or mittigate for) that most of our important files are owned by our own user. I have to admit I hadn't even considered things like bash_history as an issue before.
Your ssh key should have a strong passphrase.
However if your platform has security flaws maybe you should reconsider.