Ask HN: How to protect your dotfiles from being stolen by nefarious scripts?

2 points by benwilber0 ↗ HN
For example, the recent eslint NPM virus had full access to the local user's dotfiles, and uploaded their .npmrc file to a remote server. The virus could have accessed anything under the user's account, including ~/.aws/credentials, ~/.bashrc (often contains a lot of API keys and access tokens), ~/.ssh, etc.

What are some ways to protect yourself from illicit access by rogue installer scripts (npm, pip, gem, homebrew, etc.)?

5 comments

[ 2.6 ms ] story [ 26.2 ms ] thread
SELinux. With SELinux you can set the permissions on these files so that only specific programs have access to them.
Don't run rogue installer scripts?

Certainly don't have passwordless sudo.

If you must run dodgy scripts, run them as a separate user. We moved away from running everything as root decades ago, but many of us failed to realise (or mittigate for) that most of our important files are owned by our own user. I have to admit I hadn't even considered things like bash_history as an issue before.

Your ssh key should have a strong passphrase.

Your advice boils down to "don't use Node for your application", which might not be feasible for OP.
Run it under an isolated user. You could even do it in a container and mount just the directories you want.

However if your platform has security flaws maybe you should reconsider.

This doesn't solve the eslint problem because npm needs to read .npmrc, and the malware was uploading that file to the attacker's server.