I am trying to secure my system by restricting home to be non-executable.
As Linux depends on code running from random locations, I will bind mount those with exec permission.
This makes things like antivirus scanning way easier, as only a controlled set of directories can even contain executable code, and only that has to be scanned.
KDE Plasma
Where does KDE store executable code? By default, the theme is reset to default, and the desktop shows “there is no Desktop folder”.
There was an issue with KDE Connect not being able to store a certificate .pem file.
The start menu was empty and showed no applications.
For now I will try allowing the entire .local and .config to execute (even though that is very broad).
I don’t think there should be much need (if any at all) for executables in $HOME.
I just ran find . -type f -executable in mine and I have a couple of entries in $HOME/.local/bin (mostly scripts I put there), a handful of app launcher icons in $HOME/Desktop and two AppImage files I have user-local instead of system wide.
All the other occurrences were from runtimes, e.g. Steam, Wine, Cargo, NPM.
I was thinking the same thing. The executables (KDE & other apps installed by a package manager) are typically located outside the home directory, in /usr/bin and /opt and owned by root.
.var/app may also contain executable code if Flatpaks are installed at user level. Likewise snap for Snaps. Usually these would be programs and scripts that end up in the .local and/or .config directories once inside the sandbox.
Incidentally, while I’m not very familiar with bind mount, I wonder whether these errors you are seeing relate to removing execute permissions from directories. Directories must be executable to access their contents.
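An audit along the lines of the find command mentioned in the thread, as an added example that is not part of any post: it counts files carrying an execute bit per top-level directory of $HOME, which shows which directories would need an exec bind mount. The function names exec_summary and mount_opts are made up for this example; GNU find and util-linux findmnt are assumed.

```shell
#!/bin/sh
# Added example (not from the thread).
# Count regular files with any execute bit set, grouped by the first path
# component below a root directory (default: $HOME).
#
# -perm /111 reads the mode bits stored in the inode. -executable asks the
# kernel whether the current user may execute the file, and on a filesystem
# mounted noexec the answer is "no" for every regular file, so it would
# report nothing once the restriction is already in place.
#
# Directories are skipped (-type f): their x bit is search permission and
# is not affected by the noexec mount option.
exec_summary() {
    root=${1:-$HOME}
    (
        cd "$root" || exit 1
        find . -type f -perm /111 -print 2>/dev/null |
            awk -F/ '{ top = (NF > 2) ? $2 : "."; n[top]++ }
                     END { for (t in n) printf "%d\t%s\n", n[t], t }' |
            LC_ALL=C sort -k1,1nr -k2
    )
}

# Show the mount point and options that apply to a path, to confirm that
# the home filesystem carries noexec and that a bind-mounted exception
# does not.
mount_opts() {
    findmnt -n -o TARGET,OPTIONS -T "$1"
}

# Run the summary only when a directory is given on the command line,
# e.g.  sh exec-audit.sh "$HOME"
if [ "$#" -gt 0 ]; then
    exec_summary "$1"
fi
```

Output is one line per top-level directory, count first, with "." standing for files directly in the root.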