
Ask HN: How to protect your dotfiles from being stolen by nefarious scripts? - benwilber0
For example, the recent eslint NPM virus had full access to the local user's dotfiles, and uploaded their .npmrc file to a remote server.  The virus could have accessed anything under the user's account, including ~/.aws/credentials, ~/.bashrc (often contains a lot of API keys and access tokens), ~/.ssh, etc.

What are some ways to protect yourself from illicit access by rogue installer scripts (npm, pip, gem, homebrew, etc.)?
======
db48x
SELinux. With SELinux you can set the permissions on these files so that only
specific programs have access to them.

------
isostatic
Don't run rogue installer scripts?

Certainly don't have passwordless sudo.

If you must run dodgy scripts, run them as a separate user. We moved away from
running everything as root decades ago, but many of us failed to realise (or
mitigate) that most of our important files are owned by our own user. I
have to admit I hadn't even considered things like bash_history as an issue
before.

Your ssh key should have a strong passphrase.

~~~
smt88
Your advice boils down to "don't use Node for your application", which might
not be feasible for OP.

~~~
isostatic
Run it under an isolated user. You could even do it in a container and mount
just the directories you want.

However if your platform has security flaws maybe you should reconsider.

~~~
smt88
This doesn't solve the eslint problem because npm needs to read .npmrc, and
the malware was uploading that file to the attacker's server.

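A concrete form of what isostatic suggests (isolated user, container, mount only what you need), written here as an added example that is not code from anyone in the thread. It also takes smt88's objection into account: npm does have to read an .npmrc, so the wrapper gives the container a throwaway HOME holding a single registry token taken from NPM_TOKEN, and nothing else. That token is then the only secret a rogue install script can reach, and it can be rotated. Docker, the node:20 image, the mount points /work and /home/sandbox and the NPM_TOKEN variable are illustrative assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): run npm in a container that sees only
# the project directory and a throwaway HOME. The real ~/.npmrc,
# ~/.aws/credentials, ~/.ssh and ~/.bash_history are never mounted.
# Assumed/illustrative: Docker, image node:20, mount points /work and
# /home/sandbox, and NPM_TOKEN as the only credential the install needs.
set -eu

# List the well-known secret-bearing dotfiles under $1 that the current user
# can read. Whatever this prints is what a rogue install script can read too.
exposed_secrets() {
  local home="$1" f
  for f in .npmrc .netrc .aws/credentials .ssh/id_rsa .ssh/id_ed25519 \
           .bash_history .bashrc .zshrc; do
    [ -r "$home/$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Populate a throwaway HOME with at most one .npmrc line: the auth token for
# one registry host ($2), taken from $3. An empty token yields an empty HOME,
# which is enough for public-registry installs.
make_sandbox_home() {
  local home="$1" registry="$2" token="${3:-}"
  mkdir -p "$home"
  chmod 700 "$home"
  if [ -n "$token" ]; then
    printf '//%s/:_authToken=%s\n' "$registry" "$token" > "$home/.npmrc"
    chmod 600 "$home/.npmrc"
  fi
}

# Run a command inside the container with only $1 (project dir) and $2
# (sandbox HOME) mounted; runs as the caller's uid so files stay owned by them.
run_sandboxed() {
  local project="$1" home="$2"
  shift 2
  docker run --rm \
    --user "$(id -u):$(id -g)" \
    --cap-drop ALL --security-opt no-new-privileges \
    --tmpfs /tmp \
    -v "$project:/work" \
    -v "$home:/home/sandbox" \
    -e HOME=/home/sandbox \
    -w /work \
    node:20 "$@"
}

# npm_sandboxed install  ->  "npm install" for the current directory, with
# only the NPM_TOKEN registry credential (if set) visible to install scripts.
npm_sandboxed() {
  local home status
  home="$(mktemp -d)"
  status=0
  make_sandbox_home "$home" "registry.npmjs.org" "${NPM_TOKEN:-}"
  run_sandboxed "$PWD" "$home" npm "$@" || status=$?
  rm -rf "$home"   # the throwaway HOME (and its token) never outlives the run
  return "$status"
}
```

Source the file and run `npm_sandboxed install` from the project directory; run `exposed_secrets "$HOME"` first to see what an unsandboxed install script would get for free. The container still has network access, so a malicious package can still phone home, but all it can carry is the project tree and the one registry token, which is why that token should be a scoped, revocable one rather than your main account credential.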
