diff --git a/harden.sh b/harden.sh new file mode 100755 index 0000000..ccd80b3 --- /dev/null +++ b/harden.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# This will harden the security of these dotfiles, preventing +# unpriveleged users from editing system-level (root configuration) +# files maliciously + +# Run this inside of ~/.dotfiles (or whatever directory you installed +# the dotfiles to) + +# Run this as root! + +# BTW, this assumes your user account has a PID/GID of 1000 + +# After running this, the command `nix flake update` will require root + +if [ "$#" = 1 ]; then + dotfilesDir=$1; +else + dotfilesDir=$(pwd); +fi +pushd $dotfilesDir &> /dev/null; +chown -R root:root system; +chown -R root:root patches; +chown root:root flake.lock; +chown root:root flake.nix +chown root:root profiles/*/configuration.nix; +chown 1000:users **/README.org; +chown root:root harden.sh; +popd &> /dev/null; diff --git a/install.org b/install.org index f9c98ec..8b0e711 100644 --- a/install.org +++ b/install.org 
@@ -72,3 +72,9 @@ If it fails with something to the effect of "could not download {some image file I have included a script in the [[./themes][themes directory]] named [[./themes/background-test.sh][background-test.sh]] which performs a rough test on every theme background url, reporting which are broken. If you're having this error, navigate to the [[./flake.nix][flake.nix]] and select any theme with a good background wallpaper link. As long as it is able to download the new wallpaper, it should be able to build. + +*** Do I have to put the configuration files in =~/.dotfiles=? +No. You can put them in literally any directory you want. I just prefer to use =~/.dotfiles= as a convention. If you change the directory, do keep in mind that the above scripts must be modified, replacing =~/.dotfiles= with whatever directory you want to install them to. + +*** So I cloned these dotfiles into ~/.dotfiles, and now there are system-level files owned by my user account.. HOW IS THIS SECURE?! +If you're worried about someone modifying your system-level (root configuration) files as your unpriveleged user, see [[./harden.sh][harden.sh]].
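Review bot: the shebang is `#!/bin/sh`, but the body depends on bash: `pushd $dotfilesDir &> /dev/null;` and `popd &> /dev/null;` are not POSIX (dash has no `pushd`, and `&>` is parsed as `&` followed by `>`, so the command is backgrounded instead of silenced), and `**/README.org` only recurses when bash's `globstar` is set; under plain sh it matches one directory level. Either switch to `#!/usr/bin/env bash` with `shopt -s globstar`, or replace pushd/popd with `cd "$dotfilesDir" || exit 1` and `>/dev/null 2>&1`, quoting `"$dotfilesDir"` in any case. Separately, the hardening is weaker than the header comment promises: `chown` changes the owner but not the mode, so any group- or world-writable file stays writable, and the top-level `flake.nix`, `flake.lock` and `harden.sh` still live in a directory owned by the user, who can unlink them and drop in a replacement (write permission on the directory, not ownership of the file, decides that). Consider a `chmod -R go-w` over the chowned paths, chowning the dotfiles directory itself (or documenting that it must not be user-writable), and an explicit `[ "$(id -u)" -eq 0 ] || exit 1` guard instead of relying on the 'Run this as root!' comment. Minor: 'PID/GID' in the comment should read 'UID/GID', and the hardcoded `1000:users` would be better taken from an argument or `$SUDO_UID` rather than assumed.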
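Review bot: the new FAQ answer points at harden.sh without stating its cost or its limits: the script's own header says `nix flake update` will require root afterwards, and the protection only holds if the directory containing `flake.nix` and `flake.lock` is not writable by the unprivileged user (otherwise the files can simply be replaced). One sentence on each in this answer would save readers a surprise. Also fix the typo 'unpriveleged' -> 'unprivileged' in the last paragraph, and wrap `~/.dotfiles` in the second heading in `=...=` as the first heading does.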