Cleaning up the home directory

Taking all the necessary measures to have a clean $HOME

06 Sep 2019

Even though it is better than it was in the past, many apps still don't respect the XDG Base Directory specification. Your home directory is dirty. It's time you do something about it!

First, ask nicely

Some apps don't follow the specification by default, but can be configured to do so. The Arch Wiki has a comprehensive list of apps and how to make them behave.

Then, establish some rules

Make your home dir read-only:

chmod -200 ~

Fallback

Some apps might complain about the read-only directory or fail to start. For example, Arduino IDE returns this message:

Picked up JAVA_TOOL_OPTIONS:
Settings issues: Arduino cannot run because it could not
create a folder to store your settings.

So, you have to trick the app into thinking the home directory is elsewhere. There are many tricks that can work: changing the $HOME variable, changing the user.home system property (for Java apps), using a FUSE filesystem , using libetc (an unmaintained LD_PRELOAD-able shared library that intercepts file operations), and potentially more. But none of those work universally, if at all, and they are a hassle to set up on a per-app basis.

The most versatile solution I found is using Firejail. 

# temporary change $HOME permissions and create ~/fjHome (short for Firejail Home)
chmod +200 ~ && mkdir ~/fjHome; chmod -200 ~
# use ~/fjHome as your home directory
firejail --private=~/fjHome arduino

You can also add private ~/fjHome to ~/.config/firejail/globals.local to use it by default.

echo "private ~/fjHome" > ~/.config/firejail/globals.local
# Now run firejail without setting --private=~/fjHome
firejail arduino

If you want to run arduino in firejail by default, symlink /usr/local/bin/arduino to /usr/bin/firejail.

sudo ln -s /usr/bin/firejail /usr/local/bin/arduino
# Now you can run your app directly
arduino

Keep in mind that firejail comes with default profiles that may restrict what your app can access. Using arduino as an example, /etc/firejail/arduino.profile is loaded by default. If you do not care about security and only want to keep your $HOME clean, create a local profile that only includes globals.local.

echo "include globals.local" > ~/.config/firejail/arduino.profile

Conclusion

Running apps that don't respect a decade-old standard inside a sandbox seems to be the only solution for a clean $HOME. Keeping your home directory read-only ensures no new unwanted files are created and allows you to delete all unnecessary junk.