ssh: move auth socket blacklist to disable-common.inc

That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").

Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc.  Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.

Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.

2 files changed, 3 insertions, 1 deletions

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 0de539d57..eeafe3ec4 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 74cbfbcbe..2ef40b23a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -856,7 +856,6 @@ blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
-blacklist /tmp/ssh-*
 blacklist /tmp/.wine-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem