path: root/etc/inc/disable-programs.inc
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-09 18:20:38 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2021-01-27 18:18:39 -0300
commit: 2ec3f3a96508bef3fd8b6b4788557ee19589db05
tree: 6f8eacb365e22cbb063cc13d5b899ad04195fec9 /etc/inc/disable-programs.inc
parent: allow-ssh.inc: allow access to ssh-agent(1)
disable-common.inc: add missing openssh paths

The paths are taken from ssh(1) and sshd(8).

    $ pacman -Q openssh
    openssh 8.4p1-2

These are only used by sshd(8), so always blacklist them:

* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
  the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.

Note2: From sshd(8):

> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.

So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.

This file is actually used by ssh(1), so just mark it read-only:

* ~/.ssh/config: allows arbitrary command execution on the remote
  machine (with e.g.: RemoteCommand) and also defines the connection
  strength

Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:

* ~/.ssh/config.d: same as above

P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.

[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813

Diffstat (limited to 'etc/inc/disable-programs.inc')
0 files changed, 0 insertions, 0 deletions
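
An added example, not part of the commit or of firejail: a Python check that a profile covers each path named in the commit message with the directive the message gives for it. The sample profile is constructed (two paths are left out on purpose), the function names are hypothetical, and `${HOME}` is assumed as the profile spelling of `~`.

```python
import fnmatch

# Policy as stated in the commit message: path -> directive it should get.
EXPECTED = {
    "${HOME}/.rhosts": "blacklist",
    "${HOME}/.shosts": "blacklist",
    "${HOME}/.ssh/authorized_keys": "blacklist",
    "${HOME}/.ssh/authorized_keys2": "blacklist",
    "${HOME}/.ssh/environment": "blacklist",
    "${HOME}/.ssh/rc": "blacklist",
    "/etc/hosts.equiv": "blacklist",
    "${HOME}/.ssh/config": "read-only",
    "${HOME}/.ssh/config.d": "read-only",
}

# Constructed sample profile (assumption, not the commit's actual diff).
# ~/.ssh/rc and ~/.ssh/config.d are deliberately missing.
SAMPLE_PROFILE = """\
# Remote access
blacklist /etc/ssh/*
blacklist /etc/hosts.equiv
blacklist ${HOME}/.rhosts
blacklist ${HOME}/.shosts
blacklist ${HOME}/.ssh/authorized_keys
blacklist ${HOME}/.ssh/authorized_keys2
blacklist ${HOME}/.ssh/environment
read-only ${HOME}/.ssh/config
"""

def parse_rules(text):
    """Return (directive, pattern) pairs for blacklist/read-only lines."""
    rules = []
    for raw in text.splitlines():
        directive, _, pattern = raw.strip().partition(" ")
        if directive in ("blacklist", "read-only") and pattern.strip():
            rules.append((directive, pattern.strip()))
    return rules

def audit(text, expected=EXPECTED):
    """Map each expected path to 'ok', 'missing' or 'wrong:<directive>'."""
    rules = parse_rules(text)
    report = {}
    for path, want in expected.items():
        # fnmatch's '*' also crosses '/', so this is broader than a shell glob.
        found = [d for d, pat in rules if fnmatch.fnmatchcase(path, pat)]
        if want in found:
            report[path] = "ok"
        else:
            report[path] = "wrong:" + found[0] if found else "missing"
    return report
```

Calling `audit(SAMPLE_PROFILE)` reports the two omitted paths as `missing`; a path matched only by the other directive is reported as `wrong:<directive>`.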