author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-10-01 11:23:56 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-07-14 08:08:47 -0300 |
commit | 580283d74b4e6cd425960d336cb0a5296ae36a68 (patch) | |
tree | 828ec892bad07c4ae166637bccdc371e9715d594 /etc/inc | |
parent | Merge pull request #5881 from glitsj16/rssguard (diff) | |
download | firejail-580283d74b4e6cd425960d336cb0a5296ae36a68.tar.gz firejail-580283d74b4e6cd425960d336cb0a5296ae36a68.tar.zst firejail-580283d74b4e6cd425960d336cb0a5296ae36a68.zip |

disable-common.inc: blacklist sudo/doas paths in /etc

Commands used to find the relevant paths in /etc:

    $ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
    /etc/pam.d/ is owned by sudo 1.9.14.p1-1
    /etc/sudo.conf is owned by sudo 1.9.14.p1-1
    /etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
    /etc/sudoers is owned by sudo 1.9.14.p1-1
    /etc/sudoers.d/ is owned by sudo 1.9.14.p1-1

Environment: Artix Linux.

Also, add missing paths sudo/doas to etc/ids.config and jailcheck.

See also commit dbebd71db ("disable-common.inc: blacklist doas binary",
2022-10-05).

Relates to #5385.

Reported-by: Dieter Plaetinck <dieter@plaetinck.be>

Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/disable-common.inc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index 4277100ce..ce4f08958 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -416,6 +416,7 @@ blacklist /tmp/ssh-* | |||
416 | # top secret | 416 | # top secret |
417 | blacklist /.fscrypt | 417 | blacklist /.fscrypt |
418 | blacklist /etc/davfs2/secrets | 418 | blacklist /etc/davfs2/secrets |
419 | blacklist /etc/doas.conf | ||
419 | blacklist /etc/group+ | 420 | blacklist /etc/group+ |
420 | blacklist /etc/group- | 421 | blacklist /etc/group- |
421 | blacklist /etc/gshadow | 422 | blacklist /etc/gshadow |
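
Review bot: the new `blacklist /etc/doas.conf` entry has no counterpart in the commit message's discovery step, which only filters the package query with `grep sudo`. Please add the equivalent doas query and its output to the message, or say how the doas path was chosen, so the list can be re-derived and checked the same way the sudo entries can. The message also says etc/ids.config and jailcheck are updated, but this view is limited to etc/inc, so those changes cannot be reviewed from here.
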
@@ -428,6 +429,8 @@ blacklist /etc/shadow+ | |||
428 | blacklist /etc/shadow- | 429 | blacklist /etc/shadow- |
429 | blacklist /etc/ssh | 430 | blacklist /etc/ssh |
430 | blacklist /etc/ssh/* | 431 | blacklist /etc/ssh/* |
432 | blacklist /etc/sudo*.conf | ||
433 | blacklist /etc/sudoers* | ||
431 | blacklist /home/.ecryptfs | 434 | blacklist /home/.ecryptfs |
432 | blacklist /home/.fscrypt | 435 | blacklist /home/.fscrypt |
433 | blacklist ${HOME}/*.kdb | 436 | blacklist ${HOME}/*.kdb |
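
Review bot: at `blacklist /etc/sudoers*`, the directory /etc/sudoers.d/ is covered only by the wildcard on its name, while the context lines just above list both `blacklist /etc/ssh` and `blacklist /etc/ssh/*` for the ssh directory. If that pair is needed for ssh, `/etc/sudoers.d/*` needs the same treatment; if it is not, a one-line comment here saying the directory match is sufficient would avoid the question. Separately, the pacman output in the message lists /etc/pam.d/ as owned by sudo and it is not blacklisted by `/etc/sudo*.conf` or `/etc/sudoers*`; that is presumably intentional since the directory is shared, but the message should say so.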