author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-21 10:21:11 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-21 10:41:47 -0300 |
commit | 5ba5ed07640eae8f94e8bcdaff1573a5161339e3 (patch) | |
tree | 137aef9dfcdcee2ec75736687a9646c10dbc5bad /etc/inc | |
parent | tests: fix error when /dev/kmsg is missing (diff) | |

profiles: restore entries for ssh-related paths

This partially reverts commit d94f54736 ("disable all ssh utilities in
disable-common.inc", 2023-08-20).

Certain files in ~/.ssh are only used by sshd (not by ssh), so always
blacklist them.

Also, ssh itself does not need write access to the configuration files,
so make them read-only by default.

For details, see commit 2ec3f3a96 ("disable-common.inc: add missing
openssh paths", 2021-01-09) / PR #3885.

Cc: @netblue30

Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/disable-common.inc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index faed10008..010cb05b6 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -319,9 +319,13 @@ read-only ${HOME}/.zshenv | |||
319 | read-only ${HOME}/.zshrc | 319 | read-only ${HOME}/.zshrc |
320 | read-only ${HOME}/.zshrc.local | 320 | read-only ${HOME}/.zshrc.local |
321 | 321 | ||
322 | # Remote access - ${HOME}/.ssh directory blacklisted in top secret section below | 322 | # Remote access (used only by sshd; should always be blacklisted) |
323 | blacklist ${HOME}/.rhosts | 323 | blacklist ${HOME}/.rhosts |
324 | blacklist ${HOME}/.shosts | 324 | blacklist ${HOME}/.shosts |
325 | blacklist ${HOME}/.ssh/authorized_keys | ||
326 | blacklist ${HOME}/.ssh/authorized_keys2 | ||
327 | blacklist ${HOME}/.ssh/environment | ||
328 | blacklist ${HOME}/.ssh/rc | ||
325 | blacklist /etc/hosts.equiv | 329 | blacklist /etc/hosts.equiv |
326 | 330 | ||
327 | # Initialization files that allow arbitrary command execution | 331 | # Initialization files that allow arbitrary command execution |
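
Review bot: The rewritten comment at new line 322 drops the old pointer to where the rest of `${HOME}/.ssh` is handled, so a reader of this section can no longer tell that the four entries added at 325-328 deliberately cover only the sshd-side files and not the whole directory. Since the commit message calls this a partial revert, it would help to say in the comment where (or whether) the remaining contents of `${HOME}/.ssh`, such as private keys, are still restricted, for example by adding a second comment line that names the section or include file responsible. The ordering of the new entries between `.shosts` and `/etc/hosts.equiv` is consistent with the existing list.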
@@ -354,6 +358,8 @@ read-only ${HOME}/.nanorc | |||
354 | read-only ${HOME}/.npmrc | 358 | read-only ${HOME}/.npmrc |
355 | read-only ${HOME}/.pythonrc.py | 359 | read-only ${HOME}/.pythonrc.py |
356 | read-only ${HOME}/.reportbugrc | 360 | read-only ${HOME}/.reportbugrc |
361 | read-only ${HOME}/.ssh/config | ||
362 | read-only ${HOME}/.ssh/config.d | ||
357 | read-only ${HOME}/.tmux.conf | 363 | read-only ${HOME}/.tmux.conf |
358 | read-only ${HOME}/.vim | 364 | read-only ${HOME}/.vim |
359 | read-only ${HOME}/.viminfo | 365 | read-only ${HOME}/.viminfo |
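
Review bot: The two entries added at new lines 361-362 carry no in-file explanation of why `${HOME}/.ssh/config` and `${HOME}/.ssh/config.d` are `read-only` rather than `blacklist`; the reasoning ("ssh itself does not need write access") exists only in the commit message. A short comment above them would keep the intent visible to the next editor, particularly because `read-only` still leaves the files readable by every sandboxed program that includes this file, which exposes host aliases, user names and identity file paths. If profiles that never invoke ssh are expected to hide these paths some other way, it is worth stating that here. Alphabetical placement between `.reportbugrc` and `.tmux.conf` is fine.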