author | glitsj16 <glitsj16@users.noreply.github.com> | 2021-01-30 00:37:01 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-30 00:37:01 +0000 |
commit | dbd8925fd98036647db04dcf902f5585752c8289 (patch) | |
tree | d337d510897cf1c2dc19f246e68e952d2c765af4 /etc/inc | |
parent | Fix #3925 -- telegram-desktop launch browser for … (diff) | |
parent | disable-common.inc: add missing openssh paths (diff) | |
Merge pull request #3885 from kmk3/fix-ssh
ssh: Refactor, fix bugs & harden
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/allow-ssh.inc | 8 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 14 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 1 |
3 files changed, 21 insertions, 2 deletions
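--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*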
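Review bot: `noblacklist /etc/ssh/ssh_config` exempts only that single file from the `blacklist /etc/ssh/*` rule this same commit adds to disable-common.inc, so /etc/ssh/ssh_known_hosts and a drop-in directory such as /etc/ssh/ssh_config.d (which the stock ssh_config on some distributions pulls in via an `Include`) stay hidden inside the sandbox; if that is not intended, add `noblacklist /etc/ssh/ssh_config.d` and `noblacklist /etc/ssh/ssh_known_hosts`. The file also depends on being included before disable-common.inc for its noblacklist lines to take effect, and nothing says so; a header comment such as `# Must be included before disable-common.inc (noblacklist is order-sensitive)` would save profile authors a debugging round. Finally, `noblacklist /tmp/ssh-*` presumably re-exposes the ssh-agent socket, i.e. the sandboxed program can request signatures with any key the agent holds, which deserves a one-line comment so that users adding this include know what they are granting.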
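--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-read-only ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -347,6 +355,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
@@ -393,6 +404,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup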
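Review bot: The comment `# prevent access to ssh-agent` above `blacklist /tmp/ssh-*` overstates what the rule does: /tmp/ssh-* is only where OpenSSH's own ssh-agent creates its socket, whereas agents started by gnome-keyring, gpg-agent or a systemd user unit typically place SSH_AUTH_SOCK under the user's runtime directory (/run/user/<uid>/...), which this hunk leaves reachable. Either narrow the comment to `# prevent access to the OpenSSH ssh-agent socket (agent sockets under /run/user are not covered)` or add matching blacklist rules for those runtime-directory sockets so the protection is not silently distribution-dependent. Separately, `blacklist /etc/ssh/*` directly after `blacklist /etc/ssh` looks redundant on its own and only matters when a profile noblacklists the directory, as the new allow-ssh.inc does; a comment such as `# keep the contents hidden even when /etc/ssh itself is noblacklisted` would stop a later cleanup from dropping it.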
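--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -860,7 +860,6 @@ blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
-blacklist /tmp/ssh-*
 blacklist /tmp/.wine-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem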