authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2021-01-30 00:37:01 +0000
committerLibravatar GitHub <noreply@github.com>2021-01-30 00:37:01 +0000
commitdbd8925fd98036647db04dcf902f5585752c8289 (patch)
treed337d510897cf1c2dc19f246e68e952d2c765af4 /etc/inc
parentFix #3925 -- telegram-desktop launch browser for … (diff)
parentdisable-common.inc: add missing openssh paths (diff)
Merge pull request #3885 from kmk3/fix-ssh
ssh: Refactor, fix bugs & harden
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/allow-ssh.inc8
-rw-r--r--etc/inc/disable-common.inc14
-rw-r--r--etc/inc/disable-programs.inc1
3 files changed, 21 insertions, 2 deletions
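diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
new file mode 100644
index 000000000..67c78a483
--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*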
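Review bot: `noblacklist /etc/ssh/ssh_config` is the only per-file exemption in this file, while `blacklist /etc/ssh/*` added to disable-common.inc in the same commit hides everything else under /etc/ssh, so an ssh client using this include can presumably no longer read `/etc/ssh/ssh_known_hosts` or the `/etc/ssh/ssh_config.d/` drop-in directory that several distributions include from the system ssh_config. Hiding the system-wide known_hosts weakens host-key verification (the client falls back to the per-user file or a trust-on-first-use prompt) rather than hardening anything, so consider `noblacklist /etc/ssh/ssh_known_hosts` and `noblacklist /etc/ssh/ssh_config.d` next to the existing line. This assumes firejail's noblacklist matches paths individually rather than by directory prefix, which the separate ssh_config exemption suggests; a comment stating that the per-file entries in disable-common.inc intentionally stay in force would help the next reader, e.g. `# authorized_keys, environment and rc under ~/.ssh remain blacklisted via disable-common.inc`.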
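diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 0de539d57..d724e3b52 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-read-only ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -347,6 +355,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
@@ -393,6 +404,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup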
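Review bot: `blacklist /tmp/ssh-*` under "prevent access to ssh-agent" only covers sockets that ssh-agent itself creates in /tmp; agents that put their socket under the user's runtime directory (gnome-keyring's `keyring/ssh`, a systemd user `ssh-agent.socket`) remain reachable through `$SSH_AUTH_SOCK` unless they are blacklisted elsewhere in this file, which is not visible here. The comment should state the actual scope, e.g. `# prevent access to ssh-agent sockets created in /tmp (agent sockets under the user runtime dir are not covered here)`, and `${RUNUSER}`-based entries should be added if that variable is available in this firejail version. In the last hunk, `blacklist /etc/ssh/*` directly after `blacklist /etc/ssh` reads as redundant without context; a comment such as `# also blacklist the individual files, for profiles that noblacklist /etc/ssh` would explain why both are needed.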
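diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 153ced0f4..5910d3543 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -860,7 +860,6 @@ blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
-blacklist /tmp/ssh-*
 blacklist /tmp/.wine-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem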