disable-common.inc: read-only access to ~/.ssh/authorized_keys - firejail - Mirror of https://github.com/netblue30/firejail

diff options

author	Alexander GQ Gerasiov <gq@cs.msu.su>	2017-12-22 14:00:17 +0300
committer	Alexander GQ Gerasiov <gq@cs.msu.su>	2017-12-22 14:00:21 +0300
commit	b5542fc94863a4f0fd016c6ea3ab81c14890ff7b (patch)
tree	2a6834a65d687039a7a7967c06d5263d6d38d482 /etc/profile-m-z
parent	firemon fixes (diff)
download	firejail-b5542fc94.tar.gz firejail-b5542fc94.tar.zst firejail-b5542fc94.zip

disable-common.inc: read-only access to ~/.ssh/authorized_keys

disable-common.inc blacklists whole .ssh, but some profiles (e.g. idea.sh) unblacklists it to allow git over ssh with public key auth. But this creates security hole, since firejailed app could modify ~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd installed (e.g. ssh localhost and run any program) or even open backdoor for remote attacker. This commits disallows write access to ~/.ssh/authorized_keys even if .ssh was unblacklisted. Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su>

Diffstat (limited to 'etc/profile-m-z')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: