author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-09 18:20:38 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
commit | 2ec3f3a96508bef3fd8b6b4788557ee19589db05 (patch) | |
tree | 6f8eacb365e22cbb063cc13d5b899ad04195fec9 /etc/profile-m-z | |
parent | allow-ssh.inc: allow access to ssh-agent(1) (diff) | |
download | firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.tar.gz firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.tar.zst firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.zip |
disable-common.inc: add missing openssh paths

The paths are taken from ssh(1) and sshd(8).

    $ pacman -Q openssh
    openssh 8.4p1-2

These are only used by sshd(8), so always blacklist them:

* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
  the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.

Note2: From sshd(8):

> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.

So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.

This file is actually used by ssh(1), so just mark it read-only:

* ~/.ssh/config: allows arbitrary command execution on the remote
  machine (with e.g.: RemoteCommand) and also defines the connection
  strength

Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:

* ~/.ssh/config.d: same as above

P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.

[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813

Diffstat (limited to 'etc/profile-m-z')
0 files changed, 0 insertions, 0 deletions
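
A check that can be run from a shell inside the sandbox to confirm the paths listed in the commit message are handled as described. This is an added example, not part of the firejail commit or code base; the function name `audit_ssh_paths`, its optional root-prefix argument and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not firejail code. audit_ssh_paths and its output format
# are hypothetical.
# Assumption: a blacklisted path is either absent or unreadable to the
# sandboxed user, and a read-only path fails the -w (write access) test.

# Used only by sshd(8): expected to be blacklisted.
SSHD_ONLY=".rhosts .shosts .ssh/authorized_keys .ssh/authorized_keys2
.ssh/environment .ssh/rc"
# Used by ssh(1): expected to be read-only.
SSH_CLIENT=".ssh/config .ssh/config.d"

# audit_ssh_paths HOME_DIR [ROOT_PREFIX]
# Prints one line per finding; the return status is the number of findings.
# ROOT_PREFIX defaults to empty, so /etc/hosts.equiv is checked as-is.
audit_ssh_paths() {
    home=$1
    root=${2:-}
    findings=0

    for rel in $SSHD_ONLY; do
        p="$home/$rel"
        if [ -e "$p" ] && [ -r "$p" ]; then
            echo "READABLE  $p (expected blacklisted)"
            findings=$((findings + 1))
        fi
    done

    # System-wide equivalent of ~/.rhosts.
    p="$root/etc/hosts.equiv"
    if [ -e "$p" ] && [ -r "$p" ]; then
        echo "READABLE  $p (expected blacklisted)"
        findings=$((findings + 1))
    fi

    for rel in $SSH_CLIENT; do
        p="$home/$rel"
        if [ -e "$p" ] && [ -w "$p" ]; then
            echo "WRITABLE  $p (expected read-only)"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Usage inside the sandbox: audit_ssh_paths "$HOME"
```

Run as an unprivileged user: root passes the `-r` and `-w` permission tests on mode-restricted files, so a root shell can report findings that an ordinary sandboxed process would not see.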