aboutsummaryrefslogtreecommitdiffstats
path: root/etc/profile-m-z
diff options
context:
space:
mode:
authorLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2021-01-11 02:54:28 -0300
committerLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2021-01-27 18:18:39 -0300
commit90f2d736948ae069fc8d43d2fe5566b0c2c70b59 (patch)
tree26a15a4e30ae3792992a859b027a11ac35cb5b2b /etc/profile-m-z
parentssh: deny access to the rest of /etc/ssh/* (diff)
downloadfirejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.tar.gz
firejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.tar.zst
firejail-90f2d736948ae069fc8d43d2fe5566b0c2c70b59.zip
allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r--etc/profile-m-z/seahorse.profile1
-rw-r--r--etc/profile-m-z/ssh-agent.profile2
-rw-r--r--etc/profile-m-z/ssh.profile1
3 files changed, 0 insertions, 4 deletions
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 0f91c79ec..065409e78 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,7 +9,6 @@ include globals.local
9blacklist /tmp/.X11-unix 9blacklist /tmp/.X11-unix
10 10
11noblacklist ${HOME}/.gnupg 11noblacklist ${HOME}/.gnupg
12noblacklist /tmp/ssh-*
13 12
14# Allow ssh (blacklisted by disable-common.inc) 13# Allow ssh (blacklisted by disable-common.inc)
15include allow-ssh.inc 14include allow-ssh.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 60c7b510c..5802299a3 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,8 +6,6 @@ include ssh-agent.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist /tmp/ssh-*
10
11# Allow ssh (blacklisted by disable-common.inc) 9# Allow ssh (blacklisted by disable-common.inc)
12include allow-ssh.inc 10include allow-ssh.inc
13 11
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 3ddd96df4..641c3a79d 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
7# Persistent global definitions 7# Persistent global definitions
8include globals.local 8include globals.local
9 9
10noblacklist /tmp/ssh-*
11# nc can be used as ProxyCommand, e.g. when using tor 10# nc can be used as ProxyCommand, e.g. when using tor
12noblacklist ${PATH}/nc 11noblacklist ${PATH}/nc
13noblacklist ${PATH}/ncat 12noblacklist ${PATH}/ncat
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-30 17:24:03 +0000