diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-09 18:20:38 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-01-27 18:18:39 -0300 |
| commit | 2ec3f3a96508bef3fd8b6b4788557ee19589db05 (patch) | |
| tree | 6f8eacb365e22cbb063cc13d5b899ad04195fec9 /etc | |
| parent | allow-ssh.inc: allow access to ssh-agent(1) (diff) | |
| download | firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.tar.gz firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.tar.zst firejail-2ec3f3a96508bef3fd8b6b4788557ee19589db05.zip | |
disable-common.inc: add missing openssh paths
The paths are taken from ssh(1) and sshd(8).
$ pacman -Q openssh
openssh 8.4p1-2
These are only used by sshd(8), so always blacklist them:
* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts
Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.
Note2: From sshd(8):
> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.
So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.
This file is actually used by ssh(1), so just mark it read-only:
* ~/.ssh/config: allows arbitrary command execution on the remote
machine (with e.g.: RemoteCommand) and also defines the connection
strength
Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:
* ~/.ssh/config.d: same as above
P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.
[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/disable-common.inc | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index e1c930b43..d724e3b52 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
| @@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc | |||
| 291 | read-only ${HOME}/.zshrc.local | 291 | read-only ${HOME}/.zshrc.local |
| 292 | 292 | ||
| 293 | # Remote access | 293 | # Remote access |
| 294 | read-only ${HOME}/.ssh/authorized_keys | 294 | blacklist ${HOME}/.rhosts |
| 295 | blacklist ${HOME}/.shosts | ||
| 296 | blacklist ${HOME}/.ssh/authorized_keys | ||
| 297 | blacklist ${HOME}/.ssh/authorized_keys2 | ||
| 298 | blacklist ${HOME}/.ssh/environment | ||
| 299 | blacklist ${HOME}/.ssh/rc | ||
| 300 | blacklist /etc/hosts.equiv | ||
| 301 | read-only ${HOME}/.ssh/config | ||
| 302 | read-only ${HOME}/.ssh/config.d | ||
| 295 | 303 | ||
| 296 | # Initialization files that allow arbitrary command execution | 304 | # Initialization files that allow arbitrary command execution |
| 297 | read-only ${HOME}/.caffrc | 305 | read-only ${HOME}/.caffrc |