profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479)

Based on the report by @Saren-Arterius[1]: Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and `ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp. Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount with nautilus will fail with a meaningless error message shown in the UI. Steps to reproduce[1]: Prepare ssh server or localhost, then run: ssh -o"ForwardX11 no" -o"ForwardAgent no" \ -o"PermitLocalCommand no" -o"ClearAllForwardings yes" \ -o"NoHostAuthenticationForLocalhost yes" \ -o"ControlMaster auto" \ -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \ -s {SSH_HOST} sftp stderr shows: unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory And ssh exits with error code 255. Fixes #5816. [1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931 Reported-by: @Saren-Arterius Suggested-by: @Saren-Arterius Reported-by: @Alex-Farol Reported-by: @mirko
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-09-19 10:55:35 +0000
committer: GitHub <noreply@github.com> 2024-09-19 10:55:35 +0000
commit: 271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7 (patch)
tree: 496808a5aec17a4698c7765e06b977aff9164e63 /etc
parent: profiles: ssh: sort entries (diff)
download: firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.tar.gz
firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.tar.zst
firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 018e05230..96839d082 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -21,6 +21,7 @@ include disable-programs.inc
 whitelist ${RUNUSER}/gcr/ssh
 whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
 whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
+whitelist ${RUNUSER}/gvfsd-sftp
 whitelist ${RUNUSER}/keyring/ssh
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-09-19 10:55:35 +0000
committer	GitHub <noreply@github.com>	2024-09-19 10:55:35 +0000
commit	271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7 (patch)
tree	496808a5aec17a4698c7765e06b977aff9164e63 /etc
parent	profiles: ssh: sort entries (diff)
download	firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.tar.gz firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.tar.zst firejail-271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7.zip

diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 018e05230..96839d082 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile
@@ -21,6 +21,7 @@ include disable-programs.inc
21	whitelist ${RUNUSER}/gcr/ssh	21	whitelist ${RUNUSER}/gcr/ssh
22	whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup	22	whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup
23	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup	23	whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup
		24	whitelist ${RUNUSER}/gvfsd-sftp
24	whitelist ${RUNUSER}/keyring/ssh	25	whitelist ${RUNUSER}/keyring/ssh
25	include whitelist-runuser-common.inc	26	include whitelist-runuser-common.inc
26	include whitelist-usr-share-common.inc	27	include whitelist-usr-share-common.inc