author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-09-19 10:55:35 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-19 10:55:35 +0000 |
commit | 271fb1bfc73c20fb3ffbe812cafdea4bb32f71d7 (patch) | |
tree | 496808a5aec17a4698c7765e06b977aff9164e63 /etc | |
parent | profiles: ssh: sort entries (diff) | |
profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479)

Based on the report by @Saren-Arterius[1]:

Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and
`ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp.
Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount
with nautilus will fail with a meaningless error message shown in the
UI.

Steps to reproduce[1]:

Prepare ssh server or localhost, then run:

    ssh -o"ForwardX11 no" -o"ForwardAgent no" \
      -o"PermitLocalCommand no" -o"ClearAllForwardings yes" \
      -o"NoHostAuthenticationForLocalhost yes" \
      -o"ControlMaster auto" \
      -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \
      -s {SSH_HOST} sftp

stderr shows:

    unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory

And ssh exits with error code 255.

Fixes #5816.

[1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931

Reported-by: @Saren-Arterius
Suggested-by: @Saren-Arterius
Reported-by: @Alex-Farol
Reported-by: @mirko

Diffstat (limited to 'etc')
-rw-r--r-- | etc/profile-m-z/ssh.profile | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 018e05230..96839d082 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -21,6 +21,7 @@ include disable-programs.inc | |||
21 | whitelist ${RUNUSER}/gcr/ssh | 21 | whitelist ${RUNUSER}/gcr/ssh |
22 | whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup | 22 | whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh # custom gpg homedir setup |
23 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup | 23 | whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh # default gpg homedir setup |
24 | whitelist ${RUNUSER}/gvfsd-sftp | ||
24 | whitelist ${RUNUSER}/keyring/ssh | 25 | whitelist ${RUNUSER}/keyring/ssh |
25 | include whitelist-runuser-common.inc | 26 | include whitelist-runuser-common.inc |
26 | include whitelist-usr-share-common.inc | 27 | include whitelist-usr-share-common.inc |
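
Review bot: the added `whitelist ${RUNUSER}/gvfsd-sftp` line has no trailing comment, unlike the two gnupg entries just above it, and it is the only entry in this group that whitelists a whole directory rather than a single socket path (`gcr/ssh`, `keyring/ssh`, `S.gpg-agent.ssh`). The commit message gives the ControlPath as `/run/user/$UID/gvfsd-sftp/%C`, so the socket name cannot be listed in advance and the directory entry looks necessary, but that reasoning should live next to the line, for example `# gvfs sftp ControlPath dir (gvfs 1.53+)`. The comment could also record that every control socket gvfs places in that directory becomes visible inside the ssh sandbox, so a later reader does not narrow or widen the entry without knowing why it is shaped this way.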