aboutsummaryrefslogtreecommitdiffstats
path: root/etc/inc/allow-ssh.inc
Commit message (Collapse)AuthorAge
* disable all ssh utilities in disable-common.incLibravatar netblue302023-08-20
|
* Make /etc/ssh/ssh_config.d visible for ssh (#5353)Libravatar slowpeek2022-09-02
|
* add Fedora fixesLibravatar glitsj162021-11-10
| | | Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
* fixes for sshLibravatar glitsj162021-11-10
| | | After seeing https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99 it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there's version differences on non-rolling distro's to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths.
* disable-common.inc: fix sshLibravatar netblue302021-11-09
|
* disable-common.inc: blacklist sshLibravatar netblue302021-11-09
|
* Revert "move whitelist/blacklist to allow/deny"Libravatar Kelvin M. Klann2021-07-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit fe0f975f447d59977d90c3226cc8c623b31b20b3. Note: This only reverts the changes from etc. The 4 aliases introduced on commit 45f2ba544 are mere, well, aliases. That is, they fail to address the different usability problems discussed on [#3447][3447] and in fact only make things more confusing (as has already been mentioned on [this][4379] and later comments). The main reason is that the aliases do not meaningfully map to the original commands. For example, the commands from each pair below seem like they would do the exact same thing: * `allow` and `nodeny` * `deny` and `noallow` Additionally, if these aliases are not the final commands, but only a test/work-in-progress, then keeping the wide-scale search/replace changes made on commit fe0f975f4 would only serve to cause confusion, as users of firejail-git, contributors and downstream projects might start changing the commands used on their profiles, only to later have to change them again, potentially to completely different commands. The sooner this is undone the better, as (besides the above reasons) the more profile changes there are between the original commit and the revert, the harder it is to e.g.: `git diff` versions of files across the following revision ranges: before the commit, after the commit but before the revert and after the revert. Note: This is still the case even if a commit is [ignored by `git blame`][4390]. So let us revert fe0f975f4 and only reapply similar large-scale changes once we have discussed and settled on better commands. How the revert was applied: Despite using the auto-generated message from `git revert`, to ensure correctness and to avoid conflicts the changes were reverted in different steps: Firstly, revert the files which can be safely reverted directly ("filestorevert"): # Find out which files have been changed on fe0f975f44, but have not # been changed afterwards and list them on "filestorevert" git show --pretty='' --name-only fe0f975f44 -- etc | LC_ALL=C sort >allfiles git diff --name-only fe0f975f44..master -- etc | LC_ALL=C sort >filestoignore comm -2 -3 allfiles filestoignore >filestorevert # Note: There are 3 extra files on filestoignore because they were # added after commit fe0f975f44 wc -l allfiles filestoignore filestorevert | head -n 3 # 797 allfiles # 8 filestoignore # 792 filestorevert # Automatically revert files in "filestorevert" # See https://stackoverflow.com/a/23401018/10095231 tr '\n' '\000' <filestorevert | xargs -0 git show fe0f975f44 -- | git apply --reverse printf 'Total files reverted:\n' git diff --name-only | wc -l # 792 Secondly, do some search/replace on the rest: tr '\n' '\000' <filestoignore | xargs -0 sed -i.bak \ -e 's/allow /whitelist /' -e 's/noallow /nowhitelist /' \ -e 's/deny /blacklist /' -e 's/nodeny /noblacklist /' \ -e 's/deny-nolog /blacklist-nolog /' find etc -name '*.bak' -print0 | xargs -0 rm Thirdly, verify the result. The following command shows the difference between all the changes in etc from before fe0f975f44 and this commit (inclusive): git diff fe0f975f44~1 -- etc From the output, it looks like all alias changes are fully reverted and that the other changes to etc (from after fe0f975f44) remain, so the revert seems to be done correctly. [3447]: https://github.com/netblue30/firejail/issues/3447 [4379]: https://github.com/netblue30/firejail/issues/4379#issuecomment-876460222 [4390]: https://github.com/netblue30/firejail/issues/4390
* move whitelist/blacklist to allow/denyLibravatar netblue302021-07-05
|
* allow-ssh.inc: allow access to ssh-agent(1)Libravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh
* allow-ssh.inc: allow /etc/ssh/ssh_configLibravatar Kelvin M. Klann2021-01-27
| | | | | | | | | | | | | | | This is the system-wide equivalent of ~/.ssh/config. $ pacman -Q openssh openssh 8.4p1-2 Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc: Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
* etc: add allow-ssh.incLibravatar Kelvin M. Klann2021-01-27
And move the scattered `noblacklist ${HOME}/.ssh` entries into it. Command used to find the relevant files: $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031