| Commit message (Collapse) | Author | Age |
|\
| |
| | |
follow-up fixes for #3914
|
| |
| |
| |
| | |
https://github.com/netblue30/firejail/commit/43aa71f8c608ec5bd92fd2c7323c603fa37f6d30
|
|\ \
| | |
| | | |
ssh: Refactor, fix bugs & harden
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The paths are taken from ssh(1) and sshd(8).
$ pacman -Q openssh
openssh 8.4p1-2
These are only used by sshd(8), so always blacklist them:
* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts
Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.
Note2: From sshd(8):
> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.
So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.
This file is actually used by ssh(1), so just mark it read-only:
* ~/.ssh/config: allows arbitrary command execution on the remote
machine (with e.g.: RemoteCommand) and also defines the connection
strength
Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional
path for storing them[3], so mark it read-only:
* ~/.ssh/config.d: same as above
P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.
[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Leaving it limited to only ssh, ssh-agent and seahorse by default seems
unnecessarily restrictive.
From ssh(1):
> The most convenient way to use public key or certificate
> authentication may be with an authentication agent. See ssh-agent(1)
> and (optionally) the AddKeysToAgent directive in ssh_config(5) for
> more information.
$ pacman -Q openssh
openssh 8.4p1-2
With ssh-agent(1) running in the background (and with the private key(s)
loaded through ssh-add(1)), ssh(1) doesn't need direct access to the
actual key pair(s), so you could probably get away with this on
allow-ssh.local:
ignore noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/config
noblacklist ${HOME}/.ssh/config.d
noblacklist ${HOME}/.ssh/known_hosts
And then this on the profiles of ssh key pair managers, such as
seahorse.local:
noblacklist ${HOME}/.ssh
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that
is used by ssh(1). The other paths are only used by sshd(8), so stop
allowing them on ssh.profile and ssh-agent.profile. Path examples from
sshd(8):
* /etc/ssh/moduli
* /etc/ssh/ssh_host_ecdsa_key
* /etc/ssh/ssh_host_ecdsa_key.pub
* /etc/ssh/ssh_known_hosts
* /etc/ssh/sshd_config
* /etc/ssh/sshrc
$ pacman -Q openssh
openssh 8.4p1-2
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is the system-wide equivalent of ~/.ssh/config.
$ pacman -Q openssh
openssh 8.4p1-2
Reasons for blacklisting both /etc/ssh and /etc/ssh/* on
disable-common.inc:
Leave /etc/ssh that way so that profiles without allow-ssh.inc remain
unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that
profiles with allow-ssh.inc are able to access only nonblacklisted files
inside of /etc/ssh.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
And move the scattered `noblacklist ${HOME}/.ssh` entries into it.
Command used to find the relevant files:
$ grep -Fnr 'noblacklist ${HOME}/.ssh' etc
Also, add it to profile.template, as reminded by @rusty-snake at
https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
|
| | |
| | |
| | |
| | | |
See etc/templates/profile.template.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in
disable-programs.inc").
Currently, it's the only ssh-related entry on disable-programs.inc.
Further, it seems that all the other socket blacklists live on
disable-common.inc. Also, even though this socket does not necessarily
allow arbitrary command execution on the local machine (like some paths
on disable-common.inc do), it could still do so for remote systems.
Put it above the "top secret" section, like the terminal sockets are
above the terminal server section.
|
| | |
| | |
| | |
| | | |
…open URL (after update to 0.9.64.2)
|
| |/
|/| |
|
|\ \
| | |
| | | |
Update telegram.profile
|
| | | |
|
| | | |
|
| | |
| | |
| | | |
Optimized "include whitelist-common.inc"
|
| | |
| | |
| | | |
Allow Telegram ONLY in .TelegramDesktop, .local/share/TelegramDesktop and Downloads
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add comment: allow python
* add comment: allow python
* reorder allow comments
* fix perl allow comment
* add comment: allow python
* add comment: allow lua, perl & python
* reorder allow comments
* add comment: allow python
* add comment: allow python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow python
* add comment: allow python
* fix spacing in comments
* add comment: allow python
* add comment: allow python
* fix comment
* add comment: allow perl & python
* add comment: allow lua & python
* add comment: allow lua, perl & python
* fix allow comments
* add comment: allow perl & python
* streamline allow python comments
|
| | | |
|
|\ \ \
| | | |
| | | | |
New profile for CoyIM
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Create nolocal6.net
|
| | |/ /
| |/| | |
|
|\ \ \ \
| | | | |
| | | | | |
Add profile for kdiff3
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
|/ / / / |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* Update vmware.profile
`private-etc` can be uncommented.
* Update vmware.profile
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* fix comment in blackbox.profile
* fix comment in fluxbox.profile
* fix comment in i3.profile
* fix comment in krunner.profile
* fix comment in openbox.profile
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* refactor google-earth{-pro} blacklisting
* fix google-earth-pro.profile
I've included all binaries found in the Arch Linux AUR package to private-bin. But I also added a note on ignoring private-bin because I'm not sure what google-earth is doing on other distro's.
* unbreak google-earth.profile
Not sure why we need grep, ls and sed in private-bin exactly but keeping them around wouldn't hurt too much I guess.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
To solve issue#3907, doc directory of the bibletime has to be
whitelisted. Otherwise, it always fails to start.
Co-authored-by: hhnb <hhnb@nanenient.cc>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* add pkglog to new profiles
* Create pkglog.profile
* Update README.md
* fix ordering in pkglog.profile
* drop extra whitespace in pkglog.profile
|
| | | | |
|
| | | | |
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | | |
hardening: wusc + wruc
fix: settings was immutable
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
/bin/sh is usually just a symlink to bash. However this is not the case
for every distro, debian for example uses dash. bash,dash and sh have a
blacklist command in disable-shell.inc. An own allow-*.inc for it
enusres usage of all necessary nolacklists.
For private-bin sh is enough because it follows symlinks.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* newsboat: add lynx support
* newsboat: fix using sort.py
* newsboat: remove unneeded perms
|
| | |
| | |
| | | |
Thanks @rusty-snake for [spotting](https://github.com/netblue30/firejail/commit/662ebd214b0a7874072381f5aaf3fbd322f0e460) this!
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* add new profile: qnapi
* add new profile: qnapi
* Create qnapi.profile
* add qnapi configs
* Update README.md
* Update README.md
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* new profile: shotwell
* Create shotwell.profile
* new profile: shotwell
* add shotwell blacklists
|
| | |
| | |
| | |
| | |
| | | |
* add new profile: mdr
* Create mdr.profile
|
| | |
| | |
| | |
| | |
| | | |
* Create agetpkg.profile
* new profile: agetpkg
|
| |/
|/|
| |
| |
| |
| |
| | |
* Create lsar.profile
* Create unar.profile
* new profiles lsar & unar
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
|