From d681e0e2d9548c56bf67131b9fe4a75d8e1b9060 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 4 Nov 2021 14:35:08 -0400
Subject: adding more SUID executables to disable-common.inc
---
 etc/inc/disable-common.inc | 8 +++++++-
 etc/profile-m-z/ssh-agent.profile | 1 +
 etc/profile-m-z/ssh.profile | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ae84ee38a..f3d685d18 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -458,7 +458,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -493,6 +493,12 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+blacklist /usr/lib/openssh/ssh-keysign
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 11723664f..9d3fe9637 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -11,6 +11,7 @@ include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+noblacklist /usr/lib/openssh/ssh-keysign
 
 include disable-common.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..194b2082c 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
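Review bot: The six added `blacklist` lines in the second disable-common.inc hunk form an unsorted run after `blacklist ${PATH}/xinput`, while the surrounding `${PATH}` entries are alphabetical and the file already has a `# other SUID binaries` section immediately below for absolute-path helpers such as `/usr/lib/virtualbox`. I would move `blacklist ${PATH}/passwd` into its alphabetical slot among the existing `${PATH}` entries and put the five `/usr/lib/...` lines under `# other SUID binaries`, so the next SUID helper lands in one predictable place. The absolute paths also look distribution-specific (the `/usr/lib/openssh` and `/usr/lib/policykit-1` prefixes appear Debian-derived); if this include is meant to be portable, the same helpers installed under other prefixes such as `/usr/libexec` would presumably need their own entries, since a `blacklist` on a path that does not exist is, as far as I can tell, simply a no-op and leaves that binary reachable without any warning.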
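Review bot: The new `noblacklist /usr/lib/openssh/ssh-keysign` in ssh-agent.profile carries no comment saying why a setuid helper is being re-exposed, whereas the existing exemptions nearby in ssh.profile are explained (`# nc can be used as ProxyCommand, e.g. when using tor`); the same applies to the identical line in the ssh.profile hunk. ssh-keysign is the OpenSSH helper used for host-based authentication, so a one-line note such as `# ssh-keysign (setuid) is needed for HostbasedAuthentication` would tell the next maintainer what the exemption is for and when it can be dropped. It is also worth confirming that the rest of the profile, which is outside this hunk, still lets the helper do its job: if the sandbox runs with no-new-privs, a setuid binary cannot gain the privilege it needs, and the exemption would then only widen the reachable file set without enabling the feature.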
@@ -10,6 +10,7 @@ include globals.local
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+noblacklist /usr/lib/openssh/ssh-keysign
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-- 
cgit v1.2.3-70-g09d2
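Review bot: The `noblacklist /usr/lib/openssh/ssh-keysign` exemption only takes effect if it precedes the `include disable-common.inc` that blacklists the same path, and that include is not in this hunk; the ssh-agent.profile hunk shows the intended order (noblacklist above the disable-*.inc includes), so please confirm ssh.profile matches, since a misplaced exemption fails silently rather than erroring. Because both the blacklist and this exemption name the Debian install location, the helper presumably stays blocked on distributions that ship ssh-keysign elsewhere; if alternative paths are added to disable-common.inc later, the corresponding `noblacklist` lines in ssh.profile and ssh-agent.profile will need to be kept in step.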