From add6ee8c23bc500c27ba9e4258be8d0f7a26945e Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 21 Jan 2021 04:37:34 -0300
Subject: ssh: move auth socket blacklist to disable-common.inc
That was added on the commit e93fbf3bd ("disable ssh-agent sockets in disable-programs.inc"). Currently, it's the only ssh-related entry on disable-programs.inc. Further, it seems that all the other socket blacklists live on disable-common.inc. Also, even though this socket does not necessarily allow arbitrary command execution on the local machine (like some paths on disable-common.inc do), it could still do so for remote systems. Put it above the "top secret" section, like the terminal sockets are above the terminal server section.
---
 etc/inc/disable-common.inc | 3 +++
 etc/inc/disable-programs.inc | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 0de539d57..eeafe3ec4 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -347,6 +347,9 @@ read-only ${HOME}/.local/share/mime
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
+# prevent access to ssh-agent
+blacklist /tmp/ssh-*
+
 # top secret
 blacklist ${HOME}/*.kdb
 blacklist ${HOME}/*.kdbx
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 74cbfbcbe..2ef40b23a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -856,7 +856,6 @@ blacklist ${HOME}/.yarncache
 blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
-blacklist /tmp/ssh-*
 blacklist /tmp/.wine-*
 blacklist /var/games/nethack
 blacklist /var/games/slashem
-- cgit v1.2.3-70-g09d2
From e607096c7548f9ba3fff816191f5ecef238fa89f Mon Sep 17 00:00:00 2001
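Review bot: The new `blacklist /tmp/ssh-*` in the disable-common.inc hunk only catches agents whose socket directory is created under /tmp, which is the ssh-agent(1) default; agents that place their socket under ${RUNUSER} (some keyring daemons and systemd user units do, as far as I know) are not covered by this glob unless another rule elsewhere in the file handles them. The comment should say so, e.g. `# prevent access to ssh-agent (default socket dir under /tmp only)`, so readers do not take the entry as a general agent block.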
From: "Kelvin M. Klann"
Date: Wed, 27 Jan 2021 17:56:46 -0300
Subject: git-cola.profile: add missing python template comment
See etc/templates/profile.template.
---
 etc/profile-a-l/git-cola.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 4708078dd..84e6fc486 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -18,6 +18,7 @@ noblacklist ${HOME}/.config/git-cola
 # Put your editor,diff viewer config path below and uncomment to load settings
 # noblacklist ${HOME}/
+# Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
-- cgit v1.2.3-70-g09d2
From 83ac0239722f85ffed15e3b6b6088bfff547ac1b Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 21:41:43 -0300
Subject: etc: add allow-ssh.inc
And move the scattered `noblacklist ${HOME}/.ssh` entries into it. Command used to find the relevant files: $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
---
 etc/inc/allow-ssh.inc | 5 +++++
 etc/profile-a-l/android-studio.profile | 4 +++-
 etc/profile-a-l/aosp.profile | 4 +++-
 etc/profile-a-l/clion.profile | 4 +++-
 etc/profile-a-l/filezilla.profile | 4 +++-
 etc/profile-a-l/git-cola.profile | 4 +++-
 etc/profile-a-l/git.profile | 4 +++-
 etc/profile-a-l/gitg.profile | 4 +++-
 etc/profile-a-l/idea.sh.profile | 4 +++-
 etc/profile-m-z/meld.profile | 4 +++-
 etc/profile-m-z/remmina.profile | 4 +++-
 etc/profile-m-z/seahorse.profile | 4 +++-
 etc/profile-m-z/ssh-agent.profile | 4 +++-
 etc/profile-m-z/ssh.profile | 4 +++-
 etc/profile-m-z/webstorm.profile | 4 +++-
 etc/profile-m-z/x2goclient.profile | 4 +++-
 etc/templates/profile.template | 3 +++
 17 files changed, 53 insertions(+), 15 deletions(-)
 create mode 100644 etc/inc/allow-ssh.inc
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
new file mode 100644
index 000000000..2e864ad64
--- /dev/null
+++ b/etc/inc/allow-ssh.inc
@@ -0,0 +1,5 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ssh.local
+
+noblacklist ${HOME}/.ssh
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2e4e564dd..2cdd3a90c 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index a5b1ba9f1..e7b09283e 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -11,12 +11,14 @@ noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.repo_.gitconfig.json
 noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index b27d93684..09246ccbc 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
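Review bot: allow-ssh.inc lifts the blacklist on `${HOME}/.ssh` as a whole, private key files included, yet neither its header nor the per-profile comment says what the include grants or that it must come before `include disable-common.inc` (a noblacklist only exempts blacklist rules that follow it, which is why every hunk in this commit places the include above that line). I would add after the header something like `# Lifts the blacklist on ${HOME}/.ssh as a whole, private keys included; include this file before disable-common.inc.` so that authors copying the template know the scope of what they are enabling.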
@@ -11,9 +11,11 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 43e877fd0..728929638 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,12 +8,14 @@ include globals.local
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
-noblacklist ${HOME}/.ssh
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 84e6fc486..312655b9b 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -11,7 +11,6 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
@@ -22,6 +21,9 @@ noblacklist ${HOME}/.config/git-cola
 include allow-python2.inc
 include allow-python3.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index e5a2f3985..aefb2917d 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -15,10 +15,12 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 3d80c1ed2..93b90eb9e 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -10,7 +10,9 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/gitg
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index a7d0d531f..0a048a38a 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.android
 noblacklist ${HOME}/.jack-server
 noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 6ceeb867f..a5c74047a 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -18,7 +18,6 @@ noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -27,6 +26,9 @@ include allow-python3.inc
 # Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
 #include allow-python2.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 6311c91df..d4c7bdf31 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -9,7 +9,9 @@ include globals.local
 noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 8bb1f53a7..0f91c79ec 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,9 +9,11 @@ include globals.local
 blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.ssh
 noblacklist /tmp/ssh-*
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 01b63d3ce..d2e2b3408 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -8,7 +8,9 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index e3e2b4541..efdf63976 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -9,11 +9,13 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..a4adf2896 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -8,12 +8,14 @@ include globals.local
 noblacklist ${HOME}/.WebStorm*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.tooling
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index bc9603835..6146016b2 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,10 +6,12 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.x2go
 noblacklist ${HOME}/.x2goclient
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 3d37fc827..9435fffae 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -103,6 +103,9 @@ include globals.local
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
 #include disable-common.inc
 #include disable-devel.inc
 #include disable-exec.inc
-- cgit v1.2.3-70-g09d2
From 3849e1201d4e076af4039a1400e05be2006630e5 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 21:43:57 -0300
Subject: allow-ssh.inc: allow /etc/ssh/ssh_config
This is the system-wide equivalent of ~/.ssh/config. $ pacman -Q openssh openssh 8.4p1-2 Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc: Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
---
 etc/inc/allow-ssh.inc | 2 ++
 etc/inc/disable-common.inc | 1 +
 etc/profile-m-z/ssh-agent.profile | 2 +-
 etc/profile-m-z/ssh.profile | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 2e864ad64..48b1f91ba 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -3,3 +3,5 @@
 include allow-ssh.local
 noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index eeafe3ec4..e1c930b43 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -396,6 +396,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index d2e2b3408..0b7caed7d 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
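Review bot: The allow-ssh.inc hunk exposes only /etc/ssh/ssh_config, but ssh(1) also reads /etc/ssh/ssh_known_hosts (the system-wide list of known host keys), and with `blacklist /etc/ssh/*` now in disable-common.inc that file stays hidden from every profile that includes allow-ssh.inc, so hosts whose keys are listed only there fall back to the per-user known_hosts or a first-use prompt. I would add `noblacklist /etc/ssh/ssh_known_hosts` next to the ssh_config entry; distributions whose ssh_config carries an `Include /etc/ssh/ssh_config.d/*.conf` line need that directory exposed as well. The reasoning that `noblacklist /etc/ssh` only makes the directory visible while `/etc/ssh/*` stays blocked lives only in the commit message and depends on noblacklist matching the exact globbed path rather than a prefix (worth confirming); a one-line comment in allow-ssh.inc stating that intent would save the next reader a trip to git log.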
@@ -6,7 +6,7 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index efdf63976..eb7bc3ec5 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,7 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
-- cgit v1.2.3-70-g09d2
From f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sun, 10 Jan 2021 14:29:14 -0300
Subject: ssh: deny access to the rest of /etc/ssh/*
ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that is used by ssh(1). The other paths are only used by sshd(8), so stop allowing them on ssh.profile and ssh-agent.profile. Path examples from sshd(8): * /etc/ssh/moduli * /etc/ssh/ssh_host_ecdsa_key * /etc/ssh/ssh_host_ecdsa_key.pub * /etc/ssh/ssh_known_hosts * /etc/ssh/sshd_config * /etc/ssh/sshrc $ pacman -Q openssh openssh 8.4p1-2
---
 etc/profile-m-z/ssh-agent.profile | 1 -
 etc/profile-m-z/ssh.profile | 1 -
 2 files changed, 2 deletions(-)
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 0b7caed7d..60c7b510c 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index eb7bc3ec5..3ddd96df4 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
-- cgit v1.2.3-70-g09d2
From 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 11 Jan 2021 02:54:28 -0300
Subject: allow-ssh.inc: allow access to ssh-agent(1)
Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh
---
 etc/inc/allow-ssh.inc | 1 +
 etc/profile-m-z/seahorse.profile | 1 -
 etc/profile-m-z/ssh-agent.profile | 2 --
 etc/profile-m-z/ssh.profile | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 48b1f91ba..67c78a483 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,3 +5,4 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 0f91c79ec..065409e78 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
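Review bot: Adding `noblacklist /tmp/ssh-*` to allow-ssh.inc hands the agent socket to every profile that includes the file (the IDEs, meld, gitg, remmina, x2goclient and the others from the earlier commit), not just ssh, ssh-agent and seahorse, and a program that can reach the socket can authenticate with every key the agent holds for as long as it runs. That trade-off is recorded only in the commit message; I would state it in the file itself, e.g. `# ssh-agent socket: lets the sandboxed program sign with every key loaded in the agent`, and point to allow-ssh.local as the place to `ignore` the entry for profiles that do not need agent access.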
@@ -9,7 +9,6 @@ include globals.local
 blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
-noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 60c7b510c..5802299a3 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,8 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /tmp/ssh-*
-
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 3ddd96df4..641c3a79d 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
-- cgit v1.2.3-70-g09d2
From 2ec3f3a96508bef3fd8b6b4788557ee19589db05 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 18:20:38 -0300
Subject: disable-common.inc: add missing openssh paths
The paths are taken from ssh(1) and sshd(8). $ pacman -Q openssh openssh 8.4p1-2 These are only used by sshd(8), so always blacklist them: * ~/.rhosts: controls remote access to the local machine * ~/.shosts: same as above * ~/.ssh/authorized_keys: same as above * ~/.ssh/authorized_keys2: same as above * ~/.ssh/environment: potentially allows arbitrary command execution on the local machine * ~/.ssh/rc: allows arbitrary command execution on the local machine * /etc/hosts.equiv: system-wide equivalent of ~/.rhosts Note: There are files in /etc/ssh that are equivalent to some of the above ones, but they are already blocked by `blacklist /etc/ssh/*`. Note2: From sshd(8): > If the file ~/.ssh/rc exists, sh(1) runs it after reading the > environment files but before starting the user's shell or command. So even if the user shell is set to /usr/bin/firejail and disable-common.inc is loaded, this patch shouldn't interfere with sshd. This file is actually used by ssh(1), so just mark it read-only: * ~/.ssh/config: allows arbitrary command execution on the remote machine (with e.g.: RemoteCommand) and also defines the connection strength Since version 7.3p1 (released on 2016-08-01), openssh supports including other config files on ssh_config(5)[1][2]. This is the conventional path for storing them[3], so mark it read-only: * ~/.ssh/config.d: same as above P.S. See also the explanation on the commit b5542fc94 ("disable-common.inc: read-only access to ~/.ssh/authorized_keys"), which last touched/added the "Remote access" section. [1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37 [2]: https://www.openssh.com/txt/release-7.3 [3]: https://superuser.com/a/1142813
---
 etc/inc/disable-common.inc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index e1c930b43..d724e3b52 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 # Remote access
-read-only ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.rhosts
+blacklist ${HOME}/.shosts
+blacklist ${HOME}/.ssh/authorized_keys
+blacklist ${HOME}/.ssh/authorized_keys2
+blacklist ${HOME}/.ssh/environment
+blacklist ${HOME}/.ssh/rc
+blacklist /etc/hosts.equiv
+read-only ${HOME}/.ssh/config
+read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
-- cgit v1.2.3-70-g09d2
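Review bot: The new blacklist and read-only lines for ~/.ssh/rc, ~/.ssh/environment, ~/.ssh/authorized_keys and ~/.ssh/config protect those paths only when they already exist at sandbox start; as far as I know firejail silently skips blacklist and read-only targets that are absent, so a profile that includes allow-ssh.inc (`noblacklist ${HOME}/.ssh`) could still create ~/.ssh/rc or ~/.ssh/config from inside the sandbox for a user who has none (worth confirming against the mount code). A comment in the section should record that limit, e.g. `# NOTE: these rules only take effect for paths that exist when the sandbox starts`, and profiles that merely read ssh configuration can close the gap with `read-only ${HOME}/.ssh` in their .local file.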