From 437043c9ddb812d6c4c31b9d373443ec003f7dc4 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Wed, 10 Nov 2021 10:24:15 +0000 Subject: fixes for ssh After seeing https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99 it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there's version differences on non-rolling distros to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths. --- etc/inc/allow-ssh.inc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'etc/inc') diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc index a78798a18..8995e5a74 100644 --- a/etc/inc/allow-ssh.inc +++ b/etc/inc/allow-ssh.inc @@ -5,6 +5,9 @@ include allow-ssh.local noblacklist ${HOME}/.ssh noblacklist /etc/ssh noblacklist /etc/ssh/ssh_config -noblacklist /tmp/ssh-* noblacklist ${PATH}/ssh -noblacklist /usr/lib/openssh/ssh-keysign +noblacklist /tmp/ssh-* +# Debian/Ubuntu and derivatives +noblacklist /usr/lib/openssh +# Arch Linux and derivatives +noblacklist /usr/lib/ssh -- cgit v1.2.3-70-g09d2
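
Review bot: the new `noblacklist /usr/lib/openssh` and `noblacklist /usr/lib/ssh` lines at the end of the hunk widen the exemption from the single file `/usr/lib/openssh/ssh-keysign` to everything under both directories, so every profile that includes allow-ssh.inc is now exempted for whatever else a distribution ships there. The added comments name the distributions but not that trade-off; I would add a one-line comment stating that the directory-wide entry is deliberate because per-distro and per-version layouts differ. Please also confirm that the matching blacklist entries in disable-common.inc, which the message mentions but this view (limited to etc/inc, one file changed) does not show, name the same two directory paths. The move of `noblacklist /tmp/ssh-*` below `${PATH}/ssh` reads as a pure reorder and could be dropped to keep the diff minimal.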