From 741dac237cebcf144baee5274df18741558c55c4 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Wed, 11 Oct 2023 07:18:04 -0300
Subject: disable-common.inc: sort suid section
---
 etc/inc/disable-common.inc | 68 +++++++++++++++++++++++-----------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
(limited to 'etc/inc')
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 8dae97fe9..d42ec5964 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -504,6 +504,7 @@ blacklist /usr/sbin
 # system management and various SUID executables
 blacklist ${PATH}/at
+blacklist ${PATH}/bmon
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
@@ -512,71 +513,70 @@ blacklist ${PATH}/crontab
 blacklist ${PATH}/doas
 blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
+blacklist ${PATH}/fping
+blacklist ${PATH}/fping6
 blacklist ${PATH}/fusermount
 blacklist ${PATH}/gksu
 blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/hostname
+#blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
 blacklist ${PATH}/mountpoint
+blacklist ${PATH}/mtr
+blacklist ${PATH}/mtr-packet
 blacklist ${PATH}/nc
-blacklist ${PATH}/nc.traditional
 blacklist ${PATH}/nc.openbsd
+blacklist ${PATH}/nc.traditional
 blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
+blacklist ${PATH}/netstat
+blacklist ${PATH}/networkctl
 blacklist ${PATH}/newgidmap
 blacklist ${PATH}/newgrp
 blacklist ${PATH}/newuidmap
+blacklist ${PATH}/nm-online
+blacklist ${PATH}/nmap
+blacklist ${PATH}/nmcli
+blacklist ${PATH}/nmtui
+blacklist ${PATH}/nmtui-connect
+blacklist ${PATH}/nmtui-edit
+blacklist ${PATH}/nmtui-hostname
 blacklist ${PATH}/ntfs-3g
+blacklist ${PATH}/passwd
+blacklist ${PATH}/physlock
 blacklist ${PATH}/pkexec
+blacklist ${PATH}/pmount
 blacklist ${PATH}/procmail
+blacklist ${PATH}/pumount
+blacklist ${PATH}/schroot
 blacklist ${PATH}/sg
+blacklist ${PATH}/slock
+blacklist ${PATH}/ss
 blacklist ${PATH}/strace
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
+blacklist ${PATH}/suexec
 blacklist ${PATH}/tcpdump
+blacklist ${PATH}/traceroute
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/wshowkeys
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
-blacklist /usr/lib/openssh
-blacklist /usr/lib/ssh
-blacklist /usr/libexec/openssh
-blacklist ${PATH}/passwd
-blacklist /usr/lib/xorg/Xorg.wrap
-blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/chromium/chrome-sandbox
 blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 blacklist /usr/lib/eject/dmcrypt-get-device
-blacklist /usr/lib/chromium/chrome-sandbox
+blacklist /usr/lib/openssh
 blacklist /usr/lib/opera/opera_sandbox
-blacklist /usr/lib/vmware
-blacklist ${PATH}/suexec
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
 blacklist /usr/lib/squid/basic_pam_auth
-blacklist ${PATH}/slock
-blacklist ${PATH}/physlock
-blacklist ${PATH}/schroot
-blacklist ${PATH}/wshowkeys
-blacklist ${PATH}/pmount
-blacklist ${PATH}/pumount
-blacklist ${PATH}/bmon
-blacklist ${PATH}/fping
-blacklist ${PATH}/fping6
-blacklist ${PATH}/hostname
-#blacklist ${PATH}/ip # breaks --ip=dhcp
-blacklist ${PATH}/mtr
-blacklist ${PATH}/mtr-packet
-blacklist ${PATH}/netstat
-blacklist ${PATH}/nm-online
-blacklist ${PATH}/nmcli
-blacklist ${PATH}/nmtui
-blacklist ${PATH}/nmtui-connect
-blacklist ${PATH}/nmtui-edit
-blacklist ${PATH}/nmtui-hostname
-blacklist ${PATH}/networkctl
-blacklist ${PATH}/ss
-blacklist ${PATH}/traceroute
+blacklist /usr/lib/ssh
+blacklist /usr/lib/vmware
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/libexec/openssh
 # since firejail version 0.9.73
 blacklist ${PATH}/dpkg*
 blacklist ${PATH}/apt*
-- cgit v1.2.3-70-g09d2
From c4f5a07d20d989c1155fcd0fb863bbaa5d6ab36a Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Wed, 11 Oct 2023 07:20:04 -0300
Subject: disable-common.inc: add more suid programs
Programs:
$ pacman -Qo fusermount3 groupmems mount.cifs wall write
/usr/bin/fusermount3 is owned by fuse3 3.16.1-1
/usr/bin/groupmems is owned by shadow 4.14.0-4
/usr/bin/mount.cifs is owned by cifs-utils 7.0-3
/usr/bin/wall is owned by util-linux 2.39.2-1
/usr/bin/write is owned by util-linux 2.39.2-1
---
 etc/inc/disable-common.inc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'etc/inc')
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d42ec5964..021c5bd20 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -515,16 +515,17 @@ blacklist ${PATH}/evtest
 blacklist ${PATH}/expiry
 blacklist ${PATH}/fping
 blacklist ${PATH}/fping6
-blacklist ${PATH}/fusermount
+blacklist ${PATH}/fusermount*
 blacklist ${PATH}/gksu
 blacklist ${PATH}/gksudo
 blacklist ${PATH}/gpasswd
+blacklist ${PATH}/groupmems
 blacklist ${PATH}/hostname
 #blacklist ${PATH}/ip # breaks --ip=dhcp
 blacklist ${PATH}/kdesudo
 blacklist ${PATH}/ksu
 blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
+blacklist ${PATH}/mount.*
 blacklist ${PATH}/mountpoint
 blacklist ${PATH}/mtr
 blacklist ${PATH}/mtr-packet
@@ -563,6 +564,8 @@ blacklist ${PATH}/tcpdump
 blacklist ${PATH}/traceroute
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
+blacklist ${PATH}/wall
+blacklist ${PATH}/write
 blacklist ${PATH}/wshowkeys
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
-- cgit v1.2.3-70-g09d2
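Review bot: The replacement `blacklist ${PATH}/mount.*` widens the rule from one named helper to every `mount.*` helper on PATH (the commit message grounds this with mount.cifs, and mount.ecryptfs_private still matches), but nothing in the profile records that intent, unlike the `#blacklist ${PATH}/ip # breaks --ip=dhcp` line a few entries above it. A comment on its own line above the rule, such as `# mount helpers (mount.cifs, mount.ecryptfs_private, ...)`, would tell the next editor that the glob is deliberate and which programs it was meant to catch; the same applies to `fusermount*`, which the message ties to fusermount3 from fuse3. Whether firejail accepts a trailing `# ...` on an active blacklist line cannot be told from this hunk, so a standalone comment line is the safer form. The `# system management and various SUID executables` heading this hunk belongs to lies outside the hunk.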