From 83ac0239722f85ffed15e3b6b6088bfff547ac1b Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 21:41:43 -0300
Subject: etc: add allow-ssh.inc

And move the scattered `noblacklist ${HOME}/.ssh` entries into it. Command used to find the relevant files: $ grep -Fnr 'noblacklist ${HOME}/.ssh' etc Also, add it to profile.template, as reminded by @rusty-snake at https://github.com/netblue30/firejail/pull/3885#pullrequestreview-567527031
---
 etc/profile-m-z/ssh-agent.profile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'etc/profile-m-z/ssh-agent.profile')
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 01b63d3ce..d2e2b3408 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -8,7 +8,9 @@ include globals.local
 noblacklist /etc/ssh
 noblacklist /tmp/ssh-*
-noblacklist ${HOME}/.ssh
+
+# Allow ssh (blacklisted by disable-common.inc)
+include allow-ssh.inc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
-- 
cgit v1.2.3-54-g00ecf
From 3849e1201d4e076af4039a1400e05be2006630e5 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 21:43:57 -0300
Subject: allow-ssh.inc: allow /etc/ssh/ssh_config

This is the system-wide equivalent of ~/.ssh/config. $ pacman -Q openssh openssh 8.4p1-2 Reasons for blacklisting both /etc/ssh and /etc/ssh/* on disable-common.inc: Leave /etc/ssh that way so that profiles without allow-ssh.inc remain unable to see inside of /etc/ssh. And blacklist /etc/ssh/* so that profiles with allow-ssh.inc are able to access only nonblacklisted files inside of /etc/ssh.
---
 etc/inc/allow-ssh.inc | 2 ++
 etc/inc/disable-common.inc | 1 +
 etc/profile-m-z/ssh-agent.profile | 2 +-
 etc/profile-m-z/ssh.profile | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)
(limited to 'etc/profile-m-z/ssh-agent.profile')
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 2e864ad64..48b1f91ba 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -3,3 +3,5 @@
 include allow-ssh.local
 noblacklist ${HOME}/.ssh
+noblacklist /etc/ssh
+noblacklist /etc/ssh/ssh_config
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index eeafe3ec4..e1c930b43 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -396,6 +396,7 @@ blacklist /etc/shadow
 blacklist /etc/shadow+
 blacklist /etc/shadow-
 blacklist /etc/ssh
+blacklist /etc/ssh/*
 blacklist /home/.ecryptfs
 blacklist /home/.fscrypt
 blacklist /var/backup
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index d2e2b3408..0b7caed7d 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,7 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index efdf63976..eb7bc3ec5 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,7 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh
+noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
-- 
cgit v1.2.3-54-g00ecf
From f8df786908bb9e4c8a5ec6b65e4a7b0b178954e1 Mon Sep 17 00:00:00 2001
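Review bot: The allow-list added to allow-ssh.inc names only `/etc/ssh/ssh_config`, but ssh(1) also reads the system-wide host key list `/etc/ssh/ssh_known_hosts` by default, and with `blacklist /etc/ssh/*` added to disable-common.inc in this same commit that file stays hidden from every profile that relies on allow-ssh.inc. Host keys pinned there by an administrator would then be invisible inside the sandbox and the user falls back to trust-on-first-use prompts, which weakens host verification. Consider adding `noblacklist /etc/ssh/ssh_known_hosts`, and, for distributions whose ssh_config includes a drop-in directory, `noblacklist /etc/ssh/ssh_config.d`. Both hold public, non-secret data, so allowing them does not reopen the host private keys that the glob is meant to hide.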
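Review bot: The pair `blacklist /etc/ssh` and `blacklist /etc/ssh/*` in disable-common.inc looks redundant to anyone who reads the file without the commit message, and a later cleanup that drops the glob line would expose everything under /etc/ssh (sshd_config, host keys) to any profile that includes allow-ssh.inc. A comment above the new line would record the dependency, for example `# Keep both: allow-ssh.inc un-blacklists the directory itself; the glob keeps its contents hidden`. It is also worth confirming when the `*` is expanded: if it is resolved once at sandbox start, which this hunk does not show, files created in /etc/ssh afterwards would not be covered.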
From: "Kelvin M. Klann"
Date: Sun, 10 Jan 2021 14:29:14 -0300
Subject: ssh: deny access to the rest of /etc/ssh/*

ssh_config (allowed on allow-ssh.inc) is the only file in /etc/ssh that is used by ssh(1). The other paths are only used by sshd(8), so stop allowing them on ssh.profile and ssh-agent.profile. Path examples from sshd(8): * /etc/ssh/moduli * /etc/ssh/ssh_host_ecdsa_key * /etc/ssh/ssh_host_ecdsa_key.pub * /etc/ssh/ssh_known_hosts * /etc/ssh/sshd_config * /etc/ssh/sshrc $ pacman -Q openssh openssh 8.4p1-2
---
 etc/profile-m-z/ssh-agent.profile | 1 -
 etc/profile-m-z/ssh.profile | 1 -
 2 files changed, 2 deletions(-)
(limited to 'etc/profile-m-z/ssh-agent.profile')
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 0b7caed7d..60c7b510c 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,7 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index eb7bc3ec5..3ddd96df4 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /etc/ssh/*
 noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
-- 
cgit v1.2.3-54-g00ecf
From 90f2d736948ae069fc8d43d2fe5566b0c2c70b59 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 11 Jan 2021 02:54:28 -0300
Subject: allow-ssh.inc: allow access to ssh-agent(1)

Leaving it limited to only ssh, ssh-agent and seahorse by default seems unnecessarily restrictive. From ssh(1): > The most convenient way to use public key or certificate > authentication may be with an authentication agent. See ssh-agent(1) > and (optionally) the AddKeysToAgent directive in ssh_config(5) for > more information. $ pacman -Q openssh openssh 8.4p1-2 With ssh-agent(1) running in the background (and with the private key(s) loaded through ssh-add(1)), ssh(1) doesn't need direct access to the actual key pair(s), so you could probably get away with this on allow-ssh.local: ignore noblacklist ${HOME}/.ssh noblacklist ${HOME}/.ssh/config noblacklist ${HOME}/.ssh/config.d noblacklist ${HOME}/.ssh/known_hosts And then this on the profiles of ssh key pair managers, such as seahorse.local: noblacklist ${HOME}/.ssh
---
 etc/inc/allow-ssh.inc | 1 +
 etc/profile-m-z/seahorse.profile | 1 -
 etc/profile-m-z/ssh-agent.profile | 2 --
 etc/profile-m-z/ssh.profile | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)
(limited to 'etc/profile-m-z/ssh-agent.profile')
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 48b1f91ba..67c78a483 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,3 +5,4 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
+noblacklist /tmp/ssh-*
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 0f91c79ec..065409e78 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -9,7 +9,6 @@ include globals.local
 blacklist /tmp/.X11-unix
 noblacklist ${HOME}/.gnupg
-noblacklist /tmp/ssh-*
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 60c7b510c..5802299a3 100644
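Review bot: Adding `noblacklist /tmp/ssh-*` to allow-ssh.inc gives every profile that includes it a path to the ssh-agent socket, and a process that can talk to the agent can ask it to sign with any loaded key even when `${HOME}/.ssh` itself is locked down as the commit message suggests. That trade-off deserves a comment in the file, for example `# ssh-agent socket: grants use of all loaded keys, not just visibility of a path`, so users know what to `ignore` in allow-ssh.local. Loading keys with confirmation (`ssh-add -c`) limits the exposure and could be mentioned alongside. The pattern also matches only the default OpenSSH agent socket location, so agents that place SSH_AUTH_SOCK elsewhere are neither allowed nor restricted by this line.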
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -6,8 +6,6 @@ include ssh-agent.local
 # Persistent global definitions
 include globals.local
-noblacklist /tmp/ssh-*
-
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 3ddd96df4..641c3a79d 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -7,7 +7,6 @@ include ssh.local
 # Persistent global definitions
 include globals.local
-noblacklist /tmp/ssh-*
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
-- 
cgit v1.2.3-54-g00ecf