From 2ec3f3a96508bef3fd8b6b4788557ee19589db05 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann"
Date: Sat, 9 Jan 2021 18:20:38 -0300
Subject: disable-common.inc: add missing openssh paths

The paths are taken from ssh(1) and sshd(8).

    $ pacman -Q openssh
    openssh 8.4p1-2

These are only used by sshd(8), so always blacklist them:

* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on the
  local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

Note: There are files in /etc/ssh that are equivalent to some of the above
ones, but they are already blocked by `blacklist /etc/ssh/*`.

Note2: From sshd(8):

> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.

So even if the user shell is set to /usr/bin/firejail and disable-common.inc
is loaded, this patch shouldn't interfere with sshd.

This file is actually used by ssh(1), so just mark it read-only:

* ~/.ssh/config: allows arbitrary command execution on the remote machine
  (with e.g.: RemoteCommand) and also defines the connection strength

Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2]. This is the conventional path for
storing them[3], so mark it read-only:

* ~/.ssh/config.d: same as above

P.S. See also the explanation on the commit b5542fc94 ("disable-common.inc:
read-only access to ~/.ssh/authorized_keys"), which last touched/added the
"Remote access" section.

[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
---
 etc/inc/disable-common.inc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'etc')
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index e1c930b43..d724e3b52 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc read-only ${HOME}/.zshrc.local # Remote access -read-only ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.rhosts +blacklist ${HOME}/.shosts +blacklist ${HOME}/.ssh/authorized_keys +blacklist ${HOME}/.ssh/authorized_keys2 +blacklist ${HOME}/.ssh/environment +blacklist ${HOME}/.ssh/rc +blacklist /etc/hosts.equiv +read-only ${HOME}/.ssh/config +read-only ${HOME}/.ssh/config.d # Initialization files that allow arbitrary command execution read-only ${HOME}/.caffrc -- cgit v1.2.3-70-g09d2
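Review bot: The new block under `# Remote access` adds seven `blacklist` lines and two `read-only` lines without any in-file note on why the split is made, and the rationale lives only in the commit message; since `authorized_keys` changes from `read-only` to `blacklist` here (the file becomes invisible to the sandbox rather than merely immutable), a one-line comment such as `# sshd-only files: blacklist; ssh(1) client config: read-only` above `blacklist ${HOME}/.rhosts` would keep the next editor from "relaxing" `rc`/`environment` back to `read-only`. One caveat worth recording alongside `read-only ${HOME}/.ssh/config.d`: the commit message itself describes `config.d` as only the conventional location, so an `Include` directive in `~/.ssh/config` can still point at any other writable path inside the sandbox; the `read-only ${HOME}/.ssh/config` line is what actually prevents adding such an `Include`, and the `config.d` line is defence in depth, not a complete cover of includes.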