disable-common.inc: add missing openssh paths

The paths are taken from ssh(1) and sshd(8).

    $ pacman -Q openssh
    openssh 8.4p1-2

These are only used by sshd(8), so always blacklist them:

* ~/.rhosts: controls remote access to the local machine
* ~/.shosts: same as above
* ~/.ssh/authorized_keys: same as above
* ~/.ssh/authorized_keys2: same as above
* ~/.ssh/environment: potentially allows arbitrary command execution on
  the local machine
* ~/.ssh/rc: allows arbitrary command execution on the local machine
* /etc/hosts.equiv: system-wide equivalent of ~/.rhosts

Note: There are files in /etc/ssh that are equivalent to some of the
above ones, but they are already blocked by `blacklist /etc/ssh/*`.

Note 2: From sshd(8):

> If the file ~/.ssh/rc exists, sh(1) runs it after reading the
> environment files but before starting the user's shell or command.

So even if the user shell is set to /usr/bin/firejail and
disable-common.inc is loaded, this patch shouldn't interfere with sshd.

This file is actually used by ssh(1), so just mark it read-only:

* ~/.ssh/config: allows arbitrary command execution on the remote
  machine (with e.g.: RemoteCommand) and also defines the connection
  strength

Since version 7.3p1 (released on 2016-08-01), openssh supports including
other config files on ssh_config(5)[1][2].  This is the conventional
path for storing them[3], so mark it read-only:

* ~/.ssh/config.d: same as above

P.S. See also the explanation on the commit b5542fc94
("disable-common.inc: read-only access to ~/.ssh/authorized_keys"),
which last touched/added the "Remote access" section.

[1]: https://anongit.mindrot.org/openssh.git/commit/?id=dc7990be865450574c7940c9880567f5d2555b37
[2]: https://www.openssh.com/txt/release-7.3
[3]: https://superuser.com/a/1142813
Kelvin M. Klann 2021-01-09 18:20:38 -03:00
parent 90f2d73694
commit 2ec3f3a965


@ -291,7 +291,15 @@ read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
# Remote access
read-only ${HOME}/.ssh/authorized_keys
blacklist ${HOME}/.rhosts
blacklist ${HOME}/.shosts
blacklist ${HOME}/.ssh/authorized_keys
blacklist ${HOME}/.ssh/authorized_keys2
blacklist ${HOME}/.ssh/environment
blacklist ${HOME}/.ssh/rc
blacklist /etc/hosts.equiv
read-only ${HOME}/.ssh/config
read-only ${HOME}/.ssh/config.d
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
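Review bot: the `# Remote access` block now mixes `blacklist` and `read-only` entries with no in-file explanation of why each path gets which treatment; the reasoning (sshd-only files such as `~/.rhosts`, `~/.ssh/rc` and `~/.ssh/environment` are blacklisted because a sandboxed client never needs them, while `~/.ssh/config` and `~/.ssh/config.d` stay readable because ssh(1) consumes them) lives only in the commit message, and the previous `read-only ${HOME}/.ssh/authorized_keys` line is replaced by a `blacklist` entry, which is a behaviour change worth recording next to the rule. Suggest a short comment above the entries, e.g. `# sshd-only files: blacklist; ssh(1) client files: read-only`, so the next person touching this section does not have to find b5542fc94 and this commit to understand the split. A second line noting that `config.d` is only the conventional Include location, and that an `Include` directive pointing elsewhere is not covered by `read-only ${HOME}/.ssh/config.d`, would also help, since the message itself makes that distinction.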