github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 14:56:05 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

disable-common.inc: read-only access to ~/.ssh/authorized_keys

Browse source 
disable-common.inc blacklists whole .ssh, but some profiles (e.g. idea.sh)
unblacklists it to allow git over ssh with public key auth.

But this creates security hole, since firejailed app could modify
~/.ssh/authorized_keys and allow arbitrary code execution on the host with sshd
installed (e.g. ssh localhost and run any program) or even open backdoor for
remote attacker.

This commits disallows write access to ~/.ssh/authorized_keys even if .ssh was
unblacklisted.

Signed-off-by: Alexander GQ Gerasiov <gq@cs.msu.su>
This commit is contained in:
Alexander GQ Gerasiov 2017-12-22 14:00:17 +03:00
parent a51c369b8c
commit b5542fc948
1 changed files with 3 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
etc/disable-common.inc
View file

@ -194,6 +194,9 @@ read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
# Remote access
read-only ${HOME}/.ssh/authorized_keys
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles