github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3927] [INFO] Whitelist ssh_config #2456

New issue

Closed

opened 2026-05-05 09:08:27 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 09:08:27 -06:00

Owner

Originally created by @rgomez-eng on GitHub (Jan 29, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3927

We are using firejail for very specific use case, only for jailed shell and access to basic tools inside the host for multiple users. Therefor we don't configure any profile. Always used the default.

We created a custom2020.inc and added it to default.profile right after the include globals.local with include custom2020.inc

The file content is the following.

noblacklist /etc/ssh
whitelist /etc/ssh/ssh_config
read-only /etc/ssh/ssh_config

As /etc/ssh is blacklisted on the include disable-common.inc and I would like to have the system-wide ssh_config file available for all users there is a need to have it readable.

However the blacklist /etc/ssh that comes after by the include disable-common.inc I would expect it to be blacklisting all the other files again.

I guess something is wrong in the file and the settings order.

Originally created by @rgomez-eng on GitHub (Jan 29, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3927 We are using firejail for very specific use case, only for jailed shell and access to basic tools inside the host for multiple users. Therefor we don't configure any profile. Always used the default. We created a `custom2020.inc` and added it to `default.profile` right after the `include globals.local` with `include custom2020.inc` The file content is the following. > noblacklist /etc/ssh > whitelist /etc/ssh/ssh_config > read-only /etc/ssh/ssh_config As `/etc/ssh` is blacklisted on the `include disable-common.inc` and I would like to have the system-wide `ssh_config` file available for all users there is a need to have it readable. However the `blacklist /etc/ssh` that comes after by the `include disable-common.inc` I would expect it to be blacklisting all the other files again. I guess something is wrong in the file and the settings order.

gitea-mirror

2026-05-05 09:08:27 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 09:08:29 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 29, 2021):

However the blacklist /etc/ssh that comes after by the include disable-common.inc I would expect it to be blacklisting all the other files again.

blacklist /etc/ssh means blacklist /etc/ssh and not blacklist /etc/ssh/* so only that directory is blacklisted. If you the add a noblacklist the blacklist is ognored.

whitelist /etc/ssh/ssh_config

This means /etc/ssh/ssh_config will be the only file in /etc, no passwd, ssl, pki, bashrc, wgetrc, vimrc, crypto-policies, fonts, machine-id, … .

I guess something is wrong in the file and the settings order.

This is probably what you want:

noblacklist /etc/ssh/ssh_config
blacklist /etc/ssh/*
noblacklist /etc/ssh

Allow /etc/ssh/ssh_config but blacklist everything else in /etc/ssh (when the sandbox is started).

@rusty-snake commented on GitHub (Jan 29, 2021): > However the blacklist /etc/ssh that comes after by the include disable-common.inc I would expect it to be blacklisting all the other files again. `blacklist /etc/ssh` _means_ `blacklist /etc/ssh` and not `blacklist /etc/ssh/*` so only that directory is blacklisted. If you the add a `noblacklist` the `blacklist` is ognored. > whitelist /etc/ssh/ssh_config This means `/etc/ssh/ssh_config` will be the only file in `/etc`, no passwd, ssl, pki, bashrc, wgetrc, vimrc, crypto-policies, fonts, machine-id, … . > I guess something is wrong in the file and the settings order. This is probably what you want: ``` noblacklist /etc/ssh/ssh_config blacklist /etc/ssh/* noblacklist /etc/ssh ``` Allow `/etc/ssh/ssh_config` but blacklist everything else in `/etc/ssh` (when the sandbox is started).

gitea-mirror commented

2026-05-05 09:08:30 -06:00

Author

Owner

@kmk3 commented on GitHub (Jan 29, 2021):

@rgomez-eng commented 1 hour ago:

As /etc/ssh is blacklisted on the include disable-common.inc and I would
like to have the system-wide ssh_config file available for all users there
is a need to have it readable.

Hello, allowing ssh_config is part of #3885; see commit 3849e1201
("allow-ssh.inc: allow /etc/ssh/ssh_config"). The only difference is that it's
done with blacklisting rather than whitelisting (just like the rest of
disable-common.inc).

@rusty-snake commented 44 minutes ago:

This is probably what you want:
noblacklist /etc/ssh/ssh_config
blacklist /etc/ssh/*
noblacklist /etc/ssh
Allow /etc/ssh/ssh_config but blacklist everything else in /etc/ssh (when
the sandbox is started).

That commit does essentially this (I guess I did it right then :p)

@kmk3 commented on GitHub (Jan 29, 2021): @rgomez-eng commented 1 hour ago: > As `/etc/ssh` is blacklisted on the `include disable-common.inc` and I would > like to have the system-wide `ssh_config` file available for all users there > is a need to have it readable. Hello, allowing ssh_config is part of #3885; see commit 3849e1201 ("allow-ssh.inc: allow /etc/ssh/ssh_config"). The only difference is that it's done with blacklisting rather than whitelisting (just like the rest of disable-common.inc). @rusty-snake commented 44 minutes ago: > This is probably what you want: > > ``` > noblacklist /etc/ssh/ssh_config > blacklist /etc/ssh/* > noblacklist /etc/ssh > ``` > > Allow `/etc/ssh/ssh_config` but blacklist everything else in `/etc/ssh` (when > the sandbox is started). That commit does essentially this (I guess I did it right then :p)

gitea-mirror commented

2026-05-05 09:08:31 -06:00

Author

Owner

@rgomez-eng commented on GitHub (Jan 29, 2021):

Thank you @rusty-snake worked like I charm. Also I think I got better understanding now.

@kmk3 good job

@rgomez-eng commented on GitHub (Jan 29, 2021): Thank you @rusty-snake worked like I charm. Also I think I got better understanding now. @kmk3 good job

gitea-mirror referenced this issue

2026-05-05 10:17:56 -06:00

[PR #2456] [MERGED] Harden exiftool.profile #4323

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2456

No description provided.

Rows
Columns