[PR #7059] [MERGED] profiles: fix allowing netcat #6296

Closed
opened 2026-05-05 10:54:17 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/7059
Author: @kmk3
Created: 2/10/2026
Status: Merged
Merged: 2/11/2026
Merged by: @kmk3

Base: master ← Head: profiles-fix-netcat


📝 Commits (1)

  • d043028 profiles: fix allowing netcat

📊 Changes

2 files changed (+5 additions, -0 deletions)


📝 etc/profile-m-z/playonlinux.profile (+3 -0)
📝 etc/profile-m-z/ssh.profile (+2 -0)

📄 Description

disable-common.inc has these lines:

blacklist ${PATH}/nc
blacklist ${PATH}/nc.openbsd
blacklist ${PATH}/nc.traditional
blacklist ${PATH}/ncat

With openbsd-netcat on Artix, /usr/bin/nc.openbsd is symlinked to
/usr/bin/nc:

$ pacman -Fl gnu-netcat openbsd-netcat | grep bin/nc
gnu-netcat usr/bin/nc
openbsd-netcat usr/bin/nc
openbsd-netcat usr/bin/nc.openbsd
$ realpath /usr/bin/nc.openbsd
/usr/bin/nc

So noblacklist ${PATH}/nc is not enough, as
blacklist ${PATH}/nc.openbsd will follow the symlink to /usr/bin/nc
and still blacklist it.

To prevent /usr/bin/nc from being blacklisted,
noblacklist ${PATH}/nc.openbsd is also needed in this case.

To ensure that netcat is allowed, always noblacklist all netcat paths.

Fixes #6911.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
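The symlink case from the description above, as an added example (not part of the PR or of firejail's code): a small shell model of the stated behaviour, in which a blacklist entry is resolved through symlinks, run over a constructed directory that mimics the Artix layout. The function names and the temporary directory are assumptions; the four netcat names are the ones quoted from disable-common.inc.

```shell
# Names blacklisted by disable-common.inc, as quoted in the PR description.
NETCAT_NAMES="nc nc.openbsd nc.traditional ncat"

# Constructed sample: a bin dir where nc.openbsd is a symlink to nc.
make_artix_layout() {
    d=$(mktemp -d)
    : > "$d/nc"
    ln -s nc "$d/nc.openbsd"
    echo "$d"
}

# effective_blacklist BIN_DIR [NOBLACKLISTED_NAME...]
# Prints the resolved paths that remain blacklisted once every name
# that is not noblacklisted has been followed to its real file.
effective_blacklist() {
    bin_dir="$1"; shift
    for name in $NETCAT_NAMES; do
        skip=0
        for allowed in "$@"; do
            if [ "$name" = "$allowed" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ] && [ -e "$bin_dir/$name" ]; then
            realpath "$bin_dir/$name"
        fi
    done | sort -u
}

# is_blocked BIN_DIR TARGET [NOBLACKLISTED_NAME...]
# Succeeds if TARGET's real file is still in the effective blacklist.
is_blocked() {
    blk_dir="$1"; blk_target=$(realpath "$1/$2"); shift 2
    effective_blacklist "$blk_dir" "$@" | grep -qxF "$blk_target"
}

# aliases_to_allow BIN_DIR TARGET
# Prints every blacklisted name that resolves to the same file as
# TARGET, i.e. the full set a profile has to noblacklist.
aliases_to_allow() {
    want=$(realpath "$1/$2")
    for name in $NETCAT_NAMES; do
        if [ -e "$1/$name" ] && [ "$(realpath "$1/$name")" = "$want" ]; then
            echo "$name"
        fi
    done
}
```

On the constructed layout, `is_blocked "$d" nc nc` succeeds (nc is still blocked through nc.openbsd), while `is_blocked "$d" nc nc nc.openbsd` fails.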

Reference: github-starred/firejail#6296