[GH-ISSUE #111] Protect shell startup files #71

Closed
opened 2026-05-05 04:57:14 -06:00 by gitea-mirror · 1 comment

Originally created by @dbakker on GitHub (Oct 30, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/111

Firejail currently blocks access to directories such as `~/.ssh` to protect your secrets.

One way an attacker could currently still get to them though is by adding a malicious command to one of the automatically executed files, such as `~/.profile` or `~/.bash_logout`. That command will then get executed _outside of firejail_ when you reboot and log in to your user account.

Perhaps it would be a good idea to make those kinds of files read only? My list so far:

```
# General startup files
read-only ${HOME}/.xinitrc
read-only ${HOME}/.xserverrc
read-only ${HOME}/.profile

# Shell startup files
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zshrc
read-only ${HOME}/.zlogin
read-only ${HOME}/.zprofile
read-only ${HOME}/.zlogout
read-only ${HOME}/.zsh_files
read-only ${HOME}/.tcshrc
read-only ${HOME}/.cshrc
read-only ${HOME}/.csh_files

# Initialization files that allow arbitrary command execution
read-only ${HOME}/.mailcap
read-only ${HOME}/.exrc
read-only ${HOME}/.vimrc
read-only ${HOME}/.vim
read-only ${HOME}/.emacs
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.xmonad

# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin
```

Unfortunately, it's not foolproof. For example, some arbitrary files may be getting sourced from `~/.bashrc` that an attacker can edit. Or an attacker may hide code in a `.git/hooks` file or some other more uncommon initialization file or script.

Another point is that some users may _want_ to be able to edit those files within the jail. For that we could consider making it optional and read-only or blacklist these files for known programs (such as firefox and so on).

I'm just throwing this up there because there didn't seem to be any discussion about it so far and it seems like an issue that should be addressed.
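
The caveat in the post above, that `~/.bashrc` may source other files an attacker can still edit, can be checked mechanically. The following is an added example, not part of the original issue or of firejail's code: a Python sketch that lists the files a startup script sources which no `read-only` entry covers. The home directory, the sample `.bashrc` and all function names are constructed for illustration, and it assumes a `read-only` entry on a directory also protects the files beneath it.

```python
import os
import re

# `source FILE` / `. FILE` at the start of a simple command. A sketch: it does
# not follow variables other than $HOME, nor eval, globs or nested includes.
SOURCE_RE = re.compile(
    r'(?:^|[;&|]|\bthen\b|\bdo\b)\s*(?:source|\.)\s+("[^"]+"|\'[^\']+\'|[^\s;&|]+)')

def expand_home(path, home):
    """Expand ~, $HOME and ${HOME} to the given home directory."""
    path = path.replace('${HOME}', home).replace('$HOME', home)
    if path == '~' or path.startswith('~/'):
        path = home + path[1:]
    return os.path.normpath(path)

def read_only_paths(profile_text, home):
    """Paths named by `read-only` lines of a firejail profile."""
    lines = (l.split('#', 1)[0].strip() for l in profile_text.splitlines())
    return [expand_home(l[len('read-only '):].strip(), home)
            for l in lines if l.startswith('read-only ')]

def sourced_files(rc_text, home):
    """Files a shell startup script pulls in with `source` or `.`."""
    found = []
    for line in rc_text.splitlines():
        code = line.split('#', 1)[0]          # naive comment stripping
        for match in SOURCE_RE.finditer(code):
            found.append(expand_home(match.group(1).strip('"\''), home))
    return found

def uncovered_sources(profile_text, rc_text, home):
    """Sourced files that no read-only entry (file or parent dir) protects."""
    protected = read_only_paths(profile_text, home)
    return [f for f in sourced_files(rc_text, home)
            if not any(f == p or f.startswith(p + os.sep) for p in protected)]

HOME = '/home/alice'                           # constructed home directory
PROFILE = """# two entries taken from the list in the issue
read-only ${HOME}/.bashrc
read-only ${HOME}/bin
"""
BASHRC = """# constructed sample ~/.bashrc
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
source "$HOME/.config/shell/env.sh"
if [ -d ~/bin ]; then . ~/bin/completions.sh; fi
"""
if __name__ == '__main__':
    print('\n'.join(uncovered_sources(PROFILE, BASHRC, HOME)))
```

Each path it reports is a candidate for an additional `read-only` line in the profile.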


@netblue30 commented on GitHub (Oct 30, 2015):

Thank you for the patch - merged into etc/disable-common.inc
