github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 06:06:02 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions
firejail/etc/ids.config
Kelvin M. Klann 580283d74b disable-common.inc: blacklist sudo/doas paths in /etc 
Commands used to find the relevant paths in /etc:

    $ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
    /etc/pam.d/ is owned by sudo 1.9.14.p1-1
    /etc/sudo.conf is owned by sudo 1.9.14.p1-1
    /etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
    /etc/sudoers is owned by sudo 1.9.14.p1-1
    /etc/sudoers.d/ is owned by sudo 1.9.14.p1-1

Environment: Artix Linux.

Also, add missing paths sudo/doas to etc/ids.config and jailcheck.

See also commit dbebd71db ("disable-common.inc: blacklist doas binary",
2022-10-05).

Relates to #5385.

Reported-by: Dieter Plaetinck <dieter@plaetinck.be>
2023-07-14 08:08:47 -03:00

164 lines
3 KiB
Text
Raw Blame History

# /etc/firejail/ids.config - configuration file for Firejail's Intrusion Detection System
# This config file is overwritten when a new version of Firejail is installed.
# For global customization use /etc/firejail/ids.config.local.
include ids.config.local
#
# Each line is a file or directory name such as
# /usr/bin
# or
# ${HOME}/Desktop/*.desktop
#
# ${HOME} is expanded to the user's home directory, and * is the regular
# globbing match for zero or more characters.
#
# File or directory names starting with ! are not scanned. For example
# !${HOME}/.ssh/known_hosts
# ${HOME}/.ssh
# will scan all files in ~/.ssh directory with the exception of known_hosts
### system executables ###
/bin
/sbin
/usr/bin
/usr/games
/usr/libexec
/usr/sbin
### user executables ###
#/opt
#/usr/local
### system libraries ###
#/lib
#/usr/lib
#/usr/lib32
#/usr/lib64
#/usr/libx32
### shells local ###
# bash
${HOME}/.bash_aliases
${HOME}/.bash_login
${HOME}/.bash_logout
${HOME}/.bash_profile
${HOME}/.bashrc
# fish
${HOME}/.config/fish/config.fish
# others
${HOME}/.cshrc
${HOME}/.kshrc
${HOME}/.login
${HOME}/.logout
${HOME}/.profile
${HOME}/.tcshrc
# zsh
${HOME}/.zlogin
${HOME}/.zlogout
${HOME}/.zshenv
${HOME}/.zshprofile
${HOME}/.zshrc
# Note: This list should be kept in sync with the one in inc/disable-shell.inc.
### shells global ###
# all
/etc/dircolors
/etc/environment
/etc/profile
/etc/profile.d
/etc/shells
/etc/skel
# bash
/etc/bash
/etc/bash.bashrc
/etc/bash_completion*
/etc/bashrc
# fish
/etc/fish
# ksh
/etc/ksh.kshrc
/etc/suid_profile
# tcsh
/etc/complete.tcsh
/etc/csh.cshrc
/etc/csh.login
/etc/csh.logout
# zsh
/etc/zlogin
/etc/zlogout
/etc/zprofile
/etc/zsh
/etc/zshenv
/etc/zshrc
### X11 ###
/etc/X11
${HOME}/.xinitrc
${HOME}/.xmodmaprc
${HOME}/.xprofile
${HOME}/.Xresources
${HOME}/.xserverrc
${HOME}/.Xsession
${HOME}/.xsession
${HOME}/.xsessionrc
### window/desktop manager ###
${HOME}/Desktop/*.desktop
${HOME}/.config/autostart
${HOME}/.config/autostart-scripts
${HOME}/.config/lxsession/LXDE/autostart
${HOME}/.config/openbox/autostart
${HOME}/.config/openbox/environment
${HOME}/.config/plasma-workspace/env
${HOME}/.config/plasma-workspace/shutdown
${HOME}/.gnomerc
${HOME}/.gtkrc
${HOME}/.kde/Autostart
${HOME}/.kde/env
${HOME}/.kde/share/autostart
${HOME}/.kde/shutdown
${HOME}/.kde4/Autostart
${HOME}/.kde4/env
${HOME}/.kde4/share/autostart
${HOME}/.kde4/shutdown
${HOME}/.kderc
${HOME}/.local/share/autostart
### security ###
/etc/aide
/etc/apparmor*
/etc/chkrootkit.conf
/etc/cracklib
/etc/doas.conf
/etc/libaudit.conf
/etc/group*
/etc/gshadow*
/etc/pam.*
/etc/passwd*
/etc/rkhunter*
/etc/securetty
/etc/security
/etc/selinux
/etc/shadow*
/etc/sudo*.conf
/etc/sudoers*
/etc/tripwire
${HOME}/.config/firejail
${HOME}/.gnupg
${HOME}/.pam_environment
### network security ###
/etc/ca-certificates*
/etc/hosts.*
/etc/services
/etc/snort
/etc/ssh
/etc/ssl
/etc/wireshark
!${HOME}/.ssh/known_hosts # excluding
${HOME}/.ssh
/usr/share/ca-certificates
### system config ###
/etc/cron.*
/etc/crontab
/etc/default
Reference in a new issue View git blame Copy permalink