On Wed, Nov 13, 2019 at 03:10:13PM +0100, Hans-Christoph Steiner wrote:
>
> It seems the suggested workaround does not work with the actual
> executable name "nc.openbsd":
>
> ~ $ which ssh
> /usr/bin/ssh
> ~ $ cat ~/.ssh/config
> Host testserver
> Hostname aasdfasdfasdfkfshd.onion
> ~ $ firejail --noblacklist=/bin/nc.openbsd ssh \
> -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver
> /bin/bash: /bin/nc.openbsd: Permission denied
> /bin/bash: line 0: exec: /bin/nc.openbsd: cannot execute: Permission denied
> ssh_exchange_identification: Connection closed by remote host
>
>
> These work:
>
> firejail --noblacklist='${PATH}/nc' --noblacklist=/bin/nc.openbsd ssh \
> -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver
>
> firejail --noblacklist='${PATH}/nc' ssh \
> -oProxyCommand="nc --x 127.0.0.1:9050 %h %p" testserver
>
>
> This is confusing, but perhaps required. You can close this issue if
> you think that's appropriate.
>
--noblacklist='${PATH}/nc' is needed because the included disable-common.inc
blacklists '${PATH}/nc'. noblacklist only removes stuff that has
previously been blacklisted.
firejail also resolves symlinks, so when ${PATH}/nc is blacklisted, it
actually blacklists the binary the link is pointing to (via alternatives
nc.openbsd).
Do you by chance have a merged-usr system, where /bin is actually
/usr/bin? That could also be another reason why --noblacklist=/bin/nc.openbsd
would not work.
Regards,
Reiner
signature.asc
Description: PGP signature

