[jailcheck] Warning: I can run programs in ... #4398
Environment
Hi all, running Linux Lubuntu 20.04.2 LTS I received my latest batch of updates yesterday, among them I've learnt that there's a new tool - jailcheck - available, which is fantastic. Thanks a lot for that. However some programmes I run within firejail needed some tinkering as they wouldn't run the way they used to. Finally I got w3m, newsboat and podboat working again. For podboat, e.g., I used the default.profile and just had to comment out "include disable-programs.inc": "#include disable-programs.inc". That way it works again. But: when invoking the jailcheck command I get this:
... which got me wondering. How crucial are those warnings? Should I have done something different? Comparing it to the results I got from "firejail firefox":
I see I get no warnings here. Could you help me somehow? Thanks so much in advance. Many greetings.
Replies: 1 comment 21 replies
That's because default.profile does not `include disable-exec.inc`. You can either create a podboat.profile and add it there or/and add `include disable-exec.inc` to default.local (I do this).

Low. Having a `whitelist` profile and `dbus-{user,system} (filter|none)` is much more important. Imagine an attacker can create a file in `/home/rosika` or `/tmp` containing malware and he/she can execute this file. Now, if you make this place `noexec` (via `disable-exec.inc`), he/she can no longer execute this file. However, maybe there are other directories which are writeable and don't have a `noexec` or the malware is written in python/perl/... or…
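As an added example (not from this thread or the firejail project's shipped profiles), a per-user podboat.profile that layers the reply's suggestions on top of the stock default.profile instead of editing it; the noblacklist and whitelist paths for podboat's data are assumptions, adjust them to your setup.

```conf
# ~/.config/firejail/podboat.profile  (added example, not firejail's own profile)
# Keep /etc/firejail/default.profile untouched and build on it.

# Allow podboat's own data before default.profile pulls in disable-programs.inc;
# this replaces commenting out "include disable-programs.inc". Paths are assumed.
noblacklist ${HOME}/.newsboat
noblacklist ${HOME}/.config/newsboat

include default.profile

# The line default.profile lacks, as the reply notes: writable locations such as
# ${HOME} and /tmp are mounted noexec, so a dropped file cannot be run from there.
include disable-exec.inc

# The controls the reply rates as more important: only these paths stay visible
# under ${HOME}, and the sandbox gets no D-Bus access at all.
whitelist ${HOME}/.newsboat
whitelist ${HOME}/.config/newsboat
whitelist ${HOME}/Podcasts
include whitelist-common.inc
dbus-user none
dbus-system none
```

Start the program with `firejail podboat`; firejail picks up the profile by program name from ~/.config/firejail, and you can then re-run jailcheck to compare the result with what default.profile alone gave you.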