On Wed, Nov 13, 2019 at 03:10:13PM +0100, Hans-Christoph Steiner wrote:
> 
> It seems the suggested workaround does not work with the actual
> executable name "nc.openbsd":
> 
>  ~ $ which ssh
> /usr/bin/ssh
> ~ $ cat ~/.ssh/config
> Host testserver
>      Hostname aasdfasdfasdfkfshd.onion
>  ~ $ firejail --noblacklist=/bin/nc.openbsd ssh \
>  -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver
> /bin/bash: /bin/nc.openbsd: Permission denied
> /bin/bash: line 0: exec: /bin/nc.openbsd: cannot execute: Permission denied
> ssh_exchange_identification: Connection closed by remote host
> 
> 
> These work:
> 
> firejail --noblacklist='${PATH}/nc' --noblacklist=/bin/nc.openbsd ssh \
>  -oProxyCommand="/bin/nc.openbsd -x 127.0.0.1:9050 %h %p" testserver
> 
> firejail --noblacklist='${PATH}/nc' ssh \
>  -oProxyCommand="nc --x 127.0.0.1:9050 %h %p" testserver
> 
> 
> This is confusing, but perhaps required.  You can close this issue if
> you think that's appropriate.
> 

--noblacklist='${PATH}/nc' is needed because the included disable-common.inc
blacklists '${PATH}/nc'. noblacklist only removes stuff that has
previously been blacklisted.
firejail also resolves symlinks, so when ${PATH}/nc is blacklisted, it
actually blacklists the binary the link is pointing to (via alternatives
nc.openbsd).
Do you by chance have a merged-usr system, where /bin is actually
/usr/bin? That could also be another reason why --noblacklist=/bin/nc.openbsd
would not work.

Regards,
  Reiner

Attachment: signature.asc
Description: PGP signature

Reply via email to