2 README smrsh - sendmail restricted shell.
4 This README file is provided as a courtesy of the CERT Coordination Center,
5 Software Engineering Institute, Carnegie Mellon University. This file is
6 intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
7 and to the software, smrsh.c, written by Eric Allman.
11 The smrsh(8) program is intended as a replacement for /bin/sh in the
12 program mailer definition of sendmail(8). This README file describes
13 the steps needed to compile and install smrsh.
15 smrsh is a restricted shell utility that provides the ability to
16 specify, through a configuration, an explicit list of executable
17 programs. When used in conjunction with sendmail, smrsh effectively
18 limits sendmail's scope of program execution to only those programs
19 specified in smrsh's configuration.
21 smrsh has been written with portability in mind, and uses traditional
22 Unix library utilities. As such, smrsh should compile on most
25 smrsh should build on most systems with the enclosed Build script:
27 host.domain% sh ./Build
29 To compile smrsh.c by hand, use the following command:
31 host.domain% cc -o smrsh smrsh.c
33 For machines that provide dynamic linking, it is advisable to compile
34 smrsh without dynamic linking. As an example with the Sun Microsystems
35 compiler, you should compile with the -Bstatic option.
37 host.domain% cc -Bstatic -o smrsh smrsh.c
39 host.domain% sh ./Build LDOPTS=-Bstatic
41 With gcc, the GNU C compiler, use the -static option.
43 host.domain% cc -static -o smrsh smrsh.c
45 host.domain% sh ./Build LDOPTS=-static
47 The following C defines can be set defined to change the search path and
48 the bin directory used by smrsh.
50 -DSMRSH_PATH=\"path\" \"/bin:/usr/bin:/usr/ucb\" The default search
52 -DSMRSH_CMDDIR=\"dir\" \"/usr/adm/sm.bin\" The default smrsh
55 These can be added to the devtools/Site/site.config.m4 file using the
56 global M4 macro confENVDEF or the smrsh specific M4 macro
59 As root, install smrsh in /usr/libexec. Using the Build script:
61 host.domain# sh ./Build install
63 For manual installation: install smrsh in the /usr/libexec
64 directory, with mode 511.
66 host.domain# mv smrsh /usr/libexec
67 host.domain# chmod 511 /usr/libexec/smrsh
71 Next, determine the list of commands that smrsh should allow sendmail
72 to run. This list of allowable commands can be determined by:
74 1. examining your /etc/mail/aliases file, to indicate what commands
75 are being used by the system.
77 2. surveying your host's .forward files, to determine what
78 commands users have specified.
80 See the man page for aliases(5) if you are unfamiliar with the format of
81 these specifications. Additionally, you should include in the list,
82 popular commands such as /usr/ucb/vacation.
84 You should NOT include interpreter programs such as sh(1), csh(1),
85 perl(1), uudecode(1) or the stream editor sed(1) in your list of
88 If your platform doesn't have a default SMRSH_CMDDIR setting, you will
89 next need to create the directory /usr/adm/sm.bin and populate
90 it with the programs that your site feels are allowable for sendmail
91 to execute. This directory is explicitly specified in the source
92 code for smrsh, so changing this directory must be accompanied with
96 You will have to be root to make these modifications.
98 After creating the /usr/adm/sm.bin directory, either copy the programs
99 to the directory, or establish links to the allowable programs from
100 /usr/adm/sm.bin. Change the file permissions, so that these programs
101 can not be modified by non-root users. If you use links, you should
102 ensure that the target programs are not modifiable.
104 To allow the popular vacation(1) program by creating a link in the
105 /usr/adm/sm.bin directory, you should:
107 host.domain# cd /usr/adm/sm.bin
108 host.domain# ln -s /usr/ucb/vacation vacation
113 After populating the /usr/adm/sm.bin directory, you can now configure
114 sendmail to use the restricted shell. Save the current sendmail.cf
115 file prior to modifying it, as a prudent precaution.
117 Typically, the program mailer is defined by a single line in the
118 sendmail configuration file, sendmail.cf. This file is traditionally
119 found in the /etc, /usr/lib or /etc/mail directories, depending on
122 If you are unsure of the location of the actual sendmail configuration
123 file, a search of the strings(1) output of the sendmail binary, will
126 In order to configure sendmail to use smrsh, you must modify the Mprog
127 definition in the sendmail.cf file, by replacing the /bin/sh specification
128 with /usr/libexec/smrsh.
132 In most Sun Microsystems' sendmail.cf files, the line is:
133 Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
135 which should be changed to:
136 Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
139 A more generic line may be:
140 Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u
142 and should be changed to;
143 Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
146 After modifying the Mprog definition in the sendmail.cf file, if a frozen
147 configuration file is being used, it is essential to create a new one.
148 You can determine if you need a frozen configuration by discovering
149 if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
150 or /etc/mail directories. The specific location can be determined using
151 a search of the strings(1) output of the sendmail binary.
153 In order to create a new frozen configuration, if it is required:
154 host.domain# /usr/lib/sendmail -bz
156 Now re-start the sendmail process. An example of how to do this on
157 a typical system follows:
159 host.domain# cat /var/run/sendmail.pid
161 /usr/sbin/sendmail -bd -q30m
162 host.domain# /bin/kill -15 130
163 host.domain# /usr/sbin/sendmail -bd -q30m
166 $Revision: 8.10 $, Last updated $Date: 2008/02/12 16:40:06 $
tuxillo's projects / dragonfly.git / blob