e3793f7654
Note: As the first merge since the conversion to svn, it includes many propset changes to get the proper svn:eol-style and svn:mime-type on the files (as merged from the fixed up vendor/dist area). MFC after: 3 days
167 lines
5.7 KiB
Plaintext
167 lines
5.7 KiB
Plaintext
|
|
README smrsh - sendmail restricted shell.
|
|
|
|
This README file is provided as a courtesy of the CERT Coordination Center,
|
|
Software Engineering Institute, Carnegie Mellon University. This file is
|
|
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
|
|
and to the software, smrsh.c, written by Eric Allman.
|
|
|
|
|
|
|
|
The smrsh(8) program is intended as a replacement for /bin/sh in the
|
|
program mailer definition of sendmail(8). This README file describes
|
|
the steps needed to compile and install smrsh.
|
|
|
|
smrsh is a restricted shell utility that provides the ability to
|
|
specify, through a configuration, an explicit list of executable
|
|
programs. When used in conjunction with sendmail, smrsh effectively
|
|
limits sendmail's scope of program execution to only those programs
|
|
specified in smrsh's configuration.
|
|
|
|
smrsh has been written with portability in mind, and uses traditional
|
|
Unix library utilities. As such, smrsh should compile on most
|
|
Unix C compilers.
|
|
|
|
smrsh should build on most systems with the enclosed Build script:
|
|
|
|
host.domain% sh ./Build
|
|
|
|
To compile smrsh.c by hand, use the following command:
|
|
|
|
host.domain% cc -o smrsh smrsh.c
|
|
|
|
For machines that provide dynamic linking, it is advisable to compile
|
|
smrsh without dynamic linking. As an example with the Sun Microsystems
|
|
compiler, you should compile with the -Bstatic option.
|
|
|
|
host.domain% cc -Bstatic -o smrsh smrsh.c
|
|
or
|
|
host.domain% sh ./Build LDOPTS=-Bstatic
|
|
|
|
With gcc, the GNU C compiler, use the -static option.
|
|
|
|
host.domain% cc -static -o smrsh smrsh.c
|
|
or
|
|
host.domain% sh ./Build LDOPTS=-static
|
|
|
|
The following C defines can be set defined to change the search path and
|
|
the bin directory used by smrsh.
|
|
|
|
-DSMRSH_PATH=\"path\" \"/bin:/usr/bin:/usr/ucb\" The default search
|
|
path.
|
|
-DSMRSH_CMDDIR=\"dir\" \"/usr/adm/sm.bin\" The default smrsh
|
|
program directory
|
|
|
|
These can be added to the devtools/Site/site.config.m4 file using the
|
|
global M4 macro confENVDEF or the smrsh specific M4 macro
|
|
conf_smrsh_ENVDEF.
|
|
|
|
As root, install smrsh in /usr/libexec. Using the Build script:
|
|
|
|
host.domain# sh ./Build install
|
|
|
|
For manual installation: install smrsh in the /usr/libexec
|
|
directory, with mode 511.
|
|
|
|
host.domain# mv smrsh /usr/libexec
|
|
host.domain# chmod 511 /usr/libexec/smrsh
|
|
|
|
|
|
|
|
Next, determine the list of commands that smrsh should allow sendmail
|
|
to run. This list of allowable commands can be determined by:
|
|
|
|
1. examining your /etc/mail/aliases file, to indicate what commands
|
|
are being used by the system.
|
|
|
|
2. surveying your host's .forward files, to determine what
|
|
commands users have specified.
|
|
|
|
See the man page for aliases(5) if you are unfamiliar with the format of
|
|
these specifications. Additionally, you should include in the list,
|
|
popular commands such as /usr/ucb/vacation.
|
|
|
|
You should NOT include interpreter programs such as sh(1), csh(1),
|
|
perl(1), uudecode(1) or the stream editor sed(1) in your list of
|
|
acceptable commands.
|
|
|
|
If your platform doesn't have a default SMRSH_CMDDIR setting, you will
|
|
next need to create the directory /usr/adm/sm.bin and populate
|
|
it with the programs that your site feels are allowable for sendmail
|
|
to execute. This directory is explicitly specified in the source
|
|
code for smrsh, so changing this directory must be accompanied with
|
|
a change in smrsh.c.
|
|
|
|
|
|
You will have to be root to make these modifications.
|
|
|
|
After creating the /usr/adm/sm.bin directory, either copy the programs
|
|
to the directory, or establish links to the allowable programs from
|
|
/usr/adm/sm.bin. Change the file permissions, so that these programs
|
|
can not be modified by non-root users. If you use links, you should
|
|
ensure that the target programs are not modifiable.
|
|
|
|
To allow the popular vacation(1) program by creating a link in the
|
|
/usr/adm/sm.bin directory, you should:
|
|
|
|
host.domain# cd /usr/adm/sm.bin
|
|
host.domain# ln -s /usr/ucb/vacation vacation
|
|
|
|
|
|
|
|
|
|
After populating the /usr/adm/sm.bin directory, you can now configure
|
|
sendmail to use the restricted shell. Save the current sendmail.cf
|
|
file prior to modifying it, as a prudent precaution.
|
|
|
|
Typically, the program mailer is defined by a single line in the
|
|
sendmail configuration file, sendmail.cf. This file is traditionally
|
|
found in the /etc, /usr/lib or /etc/mail directories, depending on
|
|
the UNIX vendor.
|
|
|
|
If you are unsure of the location of the actual sendmail configuration
|
|
file, a search of the strings(1) output of the sendmail binary, will
|
|
help to locate it.
|
|
|
|
In order to configure sendmail to use smrsh, you must modify the Mprog
|
|
definition in the sendmail.cf file, by replacing the /bin/sh specification
|
|
with /usr/libexec/smrsh.
|
|
|
|
As an example:
|
|
|
|
In most Sun Microsystems' sendmail.cf files, the line is:
|
|
Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
|
|
|
|
which should be changed to:
|
|
Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
|
|
^^^^^^^^^^^^^^^^^^
|
|
|
|
A more generic line may be:
|
|
Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u
|
|
|
|
and should be changed to;
|
|
Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
|
|
|
|
|
|
After modifying the Mprog definition in the sendmail.cf file, if a frozen
|
|
configuration file is being used, it is essential to create a new one.
|
|
You can determine if you need a frozen configuration by discovering
|
|
if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
|
|
or /etc/mail directories. The specific location can be determined using
|
|
a search of the strings(1) output of the sendmail binary.
|
|
|
|
In order to create a new frozen configuration, if it is required:
|
|
host.domain# /usr/lib/sendmail -bz
|
|
|
|
Now re-start the sendmail process. An example of how to do this on
|
|
a typical system follows:
|
|
|
|
host.domain# cat /var/run/sendmail.pid
|
|
130
|
|
/usr/sbin/sendmail -bd -q30m
|
|
host.domain# /bin/kill -15 130
|
|
host.domain# /usr/sbin/sendmail -bd -q30m
|
|
|
|
|
|
$Revision: 8.10 $, Last updated $Date: 2008/02/12 16:40:06 $
|