xref: /freebsd/contrib/sendmail/smrsh/README (revision c2aa98e247e56d5266d789dfc9b90b524b0019fe)

README  smrsh - sendmail restricted shell.

	@(#)README	8.2	11/11/95


This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University.  This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.



The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8).  This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs.  When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities.  As such, smrsh should compile on most
Unix C compilers.



To compile smrsh.c, use the following command:

host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking.  As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

host.domain% cc -Bstatic -o smrsh smrsh.c


Choose a directory that smrsh will reside in.  We will use the traditional
/usr/local/etc directory for the remainder of this document.

As root, install smrsh in the /usr/local/etc directory, with mode 511.

host.domain# mv smrsh /usr/local/etc
host.domain# chmod 511 /usr/local/etc/smrsh



Next, determine the list of commands that smrsh should allow sendmail
to run.  This list of allowable commands can be determined by:

   1.  examining your /etc/aliases file, to see which commands
       are being used by the system.

   2.  surveying your host's .forward files, to determine what
       commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications.  Additionally, you should include popular commands
such as /usr/ucb/vacation in the list.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.
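
The survey described above can be scripted.  The following is an added
example, not part of the original README or of smrsh: it extracts every
"|program" delivery from aliases(5)-format input and marks the programs the
README says to exclude.  The sample aliases, the ticket-intake program and
the /home/*/.forward path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: survey aliases(5)/.forward files for "|program" deliveries.
LC_ALL=C; export LC_ALL

# Programs the README says must NOT be made available through smrsh.
DENY="sh csh perl uudecode sed"

# list_mail_programs [FILE...]: print each piped-to program path, sorted and
# unique.  Reads stdin when no file is given.
list_mail_programs() {
    cat "$@" | awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            line = $0
            # every "|" begins a program delivery; the command is the next word
            while (match(line, /\|[ \t]*[^ \t",]+/)) {
                cmd = substr(line, RSTART + 1, RLENGTH - 1)
                sub(/^[ \t]+/, "", cmd)
                print cmd
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# classify_programs: read paths on stdin; mark README-listed programs REJECT,
# everything else REVIEW (a human still decides what goes into sm.bin).
classify_programs() {
    while IFS= read -r path; do
        case " $DENY " in
            *" ${path##*/} "*) echo "REJECT $path" ;;
            *)                 echo "REVIEW $path" ;;
        esac
    done
}

# Constructed sample input; ticket-intake is a hypothetical local program.
sample_aliases() {
    cat <<'EOF'
# constructed sample in aliases(5) format
postmaster: root
support: "|/usr/local/bin/ticket-intake support"
decode: "|/usr/bin/uudecode"
jdoe: \jdoe, "|/usr/ucb/vacation jdoe"
filter: |/bin/sh /home/filter/run.sh
EOF
}

sample_aliases | list_mail_programs | classify_programs
# Real host (assumed paths): list_mail_programs /etc/aliases /home/*/.forward
```

Only the REVIEW entries are candidates for the allowed list; each still
needs a decision by the administrator.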


You will next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute.   This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied by
a change in smrsh.c.


You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin.  Change the file permissions, so that these programs
cannot be modified by non-root users.  If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

host.domain# cd /usr/adm/sm.bin
host.domain# ln -s /usr/ucb/vacation vacation
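
One way to check the permission requirements above, as an added example
that is not part of the original README or of smrsh: it reports entries in
the program directory, or the targets of its links, that are group- or
world-writable or not owned by the expected user.  Checking the directory
itself goes slightly beyond the README's text; the function names and the
demo tree are assumptions.

```shell
#!/bin/sh
# Added example: find smrsh program-directory entries a non-root user could change.

# audit_sm_bin DIR [OWNER]
# Prints "WRITABLE path" for anything group- or world-writable and "OWNER path"
# for anything not owned by OWNER (default root).  No output means clean.
# find -L tests the link target, so a symlink to a writable program is caught.
# DIR itself is included: a writable directory lets entries be replaced.
audit_sm_bin() {
    dir=$1
    owner=${2:-root}
    {
        find -L "$dir" -maxdepth 1 \( -perm -020 -o -perm -002 \) \
            -exec echo WRITABLE {} \;
        find -L "$dir" -maxdepth 1 ! -user "$owner" -exec echo OWNER {} \;
    } | sort
}

# Constructed demo tree (not a real system layout): one safe copy, one
# group-writable copy, and one symlink whose target is world-writable.
make_demo_tree() {
    top=$(mktemp -d) || return 1
    mkdir "$top/sm.bin" "$top/ucb"
    : > "$top/sm.bin/safe";     chmod 755 "$top/sm.bin/safe"
    : > "$top/sm.bin/loose";    chmod 775 "$top/sm.bin/loose"
    : > "$top/ucb/vacation";    chmod 757 "$top/ucb/vacation"
    ln -s "$top/ucb/vacation" "$top/sm.bin/vacation"
    chmod 755 "$top/sm.bin"
    echo "$top"
}

demo=$(make_demo_tree)
# The demo files belong to whoever runs this, so pass that uid instead of root.
audit_sm_bin "$demo/sm.bin" "$(id -u)"
rm -rf "$demo"
# On a real host, as root: audit_sm_bin /usr/adm/sm.bin
```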




After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell.  Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf.  This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/local/etc/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:
Mprog,	P=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u

which should be changed to:
Mprog,	P=/usr/local/etc/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
          ^^^^^^^^^^^^^^^^^^^^

A more generic line may be:
Mprog,		P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:
Mprog,		P=/usr/local/etc/smrsh, F=lsDFM, A=sh -c $u


After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by checking
whether a sendmail.fc file currently exists in either the /etc/, /usr/lib,
or /etc/mail directories.  The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:
host.domain# /usr/lib/sendmail -bz

Now restart the sendmail process.  An example of how to do this on
a typical system follows:

host.domain# /usr/bin/ps aux | /usr/bin/grep sendmail
root 130  0.0  0.0  168    0 ?  IW   Oct  2  0:10 /usr/lib/sendmail -bd -q
host.domain# /bin/kill -9 130
host.domain# /usr/lib/sendmail -bd -q30m