1 2README smrsh - sendmail restricted shell. 3 4This README file is provided as a courtesy of the CERT Coordination Center, 5Software Engineering Institute, Carnegie Mellon University. This file is 6intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability, 7and to the software, smrsh.c, written by Eric Allman. 8 9 10 11The smrsh(8) program is intended as a replacement for /bin/sh in the 12program mailer definition of sendmail(8). This README file describes 13the steps needed to compile and install smrsh. 14 15smrsh is a restricted shell utility that provides the ability to 16specify, through a configuration, an explicit list of executable 17programs. When used in conjunction with sendmail, smrsh effectively 18limits sendmail's scope of program execution to only those programs 19specified in smrsh's configuration. 20 21smrsh has been written with portability in mind, and uses traditional 22Unix library utilities. As such, smrsh should compile on most 23Unix C compilers. 24 25smrsh should build on most systems with the enclosed Build script: 26 27 host.domain% sh Build 28 29To compile smrsh.c by hand, use the following command: 30 31 host.domain% cc -o smrsh smrsh.c 32 33For machines that provide dynamic linking, it is advisable to compile 34smrsh without dynamic linking. As an example with the Sun Microsystems 35compiler, you should compile with the -Bstatic option. 36 37 host.domain% cc -Bstatic -o smrsh smrsh.c 38 or 39 host.domain% sh Build LDOPTS=-Bstatic 40 41With gcc, the GNU C compiler, use the -static option. 42 43 host.domain% cc -static -o smrsh smrsh.c 44 or 45 host.domain% sh Build LDOPTS=-static 46 47 48 49As root, install smrsh in /usr/libexec. Using the Build script: 50 51 host.domain# sh Build install 52 53For manual installation: install smrsh in the /usr/libexec 54directory, with mode 511. 55 56 host.domain# mv smrsh /usr/libexec 57 host.domain# chmod 511 /usr/libexec/smrsh 58 59 60 61Next, determine the list of commands that smrsh should allow sendmail 62to run. This list of allowable commands can be determined by: 63 64 1. examining your /etc/mail/aliases file, to indicate what commands 65 are being used by the system. 66 67 2. surveying your host's .forward files, to determine what 68 commands users have specified. 69 70See the man page for aliases(5) if you are unfamiliar with the format of 71these specifications. Additionally, you should include in the list, 72popular commands such as /usr/ucb/vacation. 73 74You should NOT include interpreter programs such as sh(1), csh(1), 75perl(1), uudecode(1) or the stream editor sed(1) in your list of 76acceptable commands. 77 78If your platform doesn't have a default CMDDIR setting, you will 79next need to create the directory /usr/adm/sm.bin and populate 80it with the programs that your site feels are allowable for sendmail 81to execute. This directory is explicitly specified in the source 82code for smrsh, so changing this directory must be accompanied with 83a change in smrsh.c. 84 85 86You will have to be root to make these modifications. 87 88After creating the /usr/adm/sm.bin directory, either copy the programs 89to the directory, or establish links to the allowable programs from 90/usr/adm/sm.bin. Change the file permissions, so that these programs 91can not be modified by non-root users. If you use links, you should 92ensure that the target programs are not modifiable. 93 94To allow the popular vacation(1) program by creating a link in the 95/usr/adm/sm.bin directory, you should: 96 97 host.domain# cd /usr/adm/sm.bin 98 host.domain# ln -s /usr/ucb/vacation vacation 99 100 101 102 103After populating the /usr/adm/sm.bin directory, you can now configure 104sendmail to use the restricted shell. Save the current sendmail.cf 105file prior to modifying it, as a prudent precaution. 106 107Typically, the program mailer is defined by a single line in the 108sendmail configuration file, sendmail.cf. This file is traditionally 109found in the /etc, /usr/lib or /etc/mail directories, depending on 110the UNIX vendor. 111 112If you are unsure of the location of the actual sendmail configuration 113file, a search of the strings(1) output of the sendmail binary, will 114help to locate it. 115 116In order to configure sendmail to use smrsh, you must modify the Mprog 117definition in the sendmail.cf file, by replacing the /bin/sh specification 118with /usr/libexec/smrsh. 119 120As an example: 121 122In most Sun Microsystems' sendmail.cf files, the line is: 123Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u 124 125which should be changed to: 126Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u 127 ^^^^^^^^^^^^^^^^^^ 128 129A more generic line may be: 130Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u 131 132and should be changed to; 133Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u 134 135 136After modifying the Mprog definition in the sendmail.cf file, if a frozen 137configuration file is being used, it is essential to create a new one. 138You can determine if you need a frozen configuration by discovering 139if a sendmail.fc file currently exists in either the /etc/, /usr/lib, 140or /etc/mail directories. The specific location can be determined using 141a search of the strings(1) output of the sendmail binary. 142 143In order to create a new frozen configuration, if it is required: 144 host.domain# /usr/lib/sendmail -bz 145 146Now re-start the sendmail process. An example of how to do this on 147a typical system follows: 148 149 host.domain# cat /var/run/sendmail.pid 150 130 151 /usr/sbin/sendmail -bd -q30m 152 host.domain# /bin/kill -15 130 153 host.domain# /usr/sbin/sendmail -bd -q30m 154 155 156$Revision: 8.6.16.1 $, Last updated $Date: 2000/10/09 20:39:55 $ 157