xref: /freebsd/contrib/sendmail/smrsh/README (revision 3823d5e198425b4f5e5a80267d195769d1063773)
1
2README  smrsh - sendmail restricted shell.
3
4This README file is provided as a courtesy of the CERT Coordination Center,
5Software Engineering Institute, Carnegie Mellon University.  This file is
6intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
7and to the software, smrsh.c, written by Eric Allman.
8
9
10
11The smrsh(8) program is intended as a replacement for /bin/sh in the
12program mailer definition of sendmail(8).  This README file describes
13the steps needed to compile and install smrsh.
14
15smrsh is a restricted shell utility that provides the ability to
16specify, through a configuration, an explicit list of executable
17programs.  When used in conjunction with sendmail, smrsh effectively
18limits sendmail's scope of program execution to only those programs
19specified in smrsh's configuration.
20
21smrsh has been written with portability in mind, and uses traditional
22Unix library utilities.  As such, smrsh should compile on most
23Unix C compilers.
24
25smrsh should build on most systems with the enclosed Build script:
26
27	host.domain% sh ./Build
28
29To compile smrsh.c by hand, use the following command:
30
31	host.domain% cc -o smrsh smrsh.c
32
33For machines that provide dynamic linking, it is advisable to compile
34smrsh without dynamic linking.  As an example with the Sun Microsystems
35compiler, you should compile with the -Bstatic option.
36
37	host.domain% cc -Bstatic -o smrsh smrsh.c
38		or
39	host.domain% sh ./Build LDOPTS=-Bstatic
40
41With gcc, the GNU C compiler, use the -static option.
42
43	host.domain% cc -static -o smrsh smrsh.c
44		or
45	host.domain% sh ./Build LDOPTS=-static
46
47The following C defines can be set defined to change the search path and
48the bin directory used by smrsh.
49
50-DSMRSH_PATH=\"path\"	\"/bin:/usr/bin:/usr/ucb\"	The default search
51							path.
52-DSMRSH_CMDDIR=\"dir\"	\"/usr/adm/sm.bin\"		The default smrsh
53							program directory
54
55These can be added to the devtools/Site/site.config.m4 file using the
56global M4 macro confENVDEF or the smrsh specific M4 macro
57conf_smrsh_ENVDEF.
58
59As root, install smrsh in /usr/libexec.  Using the Build script:
60
61	host.domain# sh ./Build install
62
63For manual installation: install smrsh in the /usr/libexec
64directory, with mode 511.
65
66	host.domain# mv smrsh /usr/libexec
67	host.domain# chmod 511 /usr/libexec/smrsh
68
69
70
71Next, determine the list of commands that smrsh should allow sendmail
72to run.  This list of allowable commands can be determined by:
73
74   1.  examining your /etc/mail/aliases file, to indicate what commands
75       are being used by the system.
76
77   2.  surveying your host's .forward files, to determine what
78       commands users have specified.
79
80See the man page for aliases(5) if you are unfamiliar with the format of
81these specifications. Additionally, you should include in the list,
82popular commands such as /usr/ucb/vacation.
83
84You should NOT include interpreter programs such as sh(1), csh(1),
85perl(1), uudecode(1) or the stream editor sed(1) in your list of
86acceptable commands.
87
88If your platform doesn't have a default SMRSH_CMDDIR setting, you will
89next need to create the directory /usr/adm/sm.bin and populate
90it with the programs that your site feels are allowable for sendmail
91to execute.   This directory is explicitly specified in the source
92code for smrsh, so changing this directory must be accompanied with
93a change in smrsh.c.
94
95
96You will have to be root to make these modifications.
97
98After creating the /usr/adm/sm.bin directory, either copy the programs
99to the directory, or establish links to the allowable programs from
100/usr/adm/sm.bin.  Change the file permissions, so that these programs
101can not be modified by non-root users.  If you use links, you should
102ensure that the target programs are not modifiable.
103
104To allow the popular vacation(1) program by creating a link in the
105/usr/adm/sm.bin directory, you should:
106
107	host.domain# cd /usr/adm/sm.bin
108	host.domain# ln -s /usr/ucb/vacation vacation
109
110
111
112
113After populating the /usr/adm/sm.bin directory, you can now configure
114sendmail to use the restricted shell.  Save the current sendmail.cf
115file prior to modifying it, as a prudent precaution.
116
117Typically, the program mailer is defined by a single line in the
118sendmail configuration file, sendmail.cf.  This file is traditionally
119found in the /etc, /usr/lib or /etc/mail directories, depending on
120the UNIX vendor.
121
122If you are unsure of the location of the actual sendmail configuration
123file, a search of the strings(1) output of the sendmail binary, will
124help to locate it.
125
126In order to configure sendmail to use smrsh, you must modify the Mprog
127definition in the sendmail.cf file, by replacing the /bin/sh specification
128with /usr/libexec/smrsh.
129
130As an example:
131
132In most Sun Microsystems' sendmail.cf files, the line is:
133Mprog,	P=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
134
135which should be changed to:
136Mprog,	P=/usr/libexec/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
137          ^^^^^^^^^^^^^^^^^^
138
139A more generic line may be:
140Mprog,		P=/bin/sh, F=lsDFM, A=sh -c $u
141
142and should be changed to;
143Mprog,		P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
144
145
146After modifying the Mprog definition in the sendmail.cf file, if a frozen
147configuration file is being used, it is essential to create a new one.
148You can determine if you need a frozen configuration by discovering
149if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
150or /etc/mail directories.  The specific location can be determined using
151a search of the strings(1) output of the sendmail binary.
152
153In order to create a new frozen configuration, if it is required:
154	host.domain# /usr/lib/sendmail -bz
155
156Now re-start the sendmail process.  An example of how to do this on
157a typical system follows:
158
159	host.domain# cat /var/run/sendmail.pid
160	130
161	/usr/sbin/sendmail -bd -q30m
162	host.domain# /bin/kill -15 130
163	host.domain# /usr/sbin/sendmail -bd -q30m
164
165
166$Revision: 8.10 $, Last updated $Date: 2008-02-12 16:40:06 $
167