README smrsh - sendmail restricted shell.

This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University.  This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.


The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8).  This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs.  When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities.  As such, smrsh should compile on most
Unix C compilers.

smrsh should build on most systems with the enclosed Build script:

        host.domain% sh Build

To compile smrsh.c by hand, use the following command:

        host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking.  As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

        host.domain% cc -Bstatic -o smrsh smrsh.c
    or
        host.domain% sh Build LDOPTS=-Bstatic

With gcc, the GNU C compiler, use the -static option.

        host.domain% cc -static -o smrsh smrsh.c
    or
        host.domain% sh Build LDOPTS=-static

The following C defines can be set to change the search path and
the bin directory used by smrsh.

-DSMRSH_PATH=\"path\"     \"/bin:/usr/bin:/usr/ucb\"   The default search path.
-DSMRSH_CMDDIR=\"dir\"    \"/usr/adm/sm.bin\"          The default smrsh program directory

These can be added to the devtools/Site/site.config.m4 file using the
global M4 macro confENVDEF or the smrsh specific M4 macro
conf_smrsh_ENVDEF.

As root, install smrsh in /usr/libexec.  Using the Build script:

        host.domain# sh Build install

For manual installation: install smrsh in the /usr/libexec
directory, with mode 511.

        host.domain# mv smrsh /usr/libexec
        host.domain# chmod 511 /usr/libexec/smrsh


Next, determine the list of commands that smrsh should allow sendmail
to run.  This list of allowable commands can be determined by:

  1.  examining your /etc/mail/aliases file, to indicate what commands
      are being used by the system.

  2.  surveying your host's .forward files, to determine what
      commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications.  Additionally, you should include in the list,
popular commands such as /usr/ucb/vacation.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.

If your platform doesn't have a default SMRSH_CMDDIR setting, you will
next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute.  This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied with
a change in smrsh.c.

You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin.  Change the file permissions, so that these programs
can not be modified by non-root users.
If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

        host.domain# cd /usr/adm/sm.bin
        host.domain# ln -s /usr/ucb/vacation vacation


After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell.  Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf.  This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/libexec/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:
Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u

which should be changed to:
Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
         ^^^^^^^^^^^^^^^^^^

A more generic line may be:
Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:
Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u


After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by discovering
if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
or /etc/mail directories.  The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:

        host.domain# /usr/lib/sendmail -bz

Now re-start the sendmail process.  An example of how to do this on
a typical system follows:

        host.domain# cat /var/run/sendmail.pid
        130
        /usr/sbin/sendmail -bd -q30m
        host.domain# /bin/kill -15 130
        host.domain# /usr/sbin/sendmail -bd -q30m


$Revision: 8.8.4.1 $, Last updated $Date: 2003/05/26 04:29:42 $
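
For the survey of the aliases file and users' .forward files described above, the following script is an added example (it is not part of smrsh or of the original README). It lists every program that mail is piped to and marks the interpreters this README says to keep out of the command directory; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the programs that aliases and .forward files pipe mail
# to, and mark the ones this README says must stay out of the smrsh directory.

# Constructed sample in aliases(5) / .forward syntax (not from a real host).
sample_input() {
    cat <<'EOF'
# local aliases
postmaster: root
jdoe: \jdoe, "|/usr/ucb/vacation jdoe"
lists: "|/usr/local/bin/listproc -q"
decode: |/usr/bin/uudecode
"|/usr/bin/perl /home/asmith/filter.pl"
EOF
}

# Print every distinct program named after a "|" in the given files (or stdin).
piped_programs() {
    sed -e 's/^[[:space:]]*#.*//' "$@" |
        grep -o '|[[:space:]]*"\{0,1\}[^[:space:]",]*' |
        sed -e 's/^|[[:space:]]*"\{0,1\}//' |
        grep -v '^$' | LC_ALL=C sort -u
}

# Tag each program read from stdin as "ok" or "INTERPRETER".
flag_interpreters() {
    while IFS= read -r prog; do
        case ${prog##*/} in
            sh|csh|perl|uudecode|sed) verdict=INTERPRETER ;;
            *) verdict=ok ;;
        esac
        printf '%-12s %s\n' "$verdict" "$prog"
    done
}

# With file arguments, survey those files; with none, run on the sample.
if [ "$#" -gt 0 ]; then
    piped_programs "$@" | flag_interpreters
else
    sample_input | piped_programs | flag_interpreters
fi
```

Entries marked "ok" are only candidates for the command directory; each still needs a site decision before it is copied or linked there.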
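
Once the command directory has been populated as described above, its contents can be checked against the rules this README gives: no interpreters, and no program or link target that a non-root user can modify. The script below is an added example, not part of smrsh; the function names are hypothetical, and it assumes readlink(1) is available and resolves only one level of symbolic link.

```shell
#!/bin/sh
# Added example: audit an smrsh command directory against this README's rules.
# Usage: sh audit.sh DIR [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)

# True if the basename is one of the programs the README says to keep out.
is_interpreter() {
    case ${1##*/} in
        sh|csh|perl|uudecode|sed) return 0 ;;
        *) return 1 ;;
    esac
}

audit_cmddir() {
    dir=$1 want_uid=${2:-0} findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        target=$entry
        if [ -L "$entry" ]; then target=$(readlink "$entry"); fi
        # A link called "vacation" that points at /bin/sh is still a shell.
        if is_interpreter "$entry" || is_interpreter "$target"; then
            echo "INTERPRETER $entry -> $target"; findings=$((findings + 1))
        fi
        if [ ! -e "$entry" ]; then
            echo "DANGLING $entry"; findings=$((findings + 1)); continue
        fi
        # ls -L follows links: mode and owner are those of the real program.
        set -- $(ls -ndL "$entry" | awk '{print $1, $3}')
        mode=$1 uid=$2
        case $mode in
            ?????w*|????????w*)   # group-write or other-write bit set
                echo "WRITABLE $entry ($mode)"; findings=$((findings + 1)) ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $entry (uid $uid, expected $want_uid)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was reported
}

if [ "$#" -gt 0 ]; then audit_cmddir "$@"; fi
```

Run it as `sh audit.sh /usr/adm/sm.bin`; a non-zero exit status means at least one entry needs attention.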