README  smrsh - sendmail restricted shell.

@(#)README 8.2 11/11/1995


This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University. This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.


The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8). This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs. When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities. As such, smrsh should compile on most
Unix C compilers.


To compile smrsh.c, use the following command:

    host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking. As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

    host.domain% cc -Bstatic -o smrsh smrsh.c


Choose a directory that smrsh will reside in. We will use the traditional
/usr/local/etc directory for the remainder of this document.

As root, install smrsh in the /usr/local/etc directory, with mode 511.

    host.domain# mv smrsh /usr/local/etc
    host.domain# chmod 511 /usr/local/etc/smrsh


Next, determine the list of commands that smrsh should allow sendmail
to run. This list of allowable commands can be determined by:

    1. examining your /etc/aliases file, to indicate what commands
       are being used by the system.

    2. surveying your host's .forward files, to determine what
       commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications. Additionally, you should include in the list
popular commands such as /usr/ucb/vacation.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.


You will next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute. This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied by
a change in smrsh.c.


You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin. Change the file permissions, so that these programs
cannot be modified by non-root users. If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

    host.domain# cd /usr/adm/sm.bin
    host.domain# ln -s /usr/ucb/vacation vacation


After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell. Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf. This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/local/etc/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:

    Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u

which should be changed to:

    Mprog, P=/usr/local/etc/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
             ^^^^^^^^^^^^^^^^^^^^

A more generic line may be:

    Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:

    Mprog, P=/usr/local/etc/smrsh, F=lsDFM, A=sh -c $u


After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by discovering
if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
or /etc/mail directories. The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:

    host.domain# /usr/lib/sendmail -bz

Now re-start the sendmail process. An example of how to do this on
a typical system follows:

    host.domain# /usr/bin/ps aux | /usr/bin/grep sendmail
    root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q
    host.domain# /bin/kill -9 130
    host.domain# /usr/lib/sendmail -bd -q30m
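
The survey of /etc/aliases and .forward files described above can be
scripted. The following is an added example, not part of this README or of
the smrsh distribution: it lists every program that mail is piped to, rejects
the interpreters named above, and reports which remaining programs are not yet
present in the sm.bin directory. The function names and the sample files are
constructed for illustration, and matching on the program's basename in sm.bin
is an assumption modelled on the vacation link shown earlier.

```shell
#!/bin/sh
# Added example (not from the README): survey "|program" deliveries before
# populating sm.bin. Function names are illustrative.
SM_BIN=${SM_BIN:-/usr/adm/sm.bin}          # directory named in the README
INTERPRETERS="sh csh perl uudecode sed"    # programs the README says to exclude

# Print each distinct program path that mail is piped to ("|command args")
# in the given aliases(5)-format or .forward files. Comment lines are skipped.
list_programs() {
    cat "$@" 2>/dev/null | tr '\t' ' ' | sed '/^ *#/d' | tr ',' '\n' |
        sed -n 's/^[^|]*|[ "]*\([^ "]*\).*$/\1/p' | sort -u
}

# REJECT interpreters, OK if the basename is already in SM_BIN, else MISSING.
classify() {
    name=${1##*/}
    for i in $INTERPRETERS; do
        if [ "$name" = "$i" ]; then echo "REJECT $1"; return 0; fi
    done
    if [ -x "$SM_BIN/$name" ]; then echo "OK $1"; else echo "MISSING $1"; fi
}

# Classify every piped program found in the files given as arguments.
survey() {
    list_programs "$@" | while IFS= read -r prog; do classify "$prog"; done
}

# Constructed sample input: an aliases file, one .forward, a scratch sm.bin.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/sm.bin" && : > "$d/sm.bin/vacation" && chmod 755 "$d/sm.bin/vacation"
    cat > "$d/aliases" <<'EOF'
# constructed sample aliases file
postmaster: root
decode: "|/usr/bin/uudecode"
listfilter: "|/usr/local/bin/filter -q", archive
EOF
    cat > "$d/forward" <<'EOF'
\alice, "|/usr/ucb/vacation alice"
"|/bin/sh -c 'cat >> /tmp/log'"
EOF
    ( SM_BIN="$d/sm.bin"; survey "$d/aliases" "$d/forward" )
    rm -rf "$d"
}
demo
```

Entries reported as REJECT should be removed from the aliases or .forward
file rather than added to sm.bin; entries reported as MISSING are candidates
for review before they are copied or linked into the directory.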