README smrsh - sendmail restricted shell.

This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University. This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.

The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8). This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs. When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities. As such, smrsh should compile on most
Unix C compilers.

smrsh should build on most systems with the enclosed Build script:

        host.domain% sh Build

To compile smrsh.c by hand, use the following command:

        host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking. As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

        host.domain% cc -Bstatic -o smrsh smrsh.c
    or
        host.domain% sh Build LDOPTS=-Bstatic

With gcc, the GNU C compiler, use the -static option.

        host.domain% cc -static -o smrsh smrsh.c
    or
        host.domain% sh Build LDOPTS=-static

As root, install smrsh in /usr/libexec. Using the Build script:

        host.domain# sh Build install

For manual installation: install smrsh in the /usr/libexec
directory, with mode 511.

        host.domain# mv smrsh /usr/libexec
        host.domain# chmod 511 /usr/libexec/smrsh

Next, determine the list of commands that smrsh should allow sendmail
to run. This list of allowable commands can be determined by:

        1. examining your /etc/mail/aliases file, to indicate what commands
           are being used by the system.

        2. surveying your host's .forward files, to determine what
           commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications. Additionally, you should include in the list
popular commands such as /usr/ucb/vacation.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.

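The survey of aliases and .forward files, and the check for interpreter
programs, can be scripted. The following is an added example, not part of
the smrsh distribution or of the original README; the function names and
the sample entries are constructed for illustration.

```sh
# Added example; function names and sample data are constructed.

# Print each program that aliases/.forward text pipes mail to, one per line.
# Reads the files named as arguments, or standard input when none are given.
# On a real host: list_piped_programs /etc/mail/aliases /home/*/.forward
# (the /home layout is an assumption).
list_piped_programs() {
    # 1) drop comments, 2) put each recipient on its own line,
    # 3) keep the first word after a "|", with or without quotes.
    cat -- "$@" 2>/dev/null |
    sed -e 's/#.*$//' |
    tr ',' '\n' |
    sed -n -e 's/^[^|]*|[[:space:]]*"\{0,1\}\([^[:space:]"]*\).*$/\1/p' |
    LC_ALL=C sort -u
}

# Read program paths on stdin and print those whose name is one the README
# says to keep out of the list: sh, csh, perl, uudecode, sed.
flag_interpreters() {
    while IFS= read -r prog; do
        case ${prog##*/} in
            sh|csh|perl|uudecode|sed) printf '%s\n' "$prog" ;;
        esac
    done
}

# Constructed sample standing in for /etc/mail/aliases plus one .forward line.
sample_input() {
    cat <<'EOF'
# constructed aliases entries
postmaster: root
lists: "|/usr/local/bin/listproc -q", archive
decode: "|/usr/bin/uudecode"
\alice, "|/usr/ucb/vacation alice"
EOF
}

echo "programs run from mail:"
sample_input | list_piped_programs
echo "of those, not acceptable for smrsh:"
sample_input | list_piped_programs | flag_interpreters
```
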
If your platform doesn't have a default SMRSH_CMDDIR setting, you will
next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute. This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied with
a change in smrsh.c.

You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin. Change the file permissions, so that these programs
can not be modified by non-root users. If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

        host.domain# cd /usr/adm/sm.bin
        host.domain# ln -s /usr/ucb/vacation vacation

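The permission requirement above, including the targets of links, can be
checked with find(1). The following is an added example, not part of the
smrsh distribution or of the original README; the function names and the
sample directory layout are constructed for illustration.

```sh
# Added example; function names and the sample layout are constructed.

# audit_cmddir DIR [UID]
# Report programs in the smrsh command directory that a non-root user could
# change. -L makes find test the target of a link, not the link itself.
audit_cmddir() {
    dir=$1
    owner=${2:-0}     # uid expected to own every program; 0 is root
    find -L "$dir" -type f \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/group- or world-writable: /'
    find -L "$dir" -type f ! -user "$owner" -print |
        sed 's/^/not owned by expected uid: /'
    # With -L, "-type l" matches only links whose target does not exist.
    find -L "$dir" -type l -print |
        sed 's/^/dangling link: /'
}

# Constructed layout: three links, one to a group-writable target and one
# to a target that does not exist. Prints the top of the temporary tree.
make_sample_cmddir() {
    top=$(mktemp -d)
    mkdir "$top/ucb" "$top/sm.bin"
    : > "$top/ucb/vacation"; chmod 755 "$top/ucb/vacation"
    : > "$top/ucb/filter";   chmod 775 "$top/ucb/filter"
    ln -s "$top/ucb/vacation" "$top/sm.bin/vacation"
    ln -s "$top/ucb/filter"   "$top/sm.bin/filter"
    ln -s "$top/ucb/missing"  "$top/sm.bin/missing"
    printf '%s\n' "$top"
}

# The sample files belong to the current user, so pass that uid here;
# on a real host run: audit_cmddir /usr/adm/sm.bin
top=$(make_sample_cmddir)
audit_cmddir "$top/sm.bin" "$(id -u)"
rm -rf "$top"
```
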
After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell. Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf. This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/libexec/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:
        Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u

which should be changed to:
        Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
                 ^^^^^^^^^^^^^^^^^^

A more generic line may be:
        Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:
        Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u

After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by discovering
if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
or /etc/mail directories. The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:
        host.domain# /usr/lib/sendmail -bz

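Both conditions, the Mprog change and a frozen configuration that is not
older than sendmail.cf, can be verified before restarting sendmail. The
following is an added example, not part of the smrsh distribution or of the
original README; the function names are constructed, and the frozen file is
assumed to sit beside sendmail.cf under the name sendmail.fc.

```sh
# Added example; function names are constructed for illustration.

# Print the P= field of the Mprog mailer definition in a sendmail.cf,
# joining continuation lines (lines that start with white space).
mprog_program() {
    awk '
        /^Mprog[, \t]/     { in_def = 1; def = $0; next }
        in_def && /^[ \t]/ { def = def $0; next }
        { in_def = 0 }
        END {
            n = split(def, field, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", field[i])
                if (field[i] ~ /^P=/) { print substr(field[i], 3); exit }
            }
        }' "$1"
}

# check_mprog CF [SMRSH]
# Return 0 when Mprog runs smrsh, 1 when it runs something else, and 2 when
# a frozen configuration older than CF exists (assumption: the frozen file
# is CF with the suffix .fc, in the same directory).
check_mprog() {
    cf=$1
    smrsh=${2:-/usr/libexec/smrsh}
    prog=$(mprog_program "$cf")
    if [ "$prog" != "$smrsh" ]; then
        echo "Mprog runs '$prog', not $smrsh"
        return 1
    fi
    fc=${cf%.cf}.fc
    if [ -f "$fc" ] && [ -n "$(find "$cf" -newer "$fc")" ]; then
        echo "$fc is older than $cf: rebuild the frozen configuration"
        return 2
    fi
    echo "Mprog runs $smrsh"
}

# Constructed sample: the generic Mprog line from above, before the change.
cf=$(mktemp -d)/sendmail.cf
printf 'Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u\n' > "$cf"
check_mprog "$cf" || true
rm -rf "${cf%/*}"
```
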
Now re-start the sendmail process. An example of how to do this on
a typical system follows:

        host.domain# cat /var/run/sendmail.pid
        130
        /usr/sbin/sendmail -bd -q30m
        host.domain# /bin/kill -15 130
        host.domain# /usr/sbin/sendmail -bd -q30m


$Revision: 1.1.1.2 $, Last updated $Date: 2003-04-08 15:11:50 $