source: trunk/third/sendmail/smrsh/smrsh.0 @ 12554

Revision 12554, 2.5 KB checked in by danw, 26 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r12553, which included commits to RCS files with non-trunk default branches.
SMRSH(8)                                                 SMRSH(8)

NAME
       smrsh - restricted shell for sendmail

SYNOPSIS
       smrsh -c command

DESCRIPTION
       The smrsh program is intended as a replacement for sh for
       use in the ``prog'' mailer in sendmail(8) configuration
       files.  It sharply limits the commands that can be run
       using the ``|program'' syntax of sendmail in order to
       improve the overall security of your system.  Briefly,
       even if a ``bad guy'' can get sendmail to run a program
       without going through an alias or forward file, smrsh
       limits the set of programs that he or she can execute.

       Briefly, smrsh limits programs to be in the directory
       /usr/adm/sm.bin, allowing the system administrator to
       choose the set of acceptable commands.  It also rejects
       any commands with the characters ``', `<', `>', `|', `;',
       `&', `$', `(', `)', `\r' (carriage return), or `\n'
       (newline) on the command line to prevent ``end run''
       attacks.

       Initial pathnames on programs are stripped, so forwarding
       to ``/usr/ucb/vacation'', ``/usr/bin/vacation'',
       ``/home/server/mydir/bin/vacation'', and ``vacation'' all
       actually forward to ``/usr/adm/sm.bin/vacation''.

       System administrators should be conservative about
       populating /usr/adm/sm.bin.  Reasonable additions are
       vacation(1), procmail(1), and the like.  No matter how
       browbeaten you may be, never include any shell or
       shell-like program (such as perl(1)) in the sm.bin
       directory.  Note that this does not restrict the use of
       shell or perl scripts in the sm.bin directory (using the
       ``#!'' syntax); it simply disallows execution of arbitrary
       programs.
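
The two checks described above (rejecting the listed characters, then stripping the initial pathname so the program resolves under /usr/adm/sm.bin), written out as one C function. This is an added example, not the smrsh source: the name smrsh_rewrite, the sample command lines, and the extra rejection of empty, "." and ".." program names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define CMDBIN "/usr/adm/sm.bin"   /* default program directory per the man page */

/* Characters the man page says are rejected anywhere on the command line. */
static const char FORBIDDEN[] = "`<>|;&$()\r\n";

/*
 * Apply the documented policy to the argument of "-c".
 * On success, writes CMDBIN/<basename> followed by the original arguments
 * into out and returns 0.  Returns -1 if the line is rejected or too long.
 */
int smrsh_rewrite(const char *cmdline, char *out, size_t outlen)
{
    const char *p, *end, *base, *q;
    size_t namelen;
    int n;

    if (cmdline == NULL || strpbrk(cmdline, FORBIDDEN) != NULL)
        return -1;

    p = cmdline + strspn(cmdline, " \t");   /* skip leading blanks */
    end = p + strcspn(p, " \t");            /* end of the program word */

    /* Strip the initial pathname: keep only what follows the last '/'. */
    for (base = q = p; q < end; q++)
        if (*q == '/')
            base = q + 1;
    namelen = (size_t)(end - base);

    /* Assumption of this example (not stated in the man page): refuse names
     * that are empty or that would resolve to CMDBIN itself or its parent. */
    if (namelen == 0 || (namelen <= 2 && strspn(base, ".") >= namelen))
        return -1;

    n = snprintf(out, outlen, "%s/%.*s%s", CMDBIN, (int)namelen, base, end);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample inputs. */
    const char *samples[] = { "/usr/ucb/vacation -a bob bob", "vacation; sh" };
    for (size_t i = 0; i < 2; i++)
        printf("%-30s -> %s\n", samples[i],
               smrsh_rewrite(samples[i], buf, sizeof buf) == 0 ? buf : "REJECTED");
    return 0;
}
```

Because only the final path component is kept, a request for ``/bin/sh'' becomes ``/usr/adm/sm.bin/sh'', which is why the directory contents are the real policy.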

COMPILATION
       Compilation should be trivial on most systems.  You may
       need to use -DPATH=\"path\" to adjust the default search
       path (defaults to ``/bin:/usr/bin:/usr/ucb'') and/or
       -DCMDBIN=\"dir\" to change the default program directory
       (defaults to ``/usr/adm/sm.bin'').

FILES
       /usr/adm/sm.bin - directory for restricted programs

SEE ALSO
       sendmail(8)

                             11/02/93