smrsh - restricted shell for sendmail
smrsh -c command
The smrsh program is intended as a replacement for /bin/sh
for use in the
``prog'' mailer in sendmail(8) configuration files. It
sharply limits
the commands that can be run using the ``|program'' syntax
of sendmail(8)
in order to improve the overall security of your system.
Briefly, even
if a ``bad guy'' can get sendmail to run a program without
going through
an alias or forward file, smrsh limits the set of programs
that he or she
can execute.
Briefly, smrsh limits programs to be in a single directory,
by default
/usr/libexec/sm.bin, allowing the system administrator to
choose the set
of acceptable commands, and the shell built-in commands
``exec'',
``exit'', and ``echo''. It also rejects any commands with
the characters ' (carriage return), or
`', `<', `>', `;', `$', `(', `)', `
`0 (newline)
on the command line to prevent ``end run'' attacks.
It allows
``||'' and ``&&'' to enable commands like:
"|exec /usr/local/bin/filter || exit 75"
Initial pathnames on programs are stripped, so forwarding to
/usr/ucb/vacation, /usr/bin/vacation,
/home/server/mydir/bin/vacation,
and vacation all actually forward to
/usr/libexec/sm.bin/vacation.
System administrators should be conservative about populating the sm.bin
directory. For example, a reasonable additions is vacation(1) and the
like. No matter how brow-beaten you may be, never include
any shell or
shell-like program (such as perl(1)) in the sm.bin directory. Note that
this does not restrict the use of shell or perl scripts in
the sm.bin directory
(using the ``#!'' syntax); it simply disallows execution of arbitrary
programs. Also, including mail filtering programs
such as procmail
is a very bad idea. procmail allows users to run arbitrary
programs in
their procmailrc.
/usr/libexec/sm.bin directory for restricted programs
sendmail(8)
OpenBSD 3.6 October 7, 2003
[ Back ] |
