old ( 102533 ) new ( 120259 )
1.\" Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers.
2.\" All rights reserved.
3.\" Copyright (c) 1993 Eric P. Allman. All rights reserved.
4.\" Copyright (c) 1993
5.\" The Regents of the University of California. All rights reserved.
6.\"
7.\" By using this file, you agree to the terms and conditions set
8.\" forth in the LICENSE file which can be found at the top level of
9.\" the sendmail distribution.
10.\"
11.\"
12.\" $Id: smrsh.8,v 8.16 2002/04/25 13:33:40 ca Exp $
13.\"
14.TH SMRSH 8 "$Date: 2001/01/24 00:40:47 $"
15.SH NAME
16smrsh \- restricted shell for sendmail
17.SH SYNOPSIS
18.B smrsh
19.B \-c
20command
21.SH DESCRIPTION
22The
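Review bot: the date in the .TH line (line 14) reads 2001/01/24, while the $Id on line 12 records the file as revised on 2002/04/25, so the rendered page footer will show a date older than the text it documents. Bring the .TH date in line with the revision recorded in $Id so readers can tell which smrsh behaviour this page describes.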

--- 19 unchanged lines hidden (view full) ---

42/usr/libexec/sm.bin,
43allowing the system administrator to choose the set of acceptable commands,
44and to the shell builtin commands ``exec'', ``exit'', and ``echo''.
45It also rejects any commands with the characters
46`\`', `<', `>', `;', `$', `(', `)', `\er' (carriage return),
47or `\en' (newline)
48on the command line to prevent ``end run'' attacks.
49It allows ``||'' and ``&&'' to enable commands like:
50``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"''
51.PP
52Initial pathnames on programs are stripped,
53so forwarding to ``/usr/bin/vacation'',
54``/home/server/mydir/bin/vacation'',
55and
56``vacation''
57all actually forward to
58``/usr/libexec/sm.bin/vacation''.
59.PP
60System administrators should be conservative about populating
61the sm.bin directory.
62Reasonable additions are
63.IR vacation (1),
64.IR procmail (1),
65and the like.
66No matter how brow-beaten you may be,
67never include any shell or shell-like program
68(such as
69.IR perl (1))
70in the
71sm.bin
72directory.
73Note that this does not restrict the use of shell or perl scripts
74in the sm.bin directory (using the ``#!'' syntax);
75it simply disallows execution of arbitrary programs.
76.SH COMPILATION
77Compilation should be trivial on most systems.
78You may need to use \-DSMRSH_PATH=\e"\fIpath\fP\e"
79to adjust the default search path
80(defaults to ``/bin:/usr/bin'')
81and/or \-DSMRSH_CMDDIR=\e"\fIdir\fP\e"
82to change the default program directory
83(defaults to ``/usr/libexec/sm.bin'').
84.SH FILES
85/usr/libexec/sm.bin \- directory for restricted programs
86.SH SEE ALSO
87sendmail(8)
88.\" $FreeBSD: head/contrib/sendmail/smrsh/smrsh.8 102533 2002-08-28 18:12:33Z gshapiro $
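Review bot: the paragraph at lines 45-50 enumerates the rejected characters and then says ``||'' and ``&&'' are allowed, but it never says how a single `|` or `&` is treated, and neither appears in the rejected list. Administrators rely on this list to judge what a forwarded program entry can chain together, so state the handling of a lone `|` or `&` explicitly next to the sentence beginning "It allows". A short note in the same place that the pathname stripping described at lines 52-58 applies to every command in a ``||'' or ``&&'' chain, if that is the case, would also remove ambiguity.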