| smrsh.8 (102533) | smrsh.8 (120259) |
|---|---|
| 1.\" Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. 2.\" All rights reserved. 3.\" Copyright (c) 1993 Eric P. Allman. All rights reserved. 4.\" Copyright (c) 1993 5.\" The Regents of the University of California. All rights reserved. 6.\" 7.\" By using this file, you agree to the terms and conditions set 8.\" forth in the LICENSE file which can be found at the top level of 9.\" the sendmail distribution. 10.\" 11.\" | 1.\" Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. 2.\" All rights reserved. 3.\" Copyright (c) 1993 Eric P. Allman. All rights reserved. 4.\" Copyright (c) 1993 5.\" The Regents of the University of California. All rights reserved. 6.\" 7.\" By using this file, you agree to the terms and conditions set 8.\" forth in the LICENSE file which can be found at the top level of 9.\" the sendmail distribution. 10.\" 11.\" |
| 12.\" $Id: smrsh.8,v 8.16 2002/04/25 13:33:40 ca Exp $ | 12.\" $Id: smrsh.8,v 8.16.2.1 2003/07/08 01:33:03 gshapiro Exp $ |
| 13.\" | 13.\" |
| 14.TH SMRSH 8 "$Date: 2001/01/24 00:40:47 $" | 14.TH SMRSH 8 "$Date: 2003/07/08 01:33:03 $" |
| 15.SH NAME 16smrsh \- restricted shell for sendmail 17.SH SYNOPSIS 18.B smrsh 19.B \-c 20command 21.SH DESCRIPTION 22The --- 19 unchanged lines hidden (view full) --- 42/usr/libexec/sm.bin, 43allowing the system administrator to choose the set of acceptable commands, 44and to the shell builtin commands ``exec'', ``exit'', and ``echo''. 45It also rejects any commands with the characters 46`\`', `<', `>', `;', `$', `(', `)', `\er' (carriage return), 47or `\en' (newline) 48on the command line to prevent ``end run'' attacks. 49It allows ``||'' and ``&&'' to enable commands like: | 15.SH NAME 16smrsh \- restricted shell for sendmail 17.SH SYNOPSIS 18.B smrsh 19.B \-c 20command 21.SH DESCRIPTION 22The --- 19 unchanged lines hidden (view full) --- 42/usr/libexec/sm.bin, 43allowing the system administrator to choose the set of acceptable commands, 44and to the shell builtin commands ``exec'', ``exit'', and ``echo''. 45It also rejects any commands with the characters 46`\`', `<', `>', `;', `$', `(', `)', `\er' (carriage return), 47or `\en' (newline) 48on the command line to prevent ``end run'' attacks. 49It allows ``||'' and ``&&'' to enable commands like: |
| 50``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"'' | 50``"|exec /usr/local/bin/filter || exit 75"'' |
| 51.PP 52Initial pathnames on programs are stripped, 53so forwarding to ``/usr/bin/vacation'', 54``/home/server/mydir/bin/vacation'', 55and 56``vacation'' 57all actually forward to 58``/usr/libexec/sm.bin/vacation''. 59.PP 60System administrators should be conservative about populating 61the sm.bin directory. | 51.PP 52Initial pathnames on programs are stripped, 53so forwarding to ``/usr/bin/vacation'', 54``/home/server/mydir/bin/vacation'', 55and 56``vacation'' 57all actually forward to 58``/usr/libexec/sm.bin/vacation''. 59.PP 60System administrators should be conservative about populating 61the sm.bin directory. |
| 62Reasonable additions are | 62For example, a reasonable additions is |
| 63.IR vacation (1), | 63.IR vacation (1), |
| 64.IR procmail (1), | |
| 65and the like. 66No matter how brow-beaten you may be, 67never include any shell or shell-like program 68(such as 69.IR perl (1)) 70in the 71sm.bin 72directory. 73Note that this does not restrict the use of shell or perl scripts 74in the sm.bin directory (using the ``#!'' syntax); 75it simply disallows execution of arbitrary programs. | 64and the like. 65No matter how brow-beaten you may be, 66never include any shell or shell-like program 67(such as 68.IR perl (1)) 69in the 70sm.bin 71directory. 72Note that this does not restrict the use of shell or perl scripts 73in the sm.bin directory (using the ``#!'' syntax); 74it simply disallows execution of arbitrary programs. |
| 75Also, including mail filtering programs such as 76.IR procmail (1) 77is a very bad idea. 78.IR procmail (1) 79allows users to run arbitrary programs in their 80.IR procmailrc (5). |
|
| 76.SH COMPILATION 77Compilation should be trivial on most systems. 78You may need to use \-DSMRSH_PATH=\e"\fIpath\fP\e" 79to adjust the default search path 80(defaults to ``/bin:/usr/bin'') 81and/or \-DSMRSH_CMDDIR=\e"\fIdir\fP\e" 82to change the default program directory 83(defaults to ``/usr/libexec/sm.bin''). 84.SH FILES 85/usr/libexec/sm.bin \- directory for restricted programs 86.SH SEE ALSO 87sendmail(8) | 81.SH COMPILATION 82Compilation should be trivial on most systems. 83You may need to use \-DSMRSH_PATH=\e"\fIpath\fP\e" 84to adjust the default search path 85(defaults to ``/bin:/usr/bin'') 86and/or \-DSMRSH_CMDDIR=\e"\fIdir\fP\e" 87to change the default program directory 88(defaults to ``/usr/libexec/sm.bin''). 89.SH FILES 90/usr/libexec/sm.bin \- directory for restricted programs 91.SH SEE ALSO 92sendmail(8) |
| 88.\" $FreeBSD: head/contrib/sendmail/smrsh/smrsh.8 102533 2002-08-28 18:12:33Z gshapiro $ | 93.\" $FreeBSD: head/contrib/sendmail/smrsh/smrsh.8 120259 2003-09-19 23:14:57Z gshapiro $ |