README revision 98121

README  smrsh - sendmail restricted shell.

This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University.  This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.



The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8).  This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs.  When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities.  As such, smrsh should compile on most
Unix C compilers.

smrsh should build on most systems with the enclosed Build script:

	host.domain% sh Build

To compile smrsh.c by hand, use the following command:

	host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking.  As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

	host.domain% cc -Bstatic -o smrsh smrsh.c
		or
	host.domain% sh Build LDOPTS=-Bstatic

With gcc, the GNU C compiler, use the -static option.

	host.domain% cc -static -o smrsh smrsh.c
		or
	host.domain% sh Build LDOPTS=-static



As root, install smrsh in /usr/libexec.  Using the Build script:

	host.domain# sh Build install

For manual installation: install smrsh in the /usr/libexec
directory, with mode 511.

	host.domain# mv smrsh /usr/libexec
	host.domain# chmod 511 /usr/libexec/smrsh



Next, determine the list of commands that smrsh should allow sendmail
to run.  This list of allowable commands can be determined by:

   1.  examining your /etc/mail/aliases file, to see what commands
       are being used by the system.

   2.  surveying your host's .forward files, to determine what
       commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications.  Additionally, you should include popular commands
such as /usr/ucb/vacation in the list.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.
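
The survey in steps 1 and 2 can be scripted.  The following is an added
example, not part of the original README or of the smrsh distribution: it
extracts the programs that alias and .forward entries pipe mail to and marks
the interpreters named above for rejection.  The function names are chosen
here and the file contents are constructed samples.

```shell
# Added example (not from the smrsh distribution): survey piped commands.

# Print each unique program that follows a "|" in aliases(5)-style files.
piped_commands() {
    sed '/^[[:space:]]*#/d' "$@" |
        tr ',' '\n' |
        sed -n 's/^[^|]*|[[:space:]]*"\{0,1\}\([^[:space:]"]\{1,\}\).*$/\1/p' |
        sort -u
}

# Label each program: REJECT for the interpreters the README rules out,
# CANDIDATE for everything else (still to be reviewed by the administrator).
survey() {
    piped_commands "$@" | while read -r prog; do
        case "$(basename "$prog")" in
            sh|csh|perl|uudecode|sed) echo "REJECT $prog" ;;
            *) echo "CANDIDATE $prog" ;;
        esac
    done
}

# Constructed sample input, written to a scratch directory.
make_samples() {
    cat > "$1/aliases" <<'EOF'
# constructed sample aliases file
postmaster: root
autoreply: "|/usr/ucb/vacation jdoe"
decode: "|/usr/bin/uudecode"
lists: jdoe, "|/usr/local/bin/listproc -q"
EOF
    cat > "$1/forward" <<'EOF'
\jdoe, "|/usr/ucb/vacation jdoe"
"|/bin/sh -c /home/jdoe/filter"
EOF
}

scratch=$(mktemp -d)
make_samples "$scratch"
survey "$scratch/aliases" "$scratch/forward"
rm -rf "$scratch"
```

Entries marked REJECT need a non-interpreter replacement before the switch
to smrsh; CANDIDATE entries are only the input to the administrator's review.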

If your platform doesn't have a default SMRSH_CMDDIR setting, you will
next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute.   This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied by
a change in smrsh.c.


You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin.  Change the file permissions, so that these programs
cannot be modified by non-root users.  If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

	host.domain# cd /usr/adm/sm.bin
	host.domain# ln -s /usr/ucb/vacation vacation
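
The rules above (no interpreters, nothing modifiable by non-root users, link
targets included) can be checked mechanically.  The following is an added
example, not part of the original README or of the smrsh distribution.
TRUSTED_UID and the function names are introduced here, and the directory
tree is a constructed sample so the audit runs without touching a real system.

```shell
# Added example (not from the smrsh distribution): audit a command directory.
TRUSTED_UID=${TRUSTED_UID:-0}   # name introduced here; 0 is root, as required

# True when the file (symlinks followed) is owned by another uid or is
# group- or world-writable, i.e. a non-root user could replace its contents.
modifiable() {
    [ -n "$(find -L "$1" -prune \( ! -user "$TRUSTED_UID" \
        -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# True for the interpreters the README says must not be allowed.
interpreter_name() {
    case "$(basename "$1")" in sh|csh|perl|uudecode|sed) return 0 ;; esac
    return 1
}

# Report one finding per entry; only one level of symlink is inspected by name.
audit_cmddir() {
    for entry in "$1"/*; do
        name=$(basename "$entry")
        target=$entry
        if [ -L "$entry" ]; then target=$(readlink "$entry"); fi
        if [ ! -e "$entry" ]; then
            echo "BROKEN $name"
        elif interpreter_name "$name" || interpreter_name "$target"; then
            echo "INTERPRETER $name"
        elif modifiable "$entry"; then
            echo "MODIFIABLE $name"
        fi
    done
}

# Constructed sample tree: one good link, one writable target, two interpreters.
make_sample_dir() {
    mkdir -p "$1/sm.bin" "$1/targets"
    for f in vacation filter sh; do : > "$1/targets/$f"; done
    : > "$1/sm.bin/perl"
    chmod 755 "$1/targets/vacation" "$1/targets/sh" "$1/sm.bin/perl"
    chmod 775 "$1/targets/filter"            # group-writable link target
    ln -s "$1/targets/vacation" "$1/sm.bin/vacation"
    ln -s "$1/targets/filter"   "$1/sm.bin/filter"
    ln -s "$1/targets/sh"       "$1/sm.bin/autoreply"
}

demo=$(mktemp -d) && make_sample_dir "$demo"
TRUSTED_UID=$(id -u)    # demo only, so the sample runs unprivileged
audit_cmddir "$demo/sm.bin"
rm -rf "$demo"
```

On a real host, leave TRUSTED_UID at 0 and pass the site's command directory
to audit_cmddir; an empty report means every entry passed.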




After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell.  Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf.  This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/libexec/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:
Mprog,	P=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u

which should be changed to:
Mprog,	P=/usr/libexec/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
          ^^^^^^^^^^^^^^^^^^

A more generic line may be:
Mprog,		P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:
Mprog,		P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u


After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by checking
whether a sendmail.fc file currently exists in either the /etc, /usr/lib,
or /etc/mail directories.  The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:
	host.domain# /usr/lib/sendmail -bz
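
A quick check that the change took effect, as an added example that is not
part of the original README or of the smrsh distribution: it reads the P=
field of the Mprog line and flags a frozen configuration that is older than
the edited sendmail.cf.  The function names are chosen here, the files are
constructed samples, and the file-time comparison is a heuristic.

```shell
# Added example (not from the smrsh distribution): post-change check.

# Print the P= field of the first Mprog line in a sendmail.cf.
prog_mailer_path() {
    sed -n 's/^Mprog,[[:space:]]*P=\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_prog_mailer CF [FC]  (FC = frozen configuration, if the site has one)
check_prog_mailer() {
    path=$(prog_mailer_path "$1")
    if [ "$path" != /usr/libexec/smrsh ]; then
        echo "FAIL: Mprog runs ${path:-nothing}"
    elif [ -n "${2:-}" ] && [ -e "$2" ] && [ "$1" -nt "$2" ]; then
        echo "FAIL: $2 predates $1, rebuild it with sendmail -bz"
    else
        echo "OK: Mprog runs $path"
    fi
}

# Constructed sample files; the Mprog lines are the Sun example above.
make_cf_samples() {
    printf 'Mprog,\tP=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u\n' \
        > "$1/before.cf"
    printf 'Mprog,\tP=/usr/libexec/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u\n' \
        > "$1/after.cf"
    : > "$1/sendmail.fc"
    touch -t 200101010000 "$1/sendmail.fc"   # frozen before the edit
    touch -t 200101020000 "$1/after.cf"
}

work=$(mktemp -d)
make_cf_samples "$work"
check_prog_mailer "$work/before.cf"
check_prog_mailer "$work/after.cf" "$work/sendmail.fc"
touch -t 200101030000 "$work/sendmail.fc"    # stands in for sendmail -bz
check_prog_mailer "$work/after.cf" "$work/sendmail.fc"
rm -rf "$work"
```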

Now re-start the sendmail process.  An example of how to do this on
a typical system follows:

	host.domain# cat /var/run/sendmail.pid
	130
	/usr/sbin/sendmail -bd -q30m
	host.domain# /bin/kill -15 130
	host.domain# /usr/sbin/sendmail -bd -q30m


$Revision: 8.8 $, Last updated $Date: 2001/01/24 00:05:58 $