The smrsh program is intended as a replacement for /bin/sh in the program mailer definition of Sendmail. It is a restricted shell utility that provides the ability to specify, through the /etc/smrsh directory, an explicit list of executable programs available to Sendmail. To be more accurate, even if somebody with malicious intentions can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to only those programs specified in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer under /usr/sbin/smrsh.
The first thing we need to do is to determine the list of commands that smrsh should allow Sendmail to run. By default we include, but are not limited to:
/bin/mail - if you have it installed on your system
/usr/bin/procmail - if you have it installed on your system
You should not include interpreter programs such as sh(1), csh(1), perl(1), uudecode(1) or sed(1), the stream editor, in your list of acceptable commands.
You will next need to populate the /etc/smrsh directory with the programs that are allowable for Sendmail to execute. To prevent duplicate programs, and do a nice job, it is better to establish links to the allowable programs from /etc/smrsh rather than copy programs to this directory. To allow the mail program /bin/mail, use the following commands:
[root@deep] /# cd /etc/smrsh
[root@deep ]/smrsh# ln -s /bin/mail mail
To allow the procmail program /usr/bin/procmail, use the following commands:
[root@deep] /# cd /etc/smrsh
[root@deep ]/smrsh# ln -s /usr/bin/procmail procmail
This will allow the mail and procmail programs to be run from a user's .forward file or an aliases file which uses the program syntax.
Procmail is required only on a Mail Hub Server and not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, then make the link with procmail as explained above; if you have configured your system as a Local Client Mail Server, then skip the procmail step above.
We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, /etc/mail/sendmail.cf. You must modify this single line Mprog definition in the sendmail.cf file, by replacing the /bin/sh specification with /usr/sbin/smrsh. Edit the sendmail.cf file, vi /etc/mail/sendmail.cf, and change the line:
Example 22.3. sendmail.cf
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Which should be changed to:
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Now re-start the sendmail process manually with the following command:
[root@deep] /# /etc/rc.d/init.d/sendmail restart
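The following script, added here as an example (it is not part of the original text), audits a finished setup against the rules given above: each entry in the smrsh directory must be a symlink to an existing executable, none of the interpreters named earlier may be linked in by name or by target, and the Mprog line in sendmail.cf must name /usr/sbin/smrsh. The function and file names are this example's own, and it builds a throwaway fixture in a temporary directory rather than reading /etc/smrsh, so it runs without root; point audit_smrsh_dir and check_mprog at /etc/smrsh and /etc/mail/sendmail.cf to check a real host.

```shell
# Interpreters that must not be reachable through smrsh, per the text above.
FORBIDDEN="sh csh perl uudecode sed"

is_forbidden() {                     # is_forbidden NAME -> 0 if NAME is an interpreter
    for bad in $FORBIDDEN; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

audit_smrsh_dir() {                  # audit_smrsh_dir DIR -> 0 if clean, 1 if any problem
    rc=0
    for entry in "$1"/*; do
        [ -L "$entry" ] || [ -e "$entry" ] || continue   # empty directory
        name=${entry##*/}
        if [ ! -L "$entry" ]; then
            echo "$name: not a symlink (link programs in, do not copy them)"; rc=1
            continue
        fi
        target=$(readlink "$entry")
        if [ ! -x "$entry" ]; then   # -x follows the link, so this catches dangling links
            echo "$name -> $target: dangling link or target not executable"; rc=1
        fi
        if is_forbidden "$name" || is_forbidden "${target##*/}"; then
            echo "$name -> $target: interpreter must not be in the smrsh directory"; rc=1
        fi
    done
    return $rc
}

check_mprog() {                      # check_mprog FILE -> 0 if the Mprog mailer uses smrsh
    grep '^Mprog,' "$1" | grep -q 'P=/usr/sbin/smrsh'
}

make_fixture() {                     # constructed sample data; prints the temp dir it created
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/ok" "$d/bad"
    printf '#!/bin/sh\n' > "$d/bin/mail"; chmod 755 "$d/bin/mail"
    ln -s "$d/bin/mail" "$d/ok/mail"                  # the recommended form
    cp "$d/bin/mail" "$d/bad/mail"                    # copied instead of linked
    ln -s /bin/sh "$d/bad/sh"                         # interpreter linked in
    printf 'Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, A=sh -c $u\n' > "$d/ok.cf"
    printf 'Mprog, P=/bin/sh, F=lsDFMoqeu9, A=sh -c $u\n' > "$d/bad.cf"
    echo "$d"
}

d=$(make_fixture)
audit_smrsh_dir "$d/ok" && echo "ok/: clean"
audit_smrsh_dir "$d/bad" || echo "bad/: problems found (expected)"
rm -rf "$d"
```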
In our sendmail.mc configuration file for the Mail Hub Server above, we have already configured this Mprog line to use the restricted shell /usr/sbin/smrsh with the m4 macro FEATURE(`smrsh',`/usr/sbin/smrsh'), so don't be surprised if the /usr/sbin/smrsh specification is already set in your /etc/mail/sendmail.cf file for the Mail Hub relay.
Instead, use the technique shown above for the other /etc/mail/sendmail.cf files in your network, such as those on the local or neighbor null-client machines and servers that use the null.mc macro configuration file to generate the /etc/mail/sendmail.cf file.
