diff -up sendmail-8.14.3/smrsh/README.smrsh_paths sendmail-8.14.3/smrsh/README |
|
--- sendmail-8.14.3/smrsh/README.smrsh_paths 2008-02-12 17:40:06.000000000 +0100 |
|
+++ sendmail-8.14.3/smrsh/README 2008-07-15 14:40:36.000000000 +0200 |
|
@@ -6,7 +6,7 @@ Software Engineering Institute, Carnegie |
|
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability, |
|
and to the software, smrsh.c, written by Eric Allman. |
|
|
|
- |
|
+* Modified by Red Hat, Inc., to reflect different paths. * |
|
|
|
The smrsh(8) program is intended as a replacement for /bin/sh in the |
|
program mailer definition of sendmail(8). This README file describes |
|
@@ -56,15 +56,15 @@ These can be added to the devtools/Site/ |
|
global M4 macro confENVDEF or the smrsh specific M4 macro |
|
conf_smrsh_ENVDEF. |
|
|
|
-As root, install smrsh in /usr/libexec. Using the Build script: |
|
+As root, install smrsh in /usr/sbin. Using the Build script: |
|
|
|
host.domain# sh ./Build install |
|
|
|
-For manual installation: install smrsh in the /usr/libexec |
|
+For manual installation: install smrsh in the /usr/sbin |
|
directory, with mode 511. |
|
|
|
- host.domain# mv smrsh /usr/libexec |
|
- host.domain# chmod 511 /usr/libexec/smrsh |
|
+ host.domain# mv smrsh /usr/sbin |
|
+ host.domain# chmod 511 /usr/sbin/smrsh |
|
|
|
|
|
|
|
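Review bot: The changed sentence "As root, install smrsh in /usr/sbin. Using the Build script:" now promises a destination that nothing in this patch sets. The visible hunks touch only README, smrsh.8 and smrsh.c, so `sh ./Build install` will still install wherever the build configuration points. Either confirm the site configuration used for the package installs smrsh into /usr/sbin, or reword the sentence so that only the manual `mv`/`chmod 511` steps name /usr/sbin.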
@@ -86,7 +86,7 @@ perl(1), uudecode(1) or the stream edito |
|
acceptable commands. |
|
|
|
If your platform doesn't have a default SMRSH_CMDDIR setting, you will |
|
-next need to create the directory /usr/adm/sm.bin and populate |
|
+next need to create the directory /etc/smrsh and populate |
|
it with the programs that your site feels are allowable for sendmail |
|
to execute. This directory is explicitly specified in the source |
|
code for smrsh, so changing this directory must be accompanied with |
|
@@ -95,22 +95,22 @@ a change in smrsh.c. |
|
|
|
You will have to be root to make these modifications. |
|
|
|
-After creating the /usr/adm/sm.bin directory, either copy the programs |
|
+After creating the /etc/smrsh directory, either copy the programs |
|
to the directory, or establish links to the allowable programs from |
|
-/usr/adm/sm.bin. Change the file permissions, so that these programs |
|
+/etc/smrsh. Change the file permissions, so that these programs |
|
can not be modified by non-root users. If you use links, you should |
|
ensure that the target programs are not modifiable. |
|
|
|
To allow the popular vacation(1) program by creating a link in the |
|
-/usr/adm/sm.bin directory, you should: |
|
+/etc/smrsh directory, you should: |
|
|
|
- host.domain# cd /usr/adm/sm.bin |
|
+ host.domain# cd /etc/smrsh |
|
host.domain# ln -s /usr/ucb/vacation vacation |
|
|
|
|
|
|
|
|
|
-After populating the /usr/adm/sm.bin directory, you can now configure |
|
+After populating the /etc/smrsh directory, you can now configure |
|
sendmail to use the restricted shell. Save the current sendmail.cf |
|
file prior to modifying it, as a prudent precaution. |
|
|
|
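Review bot: The unchanged example line `host.domain# ln -s /usr/ucb/vacation vacation` still points at /usr/ucb, while every other path in this hunk was moved to the new layout and the smrsh.c hunk in this same patch removes /usr/ucb from the default PATH. A reader following the README on the target system would create a link in /etc/smrsh to a location the rest of the patch treats as absent. Update the link target to wherever vacation is installed on the target platform. Since the text just above says link targets must not be modifiable, the example should point at a root-owned binary.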
@@ -125,7 +125,7 @@ help to locate it. |
|
|
|
In order to configure sendmail to use smrsh, you must modify the Mprog |
|
definition in the sendmail.cf file, by replacing the /bin/sh specification |
|
-with /usr/libexec/smrsh. |
|
+with /usr/sbin/smrsh. |
|
|
|
As an example: |
|
|
|
@@ -133,14 +133,14 @@ In most Sun Microsystems' sendmail.cf fi |
|
Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u |
|
|
|
which should be changed to: |
|
-Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u |
|
- ^^^^^^^^^^^^^^^^^^ |
|
+Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u |
|
+ ^^^^^^^^^^^^^^^^ |
|
|
|
A more generic line may be: |
|
Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u |
|
|
|
and should be changed to; |
|
-Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u |
|
+Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u |
|
|
|
|
|
After modifying the Mprog definition in the sendmail.cf file, if a frozen |
|
@@ -151,7 +151,7 @@ or /etc/mail directories. The specific |
|
a search of the strings(1) output of the sendmail binary. |
|
|
|
In order to create a new frozen configuration, if it is required: |
|
- host.domain# /usr/lib/sendmail -bz |
|
+ host.domain# /usr/sbin/sendmail -bz |
|
|
|
Now re-start the sendmail process. An example of how to do this on |
|
a typical system follows: |
|
diff -up sendmail-8.14.3/smrsh/smrsh.8.smrsh_paths sendmail-8.14.3/smrsh/smrsh.8 |
|
--- sendmail-8.14.3/smrsh/smrsh.8.smrsh_paths 2004-08-06 05:55:35.000000000 +0200 |
|
+++ sendmail-8.14.3/smrsh/smrsh.8 2008-07-15 14:38:07.000000000 +0200 |
|
@@ -39,7 +39,7 @@ Briefly, |
|
.I smrsh |
|
limits programs to be in a single directory, |
|
by default |
|
-/usr/adm/sm.bin, |
|
+/etc/smrsh, |
|
allowing the system administrator to choose the set of acceptable commands, |
|
and to the shell builtin commands ``exec'', ``exit'', and ``echo''. |
|
It also rejects any commands with the characters |
|
@@ -56,10 +56,10 @@ so forwarding to ``/usr/ucb/vacation'', |
|
and |
|
``vacation'' |
|
all actually forward to |
|
-``/usr/adm/sm.bin/vacation''. |
|
+``/etc/smrsh/vacation''. |
|
.PP |
|
System administrators should be conservative about populating |
|
-the sm.bin directory. |
|
+the /etc/smrsh directory. |
|
For example, a reasonable additions is |
|
.IR vacation (1), |
|
and the like. |
|
@@ -68,7 +68,7 @@ never include any shell or shell-like pr |
|
(such as |
|
.IR perl (1)) |
|
in the |
|
-sm.bin |
|
+/etc/smrsh |
|
directory. |
|
Note that this does not restrict the use of shell or perl scripts |
|
in the sm.bin directory (using the ``#!'' syntax); |
|
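Review bot: The rename is incomplete in this paragraph. The hunk replaces `sm.bin` with `/etc/smrsh`, but the context line two lines later still reads "in the sm.bin directory (using the ``#!'' syntax);". Extend the hunk to change that occurrence as well, so the man page does not name two different directories in one sentence.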
@@ -79,20 +79,7 @@ is a very bad idea. |
|
.IR procmail (1) |
|
allows users to run arbitrary programs in their |
|
.IR procmailrc (5). |
|
-.SH COMPILATION |
|
-Compilation should be trivial on most systems. |
|
-You may need to use \-DSMRSH_PATH=\e"\fIpath\fP\e" |
|
-to adjust the default search path |
|
-(defaults to ``/bin:/usr/bin:/usr/ucb'') |
|
-and/or \-DSMRSH_CMDDIR=\e"\fIdir\fP\e" |
|
-to change the default program directory |
|
-(defaults to ``/usr/adm/sm.bin''). |
|
.SH FILES |
|
-/usr/adm/sm.bin \- default directory for restricted programs on most OSs |
|
-.PP |
|
-/var/adm/sm.bin \- directory for restricted programs on HP UX and Solaris |
|
-.PP |
|
-/usr/libexec/sm.bin \- directory for restricted programs on FreeBSD (>= 3.3) and DragonFly BSD |
|
- |
|
+/etc/smrsh \- directory for restricted programs |
|
.SH SEE ALSO |
|
sendmail(8) |
|
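Review bot: Deleting the whole COMPILATION section removes the only man page mention of `-DSMRSH_CMDDIR` and `-DSMRSH_PATH`, yet the smrsh.c hunks in this patch show both macros are still honoured (`# ifdef SMRSH_CMDDIR`, `# ifdef SMRSH_PATH`). The new FILES line "/etc/smrsh \- directory for restricted programs" then states the directory unconditionally, which is wrong for any build that overrides it. Consider keeping the section with the defaults updated to the new values, or at least wording the FILES entry as the default directory.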
diff -up sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths sendmail-8.14.3/smrsh/smrsh.c |
|
--- sendmail-8.14.3/smrsh/smrsh.c.smrsh_paths 2004-08-06 20:54:22.000000000 +0200 |
|
+++ sendmail-8.14.3/smrsh/smrsh.c 2008-07-15 14:38:07.000000000 +0200 |
|
@@ -77,7 +77,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20 |
|
# ifdef SMRSH_CMDDIR |
|
# define CMDDIR SMRSH_CMDDIR |
|
# else /* SMRSH_CMDDIR */ |
|
-# define CMDDIR "/usr/adm/sm.bin" |
|
+# define CMDDIR "/etc/smrsh" |
|
# endif /* SMRSH_CMDDIR */ |
|
#endif /* ! CMDDIR */ |
|
|
|
@@ -89,7 +89,7 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 20 |
|
# ifdef SMRSH_PATH |
|
# define PATH SMRSH_PATH |
|
# else /* SMRSH_PATH */ |
|
-# define PATH "/bin:/usr/bin:/usr/ucb" |
|
+# define PATH "/bin:/usr/bin" |
|
# endif /* SMRSH_PATH */ |
|
#endif /* ! PATH */ |
|
|
|
|
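Review bot: The new `# define PATH "/bin:/usr/bin"` is a behaviour change, not a relocation like the other hunks: it drops /usr/ucb from the search path that smrsh uses when no SMRSH_PATH is supplied. The marker line added to the README says only "to reflect different paths", so this narrowing is not recorded anywhere a user would see it. Add a short comment beside the define, or a sentence in the README, stating that /usr/ucb was removed on purpose, so that anyone whose allowed scripts relied on that directory can tell why lookups changed.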