SMRSH(8) BSD System Manager's Manual SMRSH(8)NAMEsmrsh - restricted shell for sendmail
SYNOPSISsmrsh-c command
DESCRIPTION
The smrsh program is intended as a replacement for /bin/sh for use in the
"prog" mailer in sendmail(8) configuration files. It sharply limits the
commands that can be run using the "|program" syntax of sendmail(8) in
order to improve the overall security of your system. Briefly, even if a
"bad guy" can get sendmail to run a program without going through an
alias or forward file, smrsh limits the set of programs that he or she
can execute.
Briefly, smrsh limits programs to be in a single directory, by default
/usr/libexec/sm.bin, allowing the system administrator to choose the set
of acceptable commands, and the shell built-in commands "exec", "exit",
and "echo". It also rejects any commands with the characters '\', '<',
'>', ';', '$', '(', ')', '\r' (carriage return), or '\n' (newline) on the
command line to prevent "end run" attacks. It allows "||" and "&&" to en-
able commands like:
"|exec /usr/local/bin/filter || exit 75"
Initial pathnames on programs are stripped, so forwarding to
/usr/ucb/vacation, /usr/bin/vacation, /home/server/mydir/bin/vacation,
and vacation all actually forward to /usr/libexec/sm.bin/vacation.
System administrators should be conservative about populating the sm.bin
directory. For example, a reasonable additions is vacation(1) and the
like. No matter how brow-beaten you may be, never include any shell or
shell-like program (such as perl(1)) in the sm.bin directory. Note that
this does not restrict the use of shell or perl scripts in the sm.bin
directory (using the "#!" syntax); it simply disallows execution of arbi-
trary programs. Also, including mail filtering programs such as procmail
is a very bad idea. procmail allows users to run arbitrary programs in
their procmailrc.
FILES
/usr/libexec/sm.bin directory for restricted programs
SEE ALSOsendmail(8)MirOS BSD #10-current July 2, 2011 1
