Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ smrsh(1M) — Reliant UNIX 5.44c4

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

sendmail(1M)

smrsh(1M)                                                         smrsh(1M)

NAME
     smrsh - restricted shell for sendmail

SYNOPSIS
     smrsh -c command

DESCRIPTION
     The smrsh program is intended as a replacement for sh for use in the
     "Local and Program Mailer" specification in sendmail(1M) configuration
     files. It sharply limits the commands that can be run using the
     "|program" syntax of sendmail in order to improve the over all secu-
     rity of your system. Briefly, even if a "bad guy" can get sendmail to
     run a program without going through an alias or forward file, smrsh
     limits the set of programs that he or she can execute.

     Briefly, smrsh limits programs to be in the directory /usr/adm/sm.bin,
     allowing the system administrator to choose the set of acceptable com-
     mands. It also rejects any commands with the characters "`", "<", ">",
     "|", ";", "&", "$", "(", ")", "\r" (carriage return), or "\n" (new-
     line) on the command line to prevent "end run" attacks.

     Initial pathnames on programs are stripped, so forwarding to
     /usr/ucb/vacation, /usr/bin/vacation, /home/server/mydir/bin/vacation,
     and vacation all actually forward to /usr/adm/sm.bin/vacation.

     System administrators should be conservative about populating
     /usr/adm/sm.bin. Reasonable additions are notify(1), vacation(1), and
     the like. No matter how brow-beaten you may be, never include any
     shell or shell-like program (such as perl) in the sm.bin directory.
     Note that this does not restrict the use of shell or perl scripts in
     the sm.bin directory (using the "#!" syntax); it simply disallows exe-
     cution of arbitrary programs.

COMPILATION
     Compilation should be trivial on most systems. You may need to use
     -DPATH=\"path\" to adjust the default search path (defaults to
     /bin:/usr/bin:/usr/ucb) and/or -DCMDBIN=\"dir\" to change the default
     program directory (defaults to /usr/adm/sm.bin).

FILES
     /usr/adm/sm.bin
          directory for restricted programs

SEE ALSO
     sendmail(1M).










Page 1                       Reliant UNIX 5.44                 Printed 4/99

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026