Commit | Line | Data |
---|---|---|
56e8ff67 | 1 | --- sendmail-8.10.0/smrsh/README.smrsh Tue Apr 27 22:26:10 1999 |
2 | +++ sendmail-8.10.0/smrsh/README Thu Mar 9 13:21:10 2000 | |
3 | @@ -6,7 +6,7 @@ | |
4 | intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability, | |
5 | and to the software, smrsh.c, written by Eric Allman. | |
6 | ||
7 | - | |
8 | +* Modified by Red Hat Software to reflect different paths. * | |
9 | ||
10 | The smrsh(8) program is intended as a replacement for /bin/sh in the | |
11 | program mailer definition of sendmail(8). This README file describes | |
12 | @@ -46,15 +46,15 @@ | |
13 | ||
14 | ||
15 | ||
16 | -As root, install smrsh in /usr/libexec. Using the Build script: | |
17 | +As root, install smrsh in /usr/sbin. Using the Build script: | |
18 | ||
19 | host.domain# sh Build install | |
20 | ||
21 | -For manual installation: install smrsh in the /usr/libexec | |
22 | +For manual installation: install smrsh in the /usr/sbin | |
23 | directory, with mode 511. | |
24 | ||
25 | - host.domain# mv smrsh /usr/libexec | |
26 | - host.domain# chmod 511 /usr/libexec/smrsh | |
27 | + host.domain# mv smrsh /usr/sbin | |
28 | + host.domain# chmod 511 /usr/sbin/smrsh | |
29 | ||
30 | ||
31 | ||
32 | @@ -76,7 +76,7 @@ | |
33 | acceptable commands. | |
34 | ||
35 | ||
36 | -You will next need to create the directory /usr/adm/sm.bin and populate | |
37 | +You will next need to create the directory /etc/smrsh and populate | |
38 | it with the programs that your site feels are allowable for sendmail | |
39 | to execute. This directory is explicitly specified in the source | |
40 | code for smrsh, so changing this directory must be accompanied with | |
41 | @@ -85,22 +85,22 @@ | |
42 | ||
43 | You will have to be root to make these modifications. | |
44 | ||
45 | -After creating the /usr/adm/sm.bin directory, either copy the programs | |
46 | +After creating the /etc/smrsh directory, either copy the programs | |
47 | to the directory, or establish links to the allowable programs from | |
48 | -/usr/adm/sm.bin. Change the file permissions, so that these programs | |
49 | +/etc/smrsh. Change the file permissions, so that these programs | |
50 | can not be modified by non-root users. If you use links, you should | |
51 | ensure that the target programs are not modifiable. | |
52 | ||
53 | To allow the popular vacation(1) program by creating a link in the | |
54 | -/usr/adm/sm.bin directory, you should: | |
55 | +/etc/smrsh directory, you should: | |
56 | ||
57 | - host.domain# cd /usr/adm/sm.bin | |
58 | + host.domain# cd /etc/smrsh | |
59 | host.domain# ln -s /usr/ucb/vacation vacation | |
60 | ||
61 | ||
62 | ||
63 | ||
64 | -After populating the /usr/adm/sm.bin directory, you can now configure | |
65 | +After populating the /etc/smrsh directory, you can now configure | |
66 | sendmail to use the restricted shell. Save the current sendmail.cf | |
67 | file prior to modifying it, as a prudent precaution. | |
68 | ||
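Review bot: The vacation example in this hunk still links to /usr/ucb/vacation (the unchanged line `ln -s /usr/ucb/vacation vacation`), even though the README now says it was modified to reflect different paths and the smrsh.c hunk in this patch drops /usr/ucb from the default search path. If vacation is not installed under /usr/ucb on the target system, following the example leaves a dangling link in /etc/smrsh. Suggest changing the link target to the path the distribution actually installs.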
69 | @@ -115,7 +115,7 @@ | |
70 | ||
71 | In order to configure sendmail to use smrsh, you must modify the Mprog | |
72 | definition in the sendmail.cf file, by replacing the /bin/sh specification | |
73 | -with /usr/libexec/smrsh. | |
74 | +with /usr/sbin/smrsh. | |
75 | ||
76 | As an example: | |
77 | ||
78 | @@ -123,14 +123,14 @@ | |
79 | Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
80 | ||
81 | which should be changed to: | |
82 | -Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
83 | +Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
84 | ^^^^^^^^^^^^^^^^^^ | |
85 | ||
86 | A more generic line may be: | |
87 | Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u | |
88 | ||
89 | and should be changed to; | |
90 | -Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u | |
91 | +Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u | |
92 | ||
93 | ||
94 | After modifying the Mprog definition in the sendmail.cf file, if a frozen | |
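Review bot: The caret underline beneath the first changed Mprog line keeps its old width. It is 18 characters, matching /usr/libexec/smrsh, while the new /usr/sbin/smrsh is 15, so the marker no longer covers just the P= value. Suggest trimming the underline to the new path length.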
95 | @@ -141,7 +141,7 @@ | |
96 | a search of the strings(1) output of the sendmail binary. | |
97 | ||
98 | In order to create a new frozen configuration, if it is required: | |
99 | - host.domain# /usr/lib/sendmail -bz | |
100 | + host.domain# /usr/sbin/sendmail -bz | |
101 | ||
102 | Now re-start the sendmail process. An example of how to do this on | |
103 | a typical system follows: | |
104 | --- sendmail-8.10.0/smrsh/smrsh.8.smrsh Tue Jun 15 00:50:19 1999 | |
105 | +++ sendmail-8.10.0/smrsh/smrsh.8 Thu Mar 9 13:21:40 2000 | |
106 | @@ -38,7 +38,7 @@ | |
107 | Briefly, | |
108 | .I smrsh | |
109 | limits programs to be in the directory | |
110 | -/usr/adm/sm.bin, | |
111 | +/etc/smrsh, | |
112 | allowing the system administrator to choose the set of acceptable commands, | |
113 | and to the shell builtin commands ``exec'', ``exit'', and ``echo''. | |
114 | It also rejects any commands with the characters | |
115 | @@ -55,10 +55,10 @@ | |
116 | and | |
117 | ``vacation'' | |
118 | all actually forward to | |
119 | -``/usr/adm/sm.bin/vacation''. | |
120 | +``/etc/smrsh/vacation''. | |
121 | .PP | |
122 | System administrators should be conservative about populating | |
123 | -/usr/adm/sm.bin. | |
124 | +/etc/smrsh | |
125 | Reasonable additions are | |
126 | .IR vacation (1), | |
127 | .IR procmail (1), | |
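Review bot: The replacement line `/etc/smrsh` in the "System administrators should be conservative about populating" paragraph loses the full stop that ended the old line `/usr/adm/sm.bin.`, so the rendered man page runs that sentence straight into "Reasonable additions are". Suggest `/etc/smrsh.` here.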
128 | @@ -68,20 +68,12 @@ | |
129 | (such as | |
130 | .IR perl (1)) | |
131 | in the | |
132 | -sm.bin | |
133 | +/etc/smrsh | |
134 | directory. | |
135 | Note that this does not restrict the use of shell or perl scripts | |
136 | -in the sm.bin directory (using the ``#!'' syntax); | |
137 | +in the /etc/smrsh directory (using the ``#!'' syntax); | |
138 | it simply disallows execution of arbitrary programs. | |
139 | -.SH COMPILATION | |
140 | -Compilation should be trivial on most systems. | |
141 | -You may need to use \-DPATH=\e"\fIpath\fP\e" | |
142 | -to adjust the default search path | |
143 | -(defaults to ``/bin:/usr/bin:/usr/ucb'') | |
144 | -and/or \-DCMDBIN=\e"\fIdir\fP\e" | |
145 | -to change the default program directory | |
146 | -(defaults to ``/usr/adm/sm.bin''). | |
147 | .SH FILES | |
148 | -/usr/adm/sm.bin \- directory for restricted programs | |
149 | +/etc/smrsh \- directory for restricted programs | |
150 | .SH SEE ALSO | |
151 | sendmail(8) | |
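Review bot: Deleting the whole COMPILATION section from smrsh.8 removes the only man-page mention of the compile-time overrides, yet smrsh.c in this same patch still wraps both defaults in `#ifndef CMDDIR` and `#ifndef PATH`. Suggest keeping the section and updating it instead: state the new defaults (/etc/smrsh and the new search path) and use the macro name CMDDIR, since the removed text says \-DCMDBIN, which does not match the #ifndef in smrsh.c.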
152 | --- sendmail-8.10.0/smrsh/smrsh.c.smrsh2 Tue Oct 26 22:49:51 1999 | |
153 | +++ sendmail-8.10.0/smrsh/smrsh.c Thu Mar 9 13:28:37 2000 | |
154 | @@ -76,7 +76,7 @@ | |
155 | ||
156 | /* directory in which all commands must reside */ | |
157 | #ifndef CMDDIR | |
158 | -# define CMDDIR "/usr/adm/sm.bin" | |
159 | +# define CMDDIR "/etc/smrsh" | |
160 | #endif /* ! CMDDIR */ | |
161 | ||
162 | /* characters disallowed in the shell "-c" argument */ | |
163 | @@ -84,7 +84,7 @@ | |
164 | ||
165 | /* default search path */ | |
166 | #ifndef PATH | |
167 | -# define PATH "/bin:/usr/bin:/usr/ucb" | |
168 | +# define PATH "/bin:/usr/bin:" | |
169 | #endif /* ! PATH */ | |
170 | ||
171 | #ifndef __P |
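Review bot: The new default `# define PATH "/bin:/usr/bin:"` ends in a colon, which leaves an empty final element. Shells and execvp-style lookups treat an empty PATH element as the current directory, so anything resolved through this search path can also be picked up from whatever the working directory happens to be, which works against the point of a restricted shell. Suggest `"/bin:/usr/bin"` with no trailing colon.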