[packages/sendmail.git] / sendmail-smrsh-paths.patch

diff -Nru sendmail-8.11.3/smrsh/README sendmail-8.11.3.new/smrsh/README
--- sendmail-8.11.3/smrsh/README	Thu Mar  1 07:19:27 2001
+++ sendmail-8.11.3.new/smrsh/README	Thu Mar  1 07:17:50 2001
@@ -6,7 +6,7 @@
 intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
 and to the software, smrsh.c, written by Eric Allman.
 
-
+* Modified by PLD Team to reflect different paths. *
 
 The smrsh(8) program is intended as a replacement for /bin/sh in the
 program mailer definition of sendmail(8).  This README file describes
@@ -46,15 +46,15 @@
 
 
 
-As root, install smrsh in /usr/libexec.  Using the Build script:
+As root, install smrsh in /usr/sbin.  Using the Build script:
 
 	host.domain# sh Build install
 
-For manual installation: install smrsh in the /usr/libexec
+For manual installation: install smrsh in the /usr/sbin
 directory, with mode 511.
 
-	host.domain# mv smrsh /usr/libexec
-	host.domain# chmod 511 /usr/libexec/smrsh
+	host.domain# mv smrsh /usr/sbin
+	host.domain# chmod 511 /usr/sbin/smrsh
 
 
 
@@ -76,7 +76,7 @@
 acceptable commands.
 
 If your platform doesn't have a default CMDDIR setting, you will
-next need to create the directory /usr/adm/sm.bin and populate
+next need to create the directory /etc/smrsh and populate
 it with the programs that your site feels are allowable for sendmail
 to execute.   This directory is explicitly specified in the source
 code for smrsh, so changing this directory must be accompanied with
@@ -85,22 +85,22 @@
 
 You will have to be root to make these modifications.
 
-After creating the /usr/adm/sm.bin directory, either copy the programs
+After creating the /etc/smrsh directory, either copy the programs
 to the directory, or establish links to the allowable programs from
-/usr/adm/sm.bin.  Change the file permissions, so that these programs
+/etc/smrsh.  Change the file permissions, so that these programs
 can not be modified by non-root users.  If you use links, you should
 ensure that the target programs are not modifiable.
 
 To allow the popular vacation(1) program by creating a link in the
-/usr/adm/sm.bin directory, you should:
+/etc/smrsh directory, you should:
 
-	host.domain# cd /usr/adm/sm.bin
-	host.domain# ln -s /usr/ucb/vacation vacation
+	host.domain# cd /etc/smrsh
+	host.domain# ln -s /usr/bin/vacation vacation
 
 
 
 
-After populating the /usr/adm/sm.bin directory, you can now configure
+After populating the /etc/smrsh directory, you can now configure
 sendmail to use the restricted shell.  Save the current sendmail.cf
 file prior to modifying it, as a prudent precaution.
 
@@ -115,7 +115,7 @@
 
 In order to configure sendmail to use smrsh, you must modify the Mprog
 definition in the sendmail.cf file, by replacing the /bin/sh specification
-with /usr/libexec/smrsh.
+with /usr/sbin/smrsh.
 
 As an example:
 
@@ -123,14 +123,14 @@
 Mprog,	P=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
 
 which should be changed to:
-Mprog,	P=/usr/libexec/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
-          ^^^^^^^^^^^^^^^^^^
+Mprog,	P=/usr/sbin/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
+          ^^^^^^^^^^^^^^^
 
 A more generic line may be:
 Mprog,		P=/bin/sh, F=lsDFM, A=sh -c $u
 
 and should be changed to;
-Mprog,		P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
+Mprog,		P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u
 
 
 After modifying the Mprog definition in the sendmail.cf file, if a frozen
@@ -141,7 +141,7 @@
 a search of the strings(1) output of the sendmail binary.
 
 In order to create a new frozen configuration, if it is required:
-	host.domain# /usr/lib/sendmail -bz
+	host.domain# /usr/sbin/sendmail -bz
 
 Now re-start the sendmail process.  An example of how to do this on
 a typical system follows:
diff -Nru sendmail-8.11.3/smrsh/smrsh.8 sendmail-8.11.3.new/smrsh/smrsh.8
--- sendmail-8.11.3/smrsh/smrsh.8	Thu Mar  1 07:19:27 2001
+++ sendmail-8.11.3.new/smrsh/smrsh.8	Thu Mar  1 07:17:50 2001
@@ -39,7 +39,7 @@
 .I smrsh
 limits programs to be in a single directory,
 by default
-/usr/adm/sm.bin,
+/etc/smrsh,
 allowing the system administrator to choose the set of acceptable commands,
 and to the shell builtin commands ``exec'', ``exit'', and ``echo''.
 It also rejects any commands with the characters
@@ -47,7 +47,7 @@
 or `\en' (newline)
 on the command line to prevent ``end run'' attacks.
 It allows ``||'' and ``&&'' to enable commands like:
-``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"''
+``"|exec /usr/bin/procmail -f- /etc/procmailrcs/user || exit 75"''
 .PP
 Initial pathnames on programs are stripped,
 so forwarding to ``/usr/ucb/vacation'',
@@ -56,10 +56,10 @@
 and
 ``vacation''
 all actually forward to
-``/usr/adm/sm.bin/vacation''.
+``/etc/smrsh/vacation''.
 .PP
 System administrators should be conservative about populating
-the sm.bin directory.
+the /etc/smrsh directory.
 Reasonable additions are
 .IR vacation (1),
 .IR procmail (1),
@@ -69,20 +69,12 @@
 (such as
 .IR perl (1))
 in the
-sm.bin
+/etc/smrsh
 directory.
 Note that this does not restrict the use of shell or perl scripts
 in the sm.bin directory (using the ``#!'' syntax);
 it simply disallows execution of arbitrary programs.
-.SH COMPILATION
-Compilation should be trivial on most systems.
-You may need to use \-DPATH=\e"\fIpath\fP\e"
-to adjust the default search path
-(defaults to ``/bin:/usr/bin:/usr/ucb'')
-and/or \-DCMDBIN=\e"\fIdir\fP\e"
-to change the default program directory
-(defaults to ``/usr/adm/sm.bin'').
 .SH FILES
-/usr/adm/sm.bin \- directory for restricted programs
+/etc/smrsh \- directory for restricted programs
 .SH SEE ALSO
 sendmail(8)
diff -Nru sendmail-8.11.3/smrsh/smrsh.c sendmail-8.11.3.new/smrsh/smrsh.c
--- sendmail-8.11.3/smrsh/smrsh.c	Thu Mar  1 07:19:27 2001
+++ sendmail-8.11.3.new/smrsh/smrsh.c	Thu Mar  1 07:20:44 2001
@@ -77,7 +77,7 @@
 # if defined(HPUX10) || defined(HPUX11) || SOLARIS >= 20800
 #  define CMDDIR	"/var/adm/sm.bin"
 # else /* HPUX10 || HPUX11 || SOLARIS >= 20800 */
-#  define CMDDIR	"/usr/adm/sm.bin"
+#  define CMDDIR	"/usr/smrsh"
 # endif /* HPUX10 || HPUX11 || SOLARIS >= 20800 */
 #endif /* ! CMDDIR */
 
@@ -86,7 +86,7 @@
 
 /* default search path */
 #ifndef PATH
-# define PATH		"/bin:/usr/bin:/usr/ucb"
+# define PATH		"/bin:/usr/bin"
 #endif /* ! PATH */
 
 #ifndef __P
Commit	Line	Data
83a32181	1	diff -Nru sendmail-8.11.3/smrsh/README sendmail-8.11.3.new/smrsh/README
	2	--- sendmail-8.11.3/smrsh/README Thu Mar 1 07:19:27 2001
	3	+++ sendmail-8.11.3.new/smrsh/README Thu Mar 1 07:17:50 2001
1dce6292 JB	4	@@ -6,7 +6,7 @@
	5	intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
	6	and to the software, smrsh.c, written by Eric Allman.
	7
	8	-
dbea50b4	9	+* Modified by PLD Team to reflect different paths. *
1dce6292 JB	10
	11	The smrsh(8) program is intended as a replacement for /bin/sh in the
	12	program mailer definition of sendmail(8). This README file describes
	13	@@ -46,15 +46,15 @@
	14
	15
	16
	17	-As root, install smrsh in /usr/libexec. Using the Build script:
	18	+As root, install smrsh in /usr/sbin. Using the Build script:
	19
	20	host.domain# sh Build install
	21
	22	-For manual installation: install smrsh in the /usr/libexec
	23	+For manual installation: install smrsh in the /usr/sbin
	24	directory, with mode 511.
	25
	26	- host.domain# mv smrsh /usr/libexec
	27	- host.domain# chmod 511 /usr/libexec/smrsh
	28	+ host.domain# mv smrsh /usr/sbin
	29	+ host.domain# chmod 511 /usr/sbin/smrsh
	30
	31
	32
	33	@@ -76,7 +76,7 @@
	34	acceptable commands.
	35
dbea50b4 JB	36	If your platform doesn't have a default CMDDIR setting, you will
	37	-next need to create the directory /usr/adm/sm.bin and populate
	38	+next need to create the directory /etc/smrsh and populate
1dce6292 JB	39	it with the programs that your site feels are allowable for sendmail
	40	to execute. This directory is explicitly specified in the source
	41	code for smrsh, so changing this directory must be accompanied with
	42	@@ -85,22 +85,22 @@
	43
	44	You will have to be root to make these modifications.
	45
	46	-After creating the /usr/adm/sm.bin directory, either copy the programs
	47	+After creating the /etc/smrsh directory, either copy the programs
	48	to the directory, or establish links to the allowable programs from
	49	-/usr/adm/sm.bin. Change the file permissions, so that these programs
	50	+/etc/smrsh. Change the file permissions, so that these programs
	51	can not be modified by non-root users. If you use links, you should
	52	ensure that the target programs are not modifiable.
	53
	54	To allow the popular vacation(1) program by creating a link in the
	55	-/usr/adm/sm.bin directory, you should:
	56	+/etc/smrsh directory, you should:
	57
	58	- host.domain# cd /usr/adm/sm.bin
dbea50b4	59	- host.domain# ln -s /usr/ucb/vacation vacation
1dce6292	60	+ host.domain# cd /etc/smrsh
dbea50b4	61	+ host.domain# ln -s /usr/bin/vacation vacation
1dce6292 JB	62
	63
	64
	65
	66	-After populating the /usr/adm/sm.bin directory, you can now configure
	67	+After populating the /etc/smrsh directory, you can now configure
	68	sendmail to use the restricted shell. Save the current sendmail.cf
	69	file prior to modifying it, as a prudent precaution.
	70
	71	@@ -115,7 +115,7 @@
	72
	73	In order to configure sendmail to use smrsh, you must modify the Mprog
	74	definition in the sendmail.cf file, by replacing the /bin/sh specification
	75	-with /usr/libexec/smrsh.
	76	+with /usr/sbin/smrsh.
	77
	78	As an example:
	79
	80	@@ -123,14 +123,14 @@
	81	Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
	82
	83	which should be changed to:
	84	-Mprog, P=/usr/libexec/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
dbea50b4	85	- ^^^^^^^^^^^^^^^^^^
1dce6292	86	+Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
dbea50b4	87	+ ^^^^^^^^^^^^^^^
1dce6292 JB	88
	89	A more generic line may be:
	90	Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u
	91
	92	and should be changed to;
	93	-Mprog, P=/usr/libexec/smrsh, F=lsDFM, A=sh -c $u
	94	+Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u
	95
	96
	97	After modifying the Mprog definition in the sendmail.cf file, if a frozen
	98	@@ -141,7 +141,7 @@
	99	a search of the strings(1) output of the sendmail binary.
	100
	101	In order to create a new frozen configuration, if it is required:
	102	- host.domain# /usr/lib/sendmail -bz
	103	+ host.domain# /usr/sbin/sendmail -bz
	104
	105	Now re-start the sendmail process. An example of how to do this on
	106	a typical system follows:
83a32181	107	diff -Nru sendmail-8.11.3/smrsh/smrsh.8 sendmail-8.11.3.new/smrsh/smrsh.8
	108	--- sendmail-8.11.3/smrsh/smrsh.8 Thu Mar 1 07:19:27 2001
	109	+++ sendmail-8.11.3.new/smrsh/smrsh.8 Thu Mar 1 07:17:50 2001
dbea50b4	110	@@ -39,7 +39,7 @@
1dce6292	111	.I smrsh
dbea50b4 JB	112	limits programs to be in a single directory,
dbea50b4 JB	113	by default
1dce6292 JB	114	-/usr/adm/sm.bin,
	115	+/etc/smrsh,
	116	allowing the system administrator to choose the set of acceptable commands,
	117	and to the shell builtin commands ``exec'', ``exit'', and ``echo''.
	118	It also rejects any commands with the characters
dbea50b4 JB	119	@@ -47,7 +47,7 @@
	120	or `\en' (newline)
	121	on the command line to prevent ``end run'' attacks.
	122	It allows ``\|\|'' and ``&&'' to enable commands like:
	123	-``"\|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user \|\| exit 75"''
	124	+``"\|exec /usr/bin/procmail -f- /etc/procmailrcs/user \|\| exit 75"''
	125	.PP
	126	Initial pathnames on programs are stripped,
	127	so forwarding to ``/usr/ucb/vacation'',
	128	@@ -56,10 +56,10 @@
1dce6292 JB	129	and
	130	``vacation''
	131	all actually forward to
	132	-``/usr/adm/sm.bin/vacation''.
	133	+``/etc/smrsh/vacation''.
	134	.PP
	135	System administrators should be conservative about populating
dbea50b4 JB	136	-the sm.bin directory.
dbea50b4 JB	137	+the /etc/smrsh directory.
1dce6292 JB	138	Reasonable additions are
	139	.IR vacation (1),
	140	.IR procmail (1),
dbea50b4	141	@@ -69,20 +69,12 @@
1dce6292 JB	142	(such as
	143	.IR perl (1))
	144	in the
	145	-sm.bin
	146	+/etc/smrsh
	147	directory.
	148	Note that this does not restrict the use of shell or perl scripts
dbea50b4	149	in the sm.bin directory (using the ``#!'' syntax);
1dce6292 JB	150	it simply disallows execution of arbitrary programs.
	151	-.SH COMPILATION
	152	-Compilation should be trivial on most systems.
	153	-You may need to use \-DPATH=\e"\fIpath\fP\e"
	154	-to adjust the default search path
	155	-(defaults to ``/bin:/usr/bin:/usr/ucb'')
	156	-and/or \-DCMDBIN=\e"\fIdir\fP\e"
	157	-to change the default program directory
	158	-(defaults to ``/usr/adm/sm.bin'').
	159	.SH FILES
	160	-/usr/adm/sm.bin \- directory for restricted programs
	161	+/etc/smrsh \- directory for restricted programs
	162	.SH SEE ALSO
	163	sendmail(8)
83a32181	164	diff -Nru sendmail-8.11.3/smrsh/smrsh.c sendmail-8.11.3.new/smrsh/smrsh.c
	165	--- sendmail-8.11.3/smrsh/smrsh.c Thu Mar 1 07:19:27 2001
	166	+++ sendmail-8.11.3.new/smrsh/smrsh.c Thu Mar 1 07:20:44 2001
dbea50b4 JB	167	@@ -77,7 +77,7 @@
	168	# if defined(HPUX10) \|\| defined(HPUX11) \|\| SOLARIS >= 20800
	169	# define CMDDIR "/var/adm/sm.bin"
83a32181	170	# else /* HPUX10 \|\| HPUX11 \|\| SOLARIS >= 20800 */
dbea50b4	171	-# define CMDDIR "/usr/adm/sm.bin"
83a32181	172	+# define CMDDIR "/usr/smrsh"
83a32181	173	# endif /* HPUX10 \|\| HPUX11 \|\| SOLARIS >= 20800 */
1dce6292 JB	174	#endif /* ! CMDDIR */
1dce6292 JB	175
dbea50b4	176	@@ -86,7 +86,7 @@
1dce6292 JB	177
	178	/* default search path */
	179	#ifndef PATH
	180	-# define PATH "/bin:/usr/bin:/usr/ucb"
dbea50b4	181	+# define PATH "/bin:/usr/bin"
1dce6292 JB	182	#endif /* ! PATH */
	183
	184	#ifndef __P