Commit | Line | Data |
---|---|---|
c99e5551 | 1 | diff -Nur sendmail-8.9.3/smrsh/Makefile.m4 sendmail-8.9.3.pld/smrsh/Makefile.m4 |
2 | --- sendmail-8.9.3/smrsh/Makefile.m4 Tue Dec 29 18:42:52 1998 | |
3 | +++ sendmail-8.9.3.pld/smrsh/Makefile.m4 Thu May 27 19:42:08 1999 | |
4 | @@ -31,8 +31,8 @@ | |
5 | # libraries required on your system | |
6 | LIBS= ifdef(`confLIBS', `confLIBS') | |
7 | ||
8 | -# location of smrsh binary (usually /usr/libexec or /usr/etc) | |
9 | -EBINDIR=${DESTDIR}ifdef(`confEBINDIR', `confEBINDIR', `/usr/libexec') | |
10 | +# location of smrsh binary (usually /usr/sbin or /usr/etc) | |
11 | +EBINDIR=${DESTDIR}ifdef(`confEBINDIR', `confEBINDIR', `/usr/sbin') | |
12 | ||
13 | # additional .o files needed | |
14 | OBJADD= ifdef(`confOBJADD', `confOBJADD') | |
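Review bot: the new /usr/sbin default on the EBINDIR line is hard-coded in Makefile.m4, although that same line already takes confEBINDIR when it is defined. Setting confEBINDIR to /usr/sbin in the site build configuration would give the same install path without carrying a source patch. If the patch stays, the reworded comment ("usually /usr/sbin or /usr/etc") should say that /usr/sbin is this package's choice, since the line it replaces gave /usr/libexec as the usual location.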
b3a5aac5 | 15 | --- sendmail-8.7.5/smrsh/README.marc Thu Aug 1 11:52:37 1996 |
16 | +++ sendmail-8.7.5/smrsh/README Thu Aug 1 11:54:51 1996 | |
17 | @@ -11,7 +11,7 @@ | |
18 | intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability, | |
19 | and to the software, smrsh.c, written by Eric Allman. | |
20 | ||
21 | - | |
22 | +* Modified by Red Hat Software to reflect different paths. * | |
23 | ||
24 | The smrsh(8) program is intended as a replacement for /bin/sh in the | |
25 | program mailer definition of sendmail(8). This README file describes | |
26 | @@ -41,12 +41,12 @@ | |
27 | ||
28 | ||
29 | Choose a directory that smrsh will reside in. We will use the traditional | |
30 | -/usr/local/etc directory for the remainder of this document. | |
31 | +/usr/sbin directory for the remainder of this document. | |
32 | ||
33 | -As root, install smrsh in /usr/local/etc directory, with mode 511. | |
34 | +As root, install smrsh in /usr/sbin directory, with mode 511. | |
35 | ||
36 | -host.domain# mv smrsh /usr/local/etc | |
37 | -host.domain# chmod 511 /usr/local/etc/smrsh | |
38 | +host.domain# mv smrsh /usr/sbin | |
39 | +host.domain# chmod 511 /usr/sbin/smrsh | |
40 | ||
41 | ||
42 | ||
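Review bot: in the "Choose a directory" paragraph the word "traditional" was written about /usr/local/etc and, after the substitution, reads "the traditional /usr/sbin directory", which is no longer what the sentence meant. Suggest "We will use the /usr/sbin directory for the remainder of this document." The mv and chmod 511 lines are consistent with the new path.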
43 | @@ -68,7 +68,7 @@ | |
44 | acceptable commands. | |
45 | ||
46 | ||
47 | -You will next need to create the directory /usr/adm/sm.bin and populate | |
48 | +You will next need to create the directory /etc/smrsh and populate | |
49 | it with the programs that your site feels are allowable for sendmail | |
50 | to execute. This directory is explicitly specified in the source | |
51 | code for smrsh, so changing this directory must be accompanied with | |
52 | @@ -77,22 +77,22 @@ | |
53 | ||
54 | You will have to be root to make these modifications. | |
55 | ||
56 | -After creating the /usr/adm/sm.bin directory, either copy the programs | |
57 | +After creating the /etc/smrsh directory, either copy the programs | |
58 | to the directory, or establish links to the allowable programs from | |
59 | -/usr/adm/sm.bin. Change the file permissions, so that these programs | |
60 | +/etc/smrsh. Change the file permissions, so that these programs | |
61 | can not be modified by non-root users. If you use links, you should | |
62 | ensure that the target programs are not modifiable. | |
63 | ||
64 | To allow the popular vacation(1) program by creating a link in the | |
65 | -/usr/adm/sm.bin directory, you should: | |
66 | +/etc/smrsh directory, you should: | |
67 | ||
68 | -host.domain# cd /usr/adm/sm.bin | |
69 | +host.domain# cd /etc/smrsh | |
70 | host.domain# ln -s /usr/ucb/vacation vacation | |
71 | ||
72 | ||
73 | ||
74 | ||
75 | -After populating the /usr/adm/sm.bin directory, you can now configure | |
76 | +After populating the /etc/smrsh directory, you can now configure | |
77 | sendmail to use the restricted shell. Save the current sendmail.cf | |
78 | file prior to modifying it, as a prudent precaution. | |
79 | ||
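Review bot: the vacation example keeps "ln -s /usr/ucb/vacation vacation" as unchanged context while every other path in this hunk is moved to the packaged layout, and the smrsh.c hunk in the same patch drops /usr/ucb from the default PATH. If /usr/ucb does not exist on the target system, an administrator following the README ends up with a dangling link in /etc/smrsh. Update the link target to wherever this package installs vacation. The surrounding text's requirement that link targets not be modifiable by non-root users applies to that new target as well.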
80 | @@ -107,7 +107,7 @@ | |
81 | ||
82 | In order to configure sendmail to use smrsh, you must modify the Mprog | |
83 | definition in the sendmail.cf file, by replacing the /bin/sh specification | |
84 | -with /usr/local/etc/smrsh. | |
85 | +with /usr/sbin/smrsh. | |
86 | ||
87 | As an example: | |
88 | ||
89 | @@ -115,14 +115,14 @@ | |
90 | Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
91 | ||
92 | which should be changed to: | |
93 | -Mprog, P=/usr/local/etc/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
94 | - ^^^^^^^^^^^^^^^^^^^^ | |
95 | +Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u | |
96 | + ^^^^^^^^^^^^^^^ | |
97 | ||
98 | A more generic line may be: | |
99 | Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u | |
100 | ||
101 | and should be changed to; | |
102 | -Mprog, P=/usr/local/etc/smrsh, F=lsDFM, A=sh -c $u | |
103 | +Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u | |
104 | ||
105 | ||
106 | After modifying the Mprog definition in the sendmail.cf file, if a frozen | |
107 | @@ -133,12 +133,12 @@ | |
108 | a search of the strings(1) output of the sendmail binary. | |
109 | ||
110 | In order to create a new frozen configuration, if it is required: | |
111 | -host.domain# /usr/lib/sendmail -bz | |
112 | +host.domain# /usr/sbin/sendmail -bz | |
113 | ||
114 | Now re-start the sendmail process. An example of how to do this on | |
115 | a typical system follows: | |
116 | ||
117 | host.domain# /usr/bin/ps aux | /usr/bin/grep sendmail | |
118 | -root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q | |
119 | +root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/sbin/sendmail -bd -q | |
120 | host.domain# /bin/kill -9 130 | |
121 | -host.domain# /usr/lib/sendmail -bd -q30m | |
122 | +host.domain# /usr/sbin/sendmail -bd -q30m | |
123 | --- sendmail-8.7.5/smrsh/smrsh.8.marc Sun Nov 13 13:25:16 1994 | |
124 | +++ sendmail-8.7.5/smrsh/smrsh.8 Thu Aug 1 11:48:07 1996 | |
125 | @@ -59,7 +59,7 @@ | |
126 | Briefly, | |
127 | .I smrsh | |
128 | limits programs to be in the directory | |
129 | -/usr/adm/sm.bin, | |
130 | +/etc/smrsh, | |
131 | allowing the system administrator to choose the set of acceptable commands. | |
132 | It also rejects any commands with the characters | |
133 | `\`', `<', `>', `|', `;', `&', `$', `(', `)', `\r' (carriage return), | |
134 | @@ -73,10 +73,10 @@ | |
135 | and | |
136 | ``vacation'' | |
137 | all actually forward to | |
138 | -``/usr/adm/sm.bin/vacation''. | |
139 | +``/etc/smrsh/vacation''. | |
140 | .PP | |
141 | System administrators should be conservative about populating | |
142 | -/usr/adm/sm.bin. | |
143 | +/etc/smrsh | |
144 | Reasonable additions are | |
145 | .IR vacation (1), | |
146 | .IR procmail (1), | |
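Review bot: the replacement for "/usr/adm/sm.bin." is "/etc/smrsh" with no trailing period, so the rendered man page runs two sentences together ("...conservative about populating /etc/smrsh Reasonable additions are..."). The added line should read "/etc/smrsh." to match the line it replaces.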
147 | @@ -86,20 +86,12 @@ | |
148 | (such as | |
149 | .IR perl (1)) | |
150 | in the | |
151 | -sm.bin | |
152 | +/etc/smrsh | |
153 | directory. | |
154 | Note that this does not restrict the use of shell or perl scripts | |
155 | -in the sm.bin directory (using the ``#!'' syntax); | |
156 | +in the /etc/smrsh directory (using the ``#!'' syntax); | |
157 | it simply disallows execution of arbitrary programs. | |
158 | -.SH COMPILATION | |
159 | -Compilation should be trivial on most systems. | |
160 | -You may need to use \-DPATH=\e"\fIpath\fP\e" | |
161 | -to adjust the default search path | |
162 | -(defaults to ``/bin:/usr/bin:/usr/ucb'') | |
163 | -and/or \-DCMDBIN=\e"\fIdir\fP\e" | |
164 | -to change the default program directory | |
165 | -(defaults to ``/usr/adm/sm.bin''). | |
166 | .SH FILES | |
167 | -/usr/adm/sm.bin \- directory for restricted programs | |
168 | +/etc/smrsh \- directory for restricted programs | |
169 | .SH SEE ALSO | |
170 | sendmail(8) | |
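Review bot: the whole COMPILATION section is deleted rather than updated, which removes the only statement in the man page of the default search path and default program directory. The smrsh.c hunks in this patch still guard both values with #ifndef CMDDIR and #ifndef PATH, so they remain compile-time settings. Prefer keeping the section with the new defaults ("/bin:/usr/bin" and "/etc/smrsh"). Note also that the removed text named the override \-DCMDBIN while the source guards CMDDIR, so a kept section should use the macro name from smrsh.c.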
171 | --- sendmail-8.9.3/smrsh/smrsh.c~ Tue Dec 29 12:42:52 1998 | |
172 | +++ sendmail-8.9.3/smrsh/smrsh.c Mon Apr 5 11:25:36 1999 | |
173 | @@ -58,7 +58,7 @@ | |
174 | ||
175 | /* directory in which all commands must reside */ | |
176 | #ifndef CMDDIR | |
177 | -# define CMDDIR "/usr/adm/sm.bin" | |
178 | +# define CMDDIR "/etc/smrsh" | |
179 | #endif | |
180 | ||
181 | /* characters disallowed in the shell "-c" argument */ | |
182 | @@ -66,7 +66,7 @@ | |
183 | ||
184 | /* default search path */ | |
185 | #ifndef PATH | |
186 | -# define PATH "/bin:/usr/bin:/usr/ucb" | |
187 | +# define PATH "/bin:/usr/bin" | |
188 | #endif | |
189 | ||
190 | int |