1 diff -Nur sendmail-8.9.3/smrsh/Makefile.m4 sendmail-8.9.3.pld/smrsh/Makefile.m4
2 --- sendmail-8.9.3/smrsh/Makefile.m4 Tue Dec 29 18:42:52 1998
3 +++ sendmail-8.9.3.pld/smrsh/Makefile.m4 Thu May 27 19:42:08 1999
5 # libraries required on your system
6 LIBS= ifdef(`confLIBS', `confLIBS')
8 -# location of smrsh binary (usually /usr/libexec or /usr/etc)
9 -EBINDIR=${DESTDIR}ifdef(`confEBINDIR', `confEBINDIR', `/usr/libexec')
10 +# location of smrsh binary (usually /usr/sbin or /usr/etc)
11 +EBINDIR=${DESTDIR}ifdef(`confEBINDIR', `confEBINDIR', `/usr/sbin')
13 # additional .o files needed
14 OBJADD= ifdef(`confOBJADD', `confOBJADD')
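Review bot: The /usr/libexec to /usr/sbin change on the EBINDIR= line edits the fallback of an ifdef that already honours confEBINDIR, so the same install location is available without patching the Makefile template. Consider setting confEBINDIR to /usr/sbin in the package's build configuration and dropping this hunk. That keeps the diff against upstream smaller and avoids the default silently reverting if the template changes in a later release.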
15 --- sendmail-8.7.5/smrsh/README.marc Thu Aug 1 11:52:37 1996
16 +++ sendmail-8.7.5/smrsh/README Thu Aug 1 11:54:51 1996
18 intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
19 and to the software, smrsh.c, written by Eric Allman.
22 +* Modified by Red Hat Software to reflect different paths. *
24 The smrsh(8) program is intended as a replacement for /bin/sh in the
25 program mailer definition of sendmail(8). This README file describes
29 Choose a directory that smrsh will reside in. We will use the traditional
30 -/usr/local/etc directory for the remainder of this document.
31 +/usr/sbin directory for the remainder of this document.
33 -As root, install smrsh in /usr/local/etc directory, with mode 511.
34 +As root, install smrsh in /usr/sbin directory, with mode 511.
36 -host.domain# mv smrsh /usr/local/etc
37 -host.domain# chmod 511 /usr/local/etc/smrsh
38 +host.domain# mv smrsh /usr/sbin
39 +host.domain# chmod 511 /usr/sbin/smrsh
47 -You will next need to create the directory /usr/adm/sm.bin and populate
48 +You will next need to create the directory /etc/smrsh and populate
49 it with the programs that your site feels are allowable for sendmail
50 to execute. This directory is explicitly specified in the source
51 code for smrsh, so changing this directory must be accompanied with
54 You will have to be root to make these modifications.
56 -After creating the /usr/adm/sm.bin directory, either copy the programs
57 +After creating the /etc/smrsh directory, either copy the programs
58 to the directory, or establish links to the allowable programs from
59 -/usr/adm/sm.bin. Change the file permissions, so that these programs
60 +/etc/smrsh. Change the file permissions, so that these programs
61 can not be modified by non-root users. If you use links, you should
62 ensure that the target programs are not modifiable.
64 To allow the popular vacation(1) program by creating a link in the
65 -/usr/adm/sm.bin directory, you should:
66 +/etc/smrsh directory, you should:
68 -host.domain# cd /usr/adm/sm.bin
69 +host.domain# cd /etc/smrsh
70 host.domain# ln -s /usr/ucb/vacation vacation
75 -After populating the /usr/adm/sm.bin directory, you can now configure
76 +After populating the /etc/smrsh directory, you can now configure
77 sendmail to use the restricted shell. Save the current sendmail.cf
78 file prior to modifying it, as a prudent precaution.
82 In order to configure sendmail to use smrsh, you must modify the Mprog
83 definition in the sendmail.cf file, by replacing the /bin/sh specification
84 -with /usr/local/etc/smrsh.
85 +with /usr/sbin/smrsh.
90 Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
92 which should be changed to:
93 -Mprog, P=/usr/local/etc/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
94 - ^^^^^^^^^^^^^^^^^^^^
95 +Mprog, P=/usr/sbin/smrsh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
98 A more generic line may be:
99 Mprog, P=/bin/sh, F=lsDFM, A=sh -c $u
101 and should be changed to;
102 -Mprog, P=/usr/local/etc/smrsh, F=lsDFM, A=sh -c $u
103 +Mprog, P=/usr/sbin/smrsh, F=lsDFM, A=sh -c $u
106 After modifying the Mprog definition in the sendmail.cf file, if a frozen
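Review bot: The vacation example keeps "ln -s /usr/ucb/vacation vacation" as unchanged context while every other path in this README moves to the new layout, and the smrsh.c part of this patch removes /usr/ucb from the default PATH. On a system laid out the way the rest of the patch assumes, that link target may not exist, so point the example at the location where vacation is actually installed. The removed "^^^^" marker line under the first Mprog example also has no replacement; re-add it at the width of /usr/sbin/smrsh so the reader can still see which field changes.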
107 @@ -133,12 +133,12 @@
108 a search of the strings(1) output of the sendmail binary.
110 In order to create a new frozen configuration, if it is required:
111 -host.domain# /usr/lib/sendmail -bz
112 +host.domain# /usr/sbin/sendmail -bz
114 Now re-start the sendmail process. An example of how to do this on
115 a typical system follows:
117 host.domain# /usr/bin/ps aux | /usr/bin/grep sendmail
118 -root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q
119 +root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/sbin/sendmail -bd -q
120 host.domain# /bin/kill -9 130
121 -host.domain# /usr/lib/sendmail -bd -q30m
122 +host.domain# /usr/sbin/sendmail -bd -q30m
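Review bot: The file headers for this README and for smrsh.8 name sendmail-8.7.5/smrsh/ with 1996 timestamps, while the Makefile.m4 and smrsh.c parts of the same patch are against sendmail-8.9.3. Regenerate the README and smrsh.8 hunks against the 8.9.3 tree, so that offsets such as "@@ -133,12 +133,12 @@" are known to match and the patch applies without fuzz or a mismatched -p level.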
123 --- sendmail-8.7.5/smrsh/smrsh.8.marc Sun Nov 13 13:25:16 1994
124 +++ sendmail-8.7.5/smrsh/smrsh.8 Thu Aug 1 11:48:07 1996
128 limits programs to be in the directory
131 allowing the system administrator to choose the set of acceptable commands.
132 It also rejects any commands with the characters
133 `\`', `<', `>', `|', `;', `&', `$', `(', `)', `\r' (carriage return),
137 all actually forward to
138 -``/usr/adm/sm.bin/vacation''.
139 +``/etc/smrsh/vacation''.
141 System administrators should be conservative about populating
144 Reasonable additions are
154 Note that this does not restrict the use of shell or perl scripts
155 -in the sm.bin directory (using the ``#!'' syntax);
156 +in the /etc/smrsh directory (using the ``#!'' syntax);
157 it simply disallows execution of arbitrary programs.
159 -Compilation should be trivial on most systems.
160 -You may need to use \-DPATH=\e"\fIpath\fP\e"
161 -to adjust the default search path
162 -(defaults to ``/bin:/usr/bin:/usr/ucb'')
163 -and/or \-DCMDBIN=\e"\fIdir\fP\e"
164 -to change the default program directory
165 -(defaults to ``/usr/adm/sm.bin'').
167 -/usr/adm/sm.bin \- directory for restricted programs
168 +/etc/smrsh \- directory for restricted programs
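Review bot: The removed compilation paragraph documents the default search path and the build-time overrides, and with it gone nothing in the visible part of the man page says which PATH smrsh runs commands with. Since the smrsh.c part of this patch changes that default to "/bin:/usr/bin", keep the paragraph and update its two defaults instead of deleting it. If it is restored, note that the removed text names the override -DCMDBIN, while the macro shown in the smrsh.c hunk is CMDDIR.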
171 --- sendmail-8.9.3/smrsh/smrsh.c~ Tue Dec 29 12:42:52 1998
172 +++ sendmail-8.9.3/smrsh/smrsh.c Mon Apr 5 11:25:36 1999
175 /* directory in which all commands must reside */
177 -# define CMDDIR "/usr/adm/sm.bin"
178 +# define CMDDIR "/etc/smrsh"
181 /* characters disallowed in the shell "-c" argument */
184 /* default search path */
186 -# define PATH "/bin:/usr/bin:/usr/ucb"
187 +# define PATH "/bin:/usr/bin"
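Review bot: CMDDIR is the directory holding the programs sendmail is allowed to execute, and the change to "/etc/smrsh" moves that allow-list to a path that nothing in the visible hunks creates or sets permissions on. The README in this patch requires that the programs there cannot be modified by non-root users, so the package should create /etc/smrsh owned by root and not writable by group or other, rather than leaving that step to the administrator. Dropping /usr/ucb from PATH fits the new layout, but any script placed in /etc/smrsh that relied on it will need full paths.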