smrsh.0

< linux网络编程工具>>配套源码

SMRSH(8)                                                 SMRSH(8)


NNAAMMEE
       smrsh - restricted shell for sendmail

SSYYNNOOPPSSIISS
       ssmmrrsshh --cc command

DDEESSCCRRIIPPTTIIOONN
       The  _s_m_r_s_h program is intended as a replacement for _s_h for
       use in the ``prog'' mailer  in  _s_e_n_d_m_a_i_l(8)  configuration
       files.   It  sharply  limits  the commands that can be run
       using the ``|program'' syntax  of  _s_e_n_d_m_a_i_l  in  order  to
       improve  the  over  all security of your system.  Briefly,
       even if a ``bad guy'' can get sendmail to  run  a  program
       without going through an alias or forward file, _s_m_r_s_h lim-
       its the set of programs that he or she can execute.

       Briefly, _s_m_r_s_h limits programs  to  be  in  the  directory
       /usr/adm/sm.bin,  allowing  the  system  administrator  to
       choose the set of acceptable commands, and  to  the  shell
       builtin  commands  ``exec'',  ``exit'',  and ``echo''.  It
       also rejects any commands with the  characters  ``',  `<',
       `>',  `;',  `$', `(', `)', `\r' (carriage return), or `\n'
       (newline) on the  command  line  to  prevent  ``end  run''
       attacks.   It  allows ``||'' and ``&&'' to enable commands
       like: ``"|exec /usr/local/bin/procmail -f-  /etc/procmail-
       rcs/user || exit 75"''

       Initial  pathnames on programs are stripped, so forwarding
       to      ``/usr/ucb/vacation'',      ``/usr/bin/vacation'',
       ``/home/server/mydir/bin/vacation'',  and ``vacation'' all
       actually forward to ``/usr/adm/sm.bin/vacation''.

       System administrators should be conservative  about  popu-
       lating  /usr/adm/sm.bin.   Reasonable  additions are _v_a_c_a_-
       _t_i_o_n(1), _p_r_o_c_m_a_i_l(1), and the like.  No matter  how  brow-
       beaten  you  may be, never include any shell or shell-like
       program (such as _p_e_r_l(1)) in the sm.bin  directory.   Note
       that  this  does  not  restrict  the  use of shell or perl
       scripts in the sm.bin directory (using the ``#!'' syntax);
       it simply disallows execution of arbitrary programs.

CCOOMMPPIILLAATTIIOONN
       Compilation  should  be  trivial on most systems.  You may
       need to use -DPATH=\"_p_a_t_h\" to adjust the  default  search
       path   (defaults   to  ``/bin:/usr/bin:/usr/ucb'')  and/or
       -DCMDBIN=\"_d_i_r\" to change the default  program  directory
       (defaults to ``/usr/adm/sm.bin'').

FFIILLEESS
       /usr/adm/sm.bin - directory for restricted programs

SSEEEE AALLSSOO
       sendmail(8)




                             11/02/93                           1