Date: Wed, 17 Dec 1997 22:05:06 -0500 (EST) From: Brian Clapper <bmc@WillsCreek.COM> To: Charlie Roots <osiris2002@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: Sendmail HYPER-SECURITY Message-ID: <199712180305.WAA00504@current.willscreek.com> In-Reply-To: <19971217091842.5156.rocketmail@send1a.yahoomail.com> References: <19971217091842.5156.rocketmail@send1a.yahoomail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Charlie Roots wrote: > I understand that Sendmail was, once, a major security hole by which > attackers and hackers used to get the password file [ ... ] > Now, to make it even more secure, I have changed the default sh shell > into a new sendmail restricted shell or (smrsh) [ ... ] [ ... ] > A drawback of this technique is that when I try to do some > manipulations of the mail delivery system on my server the restriction > becomes a kind of Hyper-Security, I mean by that overdoing things, so > now the question; > > HOW can I use Procmail for mail filtering , and Majordomo for mailing > lists management, in presence of this limitation, since after I set > these 2 services up, they need to be invoked into the Sendmail mail > delivery system. > > Currently sendmail is refusing to allow them to do their stuff, even > if they are referenced in the sendmail.cf as they should. In addition to sanitizing the command to be run, `smrsh' imposes the restriction that the command reside in the `smrsh' bin directory, whatever you configured that to be when you compiled `smrsh'. (By default, this directory is "/usr/libexec/sm.bin".) If you want to convince `smrsh' to run `procmail', then you must either copy the `procmail' binary into that directory, or you must create a symlink to `procmail' in that directory. (Symlinks will work fine unless `sendmail' and, hence, `smrsh', are running in a chrooted area and procmail is not also in that chrooted area.) This is all clearly spelled out in the `smrsh' man page, which you should have if you have source to `smrsh'. Here's an excerpt from that page: Briefly, smrsh limits programs to be in the directory /usr/libexec/sm.bin, allowing the system administrator to choose the set of acceptable commands. It also rejects any commands with the characters ``', `<', `>', `|', `;', `&', `$', `(', `)', `\r' (carriage return), or `\n' (new- line) on the command line to prevent ``end run'' attacks. Initial pathnames on programs are stripped, so forwarding to ``/usr/bin/vacation'', ``/home/server/mydir/bin/vaca- tion'', and ``vacation'' all actually forward to ``/usr/libexec/sm.bin/vacation''. System administrators should be conservative about popu- lating /usr/libexec/sm.bin. Reasonable additions are vacation(1), procmail(1), and the like. No matter how brow-beaten you may be, never include any shell or shell- like program (such as perl(1)) in the sm.bin directory. Note that this does not restrict the use of shell or perl scripts in the sm.bin directory (using the ``#!'' syntax); it simply disallows execution of arbitrary programs. ----- Brian Clapper, bmc@WillsCreek.COM, http://WWW.WillsCreek.COM/ Unless you are very rich and very eccentric, you will not enjoy the luxury of a computer in your own home. -- Edward Yourdon, 1975.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199712180305.WAA00504>