Date: Wed, 17 Dec 1997 22:05:06 -0500 (EST) From: Brian Clapper <bmc@WillsCreek.COM> To: Charlie Roots <osiris2002@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: Sendmail HYPER-SECURITY Message-ID: <199712180305.WAA00504@current.willscreek.com> In-Reply-To: <19971217091842.5156.rocketmail@send1a.yahoomail.com> References: <19971217091842.5156.rocketmail@send1a.yahoomail.com>
index | next in thread | previous in thread | raw e-mail
Charlie Roots wrote:
> I understand that Sendmail was, once, a major security hole by which
> attackers and hackers used to get the password file
[ ... ]
> Now, to make it even more secure, I have changed the default sh shell
> into a new sendmail restricted shell or (smrsh) [ ... ]
[ ... ]
> A drawback of this technique is that when I try to do some
> manipulations of the mail delivery system on my server the restriction
> becomes a kind of Hyper-Security, I mean by that overdoing things, so
> now the question;
>
> HOW can I use Procmail for mail filtering , and Majordomo for mailing
> lists management, in presence of this limitation, since after I set
> these 2 services up, they need to be invoked into the Sendmail mail
> delivery system.
>
> Currently sendmail is refusing to allow them to do their stuff, even
> if they are referenced in the sendmail.cf as they should.
In addition to sanitizing the command to be run, `smrsh' imposes the
restriction that the command reside in the `smrsh' bin directory, whatever
you configured that to be when you compiled `smrsh'. (By default, this
directory is "/usr/libexec/sm.bin".) If you want to convince `smrsh' to
run `procmail', then you must either copy the `procmail' binary into that
directory, or you must create a symlink to `procmail' in that directory.
(Symlinks will work fine unless `sendmail' and, hence, `smrsh', are running
in a chrooted area and procmail is not also in that chrooted area.)
This is all clearly spelled out in the `smrsh' man page, which you should
have if you have source to `smrsh'. Here's an excerpt from that page:
Briefly, smrsh limits programs to be in the directory
/usr/libexec/sm.bin, allowing the system administrator to choose the
set of acceptable commands. It also rejects any commands with the
characters ``', `<', `>', `|', `;', `&', `$', `(', `)', `\r'
(carriage return), or `\n' (new- line) on the command line to
prevent ``end run'' attacks.
Initial pathnames on programs are stripped, so forwarding to
``/usr/bin/vacation'', ``/home/server/mydir/bin/vaca- tion'', and
``vacation'' all actually forward to
``/usr/libexec/sm.bin/vacation''.
System administrators should be conservative about popu-
lating /usr/libexec/sm.bin. Reasonable additions are
vacation(1), procmail(1), and the like. No matter how
brow-beaten you may be, never include any shell or shell-
like program (such as perl(1)) in the sm.bin directory.
Note that this does not restrict the use of shell or perl
scripts in the sm.bin directory (using the ``#!'' syntax);
it simply disallows execution of arbitrary programs.
-----
Brian Clapper, bmc@WillsCreek.COM, http://WWW.WillsCreek.COM/
Unless you are very rich and very eccentric, you will not enjoy the luxury of
a computer in your own home.
-- Edward Yourdon, 1975.
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199712180305.WAA00504>