From owner-freebsd-questions Wed Dec 17 19:38:01 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA13170 for questions-outgoing; Wed, 17 Dec 1997 19:38:01 -0800 (PST) (envelope-from owner-freebsd-questions) Received: from BIGFUN.vwcom.com (BIGFUN.vwcom.com [151.197.101.21]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA13154 for ; Wed, 17 Dec 1997 19:37:30 -0800 (PST) (envelope-from bmc@WillsCreek.COM) Received: from WillsCreek.COM (gw.willscreek.com [151.197.101.46]) by BIGFUN.vwcom.com (8.8.6/8.8.6) with ESMTP id WAA09477; Wed, 17 Dec 1997 22:00:14 -0500 (EST) Received: from current.willscreek.com (current.willscreek.com [172.16.87.1]) by WillsCreek.COM (8.8.7/8.8.5) with ESMTP id WAA20220; Wed, 17 Dec 1997 22:05:07 -0500 (EST) Received: (from bmc@localhost) by current.willscreek.com (8.8.7/8.8.5) id WAA00504; Wed, 17 Dec 1997 22:05:06 -0500 (EST) Date: Wed, 17 Dec 1997 22:05:06 -0500 (EST) Message-Id: <199712180305.WAA00504@current.willscreek.com> From: Brian Clapper MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Charlie Roots Cc: freebsd-questions@freebsd.org Subject: Re: Sendmail HYPER-SECURITY In-Reply-To: <19971217091842.5156.rocketmail@send1a.yahoomail.com> References: <19971217091842.5156.rocketmail@send1a.yahoomail.com> X-Mailer: VM 6.23 under Emacs 19.34.1 Sender: owner-freebsd-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Charlie Roots wrote: > I understand that Sendmail was, once, a major security hole by which > attackers and hackers used to get the password file [ ... ] > Now, to make it even more secure, I have changed the default sh shell > into a new sendmail restricted shell or (smrsh) [ ... ] [ ... ] > A drawback of this technique is that when I try to do some > manipulations of the mail delivery system on my server the restriction > becomes a kind of Hyper-Security, I mean by that overdoing things, so > now the question; > > HOW can I use Procmail for mail filtering , and Majordomo for mailing > lists management, in presence of this limitation, since after I set > these 2 services up, they need to be invoked into the Sendmail mail > delivery system. > > Currently sendmail is refusing to allow them to do their stuff, even > if they are referenced in the sendmail.cf as they should. In addition to sanitizing the command to be run, `smrsh' imposes the restriction that the command reside in the `smrsh' bin directory, whatever you configured that to be when you compiled `smrsh'. (By default, this directory is "/usr/libexec/sm.bin".) If you want to convince `smrsh' to run `procmail', then you must either copy the `procmail' binary into that directory, or you must create a symlink to `procmail' in that directory. (Symlinks will work fine unless `sendmail' and, hence, `smrsh', are running in a chrooted area and procmail is not also in that chrooted area.) This is all clearly spelled out in the `smrsh' man page, which you should have if you have source to `smrsh'. Here's an excerpt from that page: Briefly, smrsh limits programs to be in the directory /usr/libexec/sm.bin, allowing the system administrator to choose the set of acceptable commands. It also rejects any commands with the characters ``', `<', `>', `|', `;', `&', `$', `(', `)', `\r' (carriage return), or `\n' (new- line) on the command line to prevent ``end run'' attacks. Initial pathnames on programs are stripped, so forwarding to ``/usr/bin/vacation'', ``/home/server/mydir/bin/vaca- tion'', and ``vacation'' all actually forward to ``/usr/libexec/sm.bin/vacation''. System administrators should be conservative about popu- lating /usr/libexec/sm.bin. Reasonable additions are vacation(1), procmail(1), and the like. No matter how brow-beaten you may be, never include any shell or shell- like program (such as perl(1)) in the sm.bin directory. Note that this does not restrict the use of shell or perl scripts in the sm.bin directory (using the ``#!'' syntax); it simply disallows execution of arbitrary programs. ----- Brian Clapper, bmc@WillsCreek.COM, http://WWW.WillsCreek.COM/ Unless you are very rich and very eccentric, you will not enjoy the luxury of a computer in your own home. -- Edward Yourdon, 1975.