smrsh man page on BSDi

SMRSH(8)						 SMRSH(8)

NAME
       smrsh - restricted shell for sendmail

SYNOPSIS
       smrsh -c command

DESCRIPTION
       The smrsh program is intended as a replacement for sh for use in
       the ``prog'' mailer in sendmail(8) configuration files.  It
       sharply limits the commands that can be run using the
       ``|program'' syntax of sendmail in order to improve the overall
       security of your system.  Briefly, even if a ``bad guy'' can get
       sendmail to run a program without going through an alias or
       forward file, smrsh limits the set of programs that he or she
       can execute.

       smrsh limits programs to those in a single directory, by default
       /usr/adm/sm.bin, allowing the system administrator to choose the
       set of acceptable commands, and to the shell builtin commands
       ``exec'', ``exit'', and ``echo''.  It also rejects any commands
       with the characters ``' (backquote), `<', `>', `;', `$', `(',
       `)', `\r' (carriage return), or `\n' (newline) on the command
       line to prevent ``end run'' attacks.  It allows ``||'' and
       ``&&'' to enable commands like:
       ``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"''

       Initial pathnames on programs are stripped, so forwarding to
       ``/usr/ucb/vacation'', ``/usr/bin/vacation'',
       ``/home/server/mydir/bin/vacation'', and ``vacation'' all
       actually forward to ``/usr/adm/sm.bin/vacation''.

       System administrators should be conservative about populating
       the sm.bin directory.  Reasonable additions are vacation(1),
       procmail(1), and the like.  No matter how brow-beaten you may
       be, never include any shell or shell-like program (such as
       perl(1)) in the sm.bin directory.  Note that this does not
       restrict the use of shell or perl scripts in the sm.bin
       directory (using the ``#!'' syntax); it simply disallows
       execution of arbitrary programs.
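
       The filtering rules described above, modelled as an added example
       (not smrsh source code and not part of the original man page).
       Assumptions: the function name smrsh_model is hypothetical, quoting
       is ignored, and a lone `|' or `&' is treated as rejected.

```python
import re

CMDBIN = "/usr/adm/sm.bin"           # default program directory named on the page
FORBIDDEN = set("`<>;$()\r\n")       # characters the page lists as rejected
BUILTINS = {"exec", "exit", "echo"}  # shell builtins the page lists as allowed


def smrsh_model(cmdline, cmdbin=CMDBIN):
    """Return the rewritten command line, or None if the model rejects it."""
    if FORBIDDEN & set(cmdline):
        return None
    out = []
    # Split on the two permitted operators, keeping them in the result.
    for part in re.split(r"(\|\||&&)", cmdline):
        if part in ("||", "&&"):
            out.append(part)
            continue
        if "|" in part or "&" in part:
            return None  # assumption: a lone | or & is refused
        words = part.split()
        if not words:
            return None  # empty command next to an operator
        # The program name follows a leading "exec", if there is one.
        i = 1 if words[0] == "exec" and len(words) > 1 else 0
        if words[i] not in BUILTINS:
            base = words[i].rsplit("/", 1)[-1]  # strip the initial pathname
            if base in ("", ".", ".."):
                return None
            words[i] = cmdbin + "/" + base      # confine to the sm.bin directory
        out.append(" ".join(words))
    return " ".join(out)


if __name__ == "__main__":
    samples = [  # constructed inputs; the first is the page's procmail example
        "exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75",
        "/home/server/mydir/bin/vacation",
        "vacation; /bin/sh",
        "/bin/sh",
    ]
    for s in samples:
        print(repr(s), "->", smrsh_model(s))
```

       The last sample is rewritten to a path inside sm.bin rather than
       rejected, so it only fails if no shell has been placed in that
       directory.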

COMPILATION
       Compilation should be trivial on most systems.  You may need to
       use -DPATH=\"path\" to adjust the default search path (defaults
       to ``/bin:/usr/bin:/usr/ucb'') and/or -DCMDBIN=\"dir\" to change
       the default program directory (defaults to ``/usr/adm/sm.bin'').

FILES
       /usr/adm/sm.bin - directory for restricted programs

SEE ALSO
       sendmail(8)

		   $Date: 2000/12/15 19:50:46 $			1
