Проект OpenNet: MAN smrsh (1) Команды и прикладные программы пользовательского уровня (FreeBSD и Linux)

Интерактивная система просмотра системных руководств (man-ов)

smrsh (1)

>> smrsh (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )

smrsh (8) ( FreeBSD man: Команды системного администрирования )

smrsh (8) ( Linux man: Команды системного администрирования )

NAME

smrsh - restricted shell for sendmail

SYNOPSIS

smrsh -c command

DESCRIPTION

The smrsh program is intended as a replacement for the sh command in the prog mailer in sendmail(1M) configuration files. The smrsh program sharply limits commands that can be run using the |program syntax of sendmail. This improves overall system security. smrsh limits the set of programs that a programmer can execute, even if sendmail runs a program without going through an alias or forward file.

Briefly, smrsh limits programs to be in the directory /var/adm/sm.bin, allowing system administrators to choose the set of acceptable commands. It also rejects any commands with the characters: ,, <, >, |, ;, &, $, \r (<RETURN>), or \n (<NEWLINE>) on the command line to prevent end run attacks.

Initial pathnames on programs are stripped, so forwarding to /usr/ucb/vacation, /usr/bin/vacation, /home/server/mydir/bin/vacation, and vacation all actually forward to/var/adm/sm.bin/vacation.

System administrators should be conservative about populating /var/adm/sm.bin. Reasonable additions are utilities such as vacation(1) and procmail. Never include any shell or shell-like program (for example, perl) in the sm.bin directory. This does not restrict the use of shell or perl scrips in the sm.bin directory (using the #! syntax); it simply disallows the execution of arbitrary programs.