From bf383cd8b01ace1511e5268fae78582cc3c22406 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 17 Jan 2001 05:26:52 +0000 Subject: convert to mdoc --- gnu/usr.sbin/sendmail/smrsh/smrsh.8 | 125 +++++++++++++++++++++++------------- 1 file changed, 82 insertions(+), 43 deletions(-) (limited to 'gnu') diff --git a/gnu/usr.sbin/sendmail/smrsh/smrsh.8 b/gnu/usr.sbin/sendmail/smrsh/smrsh.8 index 15ffdb833b6..8e51659adad 100644 --- a/gnu/usr.sbin/sendmail/smrsh/smrsh.8 +++ b/gnu/usr.sbin/sendmail/smrsh/smrsh.8 
@@ -9,72 +9,111 @@ .\" the sendmail distribution. .\" .\" +.\" $OpenBSD: smrsh.8,v 1.5 2001/01/17 05:26:51 millert Exp $ .\" $Sendmail: smrsh.8,v 8.11.16.2 2000/12/15 19:50:46 gshapiro Exp $ .\" -.TH SMRSH 8 "$Date: 2001/01/17 04:53:19 $" -.SH NAME -smrsh \- restricted shell for sendmail -.SH SYNOPSIS -.B smrsh -.B \-c -command -.SH DESCRIPTION +.Dd December 15, 2000 +.Dt SMRSH 8 +.Os +.Sh NAME +.Nm smrsh +.Nd restricted shell for sendmail +.Sh SYNOPSIS +.Nm smrsh +.Fl c Ar command +.Sh DESCRIPTION The -.I smrsh +.Nm smrsh program is intended as a replacement for -.I sh -for use in the ``prog'' mailer in -.IR sendmail (8) +.Pa /bin/sh +for use in the +.Dq prog +mailer in +.Xr sendmail 8 configuration files. It sharply limits the commands that can be run using the -``|program'' syntax of -.I sendmail -in order to improve the over all security of your system. -Briefly, even if a ``bad guy'' can get sendmail to run a program +.Dq |program +syntax of +.Xr sendmail 8 +in order to improve the overall security of your system. +Briefly, even if a +.Dq bad guy +can get sendmail to run a program without going through an alias or forward file, -.I smrsh +.Nm smrsh limits the set of programs that he or she can execute. -.PP +.Pp Briefly, -.I smrsh -limits programs to be in a single directory, -by default -/usr/libexec/sm.bin, +.Nm smrsh +limits programs to be in a single directory, by default +.Pa /usr/libexec/sm.bin , allowing the system administrator to choose the set of acceptable commands, -and to the shell builtin commands ``exec'', ``exit'', and ``echo''. +and the shell builtin commands +.Dq exec , +.Dq exit , +and +.Dq echo . It also rejects any commands with the characters -`\`', `<', `>', `;', `$', `(', `)', `\er' (carriage return), -or `\en' (newline) -on the command line to prevent ``end run'' attacks. 
-It allows ``||'' and ``&&'' to enable commands like: -``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"'' -.PP +.Sq \e , +.Sq < , +.Sq > , +.So +; +.Sc , +.Sq $ , +.So +( +.Sc , +.So +) +.Sc , +.Sq \er +(carriage return), or +.Sq \en +(newline) on the command line to prevent +.Dq end run +attacks. +It allows +.Dq || +and +.Dq && +to enable commands like: +.Bd -literal -compact -offset "XXXX" +.Qq "|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75" +.Ed +.Pp Initial pathnames on programs are stripped, -so forwarding to ``/usr/ucb/vacation'', -``/usr/bin/vacation'', -``/home/server/mydir/bin/vacation'', +so forwarding to +.Pa /usr/ucb/vacation , +.Pa /usr/bin/vacation , +.Pa /home/server/mydir/bin/vacation , and -``vacation'' +.Pa vacation all actually forward to -``/usr/libexec/sm.bin/vacation''. -.PP +.Pa /usr/libexec/sm.bin/vacation . +.Pp System administrators should be conservative about populating the sm.bin directory. Reasonable additions are -.IR vacation (1), -.IR procmail (1), +.Xr vacation 1 , +.Xr procmail 1 , and the like. No matter how brow-beaten you may be, never include any shell or shell-like program (such as -.IR perl (1)) +.Xr perl 1 ) in the sm.bin directory. Note that this does not restrict the use of shell or perl scripts -in the sm.bin directory (using the ``#!'' syntax); +in the sm.bin directory (using the +.Dq #! +syntax); it simply disallows execution of arbitrary programs. -.SH FILES -/usr/libexec/sm.bin \- directory for restricted programs -.SH SEE ALSO -sendmail(8) +.Sh FILES +.Bl -tag -width "/usr/libexec/sm.bin" -compact +.It Pa /usr/libexec/sm.bin +directory for restricted programs +.El +.Sh SEE ALSO +.Xr sendmail 8 -- cgit v1.2.3
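Review bot: The first entry of the rejected-characters list changes meaning in the conversion. The removed line quoted \` (the roff escape for a grave accent, i.e. a backquote), while the added line ".Sq \e ," renders a backslash. For a commit titled "convert to mdoc" the documented character set should stay the same, and the backquote is the entry that matters most here because it is shell command substitution. Suggest keeping the backquote escape inside .Sq for that entry, and adding a separate entry for backslash only if smrsh rejects it too. Separately, "and to the shell builtin commands" became "and the shell builtin commands" and "over all" became "overall"; these are wording changes rather than macro conversion and could be mentioned in the commit message.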