
smrsh(8) [centos man page]

SMRSH(8)						      System Manager's Manual							  SMRSH(8)

NAME
smrsh - restricted shell for sendmail

SYNOPSIS
smrsh -c command

DESCRIPTION
The smrsh program is intended as a replacement for sh for use in the ``prog'' mailer in sendmail(8) configuration files. It sharply limits the commands that can be run using the ``|program'' syntax of sendmail in order to improve the overall security of your system. Briefly, even if a ``bad guy'' can get sendmail to run a program without going through an alias or forward file, smrsh limits the set of programs that he or she can execute.

Briefly, smrsh limits programs to be in a single directory, by default /etc/smrsh, allowing the system administrator to choose the set of acceptable commands, and to the shell builtin commands ``exec'', ``exit'', and ``echo''. It also rejects any commands with the characters ``', `<', `>', `;', `$', `(', `)', `\r' (carriage return), or `\n' (newline) on the command line to prevent ``end run'' attacks. It allows ``||'' and ``&&'' to enable commands like:

    "|exec /usr/local/bin/filter || exit 75"

Initial pathnames on programs are stripped, so forwarding to ``/usr/ucb/vacation'', ``/usr/bin/vacation'', ``/home/server/mydir/bin/vacation'', and ``vacation'' all actually forward to ``/etc/smrsh/vacation''.

System administrators should be conservative about populating the /etc/smrsh directory. For example, a reasonable addition is vacation(1), and the like. No matter how brow-beaten you may be, never include any shell or shell-like program (such as perl(1)) in the /etc/smrsh directory. Note that this does not restrict the use of shell or perl scripts in the sm.bin directory (using the ``#!'' syntax); it simply disallows execution of arbitrary programs. Also, including mail filtering programs such as procmail(1) is a very bad idea. procmail(1) allows users to run arbitrary programs in their procmailrc(5).

FILES
/etc/smrsh - directory for restricted programs

SEE ALSO
sendmail(8)

$Date: 2004/08/06 03:55:35 $                                                                                          SMRSH(8)
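
The rules in the DESCRIPTION above, modelled as an added example (not part of the man page and not smrsh's own code): a Python function that takes the command string handed to smrsh -c and reports whether the documented rules would accept it and which /etc/smrsh path it resolves to. The RISKY name list, the rejection of a lone | or &, and the sample commands are assumptions of this example.

```python
import posixpath
import re

SMRSH_DIR = "/etc/smrsh"                 # default directory given on the page
BUILTINS = {"exec", "exit", "echo"}      # shell builtins the page says are allowed
FORBIDDEN = "`<>;$()\r\n"                # characters the page says are rejected
# Names the page warns against installing (perl, procmail) plus common shells;
# the shell names are an assumption of this example.
RISKY = {"sh", "bash", "csh", "ksh", "zsh", "perl", "procmail"}


def evaluate(command):
    """Apply the documented smrsh rules to one command string.

    Returns (allowed, programs, notes): programs are the paths under
    SMRSH_DIR that would run; notes explain a rejection or flag a risk.
    """
    bad = sorted({c for c in command if c in FORBIDDEN})
    if bad:
        return False, [], ["forbidden character(s): " + " ".join(map(repr, bad))]
    programs, notes = [], []
    # "||" and "&&" are the only command separators the page allows.
    for part in re.split(r"\|\||&&", command):
        if "|" in part or "&" in part:
            # Assumption: a lone | or & is rejected (the page does not list them).
            return False, [], ["lone '|' or '&' outside '||' / '&&'"]
        words = part.split()
        if words and words[0] == "exec":
            words = words[1:]            # "exec prog": prog is still confined
        if not words:
            return False, [], ["empty command"]
        if words[0] in BUILTINS:
            continue                     # exit / echo run no external program
        name = posixpath.basename(words[0])   # initial pathname is stripped
        if not name or name in (".", ".."):
            return False, [], ["no program name in %r" % words[0]]
        programs.append(posixpath.join(SMRSH_DIR, name))
        if name in RISKY:
            notes.append("%s is shell-like; keep it out of %s" % (name, SMRSH_DIR))
    return True, programs, notes


if __name__ == "__main__":
    # Constructed sample commands, as they might appear after the leading "|".
    for cmd in ("exec /usr/local/bin/filter || exit 75", "/usr/ucb/vacation bob",
                "vacation; /bin/sh", "../../bin/sh -c id", "/usr/bin/procmail"):
        print(repr(cmd), "->", evaluate(cmd))
```

A command being accepted only means it resolves inside /etc/smrsh; whether that is safe still depends on what the administrator has placed there, which is what the notes flag.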


MAILER.CONF(5)						      BSD File Formats Manual						    MAILER.CONF(5)

NAME
mailer.conf -- configuration file for mailwrapper(8)

DESCRIPTION
The file /etc/mail/mailer.conf contains a series of lines of the form

    name program [arguments ...]

The first word of each line is the name of a program invoking mailwrapper(8). (For example, on a typical system /usr/sbin/sendmail would be a symbolic link to mailwrapper(8), as would newaliases(1) and mailq(1). Thus, name might be ``sendmail'' or ``newaliases'' etc.)

The second word of each line is the name of the program to actually execute when the first name is invoked.

The further arguments, if any, are passed to the program, followed by the arguments mailwrapper(8) was called with.

The file may also contain comment lines, denoted by a '#' mark in the first column of any line.

FILES
/etc/mail/mailer.conf

EXAMPLES
This example shows how to set up mailer.conf to invoke the traditional sendmail(8) program:

    # Execute the "real" sendmail program located in
    # /usr/libexec/sendmail/sendmail
    sendmail        /usr/libexec/sendmail/sendmail
    send-mail       /usr/libexec/sendmail/sendmail
    mailq           /usr/libexec/sendmail/sendmail
    newaliases      /usr/libexec/sendmail/sendmail

This example shows how to invoke a sendmail-workalike like Postfix in place of sendmail(8):

    # Emulate sendmail using postfix
    sendmail        /usr/local/sbin/sendmail
    send-mail       /usr/local/sbin/sendmail
    mailq           /usr/local/sbin/sendmail
    newaliases      /usr/local/sbin/sendmail

This example shows how to invoke a sendmail-workalike with Exim (from ports) in place of sendmail(8):

    # Emulate sendmail using exim
    sendmail        /usr/local/sbin/exim
    send-mail       /usr/local/sbin/exim
    mailq           /usr/local/sbin/exim -bp
    newaliases      /usr/bin/true
    rmail           /usr/local/sbin/exim -i -oee

This example shows the use of the mini_sendmail package from ports in place of sendmail(8). Note the use of additional arguments.

    # Send outgoing mail to a smart relay using mini_sendmail
    sendmail        /usr/local/bin/mini_sendmail -srelayhost
    send-mail       /usr/local/bin/mini_sendmail -srelayhost

SEE ALSO
mail(1), mailq(1), newaliases(1), mailwrapper(8), sendmail(8)

postfix(1) (ports/mail/postfix), mini_sendmail(8) (ports/mail/mini_sendmail)

HISTORY
mailer.conf appeared in NetBSD 1.4.

AUTHORS
Perry E. Metzger <perry@piermont.com>

BUGS
The entire reason this program exists is a crock. Instead, a command for how to submit mail should be standardized, and all the "behave differently if invoked with a different name" behavior of things like mailq(1) should go away.

BSD                                                        October 8, 2010                                                        BSD