<HTML><HEAD>
<TITLE>Secure Sendmail using smrsh</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="Software - Server/Mail Network" HREF="soser-mailn.html">
<LINK REL="PREVIOUS" TITLE="The /etc/rc.d/init.d/sendmail script file" HREF="chap22sec181.html">
<LINK REL="NEXT" TITLE="The /etc/mail/aliases file" HREF="chap22sec183.html">
</HEAD
><BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap22sec181.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 22. Software - Server/Mail Network</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap22sec183.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%"></DIV
><DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN12474">22.10. Secure Sendmail using <B CLASS="command">smrsh</B></A></H1>
<P>The <B CLASS="command">smrsh</B> program is intended as a replacement for <TT CLASS="filename">/bin/sh</TT> in the program mailer definition of Sendmail. It is a restricted shell utility that lets you specify, through the <TT CLASS="filename">/etc/smrsh</TT> directory, an explicit list of the executable programs available to Sendmail. More precisely, even if somebody with malicious intentions can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to only those programs specified in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer under <TT CLASS="filename">/usr/sbin/smrsh</TT>.
</P
><DIV CLASS="procedure"><OL TYPE="1">
<LI><P>The first thing we need to do is to determine the list of commands that <B CLASS="command">smrsh</B> should allow Sendmail to run. By default we include at least the following:
<UL>
<LI><P><TT CLASS="filename">/bin/mail</TT> - <EM>if you have it installed on your system</EM></P></LI>
<LI><P><TT CLASS="filename">/usr/bin/procmail</TT> - <EM>if you have it installed on your system</EM></P></LI>
</UL>
<DIV CLASS="warning"><TABLE CLASS="warning" BORDER="1" WIDTH="100%">
<TR><TD ALIGN="CENTER"><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Warning.gif" ALT="Warning"></SPAN></B></TD></TR>
<TR><TD ALIGN="LEFT"><P><EM>You should not include interpreter programs</EM> such as <SPAN CLASS="citerefentry"><SPAN CLASS="refentrytitle">sh</SPAN>(1)</SPAN>, <SPAN CLASS="citerefentry"><SPAN CLASS="refentrytitle">csh</SPAN>(1)</SPAN>, <SPAN CLASS="citerefentry"><SPAN CLASS="refentrytitle">perl</SPAN>(1)</SPAN>, <SPAN CLASS="citerefentry"><SPAN CLASS="refentrytitle">uudecode</SPAN>(1)</SPAN> or <SPAN CLASS="citerefentry"><SPAN CLASS="refentrytitle">sed</SPAN>(1)</SPAN>, the stream editor, in your list of acceptable commands.</P></TD></TR>
</TABLE></DIV>
</P></LI
><LI><P>You will next need to populate the <TT CLASS="filename">/etc/smrsh</TT> directory with the programs that Sendmail is allowed to execute. To avoid duplicate copies of programs, establish symbolic links to the allowed programs from <TT CLASS="filename">/etc/smrsh</TT> rather than copying the programs into this directory.
To allow the mail program <TT CLASS="filename">/bin/mail</TT>, use the following commands:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">cd</B> /etc/smrsh
[root@deep ]/smrsh# <B CLASS="command">ln</B> -s /bin/mail mail
</PRE></TD></TR></TABLE>
To allow the procmail program <TT CLASS="filename">/usr/bin/procmail</TT>, use the following commands:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">cd</B> /etc/smrsh
[root@deep ]/smrsh# <B CLASS="command">ln</B> -s /usr/bin/procmail procmail
</PRE></TD></TR></TABLE>
This will allow the mail and procmail programs to be run from a user's <TT CLASS="filename">.forward</TT> file or an <TT CLASS="filename">aliases</TT> file that uses the program syntax.
<DIV CLASS="important"><BLOCKQUOTE CLASS="important"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Important.gif" ALT="Important"></SPAN>: </B>
Procmail is required only on a Mail Hub Server, not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, create the procmail link as explained above; if you have configured it as a Local Client Mail Server, skip the procmail step.
</P></BLOCKQUOTE></DIV>
</P></LI
><LI><P>We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, <TT CLASS="filename">/etc/mail/sendmail.cf</TT>. Modify this single-line Mprog definition in the <TT CLASS="filename">sendmail.cf</TT> file by replacing the /bin/sh specification with <TT CLASS="filename">/usr/sbin/smrsh</TT>.
Edit the <TT CLASS="filename">sendmail.cf</TT> file, <B CLASS="command">vi</B> <TT CLASS="filename">/etc/mail/sendmail.cf</TT>, and change the line:
<DIV CLASS="example"><A NAME="AEN12549"></A><P><B>Example 22-3. <TT CLASS="filename">sendmail.cf</TT></B></P>
<P><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</PRE></TD></TR></TABLE>
Change it to:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</PRE></TD></TR></TABLE>
</P></DIV>
</P></LI
><LI><P>Now restart the sendmail process manually with the following command:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# /etc/rc.d/init.d/sendmail <B CLASS="command">restart</B>
</PRE></TD></TR></TABLE>
</P></LI>
</OL></DIV
><DIV CLASS="note"><BLOCKQUOTE CLASS="note"><P><B><SPAN CLASS="inlinemediaobject"><IMG SRC="./images/Note.gif" ALT="Note"></SPAN>: </B>
In our <TT CLASS="filename">sendmail.mc</TT> configuration file for the Mail Hub Server above, we have already configured this Mprog line to use the restricted shell <TT CLASS="filename">/usr/sbin/smrsh</TT> with the m4 macro <TT CLASS="envar">FEATURE(`smrsh',`/usr/sbin/smrsh')</TT>, so don't be surprised if the <TT CLASS="filename">/usr/sbin/smrsh</TT> specification is already set in your <TT CLASS="filename">/etc/mail/sendmail.cf</TT> file for the Mail Hub relay.
</P>
<P>Instead, use the technique shown above for the other <TT CLASS="filename">/etc/mail/sendmail.cf</TT> files in your network, such as the <EM>one for the nullclient local or neighbor clients and servers</EM>, which use the <TT CLASS="filename">null.mc</TT> macro configuration file to generate their <TT CLASS="filename">/etc/mail/sendmail.cf</TT> file.
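The procedure above, written as one POSIX shell script together with the check a practitioner would want afterwards. This is an added example, not the book's own commands: the functions <TT>smrsh_allow</TT>, <TT>smrsh_audit</TT>, <TT>smrsh_patch_cf</TT> and <TT>smrsh_cf_ok</TT> are hypothetical helper names, and the directory and configuration file default to the book's <TT CLASS="filename">/etc/smrsh</TT> and <TT CLASS="filename">/etc/mail/sendmail.cf</TT> but can be pointed at scratch copies for a dry run. The audit goes one step beyond the warning in step 1: smrsh matches only the name inside its directory and then runs that entry, so the script also inspects where each link points, and a link named after an allowed program that targets an interpreter is flagged.

```shell
#!/bin/sh
# Added example (not the book's own commands): automates steps 1 to 3 of the
# procedure above and adds an audit of the result. Function names are
# hypothetical helpers; paths default to the book's /etc/smrsh and
# /etc/mail/sendmail.cf, but every function accepts a scratch copy instead.
set -u

# Interpreters the warning in step 1 says must never be in the allow-list.
SMRSH_FORBIDDEN="sh csh perl uudecode sed"

# 0 if the basename of $1 is one of the forbidden interpreters, 1 otherwise.
smrsh_is_interpreter() {
    _name=$(basename "$1")
    for _bad in $SMRSH_FORBIDDEN; do
        [ "$_name" = "$_bad" ] && return 0
    done
    return 1
}

# Step 2: link a program into the smrsh directory under its basename, as the
# book does with "ln -s /bin/mail mail". Refuses interpreters (returns 2),
# skips programs that are not installed (returns 1), and is idempotent.
smrsh_allow() {
    _prog=$1
    _dir=${2:-/etc/smrsh}
    _link="$_dir/$(basename "$_prog")"
    if smrsh_is_interpreter "$_prog"; then
        echo "refusing to allow interpreter $_prog" >&2
        return 2
    fi
    if [ ! -x "$_prog" ]; then
        echo "$_prog is not installed, skipping" >&2
        return 1
    fi
    [ -e "$_link" ] || ln -s "$_prog" "$_link"
}

# Audit: list what Sendmail may execute and where each link points. smrsh
# matches only the name inside its directory and then runs that entry, so the
# link target is checked too: "procmail -> /bin/sh" would run a shell.
# Returns 1 if anything forbidden is found.
smrsh_audit() {
    _dir=${1:-/etc/smrsh}
    _rc=0
    for _entry in "$_dir"/*; do
        [ -e "$_entry" ] || continue               # empty directory
        _target=$(readlink "$_entry" 2>/dev/null || echo "$_entry")
        if smrsh_is_interpreter "$_entry" || smrsh_is_interpreter "$_target"; then
            echo "FORBIDDEN: $_entry -> $_target"
            _rc=1
        else
            echo "allowed:   $_entry -> $_target"
        fi
    done
    return $_rc
}

# Step 3: change the Mprog mailer from P=/bin/sh to P=/usr/sbin/smrsh. The
# rest of the line (flags, A=sh -c $u) is left exactly as it was. Writes a
# copy first so a failed sed leaves the original untouched.
smrsh_patch_cf() {
    _cf=${1:-/etc/mail/sendmail.cf}
    sed 's|^\(Mprog,[[:space:]]*P=\)/bin/sh,|\1/usr/sbin/smrsh,|' "$_cf" > "$_cf.new" \
        && mv "$_cf.new" "$_cf" \
        || { rm -f "$_cf.new"; return 1; }
}

# Check: 0 when the program mailer uses the restricted shell, 1 otherwise.
smrsh_cf_ok() {
    _cf=${1:-/etc/mail/sendmail.cf}
    grep -q '^Mprog,[[:space:]]*P=/usr/sbin/smrsh,' "$_cf"
}

# Typical run on a live system (as root); after the restart in step 4,
# re-run smrsh_cf_ok and smrsh_audit to confirm the state:
#   smrsh_allow /bin/mail && smrsh_allow /usr/bin/procmail
#   smrsh_patch_cf && smrsh_cf_ok && smrsh_audit
```

Keep the output of <TT>smrsh_audit</TT> with the change record; a <TT>FORBIDDEN</TT> line means the allow-list no longer enforces the restriction the Mprog change was meant to provide, whatever <TT CLASS="filename">sendmail.cf</TT> says.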
</P></BLOCKQUOTE></DIV>
</DIV>
<DIV CLASS="NAVFOOTER"><HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="chap22sec181.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="chap22sec183.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">The <TT CLASS="filename">/etc/rc.d/init.d/sendmail</TT> script file</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="soser-mailn.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">The <TT CLASS="filename">/etc/mail/aliases</TT> file</TD>
</TR>
</TABLE></DIV>
</BODY></HTML>