<HTML
><HEAD
><TITLE
>Secure Sendmail using smrsh</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="Software -Server/Mail Network"
HREF="soser-mailn.html"><LINK
REL="PREVIOUS"
TITLE="The /etc/rc.d/init.d/sendmail script file"
HREF="chap22sec181.html"><LINK
REL="NEXT"
TITLE="The /etc/mail/aliases file"
HREF="chap22sec183.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap22sec181.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 22. Software -Server/Mail Network</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap22sec183.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN12474"
>22.10. Secure Sendmail using <B
CLASS="command"
>smrsh</B
></A
></H1
><P
>&#13; The <B
CLASS="command"
>smrsh</B
> program is intended as a replacement for <TT
CLASS="filename"
>/bin/sh</TT
> in the program mailer definition of Sendmail. It is a restricted shell utility that lets you specify, through the <TT
CLASS="filename"
>/etc/smrsh</TT
> directory, an explicit list of the executable programs available to Sendmail. More precisely, even if someone with malicious intentions
can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's
scope of program execution to only those programs present in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer under <TT
CLASS="filename"
>/usr/sbin/smrsh</TT
>.
</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
>&#13; The first thing we need to do is to determine the list of commands that <B
CLASS="command"
>smrsh</B
> should allow Sendmail to run.
By default we include the following programs, though the list is not limited to them:
<P
></P
><UL
><LI
><P
>&#13; <TT
CLASS="filename"
>/bin/mail</TT
> - <EM
>if you have it installed on your system</EM
>
</P
></LI
><LI
><P
>&#13; <TT
CLASS="filename"
>/usr/bin/procmail</TT
> - <EM
>if you have it installed on your system</EM
>
</P
></LI
></UL
>
<DIV
CLASS="warning"
><P
></P
><TABLE
CLASS="warning"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Warning.gif"
ALT="Warning"
></IMG
></SPAN
></B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>&#13; <EM
>You should not include interpreter programs</EM
> such as <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>sh</SPAN
>(1)</SPAN
>, <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>csh</SPAN
>(1)</SPAN
>,
<SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>perl</SPAN
>(1)</SPAN
>, <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>uudecode</SPAN
>(1)</SPAN
> or <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>sed</SPAN
>(1)</SPAN
> (the stream editor) in your list of acceptable commands.
</P
></TD
></TR
></TABLE
></DIV
>
</P
></LI
><LI
><P
>&#13; You will next need to populate the <TT
CLASS="filename"
>/etc/smrsh</TT
> directory with the programs that Sendmail is allowed to execute. To avoid keeping duplicate copies of programs, it is better
to create symbolic links to the allowed programs from <TT
CLASS="filename"
>/etc/smrsh</TT
> rather than copying programs into this directory.
To allow the mail program <TT
CLASS="filename"
>/bin/mail</TT
>, use the following commands:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>cd</B
> /etc/smrsh
[root@deep] /smrsh# <B
CLASS="command"
>ln</B
> -s /bin/mail mail
</PRE
></TD
></TR
></TABLE
>
To allow the procmail program <TT
CLASS="filename"
>/usr/bin/procmail</TT
>, use the following commands:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# <B
CLASS="command"
>cd</B
> /etc/smrsh
[root@deep] /smrsh# <B
CLASS="command"
>ln</B
> -s /usr/bin/procmail procmail
</PRE
></TD
></TR
></TABLE
>
This will allow the mail and procmail programs to be run from a user's <TT
CLASS="filename"
>.forward</TT
> file or from an <TT
CLASS="filename"
>aliases</TT
> file that uses the program syntax.
<DIV
CLASS="important"
><BLOCKQUOTE
CLASS="important"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Important.gif"
ALT="Important"
></IMG
></SPAN
>: </B
>
Procmail is required only on a Mail Hub Server, not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, make the procmail link as explained above; if you have configured
your system as a Local Client Server, skip the procmail step above.
</P
></BLOCKQUOTE
></DIV
>
</P
></LI
><LI
><P
>&#13; We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, <TT
CLASS="filename"
>/etc/mail/sendmail.cf</TT
>. You must modify this single-line
Mprog definition in the <TT
CLASS="filename"
>sendmail.cf</TT
> file by replacing the <TT
CLASS="filename"
>/bin/sh</TT
> specification with <TT
CLASS="filename"
>/usr/sbin/smrsh</TT
>.
Edit the <TT
CLASS="filename"
>sendmail.cf</TT
> file (<B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/etc/mail/sendmail.cf</TT
>) and change the line:
<DIV
CLASS="example"
><A
NAME="AEN12549"
></A
><P
><B
>Example 22-3. <TT
CLASS="filename"
>sendmail.cf</TT
></B
></P
><P
>&#13; <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</PRE
></TD
></TR
></TABLE
>
This line should be changed to:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</PRE
></TD
></TR
></TABLE
>
</P
></DIV
>
</P
></LI
><LI
><P
>&#13; Now restart the sendmail process manually with the following command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# /etc/rc.d/init.d/sendmail <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
</P
></LI
></OL
></DIV
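>
<P
>As a check on the procedure above, here is an added audit script that is not part of the guide. It verifies that an smrsh directory contains only symbolic links to executable programs, none of which is an interpreter either by link name or by link target (the warning in step 1 and the linking advice in step 2), and that the Mprog line in sendmail.cf names /usr/sbin/smrsh as its program (step 3). The function names (audit_smrsh_dir, audit_mprog, make_fixture), the SMRSH_DIR and SENDMAIL_CF variables, and the fixture tree it builds under a temporary directory are this example's own assumptions; the constructed fixture stands in for /etc/smrsh and /etc/mail/sendmail.cf so the script runs offline without touching a real mail system.
</P
>
```shell
#!/bin/sh
# Added audit script (not from the guide). Checks the two properties the
# procedure above establishes: /etc/smrsh holds only symlinks to approved,
# non-interpreter programs, and the Mprog mailer in sendmail.cf uses smrsh.
# By default it audits a constructed fixture; set SMRSH_DIR and SENDMAIL_CF
# to audit a real host instead.

# Interpreters the warning above says must never be reachable through smrsh.
DENIED_NAMES="sh csh perl uudecode sed"

# audit_smrsh_dir DIR
# Prints one line per finding; returns 0 only if every entry in DIR is a
# symlink to an existing executable and neither the entry name nor the link
# target's basename is a denied interpreter.
audit_smrsh_dir() {
    dir="$1"
    status=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir: glob stayed literal
        name=$(basename "$entry")
        tbase=$name
        if [ -L "$entry" ]; then
            tbase=$(basename "$(readlink "$entry")")
        else
            echo "WARN: $name is a copy, not a symlink (use ln -s so updates are not missed)"
            status=1
        fi
        if [ ! -x "$entry" ]; then
            echo "WARN: $name is not executable or is a dangling link"
            status=1
        fi
        for bad in $DENIED_NAMES; do
            if [ "$name" = "$bad" ] || [ "$tbase" = "$bad" ]; then
                echo "FAIL: interpreter '$bad' is reachable through smrsh entry '$name'"
                status=1
                break
            fi
        done
    done
    if [ "$status" -eq 0 ]; then echo "OK: $dir contains only approved links"; fi
    return "$status"
}

# audit_mprog CF SMRSH_PATH
# Returns 0 if the Mprog line in CF uses SMRSH_PATH as its P= program.
audit_mprog() {
    cf="$1"
    want="$2"
    line=$(grep '^Mprog,' "$cf" 2>/dev/null) || { echo "FAIL: no Mprog line in $cf"; return 1; }
    case "$line" in
        *"P=$want,"*) echo "OK: Mprog uses $want"; return 0 ;;
        *)            echo "FAIL: Mprog still uses an unrestricted program: $line"; return 1 ;;
    esac
}

# make_fixture
# Builds a constructed example tree (NOT a real /etc/smrsh) and prints its path:
#   good/smrsh/mail, good/smrsh/procmail   symlinks to executable stand-ins
#   bad/smrsh/sh, bad/smrsh/shell          links to an interpreter, by name and by target
#   bad/smrsh/mail                         a copied program instead of a link
#   good/sendmail.cf, bad/sendmail.cf      the after/before Mprog lines of Example 22-3
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/good/smrsh" "$root/bad/smrsh"
    printf '#!/bin/sh\nexit 0\n' > "$root/fake_mail"       # stand-in for /bin/mail
    chmod 755 "$root/fake_mail"
    cp "$root/fake_mail" "$root/fake_procmail"              # stand-in for /usr/bin/procmail
    chmod 755 "$root/fake_procmail"
    ln -s "$root/fake_mail" "$root/good/smrsh/mail"
    ln -s "$root/fake_procmail" "$root/good/smrsh/procmail"
    ln -s /bin/sh "$root/bad/smrsh/sh"
    ln -s /bin/sh "$root/bad/smrsh/shell"
    cp "$root/fake_mail" "$root/bad/smrsh/mail"
    chmod 755 "$root/bad/smrsh/mail"
    printf '%s\n' 'Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u' > "$root/good/sendmail.cf"
    printf '%s\n' 'Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u' > "$root/bad/sendmail.cf"
    echo "$root"
}

# Audit a real host when both variables are set; otherwise demonstrate on the fixture.
if [ -n "${SMRSH_DIR:-}" ] && [ -n "${SENDMAIL_CF:-}" ]; then
    audit_smrsh_dir "$SMRSH_DIR" || true
    audit_mprog "$SENDMAIL_CF" /usr/sbin/smrsh || true
else
    ROOT=$(make_fixture)
    echo "--- hardened layout ---"
    audit_smrsh_dir "$ROOT/good/smrsh" || true
    audit_mprog "$ROOT/good/sendmail.cf" /usr/sbin/smrsh || true
    echo "--- unhardened layout ---"
    audit_smrsh_dir "$ROOT/bad/smrsh" || true
    audit_mprog "$ROOT/bad/sendmail.cf" /usr/sbin/smrsh || true
    rm -rf "$ROOT"
fi
```
<P
>Run it as-is to see a hardened and an unhardened layout audited side by side; on a real machine run it as SMRSH_DIR=/etc/smrsh SENDMAIL_CF=/etc/mail/sendmail.cf sh audit-smrsh.sh. The interpreter check looks at both the link name and the link target because smrsh looks commands up by their basename in its directory: a link named sh is a problem whatever it points to, and a link with an innocuous name that resolves to an interpreter is just as much of one.
</P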
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Note.gif"
ALT="Note"
></IMG
></SPAN
>: </B
>
In our <TT
CLASS="filename"
>sendmail.mc</TT
> configuration file for the Mail Hub Server above, we have already configured the Mprog line to use the restricted shell <TT
CLASS="filename"
>/usr/sbin/smrsh</TT
>
with the m4 macro <TT
CLASS="envar"
>FEATURE(`smrsh',`/usr/sbin/smrsh')</TT
>, so don't be surprised if the <TT
CLASS="filename"
>/usr/sbin/smrsh</TT
> specification is already set in your <TT
CLASS="filename"
>/etc/mail/sendmail.cf</TT
>
file for the Mail Hub relay.
</P
><P
>&#13; Instead, use the technique shown above for the other <TT
CLASS="filename"
>/etc/mail/sendmail.cf</TT
> files in your network, such as <EM
>those for the nullclient local or neighbor clients and servers</EM
> that use the <TT
CLASS="filename"
>null.mc</TT
> macro configuration file to generate their <TT
CLASS="filename"
>/etc/mail/sendmail.cf</TT
> file.
</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap22sec181.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap22sec183.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The <TT
CLASS="filename"
>/etc/rc.d/init.d/sendmail</TT
> script file</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="soser-mailn.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>The <TT
CLASS="filename"
>/etc/mail/aliases</TT
> file</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>