22.10. Secure Sendmail using smrsh

The smrsh program is intended as a replacement for /bin/sh in the program mailer definition of Sendmail. It is a restricted shell that lets you specify, through the /etc/smrsh directory, an explicit list of the executable programs available to Sendmail. Even if somebody with malicious intentions can get Sendmail to run a program without going through an aliases or .forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to only those programs present in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer under /usr/sbin/smrsh.

  1. The first thing we need to do is to determine the list of commands that smrsh should allow Sendmail to run. A typical list includes, but is not limited to:

    • /bin/mail - if you have it installed on your system

    • /usr/bin/procmail - if you have it installed on your system


    You should not include interpreter programs such as sh(1), csh(1), perl(1), uudecode(1) or sed(1), the stream editor, in your list of acceptable commands. Any program that executes whatever input it is handed lets a sender run arbitrary commands through it, which defeats the restriction entirely.

  2. You will next need to populate the /etc/smrsh directory with the programs that Sendmail is allowed to execute. Rather than copying programs into this directory, create symbolic links to them from /etc/smrsh: this avoids duplicate copies that would fall behind when the real program is upgraded. smrsh strips any leading path from the command name it is given and looks the bare name up in /etc/smrsh, so the name of the link is what matters. To allow the mail program /bin/mail, use the following commands:
         # cd /etc/smrsh
         /etc/smrsh# ln -s /bin/mail mail
    To allow the procmail program /usr/bin/procmail, use the following commands:
         # cd /etc/smrsh
         /etc/smrsh# ln -s /usr/bin/procmail procmail
    This will allow the mail and procmail programs to be run from a user's .forward file or from an aliases file entry that uses the program syntax.

    Important: procmail is required only on a Mail Hub Server, not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, make the procmail link as explained above; if you have configured it as a Local Client Server, skip the procmail step.

  3. We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, /etc/mail/ . You must modify this single Mprog definition by replacing the /bin/sh specification with /usr/sbin/smrsh. Edit the file (vi /etc/mail/ ) and change the line:

    Example 22-3.

         Mprog,  P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
     which should be changed to:
         Mprog,  P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u

  4. Now restart the sendmail process manually with the following command:
         # /etc/rc.d/init.d/sendmail restart
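The whole procedure above, as an added POSIX shell example that is not part of the original guide: it links an allowlist into an smrsh directory while refusing interpreters, approximates the check smrsh makes on a program mailer command line (leading path stripped, bare name looked up in the directory, shell metacharacters rejected), and confirms that the Mprog mailer in a sendmail.cf points at smrsh. The directory and configuration paths are parameters so that nothing under /etc is touched by the demonstration, which works in a scratch directory with constructed stand-in mail and procmail binaries and a constructed Mprog line. The metacharacter filter is an assumption on my part and deliberately stricter than smrsh's own parser; consult smrsh(8) for the exact rules before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original guide. Links an allowlist into an
# smrsh directory, approximates smrsh's command-line check, and verifies the
# Mprog mailer in a sendmail.cf. All paths are parameters; on a real host use
# /etc/smrsh and /etc/mail/sendmail.cf.

# Interpreters that must never be reachable through smrsh: any program that
# executes the input it is handed defeats the restricted shell.
SMRSH_DENY='sh bash csh tcsh ksh zsh perl python python2 python3 ruby awk sed uudecode'

# smrsh_add DIR PROG...: link each PROG into DIR under its basename. A symlink
# rather than a copy keeps the allowed program current when its package is
# upgraded. Refuses interpreters and anything that is not an executable file.
smrsh_add() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for prog in "$@"; do
        name=${prog##*/}
        for bad in $SMRSH_DENY; do
            if [ "$name" = "$bad" ]; then
                echo "smrsh_add: refusing to expose interpreter $prog" >&2
                return 2
            fi
        done
        if [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
            echo "smrsh_add: $prog is not an executable file" >&2
            return 3
        fi
        rm -f "$dir/$name" && ln -s "$prog" "$dir/$name" || return 1
    done
}

# smrsh_would_allow DIR CMDLINE: approximation (an assumption, not smrsh's own
# code) of what smrsh does with the "-c CMDLINE" it receives from the Mprog
# mailer. The leading path is stripped from the command name, which must then
# exist and be executable in DIR, and the line may not contain shell
# metacharacters. The set below is a superset of smrsh's, so this check is
# stricter than smrsh itself.
smrsh_would_allow() {
    dir=$1; cmdline=$2
    nl='
'
    cr=$(printf '\r')
    case $cmdline in
        *[',<>|;&$()^`']*|*"$nl"*|*"$cr"*) return 1 ;;
    esac
    cmd=${cmdline%% *}
    name=${cmd##*/}
    [ -n "$name" ] && [ -x "$dir/$name" ]
}

# mprog_uses_smrsh CF SMRSH_PATH: true if the Mprog mailer line in CF carries
# P=SMRSH_PATH, i.e. step 3 above has been applied to that file.
mprog_uses_smrsh() {
    grep '^Mprog,' "$1" | grep -q "P=$2,"
}

# smrsh_demo: run the checks against a constructed scratch tree. The stand-in
# mail and procmail binaries and the Mprog line are constructed here purely
# for the demonstration.
smrsh_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" || return 1
    for p in mail procmail; do
        printf '#!/bin/sh\nexit 0\n' > "$tmp/bin/$p"
        chmod 755 "$tmp/bin/$p"
    done
    smrsh_add "$tmp/smrsh" "$tmp/bin/mail" "$tmp/bin/procmail" || return 1
    # A .forward entry such as "|/usr/bin/procmail -Y" resolves to the link.
    smrsh_would_allow "$tmp/smrsh" "/usr/bin/procmail -Y" || return 1
    # An interpreter is not linked, and a chained command is rejected outright.
    smrsh_would_allow "$tmp/smrsh" "sh -c id" && return 1
    smrsh_would_allow "$tmp/smrsh" "mail; id" && return 1
    printf 'Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u\n' \
        > "$tmp/sendmail.cf"
    mprog_uses_smrsh "$tmp/sendmail.cf" /usr/sbin/smrsh || return 1
    rm -rf "$tmp"
    echo "smrsh allowlist and Mprog checks passed"
}

smrsh_demo
```

On a production host, run smrsh_add against /etc/smrsh with the real program paths and mprog_uses_smrsh against /etc/mail/sendmail.cf after the edit in step 3; smrsh_would_allow is only a sanity check for what a .forward or aliases entry should resolve to, and the real smrsh binary remains the authority.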

Note: In our configuration file for the Mail Hub Server above, we have already configured this Mprog line to use the restricted shell /usr/sbin/smrsh with the m4 macro FEATURE(`smrsh',`/usr/sbin/smrsh'), so don't be surprised if the /usr/sbin/smrsh specification is already set in your /etc/mail/ file for the Mail Hub relay.

Use the technique shown above instead for the other /etc/mail/ files in your network, such as the one for the nullclient local or neighbor clients and servers, which use the macro configuration file to generate their /etc/mail/ file.

  Published under the terms of the Open Publication License.