'\" te
.\" Copyright (c) 1983 Eric P. Allman
.\" Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved.
.\" Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display
.\" the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific
.\" prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
.\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Copyright (c) 1998-2006, 2008 Sendmail, Inc. and its suppliers. All rights reserved.
.\" The following license terms and conditions apply, unless a different license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, USA, or by electronic mail at license@sendmail.com. License Terms: Use, Modification and Redistribution
.\" (including distribution of any modified or derived work) in source and binary forms is permitted only if each of the following conditions is met: 1. Redistributions qualify as "freeware" or "Open Source Software" under one of the following terms: (a) Redistributions are made at no charge
.\" beyond the reasonable cost of materials and delivery. (b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions
.\" must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution "Source Code" means the complete compilable and linkable source code of sendmail including all modifications.
.\" 2. Redistributions of source code must retain the copyright notices as they appear in each source code file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below. 3. Redistributions in binary form must reproduce the Copyright Notice, these license
.\" terms, and the disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other materials provided with the distribution. For the purposes of binary distribution the "Copyright Notice" refers to the following language: "Copyright (c) 1998-2004 Sendmail,
.\" Inc. All rights reserved." 4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. The name "sendmail" is a trademark
.\" of Sendmail, Inc. 5. All redistributions must comply with the conditions imposed by the University of California on certain embedded code, whose copyright notice and conditions for redistribution are as follows: (a) Copyright (c) 1988, 1993 The Regents of the University of California.
.\" All rights reserved. (b) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: (i) Redistributions of source code must retain the above copyright notice, this list of
.\" conditions and the following disclaimer. (ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
.\" (iii) Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL,
.\" INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
.\" IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.TH SMRSH 1M "May 23, 2021"
.SH NAME
smrsh \- restricted shell for sendmail
.SH SYNOPSIS
.nf
\fBsmrsh\fR \fB-c\fR \fIcommand\fR
.fi

.SH DESCRIPTION
The \fBsmrsh\fR program is intended as a replacement for the \fBsh\fR command
in the \fBprog\fR mailer in \fBsendmail\fR(1M) configuration files. The
\fBsmrsh\fR program sharply limits commands that can be run using the
\fB|program\fR syntax of \fBsendmail\fR. This improves overall system security.
\fBsmrsh\fR limits the set of programs that a programmer can execute, even if
\fBsendmail\fR runs a program without going through an \fBalias\fR or
\fBforward\fR file.
.sp
.LP
Briefly, \fBsmrsh\fR limits programs to be in the directory
\fB/var/adm/sm.bin\fR, allowing system administrators to choose the set of
acceptable commands. It also rejects any commands with the characters: \fB,\fR,
\fB<\fR, \fB>\fR, \fB|\fR, \fB;\fR, \fB&\fR, \fB$\fR, \fB\er\fR (RETURN), or
\fB\en\fR (NEWLINE) on the command line to prevent end run attacks.
.sp
.LP
Initial pathnames on programs are stripped, so forwarding to
\fB/usr/ucb/vacation\fR, \fB/usr/bin/vacation\fR,
\fB/home/server/mydir/bin/vacation\fR, and \fBvacation\fR all actually forward
to \fB/var/adm/sm.bin/vacation\fR.
.sp
.LP
System administrators should be conservative about populating
\fB/var/adm/sm.bin\fR. Reasonable additions are utilities such as
\fBvacation\fR(1) and \fBprocmail\fR. Never include any shell or shell-like
program (for example, \fBperl\fR) in the \fBsm.bin\fR directory. This does not
restrict the use of \fBshell\fR or \fBperl\fR scripts in the \fBsm.bin\fR
directory (using the \fB#!\fR syntax); it simply disallows the execution of
arbitrary programs.
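A simplified model of the checks described above, added here as an example and not taken from the smrsh source: it refuses a command containing any of the listed characters, strips the initial pathname, and rebuilds the command under /var/adm/sm.bin. The function name sm_resolve and the sample commands are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SM_BIN   "/var/adm/sm.bin"   /* directory named on this page */
#define REJECTED ",<>|;&$\r\n"       /* characters this page lists */

/*
 * Simplified model of the DESCRIPTION policy (not smrsh's source).
 * Writes the rewritten command into out and returns 0, or returns -1
 * when refused. Whether the program exists in sm.bin is left to exec.
 */
int sm_resolve(const char *command, char *out, size_t outlen)
{
    const char *start, *end, *base, *p;
    size_t namelen;
    int n;

    /* Refuse the whole command line if any listed character appears. */
    if (strpbrk(command, REJECTED) != NULL)
        return -1;

    /* First word is the program, possibly written with a pathname. */
    start = command + strspn(command, " \t");
    end = start + strcspn(start, " \t");

    /* Strip the initial pathname: keep only what follows the last '/'. */
    for (base = p = start; p < end; p++)
        if (*p == '/')
            base = p + 1;
    namelen = (size_t)(end - base);

    /* Refuse an empty name and "." or "..", which name no program. */
    if (namelen == 0 || (namelen <= 2 && strspn(base, ".") >= namelen))
        return -1;

    /* Rebuild under sm.bin, keeping the arguments unchanged. */
    n = snprintf(out, outlen, "%s/%.*s%s", SM_BIN, (int)namelen, base, end);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample commands, as they might follow '|'. */
    const char *samples[] = { "/usr/ucb/vacation -a bob", "vacation",
                              "vacation bob > /tmp/out", "/usr/bin/" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               sm_resolve(samples[i], buf, sizeof buf) == 0 ? buf : "refused");
    return 0;
}
```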
.SH OPTIONS
The following options are supported:
.sp
.ne 2
.na
\fB\fB-c\fR \fIcommand\fR\fR
.ad
.RS 14n
Where \fIcommand\fR is a valid command, executes \fIcommand\fR.
.RE

.SH FILES
.ne 2
.na
\fB\fB/var/adm/sm.bin\fR\fR
.ad
.RS 19n
directory for restricted programs
.RE

.SH SEE ALSO
\fBsendmail\fR(1M), \fBattributes\fR(5)