22.10. Secure Sendmail using smrsh

The smrsh program is intended as a replacement for /bin/sh in the program mailer definition of Sendmail. It is a restricted shell utility that lets you specify, through the /etc/smrsh directory, an explicit list of executable programs available to Sendmail. More precisely, even if somebody with malicious intentions can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to only those programs specified in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer under /usr/sbin/smrsh.

  1. The first thing we need to do is to determine the list of commands that smrsh should allow Sendmail to run. By default we include, but are not limited to:

    • /bin/mail - if you have it installed on your system

    • /usr/bin/procmail - if you have it installed on your system

    Warning

    You should not include interpreter programs such as sh(1), csh(1), perl(1), uudecode(1) or sed(1) (the stream editor) in your list of acceptable commands.

  2. Next, populate the /etc/smrsh directory with the programs that Sendmail is allowed to execute. To avoid keeping duplicate copies of programs, it is better to create links in /etc/smrsh that point to the allowable programs rather than to copy the programs into this directory. To allow the mail program /bin/mail, use the following commands:
    
         [root@deep] /# cd /etc/smrsh
         [root@deep] /smrsh# ln -s /bin/mail mail
             
    To allow the procmail program /usr/bin/procmail, use the following commands:
    
         [root@deep] /# cd /etc/smrsh
         [root@deep] /smrsh# ln -s /usr/bin/procmail procmail
             
    This will allow the mail and procmail programs to be run from a user's .forward file or an aliases file which uses the program syntax.

    Important: Procmail is required only on a Mail Hub Server and not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, make the link to procmail as explained above. If you have configured your system as a Local Client Server, skip the procmail step above.

  3. We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, /etc/mail/sendmail.cf. You must modify this single-line Mprog definition in the sendmail.cf file by replacing the /bin/sh specification with /usr/sbin/smrsh. Edit the sendmail.cf file (vi /etc/mail/sendmail.cf) and change the line:

    Example 22-3. sendmail.cf

    
         Mprog,  P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
             
    Which should be changed to:
    
         Mprog,  P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
             

  4. Now re-start the sendmail process manually with the following command:
    
         [root@deep] /# /etc/rc.d/init.d/sendmail restart
             

Note: In our sendmail.mc configuration file for the Mail Hub Server above, we have already configured this Mprog line to use the restricted shell /usr/sbin/smrsh with the m4 macro FEATURE(`smrsh',`/usr/sbin/smrsh'), so don't be surprised if the /usr/sbin/smrsh specification is already set in your /etc/mail/sendmail.cf file for the Mail Hub relay.

Instead, use the technique shown above for the other /etc/mail/sendmail.cf files in your network, such as those of the nullclient local or neighbor clients and servers that use the null.mc macro configuration file to generate the /etc/mail/sendmail.cf file.
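
A check for the setup described in steps 1 to 3, as an added example that is not part of the original text: it flags any entry in the smrsh directory whose name or link target is one of the interpreters named in the warning, and reports which shell the Mprog line runs. The function names and the --audit switch are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original text. Function names are hypothetical.
# Interpreter names come from the warning in step 1; extend the list as needed.
DENY_LIST="sh csh perl uudecode sed"

# is_denied NAME: exit 0 when NAME is on the deny list.
is_denied() {
    for denied in $DENY_LIST; do
        [ "$1" = "$denied" ] && return 0
    done
    return 1
}

# audit_smrsh_dir DIR: print entries whose own name, link target or fully
# resolved target is a denied interpreter; exit status 1 if any were found.
audit_smrsh_dir() {
    found=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir: skip glob
        link=$(readlink "$entry" 2>/dev/null || echo "$entry")
        real=$(readlink -f "$entry" 2>/dev/null || echo "$entry")
        for candidate in "$entry" "$link" "$real"; do
            if is_denied "$(basename "$candidate")"; then
                echo "DENIED: $entry -> $real"
                found=1
                break
            fi
        done
    done
    return "$found"
}

# mprog_shell CF: print the P= path of the Mprog mailer definition.
mprog_shell() {
    sed -n 's/^Mprog,[[:space:]]*P=\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_mprog CF: exit 0 only when Mprog runs /usr/sbin/smrsh.
check_mprog() {
    [ "$(mprog_shell "$1")" = "/usr/sbin/smrsh" ]
}

# Audit the live system only when asked: sh smrsh-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_smrsh_dir /etc/smrsh || echo "Remove the entries listed above."
    check_mprog /etc/mail/sendmail.cf ||
        echo "Mprog runs '$(mprog_shell /etc/mail/sendmail.cf)', not smrsh."
fi
```

The immediate link target is checked as well as the resolved one because on many systems /bin/sh is itself a link to another shell binary, so the resolved name alone would not match.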