Installing and Administering Internet Services
190 Chapter4
Installing and Administering sendmail
Security
Security
sendmail on HP-UX 10.30 and later allows the aliases file or a user’s
.forward file to specify programs to be run. These programs are by
default invoked through /usr/bin/sh -c. The sendmail restricted shell
(smrsh) program allows you to restrict the programs that can be run
through the aliases file or through a .forward file; only programs that
are linked to the /var/adm/sm.bin directory can be invoked.
To use the smrsh program:
1. In the /etc/mail/sendmail.cf file, comment out the following lines
(by inserting a pound sign [#] before each line):
#Mprog, P=/usr/bin/sh, F=lsDFMoeu, S=10/30, R=20/40,
D=$z:/,
# T=X-Unix,
# A=sh -c $u
2. In the /etc/mail/sendmail.cf file, uncomment the following lines
(by deleting the pound sign [#] before each line):
Mprog, P=/usr/bin/smrsh, F=lsDFMoeu, S=10/30, R=20/40,
D=$z:/,
T=X-Unix,
A=smrsh -c $u
3. Create the directory /var/adm/sm.bin/ with root:bin ownership and
755 permissions. Place the binaries of the programs that you want to
allow into this directory. Typically, programs such as vacation,
rmail, and AutoReply are placed in this directory. (You can also
specify hard links to the binaries.) You should not place shells such as
ksh, sh, csh, and perl in this directory because they have too many
security issues.
Turning Off Standard Security Checks
Sendmail has security checks that limit reading and writing to certain
files in a directory. These checks protect files that may reside in unsafe
directories or that may be tampered with by users other than the owner.
You can turn these safety checks off by editing the “DontBlameSendmail”
option in the configuration file.