Installing and Administering Internet Services
Chapter 4
Installing and Administering sendmail
Security
sendmail on HP-UX 10.30 and later allows the aliases file or a user's
.forward file to specify programs to be run. By default these programs are
invoked through /usr/bin/sh -c, so anyone who can write an alias entry or a
.forward file can have sendmail run an arbitrary command line. The sendmail
restricted shell (smrsh) program lets you restrict which programs can be
run from the aliases file or from a .forward file: smrsh strips any leading
path from the requested command and invokes it only if a program of that
name is present in (or hard-linked into) the /var/adm/sm.bin directory.
To use the smrsh program:
1. In the /etc/mail/sendmail.cf file, comment out the three lines of the
sh-based prog mailer definition (by inserting a pound sign [#] before each
line), so that they read:
#Mprog, P=/usr/bin/sh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,
# T=X-Unix,
# A=sh -c $u
2. In the /etc/mail/sendmail.cf file, uncomment the three lines of the
smrsh-based prog mailer definition (by deleting the pound sign [#] before
each line), so that they read:
Mprog, P=/usr/bin/smrsh, F=lsDFMoeu, S=10/30, R=20/40, D=$z:/,
T=X-Unix,
A=smrsh -c $u
3. Create the directory /var/adm/sm.bin/ with root:bin ownership and 755
permissions, and place in it the binaries (or hard links to the binaries)
of the programs that you want to allow. Typically, programs such as
vacation, rmail, and AutoReply are placed in this directory. Do not place
shells or interpreters such as ksh, sh, csh, and perl in this directory:
they accept arbitrary commands or scripts as arguments, so allowing them
restores exactly the unrestricted execution that smrsh is meant to remove.
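The three steps above as one rehearsable script. This is an added example, not code from the HP-UX manual: it edits whatever sendmail.cf copy and sm.bin directory you pass in, so you can try it on a scratch copy before touching /etc/mail/sendmail.cf. It assumes the two Mprog definitions appear in the file as printed above (the sh-based one active, the smrsh-based one commented out, three lines each). The smrsh_allows function is this example's own approximation of smrsh's decision (leading path stripped, basename looked up in the directory, command lines carrying shell metacharacters refused); the metacharacter list is an assumption, since the exact set rejected depends on the sendmail version.

```shell
#!/bin/sh
# Example rehearsal of the smrsh setup (added example, not from the manual).
# Nothing under /etc or /var is touched unless you pass those paths.

# Steps 1 and 2: comment out the /usr/bin/sh prog mailer and uncomment the
# /usr/bin/smrsh prog mailer in the sendmail.cf given as $1. A backup is
# kept as $1.orig. Assumes each mailer definition is exactly three lines.
smrsh_switch_mprog() {
    cf=$1
    cp "$cf" "$cf.orig" || return 1
    awk '
        /^Mprog, P=\/usr\/bin\/sh,/     { n = 3 }  # start of sh mailer block
        /^#Mprog, P=\/usr\/bin\/smrsh,/ { m = 3 }  # start of smrsh mailer block
        n > 0 { print "#" $0; n--; next }          # comment out sh block
        m > 0 { sub(/^#/, ""); print; m--; next }  # uncomment smrsh block
        { print }
    ' "$cf.orig" > "$cf"
}

# Step 3: create the restricted directory ($1) with 755 permissions and
# root:bin ownership, then hard-link each allowed program ($2...) into it,
# falling back to a copy when a hard link is impossible (different file system).
smrsh_setup_bin() {
    dir=$1; shift
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    # chown needs root; when rehearsing as an ordinary user just warn.
    chown root:bin "$dir" 2>/dev/null \
        || echo "note: run as root to set root:bin ownership on $dir" >&2
    for prog; do
        ln "$prog" "$dir/$(basename "$prog")" 2>/dev/null \
            || cp "$prog" "$dir/$(basename "$prog")" || return 1
    done
}

# Approximation of what smrsh does with one alias/.forward command line ($1,
# the text after the leading "|") given the restricted directory ($2):
#   - refuse lines containing shell metacharacters (assumed set: ` < > ; $ ( ))
#     so "vacation; sh" cannot end-run the check,
#   - strip any leading path from the first word (/usr/bin/vacation -> vacation),
#   - allow only if that basename exists and is executable in the directory.
# Returns 0 (allowed) or 1 (refused).
smrsh_allows() {
    cmdline=$1; dir=$2
    if printf '%s' "$cmdline" | grep -q '[`<>;$()]'; then
        return 1
    fi
    cmd=${cmdline%% *}          # program is the first word
    base=${cmd##*/}             # drop any path the sender supplied
    [ -n "$base" ] && [ -f "$dir/$base" ] && [ -x "$dir/$base" ]
}

# Verification helper for steps 1 and 2: number of active (uncommented)
# prog mailer lines in $1 that use /usr/bin/$2 (expect 1 for smrsh, 0 for sh).
count_active_mailer() {
    grep -c "^Mprog, P=/usr/bin/$2," "$1"
}
```

Run it on a copy first (cp /etc/mail/sendmail.cf /tmp/sendmail.cf; smrsh_switch_mprog /tmp/sendmail.cf; count_active_mailer /tmp/sendmail.cf smrsh), then on the real file as root followed by smrsh_setup_bin /var/adm/sm.bin /usr/bin/vacation /usr/bin/rmail. sendmail reads sendmail.cf only at startup, so restart the daemon afterwards (on HP-UX typically /sbin/init.d/sendmail stop followed by /sbin/init.d/sendmail start), and confirm with smrsh_allows that a .forward line such as "/usr/bin/sh -c id" is refused while "/usr/bin/vacation user" is allowed.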