Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
265
        RETVAL=$?
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|status}"
        exit 1
esac
exit $RETVAL
Now, make this script executable and change its default permission:
[root@deep /]# chmod 700 /etc/rc.d/init.d/sendmail
Create the symbolic rc.d links for Sendmail with the command:
[root@deep /]# chkconfig --add sendmail
Start your Sendmail Server manually with the following command:
[root@deep /]# /etc/rc.d/init.d/sendmail start
Starting sendmail: [ OK ]
Cleanup after work
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf sendmail-version/ sendmail.version.tar.gz
The rm command will remove all the source files we have used to compile and install Sendmail.
It will also remove the Sendmail compressed archive from the /var/tmp directory.
Securing Sendmail
The Sendmail restricted shell smrsh
The smrsh program is intended as a replacement for /bin/sh in the program mailer definition of
Sendmail. It is a restricted shell utility that lets you specify, through the /etc/smrsh
directory, an explicit list of programs that Sendmail is allowed to execute. To be more precise,
even if an attacker can get Sendmail to run a program without going through an aliases or
forward file, smrsh limits the set of programs that he or she can execute. When used in
conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to
only those programs listed in smrsh's directory. If you followed the steps above, the smrsh
program is already compiled and installed on your computer under /usr/sbin/smrsh.
Step 1
The first thing we need to do is determine the list of commands that smrsh should allow
Sendmail to run.
By default we include, but are not limited to:
/bin/mail (if you have it installed on your system)
/usr/bin/procmail (if you have it installed on your system)
NOTE: You should NOT include interpreter programs such as sh(1), csh(1), perl(1), uudecode(1)
or the stream editor sed(1) in your list of acceptable commands.
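The following audit script is an added example, not part of the book or of the Sendmail distribution. It checks an smrsh directory against the policy described above: every entry must be an executable program (normally a symbolic link to one), and none of the interpreters named in the NOTE may appear. The fixture directory, the program names and the helper function names are constructed for the demonstration; in production you would point smrsh_audit at /etc/smrsh.

```shell
#!/bin/sh
# Added example: audit an smrsh directory for the policy described in the text.
# Assumptions: POSIX sh, coreutils readlink/mktemp available.

# Interpreters the book says must never be reachable through smrsh.
SMRSH_FORBIDDEN="sh csh perl uudecode sed"

# smrsh_audit DIR: print one verdict line per entry.
# Returns 0 when every entry is an executable and none is forbidden, else 1.
smrsh_audit() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    for entry in "$dir"/*; do
        # Skip the literal "*" that an empty directory glob leaves behind.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        for bad in $SMRSH_FORBIDDEN; do
            if [ "$name" = "$bad" ]; then
                echo "FORBIDDEN: $entry (interpreter must not be in smrsh dir)"
                rc=1
                continue 2
            fi
        done
        # -x on a dangling symlink is false, so broken links are flagged too.
        if [ ! -x "$entry" ]; then
            echo "NOT EXECUTABLE: $entry"
            rc=1
        elif [ -L "$entry" ]; then
            echo "ok: $entry -> $(readlink "$entry")"
        else
            echo "ok: $entry"
        fi
    done
    return $rc
}

# smrsh_make_fixture ROOT KIND: build a constructed test tree under ROOT.
# ROOT/bin holds stand-in mail and procmail programs, ROOT/smrsh links to them.
# KIND=bad additionally adds a forbidden interpreter link and a dangling link.
smrsh_make_fixture() {
    root=$1
    kind=$2
    mkdir -p "$root/bin" "$root/smrsh"
    for prog in mail procmail; do
        printf '#!/bin/sh\nexit 0\n' > "$root/bin/$prog"
        chmod 755 "$root/bin/$prog"
        ln -s "$root/bin/$prog" "$root/smrsh/$prog"
    done
    if [ "$kind" = bad ]; then
        ln -s /bin/sh "$root/smrsh/sh"                  # policy violation
        ln -s "$root/bin/missing" "$root/smrsh/vacation" # dangling link
    fi
}

# smrsh_demo: run the audit over a clean and a misconfigured fixture.
smrsh_demo() {
    tmp=$(mktemp -d)
    smrsh_make_fixture "$tmp/good" good
    echo "--- clean directory"
    smrsh_audit "$tmp/good/smrsh" && echo "verdict: PASS"
    smrsh_make_fixture "$tmp/bad" bad
    echo "--- misconfigured directory"
    smrsh_audit "$tmp/bad/smrsh" || echo "verdict: FAIL"
    rm -rf "$tmp"
    return 0
}

smrsh_demo
```

On a real system, run `smrsh_audit /etc/smrsh` after populating the directory; a non-zero exit means either an interpreter slipped into the allowed list or a link points at a program that no longer exists.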
Step 2