
Securing-Optimizing-RH-Linux-1_2_265
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 265

        RETVAL=$?
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|status}"
        exit 1
esac
exit $RETVAL

Now, make this script executable and change its default permission:

[root@deep /]# chmod 700 /etc/rc.d/init.d/sendmail

Create the symbolic rc.d links for Sendmail with the command:

[root@deep /]# chkconfig --add sendmail

Start your Sendmail server manually with the following command:

[root@deep /]# /etc/rc.d/init.d/sendmail start
Starting sendmail:                                         [  OK  ]

Cleanup after work

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf sendmail-version/ sendmail.version.tar.gz

The "rm" command will remove all the source files we have used to compile and install Sendmail. It will also remove the Sendmail compressed archive from the "/var/tmp" directory.

Securing Sendmail

The Sendmail restricted shell "smrsh"

The smrsh program is intended as a replacement for "/bin/sh" in the program mailer definition of Sendmail. It is a restricted shell utility that lets you specify, through the contents of the "/etc/smrsh" directory, an explicit list of programs that Sendmail is allowed to execute. To be more accurate, even if a "bad guy" can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he/she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of program execution to only those programs present in smrsh's directory. If you followed the steps above, the smrsh program is already compiled and installed on your computer under "/usr/sbin/smrsh".

Step 1

The first thing we need to do is to determine the list of commands that "smrsh" should allow Sendmail to run.
By default we include, but are not limited to:

  "/bin/mail" (if you have it installed on your system)
  "/usr/bin/procmail" (if you have it installed on your system)

NOTE: You should NOT include interpreter programs such as sh(1), csh(1), perl(1), uudecode(1) or the stream editor sed(1) in your list of acceptable commands.

Step 2
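Because smrsh only runs what it finds in its program directory, the contents of that directory are the whole allow-list, and the check in Step 1 above can be scripted. The following is an added example, not code from the book or from the Sendmail distribution: it walks an smrsh directory (the path is a parameter; the sample directory it builds is constructed for the demonstration), reports each entry, and flags the interpreters the NOTE says to keep out as well as entries that are not executable files.

```shell
#!/bin/sh
# Added example (not from the book): audit an smrsh program directory.
# smrsh executes only programs present in its directory (/etc/smrsh by
# default), so listing that directory is the same as listing what
# Sendmail can run. The directory to check is passed as an argument.

# Interpreters named in the book's NOTE; any of these in the directory
# hands mail-driven code execution back to whoever can reach Sendmail.
SMRSH_DENY="sh csh perl uudecode sed"

# audit_smrsh DIR: print one line per entry; return the number of entries
# that are either denied interpreters or not executable regular files.
audit_smrsh() {
    dir=$1
    bad=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        name=$(basename "$entry")
        case " $SMRSH_DENY " in
            *" $name "*)
                echo "DENY   $name: interpreter, runs arbitrary code"
                bad=$((bad + 1)) ;;
            *)
                # -f and -x follow symlinks, so a link to a real binary
                # passes while a dangling link is reported as broken.
                if [ -f "$entry" ] && [ -x "$entry" ]; then
                    echo "ALLOW  $name"
                else
                    echo "BROKEN $name: not an executable regular file"
                    bad=$((bad + 1))
                fi ;;
        esac
    done
    return "$bad"
}

# Constructed sample directory standing in for /etc/smrsh.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE/mail";     chmod 755 "$SAMPLE/mail"
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE/procmail"; chmod 755 "$SAMPLE/procmail"
ln -s /bin/sh "$SAMPLE/sh"                        # the mistake the NOTE warns about
ln -s /nonexistent/vacation "$SAMPLE/vacation"    # dangling link, useless but harmless

audit_smrsh "$SAMPLE" || echo "problem entries: $?"
```

Run it against the real directory with `audit_smrsh /etc/smrsh` after sourcing the file; a non-zero return is the number of entries to fix.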