1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
|
/*
* Copyright (c) 1998 Sendmail, Inc. All rights reserved.
* Copyright (c) 1993 Eric P. Allman. All rights reserved.
* Copyright (c) 1993
* The Regents of the University of California. All rights reserved.
*
* By using this file, you agree to the terms and conditions set
* forth in the LICENSE file which can be found at the top level of
* the sendmail distribution.
*
*/
#ifndef lint
static char sccsid[] = "@(#)smrsh.c 8.11 (Berkeley) 5/19/1998";
#endif /* not lint */
/*
** SMRSH -- sendmail restricted shell
**
** This is a patch to get around the prog mailer bugs in most
** versions of sendmail.
**
** Use this in place of /bin/sh in the "prog" mailer definition
** in your sendmail.cf file. You then create CMDDIR (owned by
** root, mode 755) and put links to any programs you want
** available to prog mailers in that directory. This should
** include things like "vacation" and "procmail", but not "sed"
** or "sh".
**
** Leading pathnames are stripped from program names so that
** existing .forward files that reference things like
** "/usr/ucb/vacation" will continue to work.
**
** The following characters are completely illegal:
** < > | ^ ; & $ ` ( ) \n \r
** This is more restrictive than strictly necessary.
**
** To use this, edit /etc/sendmail.cf, search for ^Mprog, and
** change P=/bin/sh to P=/usr/local/etc/smrsh, where this compiled
** binary is installed /usr/local/etc/smrsh.
**
** This can be used on any version of sendmail.
**
** In loving memory of RTM. 11/02/93.
*/
#include <unistd.h>
#include <stdio.h>
#include <sys/file.h>
#include <string.h>
#include <ctype.h>
#ifdef EX_OK
# undef EX_OK
#endif
#include <sysexits.h>
#include <syslog.h>
#include <stdlib.h>
/* directory in which all commands must reside */
#ifndef CMDDIR
# define CMDDIR "/usr/adm/sm.bin"
#endif
/* characters disallowed in the shell "-c" argument */
#define SPECIALS "<|>^();&`$\r\n"
/* default search path */
#ifndef PATH
# define PATH "/bin:/usr/bin:/usr/ucb"
#endif
int
main(argc, argv)
int argc;
char **argv;
{
register char *p;
register char *q;
register char *cmd;
int i;
char *newenv[2];
char cmdbuf[1000];
char pathbuf[1000];
#ifndef LOG_MAIL
openlog("smrsh", 0);
#else
openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL);
#endif
strcpy(pathbuf, "PATH=");
strcat(pathbuf, PATH);
newenv[0] = pathbuf;
newenv[1] = NULL;
/*
** Do basic argv usage checking
*/
if (argc != 3 || strcmp(argv[1], "-c") != 0)
{
fprintf(stderr, "Usage: %s -c command\n", argv[0]);
syslog(LOG_ERR, "usage");
exit(EX_USAGE);
}
/*
** Disallow special shell syntax. This is overly restrictive,
** but it should shut down all attacks.
** Be sure to include 8-bit versions, since many shells strip
** the address to 7 bits before checking.
*/
strcpy(cmdbuf, SPECIALS);
for (p = cmdbuf; *p != '\0'; p++)
*p |= '\200';
strcat(cmdbuf, SPECIALS);
p = strpbrk(argv[2], cmdbuf);
if (p != NULL)
{
fprintf(stderr, "%s: cannot use %c in command\n",
argv[0], *p);
syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s",
getuid(), *p, argv[2]);
exit(EX_UNAVAILABLE);
}
/*
** Do a quick sanity check on command line length.
*/
i = strlen(argv[2]);
if (i > (sizeof cmdbuf - sizeof CMDDIR - 2))
{
fprintf(stderr, "%s: command too long: %s\n", argv[0], argv[2]);
syslog(LOG_WARNING, "command too long: %.40s", argv[2]);
exit(EX_UNAVAILABLE);
}
/*
** Strip off a leading pathname on the command name. For
** example, change /usr/ucb/vacation to vacation.
*/
/* strip leading spaces */
for (q = argv[2]; *q != '\0' && isascii(*q) && isspace(*q); )
q++;
/* find the end of the command name */
p = strpbrk(q, " \t");
if (p == NULL)
cmd = &q[strlen(q)];
else
{
*p = '\0';
cmd = p;
}
/* search backwards for last / (allow for 0200 bit) */
while (cmd > q)
{
if ((*--cmd & 0177) == '/')
{
cmd++;
break;
}
}
/* cmd now points at final component of path name */
/*
** Check to see if the command name is legal.
*/
(void) strcpy(cmdbuf, CMDDIR);
(void) strcat(cmdbuf, "/");
(void) strcat(cmdbuf, cmd);
#ifdef DEBUG
printf("Trying %s\n", cmdbuf);
#endif
if (access(cmdbuf, X_OK) < 0)
{
/* oops.... crack attack possiblity */
fprintf(stderr, "%s: %s not available for sendmail programs\n",
argv[0], cmd);
if (p != NULL)
*p = ' ';
syslog(LOG_CRIT, "uid %d: attempt to use %s", getuid(), cmd);
exit(EX_UNAVAILABLE);
}
if (p != NULL)
*p = ' ';
/*
** Create the actual shell input.
*/
strcpy(cmdbuf, CMDDIR);
strcat(cmdbuf, "/");
strcat(cmdbuf, cmd);
/*
** Now invoke the shell
*/
#ifdef DEBUG
printf("%s\n", cmdbuf);
#endif
execle("/bin/sh", "/bin/sh", "-c", cmdbuf, NULL, newenv);
syslog(LOG_CRIT, "Cannot exec /bin/sh: %m");
perror("/bin/sh");
exit(EX_OSFILE);
}
|
