|
|
smrsh limits programs available in the directory /usr/adm/sm.bin, allowing the system administrator to choose the set of acceptable commands. It also rejects any commands with the characters `, <, >, ;, $, (, ), <Return>, or (newline) on the command line to prevent ``end run'' attacks. It allows ``||'' and ``&&'' to enable commands like: ``"|exec /usr/local/bin/procmail -f- /etc/procmailrcs/user || exit 75"''
Initial path names on programs are stripped.
System administrators should be conservative about populating /usr/adm/sm.bin. Never include any shell or shell-like program such as perl in the sm.bin directory. This does not restrict the use of shell or perl scripts in the sm.bin directory (using the #! syntax); it simply disallows execution of arbitrary programs.
Compilation should be trivial on most systems. You may need to use -DPATH=path to adjust the default search path (defaults to /bin:/usr/bin:/usr/ucb) or -DCMDBIN=dir to change the default program directory (defaults to /usr/adm/sm.bin).