sendmail Security Options - 4.8.3 The /etc/shells File
To prevent certain users from running programs or writing to files by way of the aliases or ~/.forward files, V8 sendmail introduced the concept of a “valid shell.” Just before allowing delivery via an alias such as one of these:
|"/some/program"
/save/to/a/file
the user’s password entry is looked up. If the shell entry from that password entry is a valid one, delivery is allowed. A shell is valid if it is listed in the /etc/shells file. If that file does not exist, sendmail looks up the shell in its internal list, which looks (more or less) like this:
/bin/bsh
/bin/csh
/bin/ksh
/bin/pam
/bin/posix/sh
/bin/rksh
/bin/rsh
/bin/sh
/bin/tcsh
/usr/bin/bsh
/usr/bin/csh
/usr/bin/keysh
/usr/bin/ksh
/usr/bin/pam
/usr/bin/posix/sh
/usr/bin/rksh
/usr/bin/rsh
/usr/bin/sh
/usr/bin/tcsh
With this technique it is possible to prevent sendmail from running programs or delivering to files on behalf of certain users. To illustrate, consider the need to prevent the ftp pseudouser from misusing sendmail:
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/no/shell
Here, any attempt by ftp to send mail through a program or into a file will fail because the shell /no/shell is not a valid shell. Such mail will bounce with one of these two errors:
User ftp@here.us.edu doesn't have a valid shell for mailing to programs
User ftp@here.us.edu doesn't have a valid shell for mailing to files
Note that unusual circumstances might require you to allow users with invalid shells to run programs or deliver to files. To enable this for all such users (as on a mail server with restricted logins), place the following line directly in the /etc/shells file:
/SENDMAIL/ANY/SHELL/
To enable this for selected users, just replace their shell with a bogus one that is listed in /etc/shells:
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/bogus/shell
We recommend that all pseudousers (such as bin and ftp) be given invalid shells in the password file and that /SENDMAIL/ANY/SHELL/ never be used.
Be warned, however, that if a user can get into your machine as ftp, it might be possible for that user to run another shell, such as csh(1). Thus, in addition to listing a bogus shell, you might need to take further steps to prevent such access.
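An added example (not from the book or from sendmail's source): a small audit that applies the valid-shell rule described above to passwd and /etc/shells text and reports which accounts would be allowed program or file delivery, flagging pseudousers that pass and any use of /SENDMAIL/ANY/SHELL/. The sample data, the function names, the comment handling for /etc/shells, and treating an empty shell field as /bin/sh are assumptions.

```python
# Added example: mirrors the valid-shell rule described above; not sendmail's code.
BUILTIN_SHELLS = """/bin/bsh /bin/csh /bin/ksh /bin/pam /bin/posix/sh /bin/rksh
/bin/rsh /bin/sh /bin/tcsh /usr/bin/bsh /usr/bin/csh /usr/bin/keysh /usr/bin/ksh
/usr/bin/pam /usr/bin/posix/sh /usr/bin/rksh /usr/bin/rsh /usr/bin/sh
/usr/bin/tcsh""".split()  # internal list as printed on this page
WILDCARD = "/SENDMAIL/ANY/SHELL/"

def valid_shells(shells_text):
    """Shells from /etc/shells text, or the built-in list if the file is absent (None)."""
    if shells_text is None:
        return set(BUILTIN_SHELLS)
    # Assumption: '#' starts a comment and blank lines are ignored.
    lines = (ln.split("#", 1)[0].strip() for ln in shells_text.splitlines())
    return {ln for ln in lines if ln}

def audit(passwd_text, shells_text, pseudousers=("bin", "ftp")):
    """Return (allowed_users, findings) for program/file delivery via aliases or ~/.forward."""
    shells = valid_shells(shells_text)
    wildcard = WILDCARD in shells
    allowed, findings = [], []
    if wildcard:
        findings.append(f"{WILDCARD} is listed: every account passes the check")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip malformed or comment lines
        user = fields[0]
        shell = fields[6] or "/bin/sh"  # assumption: empty field means /bin/sh
        if wildcard or shell in shells:
            allowed.append(user)
            if user in pseudousers:
                findings.append(f"pseudouser {user} passes with shell {shell}")
    return allowed, findings

# Constructed sample data; the ftp entry is the one shown on this page.
PASSWD = """\
bin:*:3:7:Binaries:/bin:/bin/sh
ftp:*:1092:255:File Transfer Protocol Program:/u/ftp:/no/shell
alice:*:2001:100:Alice Example:/u/alice:/bin/ksh
"""
SHELLS = "# local shells\n/bin/sh\n/bin/ksh\n/bogus/shell\n"

if __name__ == "__main__":
    for label, shells in (("built-in list", None), ("/etc/shells", SHELLS),
                          ("with wildcard", SHELLS + WILDCARD + "\n")):
        allowed, findings = audit(PASSWD, shells)
        print(label, "->", allowed, findings)
```

In the sample, bin is reported because it still has /bin/sh, which is the condition the recommendation above says to remove.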
This article is excerpted from chapter four of sendmail, fourth edition, written by Bryan Costales, Claus Assmann, George Jansen and Gregory Shapiro (O'Reilly, 2007; ISBN: 0596510292).