Summary: vacation

From: Anita D Litteer <amc_at_inel.gov>
Date: Thu, 6 Jun 1996 10:23:27 -0600 (MDT)

Thanks to the following for their help:

Patrick O'Brien
Bruce B. Platt
Jon Reeves
Phil Rand

My problem was that my sendmail.cf was pointing to the sendmail secure
shell, smrsh, and I didn't have it installed on my system. I didn't have
time to pursue it, since I'm leaving on vacation. I ended up switching
my mail to a platform where vacation is already set up. Here are the
replies:

________________________________________________________________________
Your sendmail.cf is set up to use the Sendmail Restricted Shell for
programs such as vacation. It sounds as though the Sendmail Restricted
Shell is not installed on your system. Installing and configuring it
is one option. The other option is to change the Mprog definition
in sendmail.cf to /sbin/sh, which is not advisable.

-Pat O'Brien

Systems Administrator
Harvard-Smithsonian Center for Astrophysics
60 Garden Street
Cambridge, MA 02138

________________________________________________________________________

I do it as follows. I have a file in my home directory called .forward.VACATION

It contains the following:

\bbp, "|vacation bbp"

When I am ready to leave, I do a:

cp .forward.VACATION .forward

Then I edit .vacation.msg so it has something like the following in it:

"From: bbp_at_comport.com (Bruce B. Platt)
Subject: I am on vacation

I will be on vacation from May 9th through May 19th. Your mail message will
be answered by me after that time.

Regards,"

This works for me. Take a look at your path by using a "printenv" command.
If /usr/bin is in your path, you shouldn't need to fully specify the path.
The second sentence of your message bothers me. I assume you are just
testing this by sending mail to yourself, i.e., amc_at_inel.gov.



+-----------------------------------------------------+
Bruce B. Platt, Ph.D. Director of Product Development
Comport Consulting Corporation
78 Orchard Street
Ramsey, NJ 07446
Phone: 201-236-0505 Fax: 201-236-1335
bbp_at_comport.com

________________________________________________________________________
>From bbp_at_comport.com Thu Jun 6 10:14:21 1996
Date: Wed, 05 Jun 1996 17:10:14 -0400
From: "Bruce B. Platt, Ph.D." <bbp_at_comport.com>
To: Anita D Litteer <amc_at_inel.gov>,
    OSF Managers <alpha-osf-managers_at_ornl.gov>
Subject: vacation: http://wsspinfo.cern.ch...cert/tools/smrsh/README

http://wsspinfo.cern.ch/sec/cert/tools/smrsh/README

Look at this URL. On reflection, the error message you included was the
clue. Your system is using sendmail restricted shell.

This document suggests that /usr/bin/vacation is not in the list of
programs that smrsh will execute.

After reading the document, it appears that you will need to do the
equivalent of:

"To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

host.domain# cd /usr/adm/sm.bin
host.domain# ln -s /usr/ucb/vacation vacation"

Hope this gets to you in time.
-- 
+-----------------------------------------------------+
Bruce B. Platt, Ph.D. Director of Product Development
Comport Consulting Corporation
78 Orchard Street
Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp_at_comport.com
  [ Part 2: "Attached Text" ]
README  smrsh - sendmail restricted shell.

	@(#)README	8.2	11/11/95

This README file is provided as a courtesy of the CERT Coordination Center,
Software Engineering Institute, Carnegie Mellon University.  This file is
intended as a supplement to the CERT advisory CA-93:16.sendmail.vulnerability,
and to the software, smrsh.c, written by Eric Allman.

The smrsh(8) program is intended as a replacement for /bin/sh in the
program mailer definition of sendmail(8).  This README file describes
the steps needed to compile and install smrsh.

smrsh is a restricted shell utility that provides the ability to
specify, through a configuration, an explicit list of executable
programs.  When used in conjunction with sendmail, smrsh effectively
limits sendmail's scope of program execution to only those programs
specified in smrsh's configuration.

smrsh has been written with portability in mind, and uses traditional
Unix library utilities.  As such, smrsh should compile on most
Unix C compilers.

To compile smrsh.c, use the following command:

host.domain% cc -o smrsh smrsh.c

For machines that provide dynamic linking, it is advisable to compile
smrsh without dynamic linking.  As an example with the Sun Microsystems
compiler, you should compile with the -Bstatic option.

host.domain% cc -Bstatic -o smrsh smrsh.c

Choose a directory that smrsh will reside in.  We will use the traditional
/usr/local/etc directory for the remainder of this document.

As root, install smrsh in /usr/local/etc directory, with mode 511.

host.domain# mv smrsh /usr/local/etc
host.domain# chmod 511 /usr/local/etc/smrsh

Next, determine the list of commands that smrsh should allow sendmail
to run.  This list of allowable commands can be determined by:

   1.  examining your /etc/aliases file, to indicate what commands
       are being used by the system.
   2.  surveying your host's .forward files, to determine what
       commands users have specified.

See the man page for aliases(5) if you are unfamiliar with the format of
these specifications. Additionally, you should include in the list,
popular commands such as /usr/ucb/vacation.

You should NOT include interpreter programs such as sh(1), csh(1),
perl(1), uudecode(1) or the stream editor sed(1) in your list of
acceptable commands.

You will next need to create the directory /usr/adm/sm.bin and populate
it with the programs that your site feels are allowable for sendmail
to execute.   This directory is explicitly specified in the source
code for smrsh, so changing this directory must be accompanied with
a change in smrsh.c.

You will have to be root to make these modifications.

After creating the /usr/adm/sm.bin directory, either copy the programs
to the directory, or establish links to the allowable programs from
/usr/adm/sm.bin.  Change the file permissions, so that these programs
can not be modified by non-root users.  If you use links, you should
ensure that the target programs are not modifiable.

To allow the popular vacation(1) program by creating a link in the
/usr/adm/sm.bin directory, you should:

host.domain# cd /usr/adm/sm.bin
host.domain# ln -s /usr/ucb/vacation vacation

After populating the /usr/adm/sm.bin directory, you can now configure
sendmail to use the restricted shell.  Save the current sendmail.cf
file prior to modifying it, as a prudent precaution.

Typically, the program mailer is defined by a single line in the
sendmail configuration file, sendmail.cf.  This file is traditionally
found in the /etc, /usr/lib or /etc/mail directories, depending on
the UNIX vendor.

If you are unsure of the location of the actual sendmail configuration
file, a search of the strings(1) output of the sendmail binary, will
help to locate it.

In order to configure sendmail to use smrsh, you must modify the Mprog
definition in the sendmail.cf file, by replacing the /bin/sh specification
with /usr/local/etc/smrsh.

As an example:

In most Sun Microsystems' sendmail.cf files, the line is:

Mprog,  P=/bin/sh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u

which should be changed to:

Mprog,  P=/usr/local/etc/smrsh,   F=lsDFMeuP,  S=10, R=20, A=sh -c $u
          ^^^^^^^^^^^^^^^^^^^^

A more generic line may be:

Mprog,  P=/bin/sh, F=lsDFM, A=sh -c $u

and should be changed to:

Mprog,  P=/usr/local/etc/smrsh, F=lsDFM, A=sh -c $u

After modifying the Mprog definition in the sendmail.cf file, if a frozen
configuration file is being used, it is essential to create a new one.
You can determine if you need a frozen configuration by discovering
if a sendmail.fc file currently exists in either the /etc/, /usr/lib,
or /etc/mail directories.  The specific location can be determined using
a search of the strings(1) output of the sendmail binary.

In order to create a new frozen configuration, if it is required:

host.domain# /usr/lib/sendmail -bz

Now re-start the sendmail process.  An example of how to do this on
a typical system follows:

host.domain# /usr/bin/ps aux | /usr/bin/grep sendmail
root 130  0.0  0.0  168    0 ?  IW   Oct  2  0:10 /usr/lib/sendmail -bd -q
host.domain# /bin/kill -9 130
host.domain# /usr/lib/sendmail -bd -q30m
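
A check for the directory rules in the README above, as an added example that is not part of the original thread or of smrsh: it flags entries in the smrsh program directory that are interpreters from the README's list or that someone other than the owner could modify. The function names, the SMBIN_DENY variable and the optional owner-uid argument are assumptions made for this example, and `readlink -f` is assumed to be available.

```shell
# Added example (not part of smrsh): audit the smrsh program directory.
# audit_smbin [DIR] [OWNER_UID] prints one FAIL line per finding and returns
# non-zero if there are any. Defaults: /usr/adm/sm.bin and uid 0 (root).
# Programs the README says must NOT be in the list of acceptable commands.
SMBIN_DENY="sh csh perl uudecode sed"

# True if path $1 is group- or world-writable, or not owned by uid $2.
is_modifiable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 -o ! -user "$2" \))" ]
}

audit_smbin() {
    dir=${1:-/usr/adm/sm.bin}
    owner=${2:-0}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    if is_modifiable "$dir" "$owner"; then
        echo "FAIL: $dir is writable by others or not owned by uid $owner"
        findings=$((findings + 1))
    fi
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        name=${entry##*/}
        target=$entry
        # For a link, the checks apply to the program it points at.
        if [ -L "$entry" ]; then
            target=$(readlink -f "$entry") || target=
        fi
        if [ -z "$target" ] || [ ! -f "$target" ] || [ ! -x "$target" ]; then
            echo "FAIL: $name does not resolve to an executable file"
            findings=$((findings + 1))
            continue
        fi
        for bad in $SMBIN_DENY; do
            if [ "$name" = "$bad" ] || [ "${target##*/}" = "$bad" ]; then
                echo "FAIL: $name is an interpreter ($bad)"
                findings=$((findings + 1))
            fi
        done
        if is_modifiable "$target" "$owner"; then
            echo "FAIL: $name -> $target is writable by others or not owned by uid $owner"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run as root with no arguments, it audits /usr/adm/sm.bin, the directory the README says is compiled into smrsh.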
________________________________________________________________________
Anita, it looks like you have the Sendmail Restricted Shell, smrsh, 
installed on your system.  This is a special shell that plugs some
gaping security holes in the Sendmail program by restricting what 
programs can be invoked from an email alias or from a .forward file.
My guess is that smrsh hasn't been installed correctly.  It IS possible
to make vacation run correctly even with smrsh installed -- we do it
here at my site.  I've forgotten the details, but you have to tell 
smrsh precisely which programs are allowed.  The instructions that 
came with smrsh were pretty clear, so I'd say look there first, but 
I'll take followup questions if that doesn't do it for you.
--
-- Phil Rand <prand_at_spu.edu> aka <postmaster_at_spu.edu> 
-- http://paul.spu.edu/~prand/         (206) 281-2428
-- Computer & Information Systems                  
-- Seattle Pacific University
-- 3307 3rd Ave W, Seattle, WA  98119
---------------------------------------------------------------------------
______________________________________________________________________
Anita D. Litteer                                amc_at_inel.gov
Idaho National Engineering Lab.                 (208) 526-9357
P.O. Box 1625                            FAX:   (208) 526-9936        
Idaho Falls, ID 83415-2603
______________________________________________________________________
Received on Thu Jun 06 1996 - 19:11:29 NZST
