Recipe 10.16 Restricting Command-Line Options

Problem

You want to limit which users can run the sendmail program with the -q, -bp, -v, and -bv options.

Solution

Add the confPRIVACY_FLAGS define to the sendmail configuration. Set the restrictexpand, restrictmailq, and restrictqrun flags, as in this example:

 dnl Limit use of expand, mailq and qrun flags
 define(`confPRIVACY_FLAGS', `restrictexpand,restrictmailq,restrictqrun')

Rebuild and install sendmail.cf, then restart sendmail as shown in Recipe 1.8.
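
A check that can be run after the rebuild, added here as an example and not taken from the book: it reports which of the three flags are absent from the O PrivacyOptions line of a sendmail.cf. The function names and the two sample files are constructed for illustration, and the script assumes the long option name is used.

```shell
#!/bin/sh
# Added example (not from the book): report which of the recipe's three
# PrivacyOptions flags are absent from a generated sendmail.cf.

REQUIRED_FLAGS="restrictexpand restrictmailq restrictqrun"

# Print the flags from the last active "O PrivacyOptions=" line, one per line.
# Commented-out lines ("#O PrivacyOptions=...") do not match the anchored pattern.
# Assumption: the long option name is used and only the last line is inspected,
# which can over-report a flag as missing but never hides a missing one.
active_privacy_flags() {
    sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=//p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]' | tr -cs 'a-z' '\n'
}

# Print each required flag that is not set; return 0 only if none are missing.
missing_privacy_flags() {
    flags=$(active_privacy_flags "$1")
    missing=""
    for f in $REQUIRED_FLAGS; do
        printf '%s\n' "$flags" | grep -qx "$f" || missing="$missing $f"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample input: two sendmail.cf fragments written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/hardened.cf" <<'EOF'
# privacy flags
O PrivacyOptions=authwarnings,restrictexpand,restrictmailq,restrictqrun
EOF
cat > "$SAMPLE_DIR/partial.cf" <<'EOF'
#O PrivacyOptions=restrictexpand,restrictmailq,restrictqrun
O PrivacyOptions=authwarnings, restrictmailq
EOF

for cf in "$SAMPLE_DIR/hardened.cf" "$SAMPLE_DIR/partial.cf"; do
    if out=$(missing_privacy_flags "$cf"); then
        echo "$cf: all three flags set"
    else
        echo "$cf: missing: $out"
    fi
done
```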

Discussion

The PrivacyOptions flags restrictexpand, restrictmailq, and restrictqrun add to the restrictions on who can use certain sendmail command-line options. The flags and the options they affect are:


restrictexpand

The restrictexpand flag limits the -bv and -v command-line options to root and the TrustedUser. The -bv option verifies an email address. In the process, it performs aliasing on the address and displays the result. The -v option puts the sendmail program into verbose mode, which displays additional information about the delivery process. Use restrictexpand to prevent nonprivileged users from discovering information about how mail is delivered to other users on the system.


restrictmailq

When the restrictmailq flag is set, only members of the group that owns the queue directory can examine the contents of the queue by running sendmail with the -bp option or by running mailq. mailq and sendmail -bp are synonymous. Both of these commands print the contents of the queue.


restrictqrun

The queue is processed whenever the sendmail program is executed with the -q option. The restrictqrun flag tells sendmail that it should only process the queue if the sendmail -q command was run by the root user or the queue directory owner.

Most of the PrivacyOptions flags (those discussed in Recipe 10.14 and Recipe 10.15) impact how sendmail interacts with remote systems. Those flags are used by sendmail when it is run as a daemon. The three flags used in this recipe affect sendmail when it is run from the command line. Because the default for sendmail 8.12 is to no longer run sendmail as set-user-ID root, these flags are most useful with earlier versions of sendmail.

See Also

Recipe 10.14 and Recipe 10.15 provide other examples of using PrivacyOptions. The sendmail book covers restrictexpand in Section 24.9.80.13, the restrictmailq flag in Section 24.9.80.14, and restrictqrun in Section 24.9.80.15.



sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
