1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 * must display the following acknowledgement:
16 * This product includes software developed by the University of
17 * California, Berkeley and its contributors.
18 * 4. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #ifndef lint
36 static char sccsid[] = "@(#)recipient.c 8.44 (Berkeley) 2/28/94";
37 #endif /* not lint */
38
39 # include "sendmail.h"
40 # include <pwd.h>
41
42 /*
43 ** SENDTOLIST -- Designate a send list.
44 **
45 ** The parameter is a comma-separated list of people to send to.
46 ** This routine arranges to send to all of them.
47 **
48 ** Parameters:
49 ** list -- the send list.
50 ** ctladdr -- the address template for the person to
51 ** send to -- effective uid/gid are important.
52 ** This is typically the alias that caused this
53 ** expansion.
54 ** sendq -- a pointer to the head of a queue to put
55 ** these people into.
56 ** e -- the envelope in which to add these recipients.
57 **
58 ** Returns:
59 ** The number of addresses actually on the list.
60 **
61 ** Side Effects:
62 ** none.
63 */
64
65 # define MAXRCRSN 10
66
sendtolist(list,ctladdr,sendq,e)67 sendtolist(list, ctladdr, sendq, e)
68 char *list;
69 ADDRESS *ctladdr;
70 ADDRESS **sendq;
71 register ENVELOPE *e;
72 {
73 register char *p;
74 register ADDRESS *al; /* list of addresses to send to */
75 bool firstone; /* set on first address sent */
76 char delimiter; /* the address delimiter */
77 int naddrs;
78 char *oldto = e->e_to;
79
80 if (list == NULL)
81 {
82 syserr("sendtolist: null list");
83 return 0;
84 }
85
86 if (tTd(25, 1))
87 {
88 printf("sendto: %s\n ctladdr=", list);
89 printaddr(ctladdr, FALSE);
90 }
91
92 /* heuristic to determine old versus new style addresses */
93 if (ctladdr == NULL &&
94 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
95 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
96 e->e_flags &= ~EF_OLDSTYLE;
97 delimiter = ' ';
98 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
99 delimiter = ',';
100
101 firstone = TRUE;
102 al = NULL;
103 naddrs = 0;
104
105 for (p = list; *p != '\0'; )
106 {
107 auto char *delimptr;
108 register ADDRESS *a;
109
110 /* parse the address */
111 while ((isascii(*p) && isspace(*p)) || *p == ',')
112 p++;
113 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
114 p = delimptr;
115 if (a == NULL)
116 continue;
117 a->q_next = al;
118 a->q_alias = ctladdr;
119
120 /* see if this should be marked as a primary address */
121 if (ctladdr == NULL ||
122 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
123 a->q_flags |= QPRIMARY;
124
125 if (ctladdr != NULL && sameaddr(ctladdr, a))
126 ctladdr->q_flags |= QSELFREF;
127 al = a;
128 firstone = FALSE;
129 }
130
131 /* arrange to send to everyone on the local send list */
132 while (al != NULL)
133 {
134 register ADDRESS *a = al;
135
136 al = a->q_next;
137 a = recipient(a, sendq, e);
138
139 /* arrange to inherit full name */
140 if (a->q_fullname == NULL && ctladdr != NULL)
141 a->q_fullname = ctladdr->q_fullname;
142 naddrs++;
143 }
144
145 e->e_to = oldto;
146 return (naddrs);
147 }
148 /*
149 ** RECIPIENT -- Designate a message recipient
150 **
151 ** Saves the named person for future mailing.
152 **
153 ** Parameters:
154 ** a -- the (preparsed) address header for the recipient.
155 ** sendq -- a pointer to the head of a queue to put the
156 ** recipient in. Duplicate supression is done
157 ** in this queue.
158 ** e -- the current envelope.
159 **
160 ** Returns:
161 ** The actual address in the queue. This will be "a" if
162 ** the address is not a duplicate, else the original address.
163 **
164 ** Side Effects:
165 ** none.
166 */
167
168 ADDRESS *
recipient(a,sendq,e)169 recipient(a, sendq, e)
170 register ADDRESS *a;
171 register ADDRESS **sendq;
172 register ENVELOPE *e;
173 {
174 register ADDRESS *q;
175 ADDRESS **pq;
176 register struct mailer *m;
177 register char *p;
178 bool quoted = FALSE; /* set if the addr has a quote bit */
179 int findusercount = 0;
180 char buf[MAXNAME]; /* unquoted image of the user name */
181 extern int safefile();
182
183 e->e_to = a->q_paddr;
184 m = a->q_mailer;
185 errno = 0;
186 if (tTd(26, 1))
187 {
188 printf("\nrecipient: ");
189 printaddr(a, FALSE);
190 }
191
192 /* if this is primary, add it to the original recipient list */
193 if (a->q_alias == NULL)
194 {
195 if (e->e_origrcpt == NULL)
196 e->e_origrcpt = a->q_paddr;
197 else if (e->e_origrcpt != a->q_paddr)
198 e->e_origrcpt = "";
199 }
200
201 /* break aliasing loops */
202 if (AliasLevel > MAXRCRSN)
203 {
204 usrerr("554 aliasing/forwarding loop broken");
205 return (a);
206 }
207
208 /*
209 ** Finish setting up address structure.
210 */
211
212 /* set the queue timeout */
213 a->q_timeout = TimeOuts.to_q_return;
214
215 /* get unquoted user for file, program or user.name check */
216 (void) strcpy(buf, a->q_user);
217 for (p = buf; *p != '\0' && !quoted; p++)
218 {
219 if (*p == '\\')
220 quoted = TRUE;
221 }
222 stripquotes(buf);
223
224 /* check for direct mailing to restricted mailers */
225 if (m == ProgMailer)
226 {
227 if (a->q_alias == NULL)
228 {
229 a->q_flags |= QBADADDR;
230 usrerr("550 Cannot mail directly to programs");
231 }
232 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
233 {
234 a->q_flags |= QBADADDR;
235 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
236 a->q_alias->q_ruser, MyHostName);
237 }
238 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
239 {
240 a->q_flags |= QBADADDR;
241 usrerr("550 Address %s is unsafe for mailing to programs",
242 a->q_alias->q_paddr);
243 }
244 }
245
246 /*
247 ** Look up this person in the recipient list.
248 ** If they are there already, return, otherwise continue.
249 ** If the list is empty, just add it. Notice the cute
250 ** hack to make from addresses suppress things correctly:
251 ** the QDONTSEND bit will be set in the send list.
252 ** [Please note: the emphasis is on "hack."]
253 */
254
255 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
256 {
257 if (sameaddr(q, a))
258 {
259 if (tTd(26, 1))
260 {
261 printf("%s in sendq: ", a->q_paddr);
262 printaddr(q, FALSE);
263 }
264 if (!bitset(QPRIMARY, q->q_flags))
265 {
266 if (!bitset(QDONTSEND, a->q_flags))
267 message("duplicate suppressed");
268 q->q_flags |= a->q_flags;
269 }
270 else if (bitset(QSELFREF, q->q_flags))
271 q->q_flags |= a->q_flags & ~QDONTSEND;
272 a = q;
273 goto testselfdestruct;
274 }
275 }
276
277 /* add address on list */
278 *pq = a;
279 a->q_next = NULL;
280
281 /*
282 ** Alias the name and handle special mailer types.
283 */
284
285 trylocaluser:
286 if (tTd(29, 7))
287 printf("at trylocaluser %s\n", a->q_user);
288
289 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
290 goto testselfdestruct;
291
292 if (m == InclMailer)
293 {
294 a->q_flags |= QDONTSEND;
295 if (a->q_alias == NULL)
296 {
297 a->q_flags |= QBADADDR;
298 usrerr("550 Cannot mail directly to :include:s");
299 }
300 else
301 {
302 int ret;
303
304 message("including file %s", a->q_user);
305 ret = include(a->q_user, FALSE, a, sendq, e);
306 if (transienterror(ret))
307 {
308 #ifdef LOG
309 if (LogLevel > 2)
310 syslog(LOG_ERR, "%s: include %s: transient error: %s",
311 e->e_id == NULL ? "NOQUEUE" : e->e_id,
312 a->q_user, errstring(ret));
313 #endif
314 a->q_flags |= QQUEUEUP;
315 a->q_flags &= ~QDONTSEND;
316 usrerr("451 Cannot open %s: %s",
317 a->q_user, errstring(ret));
318 }
319 else if (ret != 0)
320 {
321 a->q_flags |= QBADADDR;
322 usrerr("550 Cannot open %s: %s",
323 a->q_user, errstring(ret));
324 }
325 }
326 }
327 else if (m == FileMailer)
328 {
329 extern bool writable();
330
331 /* check if writable or creatable */
332 if (a->q_alias == NULL)
333 {
334 a->q_flags |= QBADADDR;
335 usrerr("550 Cannot mail directly to files");
336 }
337 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
338 {
339 a->q_flags |= QBADADDR;
340 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
341 a->q_alias->q_ruser, MyHostName);
342 }
343 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
344 {
345 a->q_flags |= QBADADDR;
346 usrerr("550 Address %s is unsafe for mailing to files",
347 a->q_alias->q_paddr);
348 }
349 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
350 {
351 a->q_flags |= QBADADDR;
352 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
353 }
354 }
355
356 if (m != LocalMailer)
357 {
358 if (!bitset(QDONTSEND, a->q_flags))
359 e->e_nrcpts++;
360 goto testselfdestruct;
361 }
362
363 /* try aliasing */
364 alias(a, sendq, e);
365
366 # ifdef USERDB
367 /* if not aliased, look it up in the user database */
368 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags))
369 {
370 extern int udbexpand();
371
372 if (udbexpand(a, sendq, e) == EX_TEMPFAIL)
373 {
374 a->q_flags |= QQUEUEUP;
375 if (e->e_message == NULL)
376 e->e_message = newstr("Deferred: user database error");
377 # ifdef LOG
378 if (LogLevel > 8)
379 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
380 e->e_id == NULL ? "NOQUEUE" : e->e_id,
381 errstring(errno));
382 # endif
383 message("queued (user database error): %s",
384 errstring(errno));
385 e->e_nrcpts++;
386 goto testselfdestruct;
387 }
388 }
389 # endif
390
391 /* if it was an alias or a UDB expansion, just return now */
392 if (bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags))
393 goto testselfdestruct;
394
395 /*
396 ** If we have a level two config file, then pass the name through
397 ** Ruleset 5 before sending it off. Ruleset 5 has the right
398 ** to send rewrite it to another mailer. This gives us a hook
399 ** after local aliasing has been done.
400 */
401
402 if (tTd(29, 5))
403 {
404 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
405 ConfigLevel, RewriteRules[5]);
406 printaddr(a, FALSE);
407 }
408 if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 &&
409 RewriteRules[5] != NULL)
410 {
411 maplocaluser(a, sendq, e);
412 }
413
414 /*
415 ** If it didn't get rewritten to another mailer, go ahead
416 ** and deliver it.
417 */
418
419 if (!bitset(QDONTSEND|QQUEUEUP, a->q_flags))
420 {
421 auto bool fuzzy;
422 register struct passwd *pw;
423 extern struct passwd *finduser();
424
425 /* warning -- finduser may trash buf */
426 pw = finduser(buf, &fuzzy);
427 if (pw == NULL)
428 {
429 a->q_flags |= QBADADDR;
430 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
431 }
432 else
433 {
434 char nbuf[MAXNAME];
435
436 if (fuzzy)
437 {
438 /* name was a fuzzy match */
439 a->q_user = newstr(pw->pw_name);
440 if (findusercount++ > 3)
441 {
442 a->q_flags |= QBADADDR;
443 usrerr("554 aliasing/forwarding loop for %s broken",
444 pw->pw_name);
445 return (a);
446 }
447
448 /* see if it aliases */
449 (void) strcpy(buf, pw->pw_name);
450 goto trylocaluser;
451 }
452 if (strcmp(pw->pw_dir, "/") == 0)
453 a->q_home = "";
454 else
455 a->q_home = newstr(pw->pw_dir);
456 a->q_uid = pw->pw_uid;
457 a->q_gid = pw->pw_gid;
458 a->q_ruser = newstr(pw->pw_name);
459 a->q_flags |= QGOODUID;
460 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
461 if (nbuf[0] != '\0')
462 a->q_fullname = newstr(nbuf);
463 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
464 !usershellok(pw->pw_shell))
465 {
466 a->q_flags |= QBOGUSSHELL;
467 }
468 if (!quoted)
469 forward(a, sendq, e);
470 }
471 }
472 if (!bitset(QDONTSEND, a->q_flags))
473 e->e_nrcpts++;
474
475 testselfdestruct:
476 if (tTd(26, 8))
477 {
478 printf("testselfdestruct: ");
479 printaddr(a, TRUE);
480 }
481 if (a->q_alias == NULL && a != &e->e_from &&
482 bitset(QDONTSEND, a->q_flags))
483 {
484 q = *sendq;
485 while (q != NULL && bitset(QDONTSEND, q->q_flags))
486 q = q->q_next;
487 if (q == NULL)
488 {
489 a->q_flags |= QBADADDR;
490 usrerr("554 aliasing/forwarding loop broken");
491 }
492 }
493 return (a);
494 }
495 /*
496 ** FINDUSER -- find the password entry for a user.
497 **
498 ** This looks a lot like getpwnam, except that it may want to
499 ** do some fancier pattern matching in /etc/passwd.
500 **
501 ** This routine contains most of the time of many sendmail runs.
502 ** It deserves to be optimized.
503 **
504 ** Parameters:
505 ** name -- the name to match against.
506 ** fuzzyp -- an outarg that is set to TRUE if this entry
507 ** was found using the fuzzy matching algorithm;
508 ** set to FALSE otherwise.
509 **
510 ** Returns:
511 ** A pointer to a pw struct.
512 ** NULL if name is unknown or ambiguous.
513 **
514 ** Side Effects:
515 ** may modify name.
516 */
517
518 struct passwd *
finduser(name,fuzzyp)519 finduser(name, fuzzyp)
520 char *name;
521 bool *fuzzyp;
522 {
523 register struct passwd *pw;
524 register char *p;
525 extern struct passwd *getpwent();
526 extern struct passwd *getpwnam();
527
528 if (tTd(29, 4))
529 printf("finduser(%s): ", name);
530
531 *fuzzyp = FALSE;
532
533 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
534 for (p = name; *p != '\0'; p++)
535 if (!isascii(*p) || !isdigit(*p))
536 break;
537 if (*p == '\0')
538 {
539 if (tTd(29, 4))
540 printf("failed (numeric input)\n");
541 return NULL;
542 }
543
544 /* look up this login name using fast path */
545 if ((pw = getpwnam(name)) != NULL)
546 {
547 if (tTd(29, 4))
548 printf("found (non-fuzzy)\n");
549 return (pw);
550 }
551
552 #ifdef MATCHGECOS
553 /* see if fuzzy matching allowed */
554 if (!MatchGecos)
555 {
556 if (tTd(29, 4))
557 printf("not found (fuzzy disabled)\n");
558 return NULL;
559 }
560
561 /* search for a matching full name instead */
562 for (p = name; *p != '\0'; p++)
563 {
564 if (*p == (SpaceSub & 0177) || *p == '_')
565 *p = ' ';
566 }
567 (void) setpwent();
568 while ((pw = getpwent()) != NULL)
569 {
570 char buf[MAXNAME];
571
572 buildfname(pw->pw_gecos, pw->pw_name, buf);
573 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
574 {
575 if (tTd(29, 4))
576 printf("fuzzy matches %s\n", pw->pw_name);
577 message("sending to login name %s", pw->pw_name);
578 *fuzzyp = TRUE;
579 return (pw);
580 }
581 }
582 if (tTd(29, 4))
583 printf("no fuzzy match found\n");
584 #else
585 if (tTd(29, 4))
586 printf("not found (fuzzy disabled)\n");
587 #endif
588 return (NULL);
589 }
590 /*
591 ** WRITABLE -- predicate returning if the file is writable.
592 **
593 ** This routine must duplicate the algorithm in sys/fio.c.
594 ** Unfortunately, we cannot use the access call since we
595 ** won't necessarily be the real uid when we try to
596 ** actually open the file.
597 **
598 ** Notice that ANY file with ANY execute bit is automatically
599 ** not writable. This is also enforced by mailfile.
600 **
601 ** Parameters:
602 ** filename -- the file name to check.
603 ** ctladdr -- the controlling address for this file.
604 ** flags -- SFF_* flags to control the function.
605 **
606 ** Returns:
607 ** TRUE -- if we will be able to write this file.
608 ** FALSE -- if we cannot write this file.
609 **
610 ** Side Effects:
611 ** none.
612 */
613
614 bool
writable(filename,ctladdr,flags)615 writable(filename, ctladdr, flags)
616 char *filename;
617 ADDRESS *ctladdr;
618 int flags;
619 {
620 uid_t euid;
621 gid_t egid;
622 int bits;
623 register char *p;
624 char *uname;
625 struct stat stb;
626 extern char RealUserName[];
627
628 if (tTd(29, 5))
629 printf("writable(%s, %x)\n", filename, flags);
630
631 #ifdef HASLSTAT
632 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
633 : stat(filename, &stb)) < 0)
634 #else
635 if (stat(filename, &stb) < 0)
636 #endif
637 {
638 /* file does not exist -- see if directory is safe */
639 p = strrchr(filename, '/');
640 if (p == NULL)
641 {
642 errno = ENOTDIR;
643 return FALSE;
644 }
645 *p = '\0';
646 errno = safefile(filename, RealUid, RealGid, RealUserName,
647 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
648 *p = '/';
649 return errno == 0;
650 }
651
652 #ifdef SUID_ROOT_FILES_OK
653 /* really ought to be passed down -- and not a good idea */
654 flags |= SFF_ROOTOK;
655 #endif
656
657 /*
658 ** File does exist -- check that it is writable.
659 */
660
661 if (bitset(0111, stb.st_mode))
662 {
663 if (tTd(29, 5))
664 printf("failed (mode %o: x bits)\n", stb.st_mode);
665 errno = EPERM;
666 return (FALSE);
667 }
668
669 if (ctladdr != NULL && geteuid() == 0)
670 {
671 euid = ctladdr->q_uid;
672 egid = ctladdr->q_gid;
673 uname = ctladdr->q_user;
674 }
675 else
676 {
677 euid = RealUid;
678 egid = RealGid;
679 uname = RealUserName;
680 }
681 if (euid == 0)
682 {
683 euid = DefUid;
684 uname = DefUser;
685 }
686 if (egid == 0)
687 egid = DefGid;
688 if (geteuid() == 0)
689 {
690 if (bitset(S_ISUID, stb.st_mode) &&
691 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
692 {
693 euid = stb.st_uid;
694 uname = NULL;
695 }
696 if (bitset(S_ISGID, stb.st_mode) &&
697 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
698 egid = stb.st_gid;
699 }
700
701 if (tTd(29, 5))
702 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
703 euid, egid, stb.st_uid, stb.st_gid);
704
705 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
706 return errno == 0;
707 }
708 /*
709 ** INCLUDE -- handle :include: specification.
710 **
711 ** Parameters:
712 ** fname -- filename to include.
713 ** forwarding -- if TRUE, we are reading a .forward file.
714 ** if FALSE, it's a :include: file.
715 ** ctladdr -- address template to use to fill in these
716 ** addresses -- effective user/group id are
717 ** the important things.
718 ** sendq -- a pointer to the head of the send queue
719 ** to put these addresses in.
720 **
721 ** Returns:
722 ** open error status
723 **
724 ** Side Effects:
725 ** reads the :include: file and sends to everyone
726 ** listed in that file.
727 **
728 ** Security Note:
729 ** If you have restricted chown (that is, you can't
730 ** give a file away), it is reasonable to allow programs
731 ** and files called from this :include: file to be to be
732 ** run as the owner of the :include: file. This is bogus
733 ** if there is any chance of someone giving away a file.
734 ** We assume that pre-POSIX systems can give away files.
735 **
736 ** There is an additional restriction that if you
737 ** forward to a :include: file, it will not take on
738 ** the ownership of the :include: file. This may not
739 ** be necessary, but shouldn't hurt.
740 */
741
742 static jmp_buf CtxIncludeTimeout;
743 static int includetimeout();
744
745 #ifndef S_IWOTH
746 # define S_IWOTH (S_IWRITE >> 6)
747 #endif
748
749 int
include(fname,forwarding,ctladdr,sendq,e)750 include(fname, forwarding, ctladdr, sendq, e)
751 char *fname;
752 bool forwarding;
753 ADDRESS *ctladdr;
754 ADDRESS **sendq;
755 ENVELOPE *e;
756 {
757 register FILE *fp = NULL;
758 char *oldto = e->e_to;
759 char *oldfilename = FileName;
760 int oldlinenumber = LineNumber;
761 register EVENT *ev = NULL;
762 int nincludes;
763 register ADDRESS *ca;
764 uid_t saveduid, uid;
765 gid_t savedgid, gid;
766 char *uname;
767 int rval = 0;
768 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
769 struct stat st;
770 char buf[MAXLINE];
771 #ifdef _POSIX_CHOWN_RESTRICTED
772 /*# if _POSIX_CHOWN_RESTRICTED == -1
773 # define safechown FALSE
774 # else */
775 # define safechown TRUE
776 /* # endif */
777 #else
778 # ifdef _PC_CHOWN_RESTRICTED
779 bool safechown;
780 # else
781 # ifdef BSD
782 # define safechown TRUE
783 # else
784 # define safechown FALSE
785 # endif
786 # endif
787 #endif
788 extern bool chownsafe();
789
790 if (tTd(27, 2))
791 printf("include(%s)\n", fname);
792 if (tTd(27, 4))
793 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
794 if (tTd(27, 14))
795 {
796 printf("ctladdr ");
797 printaddr(ctladdr, FALSE);
798 }
799
800 if (tTd(27, 9))
801 printf("include: old uid = %d/%d\n", getuid(), geteuid());
802
803 ca = getctladdr(ctladdr);
804 if (ca == NULL)
805 {
806 uid = DefUid;
807 gid = DefGid;
808 uname = DefUser;
809 saveduid = -1;
810 }
811 else
812 {
813 uid = ca->q_uid;
814 gid = ca->q_gid;
815 uname = ca->q_user;
816 #ifdef HASSETREUID
817 saveduid = geteuid();
818 savedgid = getegid();
819 if (saveduid == 0)
820 {
821 initgroups(uname, gid);
822 if (uid != 0)
823 (void) setreuid(0, uid);
824 }
825 #endif
826 }
827
828 if (tTd(27, 9))
829 printf("include: new uid = %d/%d\n", getuid(), geteuid());
830
831 /*
832 ** If home directory is remote mounted but server is down,
833 ** this can hang or give errors; use a timeout to avoid this
834 */
835
836 if (setjmp(CtxIncludeTimeout) != 0)
837 {
838 ctladdr->q_flags |= QQUEUEUP;
839 errno = 0;
840
841 /* return pseudo-error code */
842 rval = EOPENTIMEOUT;
843 goto resetuid;
844 }
845 ev = setevent((time_t) 60, includetimeout, 0);
846
847 /* the input file must be marked safe */
848 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
849 if (rval != 0)
850 {
851 /* don't use this :include: file */
852 if (tTd(27, 4))
853 printf("include: not safe (uid=%d): %s\n",
854 uid, errstring(rval));
855 }
856 else
857 {
858 fp = fopen(fname, "r");
859 if (fp == NULL)
860 {
861 rval = errno;
862 if (tTd(27, 4))
863 printf("include: open: %s\n", errstring(rval));
864 }
865 }
866 clrevent(ev);
867
868 resetuid:
869
870 #ifdef HASSETREUID
871 if (saveduid == 0)
872 {
873 if (uid != 0)
874 if (setreuid(-1, 0) < 0 || setreuid(RealUid, 0) < 0)
875 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
876 RealUid, getuid(), geteuid());
877 setgid(savedgid);
878 }
879 #endif
880
881 if (tTd(27, 9))
882 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
883
884 if (rval == EOPENTIMEOUT)
885 usrerr("451 open timeout on %s", fname);
886
887 if (fp == NULL)
888 return rval;
889
890 if (fstat(fileno(fp), &st) < 0)
891 {
892 rval = errno;
893 syserr("Cannot fstat %s!", fname);
894 return rval;
895 }
896
897 #ifndef safechown
898 safechown = chownsafe(fileno(fp));
899 #endif
900 if (ca == NULL && safechown)
901 {
902 ctladdr->q_uid = st.st_uid;
903 ctladdr->q_gid = st.st_gid;
904 ctladdr->q_flags |= QGOODUID;
905 }
906 if (ca != NULL && ca->q_uid == st.st_uid)
907 {
908 /* optimization -- avoid getpwuid if we already have info */
909 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
910 ctladdr->q_ruser = ca->q_ruser;
911 }
912 else
913 {
914 char *sh;
915 register struct passwd *pw;
916
917 sh = "/SENDMAIL/ANY/SHELL/";
918 pw = getpwuid(st.st_uid);
919 if (pw != NULL)
920 {
921 ctladdr->q_ruser = newstr(pw->pw_name);
922 if (safechown)
923 sh = pw->pw_shell;
924 }
925 if (pw == NULL)
926 ctladdr->q_flags |= QBOGUSSHELL;
927 else if(!usershellok(sh))
928 {
929 if (safechown)
930 ctladdr->q_flags |= QBOGUSSHELL;
931 else
932 ctladdr->q_flags |= QUNSAFEADDR;
933 }
934 }
935
936 if (bitset(EF_VRFYONLY, e->e_flags))
937 {
938 /* don't do any more now */
939 ctladdr->q_flags |= QVERIFIED;
940 e->e_nrcpts++;
941 xfclose(fp, "include", fname);
942 return rval;
943 }
944
945 /*
946 ** Check to see if some bad guy can write this file
947 **
948 ** This should really do something clever with group
949 ** permissions; currently we just view world writable
950 ** as unsafe. Also, we don't check for writable
951 ** directories in the path. We've got to leave
952 ** something for the local sysad to do.
953 */
954
955 if (bitset(S_IWOTH, st.st_mode))
956 ctladdr->q_flags |= QUNSAFEADDR;
957
958 /* read the file -- each line is a comma-separated list. */
959 FileName = fname;
960 LineNumber = 0;
961 ctladdr->q_flags &= ~QSELFREF;
962 nincludes = 0;
963 while (fgets(buf, sizeof buf, fp) != NULL)
964 {
965 register char *p = strchr(buf, '\n');
966
967 LineNumber++;
968 if (p != NULL)
969 *p = '\0';
970 if (buf[0] == '#' || buf[0] == '\0')
971 continue;
972 e->e_to = NULL;
973 message("%s to %s",
974 forwarding ? "forwarding" : "sending", buf);
975 #ifdef LOG
976 if (forwarding && LogLevel > 9)
977 syslog(LOG_INFO, "%s: forward %s => %s",
978 e->e_id == NULL ? "NOQUEUE" : e->e_id,
979 oldto, buf);
980 #endif
981
982 AliasLevel++;
983 nincludes += sendtolist(buf, ctladdr, sendq, e);
984 AliasLevel--;
985 }
986
987 if (ferror(fp) && tTd(27, 3))
988 printf("include: read error: %s\n", errstring(errno));
989 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
990 {
991 if (tTd(27, 5))
992 {
993 printf("include: QDONTSEND ");
994 printaddr(ctladdr, FALSE);
995 }
996 ctladdr->q_flags |= QDONTSEND;
997 }
998
999 (void) xfclose(fp, "include", fname);
1000 FileName = oldfilename;
1001 LineNumber = oldlinenumber;
1002 e->e_to = oldto;
1003 return rval;
1004 }
1005
1006 static
includetimeout()1007 includetimeout()
1008 {
1009 longjmp(CtxIncludeTimeout, 1);
1010 }
1011 /*
1012 ** SENDTOARGV -- send to an argument vector.
1013 **
1014 ** Parameters:
1015 ** argv -- argument vector to send to.
1016 ** e -- the current envelope.
1017 **
1018 ** Returns:
1019 ** none.
1020 **
1021 ** Side Effects:
1022 ** puts all addresses on the argument vector onto the
1023 ** send queue.
1024 */
1025
sendtoargv(argv,e)1026 sendtoargv(argv, e)
1027 register char **argv;
1028 register ENVELOPE *e;
1029 {
1030 register char *p;
1031
1032 while ((p = *argv++) != NULL)
1033 {
1034 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
1035 }
1036 }
1037 /*
1038 ** GETCTLADDR -- get controlling address from an address header.
1039 **
1040 ** If none, get one corresponding to the effective userid.
1041 **
1042 ** Parameters:
1043 ** a -- the address to find the controller of.
1044 **
1045 ** Returns:
1046 ** the controlling address.
1047 **
1048 ** Side Effects:
1049 ** none.
1050 */
1051
1052 ADDRESS *
getctladdr(a)1053 getctladdr(a)
1054 register ADDRESS *a;
1055 {
1056 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1057 a = a->q_alias;
1058 return (a);
1059 }
1060