1 /* $NetBSD: mbox_open.c,v 1.1.1.1 2009/06/23 10:08:47 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* mbox_open 3 6 /* SUMMARY 7 /* mailbox access 8 /* SYNOPSIS 9 /* #include <mbox_open.h> 10 /* 11 /* typedef struct { 12 /* .in +4 13 /* /* public members... */ 14 /* VSTREAM *fp; 15 /* .in -4 16 /* } MBOX; 17 /* 18 /* MBOX *mbox_open(path, flags, mode, st, user, group, lock_style, 19 /* def_dsn, why) 20 /* const char *path; 21 /* int flags; 22 /* mode_t mode; 23 /* struct stat *st; 24 /* uid_t user; 25 /* gid_t group; 26 /* int lock_style; 27 /* const char *def_dsn; 28 /* DSN_BUF *why; 29 /* 30 /* void mbox_release(mbox) 31 /* MBOX *mbox; 32 /* 33 /* const char *mbox_dsn(err, def_dsn) 34 /* int err; 35 /* const char *def_dsn; 36 /* DESCRIPTION 37 /* This module manages access to UNIX mailbox-style files. 38 /* 39 /* mbox_open() acquires exclusive access to the named file. 40 /* The \fBpath, flags, mode, st, user, group, why\fR arguments 41 /* are passed to the \fBsafe_open\fR() routine. Attempts to change 42 /* file ownership will succeed only if the process runs with 43 /* adequate effective privileges. 44 /* The \fBlock_style\fR argument specifies a lock style from 45 /* mbox_lock_mask(). Locks are applied to regular files only. 46 /* The result is a handle that must be destroyed by mbox_release(). 47 /* The \fBdef_dsn\fR argument is given to mbox_dsn(). 48 /* 49 /* mbox_release() releases the named mailbox. It is up to the 50 /* application to close the stream. 51 /* 52 /* mbox_dsn() translates an errno value to a mailbox related 53 /* enhanced status code. 54 /* .IP "EAGAIN, ESTALE" 55 /* These result in a 4.2.0 soft error (mailbox problem). 56 /* .IP ENOSPC 57 /* This results in a 4.3.0 soft error (mail system full). 58 /* .IP "EDQUOT, EFBIG" 59 /* These result in a 5.2.2 hard error (mailbox full). 60 /* .PP 61 /* All other errors are assigned the specified default error 62 /* code. Typically, one would specify 4.2.0 or 5.2.0. 63 /* DIAGNOSTICS 64 /* mbox_open() returns a null pointer in case of problems, and 65 /* sets errno to EAGAIN if someone else has exclusive access. 66 /* Other errors are likely to have a more permanent nature. 67 /* LICENSE 68 /* .ad 69 /* .fi 70 /* The Secure Mailer license must be distributed with this software. 71 /* AUTHOR(S) 72 /* Wietse Venema 73 /* IBM T.J. Watson Research 74 /* P.O. Box 704 75 /* Yorktown Heights, NY 10598, USA 76 /*--*/ 77 78 /* System library. */ 79 80 #include <sys_defs.h> 81 #include <sys/stat.h> 82 #include <errno.h> 83 84 #ifndef EDQUOT 85 #define EDQUOT EFBIG 86 #endif 87 88 /* Utility library. */ 89 90 #include <msg.h> 91 #include <vstream.h> 92 #include <vstring.h> 93 #include <safe_open.h> 94 #include <iostuff.h> 95 #include <mymalloc.h> 96 97 /* Global library. */ 98 99 #include <dot_lockfile.h> 100 #include <deliver_flock.h> 101 #include <mbox_conf.h> 102 #include <mbox_open.h> 103 104 /* mbox_open - open mailbox-style file for exclusive access */ 105 106 MBOX *mbox_open(const char *path, int flags, mode_t mode, struct stat * st, 107 uid_t chown_uid, gid_t chown_gid, 108 int lock_style, const char *def_dsn, 109 DSN_BUF *why) 110 { 111 struct stat local_statbuf; 112 MBOX *mp; 113 int locked = 0; 114 VSTREAM *fp; 115 116 if (st == 0) 117 st = &local_statbuf; 118 119 /* 120 * If this is a regular file, create a dotlock file. This locking method 121 * does not work well over NFS, but it is better than some alternatives. 122 * With NFS, creating files atomically is a problem, and a successful 123 * operation can fail with EEXIST. 124 * 125 * If filename.lock can't be created for reasons other than "file exists", 126 * issue only a warning if the application says it is non-fatal. This is 127 * for bass-awkward compatibility with existing installations that 128 * deliver to files in non-writable directories. 129 * 130 * We dot-lock the file before opening, so we must avoid doing silly things 131 * like dot-locking /dev/null. Fortunately, deliveries to non-mailbox 132 * files execute with recipient privileges, so we don't have to worry 133 * about creating dotlock files in places where the recipient would not 134 * be able to write. 135 * 136 * Note: we use stat() to follow symlinks, because safe_open() allows the 137 * target to be a root-owned symlink, and we don't want to create dotlock 138 * files for /dev/null or other non-file objects. 139 */ 140 if ((lock_style & MBOX_DOT_LOCK) 141 && (stat(path, st) < 0 || S_ISREG(st->st_mode))) { 142 if (dot_lockfile(path, why->reason) == 0) { 143 locked |= MBOX_DOT_LOCK; 144 } else if (errno == EEXIST) { 145 dsb_status(why, mbox_dsn(EAGAIN, def_dsn)); 146 return (0); 147 } else if (lock_style & MBOX_DOT_LOCK_MAY_FAIL) { 148 msg_warn("%s", vstring_str(why->reason)); 149 } else { 150 dsb_status(why, mbox_dsn(errno, def_dsn)); 151 return (0); 152 } 153 } 154 155 /* 156 * Open or create the target file. In case of a privileged open, the 157 * privileged user may be attacked with hard/soft link tricks in an 158 * unsafe parent directory. In case of an unprivileged open, the mail 159 * system may be attacked by a malicious user-specified path, or the 160 * unprivileged user may be attacked with hard/soft link tricks in an 161 * unsafe parent directory. Open non-blocking to fend off attacks 162 * involving non-file targets. 163 */ 164 if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st, 165 chown_uid, chown_gid, why->reason)) == 0) { 166 dsb_status(why, mbox_dsn(errno, def_dsn)); 167 if (locked & MBOX_DOT_LOCK) 168 dot_unlockfile(path); 169 return (0); 170 } 171 close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC); 172 173 /* 174 * If this is a regular file, acquire kernel locks. flock() locks are not 175 * intended to work across a network; fcntl() locks are supposed to work 176 * over NFS, but in the real world, NFS lock daemons often have serious 177 * problems. 178 */ 179 #define HUNKY_DORY(lock_mask, myflock_style) ((lock_style & (lock_mask)) == 0 \ 180 || deliver_flock(vstream_fileno(fp), (myflock_style), why->reason) == 0) 181 182 if (S_ISREG(st->st_mode)) { 183 if (HUNKY_DORY(MBOX_FLOCK_LOCK, MYFLOCK_STYLE_FLOCK) 184 && HUNKY_DORY(MBOX_FCNTL_LOCK, MYFLOCK_STYLE_FCNTL)) { 185 locked |= lock_style; 186 } else { 187 dsb_status(why, mbox_dsn(errno, def_dsn)); 188 if (locked & MBOX_DOT_LOCK) 189 dot_unlockfile(path); 190 vstream_fclose(fp); 191 return (0); 192 } 193 } 194 195 /* 196 * Sanity check: reportedly, GNU POP3D creates a new mailbox file and 197 * deletes the old one. This does not play well with software that opens 198 * the mailbox first and then locks it, such as software that that uses 199 * FCNTL or FLOCK locks on open file descriptors (some UNIX systems don't 200 * use dotlock files). 201 * 202 * To detect that GNU POP3D deletes the mailbox file we look at the target 203 * file hard-link count. Note that safe_open() guarantees a hard-link 204 * count of 1, so any change in this count is a sign of trouble. 205 */ 206 if (S_ISREG(st->st_mode) 207 && (fstat(vstream_fileno(fp), st) < 0 || st->st_nlink != 1)) { 208 vstring_sprintf(why->reason, "target file status changed unexpectedly"); 209 dsb_status(why, mbox_dsn(EAGAIN, def_dsn)); 210 msg_warn("%s: file status changed unexpectedly", path); 211 if (locked & MBOX_DOT_LOCK) 212 dot_unlockfile(path); 213 vstream_fclose(fp); 214 return (0); 215 } 216 mp = (MBOX *) mymalloc(sizeof(*mp)); 217 mp->path = mystrdup(path); 218 mp->fp = fp; 219 mp->locked = locked; 220 return (mp); 221 } 222 223 /* mbox_release - release mailbox exclusive access */ 224 225 void mbox_release(MBOX *mp) 226 { 227 228 /* 229 * Unfortunately we can't close the stream, because on some file systems 230 * (AFS), the only way to find out if a file was written successfully is 231 * to close it, and therefore the close() operation is in the mail_copy() 232 * routine. If we really insist on owning the vstream member, then we 233 * should export appropriate methods that mail_copy() can use in order to 234 * manipulate a message stream. 235 */ 236 if (mp->locked & MBOX_DOT_LOCK) 237 dot_unlockfile(mp->path); 238 myfree(mp->path); 239 myfree((char *) mp); 240 } 241 242 /* mbox_dsn - map errno value to mailbox-related DSN detail */ 243 244 const char *mbox_dsn(int err, const char *def_dsn) 245 { 246 #define TRY_AGAIN_ERROR(e) \ 247 (e == EAGAIN || e == ESTALE) 248 #define SYSTEM_FULL_ERROR(e) \ 249 (e == ENOSPC) 250 #define MBOX_FULL_ERROR(e) \ 251 (e == EDQUOT || e == EFBIG) 252 253 return (TRY_AGAIN_ERROR(err) ? "4.2.0" : 254 SYSTEM_FULL_ERROR(err) ? "4.3.0" : 255 MBOX_FULL_ERROR(err) ? "5.2.2" : 256 def_dsn); 257 } 258