1 /*	$NetBSD: mbox_open.c,v 1.1.1.1 2009/06/23 10:08:47 tron Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	mbox_open 3
6 /* SUMMARY
7 /*	mailbox access
8 /* SYNOPSIS
9 /*	#include <mbox_open.h>
10 /*
11 /*	typedef struct {
12 /* .in +4
13 /*		/* public members... */
14 /*		VSTREAM	*fp;
15 /* .in -4
16 /*	} MBOX;
17 /*
18 /*	MBOX	*mbox_open(path, flags, mode, st, user, group, lock_style,
19 /*				def_dsn, why)
20 /*	const char *path;
21 /*	int	flags;
22 /*	mode_t	mode;
23 /*	struct stat *st;
24 /*	uid_t	user;
25 /*	gid_t	group;
26 /*	int	lock_style;
27 /*	const char *def_dsn;
28 /*	DSN_BUF	*why;
29 /*
30 /*	void	mbox_release(mbox)
31 /*	MBOX	*mbox;
32 /*
33 /*	const char *mbox_dsn(err, def_dsn)
34 /*	int	err;
35 /*	const char *def_dsn;
36 /* DESCRIPTION
37 /*	This module manages access to UNIX mailbox-style files.
38 /*
39 /*	mbox_open() acquires exclusive access to the named file.
40 /*	The \fBpath, flags, mode, st, user, group, why\fR arguments
41 /*	are passed to the \fBsafe_open\fR() routine. Attempts to change
42 /*	file ownership will succeed only if the process runs with
43 /*	adequate effective privileges.
44 /*	The \fBlock_style\fR argument specifies a lock style from
45 /*	mbox_lock_mask(). Locks are applied to regular files only.
46 /*	The result is a handle that must be destroyed by mbox_release().
47 /*	The \fBdef_dsn\fR argument is given to mbox_dsn().
48 /*
49 /*	mbox_release() releases the named mailbox. It is up to the
50 /*	application to close the stream.
51 /*
52 /*	mbox_dsn() translates an errno value to a mailbox related
53 /*	enhanced status code.
54 /* .IP "EAGAIN, ESTALE"
55 /*	These result in a 4.2.0 soft error (mailbox problem).
56 /* .IP ENOSPC
57 /*	This results in a 4.3.0 soft error (mail system full).
58 /* .IP "EDQUOT, EFBIG"
59 /*	These result in a 5.2.2 hard error (mailbox full).
60 /* .PP
61 /*	All other errors are assigned the specified default error
62 /*	code. Typically, one would specify 4.2.0 or 5.2.0.
63 /* DIAGNOSTICS
64 /*	mbox_open() returns a null pointer in case of problems, and
65 /*	sets errno to EAGAIN if someone else has exclusive access.
66 /*	Other errors are likely to have a more permanent nature.
67 /* LICENSE
68 /* .ad
69 /* .fi
70 /*	The Secure Mailer license must be distributed with this software.
71 /* AUTHOR(S)
72 /*	Wietse Venema
73 /*	IBM T.J. Watson Research
74 /*	P.O. Box 704
75 /*	Yorktown Heights, NY 10598, USA
76 /*--*/
77 
78 /* System library. */
79 
80 #include <sys_defs.h>
81 #include <sys/stat.h>
82 #include <errno.h>
83 
84 #ifndef EDQUOT
85 #define EDQUOT EFBIG
86 #endif
87 
88 /* Utility library. */
89 
90 #include <msg.h>
91 #include <vstream.h>
92 #include <vstring.h>
93 #include <safe_open.h>
94 #include <iostuff.h>
95 #include <mymalloc.h>
96 
97 /* Global library. */
98 
99 #include <dot_lockfile.h>
100 #include <deliver_flock.h>
101 #include <mbox_conf.h>
102 #include <mbox_open.h>
103 
104 /* mbox_open - open mailbox-style file for exclusive access */
105 
106 MBOX   *mbox_open(const char *path, int flags, mode_t mode, struct stat * st,
107 		          uid_t chown_uid, gid_t chown_gid,
108 		          int lock_style, const char *def_dsn,
109 		          DSN_BUF *why)
110 {
111     struct stat local_statbuf;
112     MBOX   *mp;
113     int     locked = 0;
114     VSTREAM *fp;
115 
116     if (st == 0)
117 	st = &local_statbuf;
118 
119     /*
120      * If this is a regular file, create a dotlock file. This locking method
121      * does not work well over NFS, but it is better than some alternatives.
122      * With NFS, creating files atomically is a problem, and a successful
123      * operation can fail with EEXIST.
124      *
125      * If filename.lock can't be created for reasons other than "file exists",
126      * issue only a warning if the application says it is non-fatal. This is
127      * for bass-awkward compatibility with existing installations that
128      * deliver to files in non-writable directories.
129      *
130      * We dot-lock the file before opening, so we must avoid doing silly things
131      * like dot-locking /dev/null. Fortunately, deliveries to non-mailbox
132      * files execute with recipient privileges, so we don't have to worry
133      * about creating dotlock files in places where the recipient would not
134      * be able to write.
135      *
136      * Note: we use stat() to follow symlinks, because safe_open() allows the
137      * target to be a root-owned symlink, and we don't want to create dotlock
138      * files for /dev/null or other non-file objects.
139      */
140     if ((lock_style & MBOX_DOT_LOCK)
141 	&& (stat(path, st) < 0 || S_ISREG(st->st_mode))) {
142 	if (dot_lockfile(path, why->reason) == 0) {
143 	    locked |= MBOX_DOT_LOCK;
144 	} else if (errno == EEXIST) {
145 	    dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
146 	    return (0);
147 	} else if (lock_style & MBOX_DOT_LOCK_MAY_FAIL) {
148 	    msg_warn("%s", vstring_str(why->reason));
149 	} else {
150 	    dsb_status(why, mbox_dsn(errno, def_dsn));
151 	    return (0);
152 	}
153     }
154 
155     /*
156      * Open or create the target file. In case of a privileged open, the
157      * privileged user may be attacked with hard/soft link tricks in an
158      * unsafe parent directory. In case of an unprivileged open, the mail
159      * system may be attacked by a malicious user-specified path, or the
160      * unprivileged user may be attacked with hard/soft link tricks in an
161      * unsafe parent directory. Open non-blocking to fend off attacks
162      * involving non-file targets.
163      */
164     if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st,
165 			chown_uid, chown_gid, why->reason)) == 0) {
166 	dsb_status(why, mbox_dsn(errno, def_dsn));
167 	if (locked & MBOX_DOT_LOCK)
168 	    dot_unlockfile(path);
169 	return (0);
170     }
171     close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
172 
173     /*
174      * If this is a regular file, acquire kernel locks. flock() locks are not
175      * intended to work across a network; fcntl() locks are supposed to work
176      * over NFS, but in the real world, NFS lock daemons often have serious
177      * problems.
178      */
179 #define HUNKY_DORY(lock_mask, myflock_style) ((lock_style & (lock_mask)) == 0 \
180          || deliver_flock(vstream_fileno(fp), (myflock_style), why->reason) == 0)
181 
182     if (S_ISREG(st->st_mode)) {
183 	if (HUNKY_DORY(MBOX_FLOCK_LOCK, MYFLOCK_STYLE_FLOCK)
184 	    && HUNKY_DORY(MBOX_FCNTL_LOCK, MYFLOCK_STYLE_FCNTL)) {
185 	    locked |= lock_style;
186 	} else {
187 	    dsb_status(why, mbox_dsn(errno, def_dsn));
188 	    if (locked & MBOX_DOT_LOCK)
189 		dot_unlockfile(path);
190 	    vstream_fclose(fp);
191 	    return (0);
192 	}
193     }
194 
195     /*
196      * Sanity check: reportedly, GNU POP3D creates a new mailbox file and
197      * deletes the old one. This does not play well with software that opens
198      * the mailbox first and then locks it, such as software that that uses
199      * FCNTL or FLOCK locks on open file descriptors (some UNIX systems don't
200      * use dotlock files).
201      *
202      * To detect that GNU POP3D deletes the mailbox file we look at the target
203      * file hard-link count. Note that safe_open() guarantees a hard-link
204      * count of 1, so any change in this count is a sign of trouble.
205      */
206     if (S_ISREG(st->st_mode)
207 	&& (fstat(vstream_fileno(fp), st) < 0 || st->st_nlink != 1)) {
208 	vstring_sprintf(why->reason, "target file status changed unexpectedly");
209 	dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
210 	msg_warn("%s: file status changed unexpectedly", path);
211 	if (locked & MBOX_DOT_LOCK)
212 	    dot_unlockfile(path);
213 	vstream_fclose(fp);
214 	return (0);
215     }
216     mp = (MBOX *) mymalloc(sizeof(*mp));
217     mp->path = mystrdup(path);
218     mp->fp = fp;
219     mp->locked = locked;
220     return (mp);
221 }
222 
223 /* mbox_release - release mailbox exclusive access */
224 
225 void    mbox_release(MBOX *mp)
226 {
227 
228     /*
229      * Unfortunately we can't close the stream, because on some file systems
230      * (AFS), the only way to find out if a file was written successfully is
231      * to close it, and therefore the close() operation is in the mail_copy()
232      * routine. If we really insist on owning the vstream member, then we
233      * should export appropriate methods that mail_copy() can use in order to
234      * manipulate a message stream.
235      */
236     if (mp->locked & MBOX_DOT_LOCK)
237 	dot_unlockfile(mp->path);
238     myfree(mp->path);
239     myfree((char *) mp);
240 }
241 
242 /* mbox_dsn - map errno value to mailbox-related DSN detail */
243 
244 const char *mbox_dsn(int err, const char *def_dsn)
245 {
246 #define TRY_AGAIN_ERROR(e) \
247 	(e == EAGAIN || e == ESTALE)
248 #define SYSTEM_FULL_ERROR(e) \
249 	(e == ENOSPC)
250 #define MBOX_FULL_ERROR(e) \
251 	(e == EDQUOT || e == EFBIG)
252 
253     return (TRY_AGAIN_ERROR(err) ? "4.2.0" :
254 	    SYSTEM_FULL_ERROR(err) ? "4.3.0" :
255 	    MBOX_FULL_ERROR(err) ? "5.2.2" :
256 	    def_dsn);
257 }
258