1 /* 2 * Copyright (c) 1983 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.44 (Berkeley) 02/28/94"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 # include <pwd.h> 15 16 /* 17 ** SENDTOLIST -- Designate a send list. 18 ** 19 ** The parameter is a comma-separated list of people to send to. 20 ** This routine arranges to send to all of them. 21 ** 22 ** Parameters: 23 ** list -- the send list. 24 ** ctladdr -- the address template for the person to 25 ** send to -- effective uid/gid are important. 26 ** This is typically the alias that caused this 27 ** expansion. 28 ** sendq -- a pointer to the head of a queue to put 29 ** these people into. 30 ** e -- the envelope in which to add these recipients. 31 ** 32 ** Returns: 33 ** The number of addresses actually on the list. 34 ** 35 ** Side Effects: 36 ** none. 37 */ 38 39 # define MAXRCRSN 10 40 41 sendtolist(list, ctladdr, sendq, e) 42 char *list; 43 ADDRESS *ctladdr; 44 ADDRESS **sendq; 45 register ENVELOPE *e; 46 { 47 register char *p; 48 register ADDRESS *al; /* list of addresses to send to */ 49 bool firstone; /* set on first address sent */ 50 char delimiter; /* the address delimiter */ 51 int naddrs; 52 char *oldto = e->e_to; 53 54 if (list == NULL) 55 { 56 syserr("sendtolist: null list"); 57 return 0; 58 } 59 60 if (tTd(25, 1)) 61 { 62 printf("sendto: %s\n ctladdr=", list); 63 printaddr(ctladdr, FALSE); 64 } 65 66 /* heuristic to determine old versus new style addresses */ 67 if (ctladdr == NULL && 68 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 69 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 70 e->e_flags &= ~EF_OLDSTYLE; 71 delimiter = ' '; 72 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 73 delimiter = ','; 74 75 firstone = TRUE; 76 al = NULL; 77 naddrs = 0; 78 79 for (p = list; *p != '\0'; ) 80 { 81 auto char *delimptr; 82 register ADDRESS *a; 83 84 /* parse the address */ 85 while ((isascii(*p) && isspace(*p)) || *p == ',') 86 p++; 87 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 88 p = delimptr; 89 if (a == NULL) 90 continue; 91 a->q_next = al; 92 a->q_alias = ctladdr; 93 94 /* see if this should be marked as a primary address */ 95 if (ctladdr == NULL || 96 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags))) 97 a->q_flags |= QPRIMARY; 98 99 if (ctladdr != NULL && sameaddr(ctladdr, a)) 100 ctladdr->q_flags |= QSELFREF; 101 al = a; 102 firstone = FALSE; 103 } 104 105 /* arrange to send to everyone on the local send list */ 106 while (al != NULL) 107 { 108 register ADDRESS *a = al; 109 110 al = a->q_next; 111 a = recipient(a, sendq, e); 112 113 /* arrange to inherit full name */ 114 if (a->q_fullname == NULL && ctladdr != NULL) 115 a->q_fullname = ctladdr->q_fullname; 116 naddrs++; 117 } 118 119 e->e_to = oldto; 120 return (naddrs); 121 } 122 /* 123 ** RECIPIENT -- Designate a message recipient 124 ** 125 ** Saves the named person for future mailing. 126 ** 127 ** Parameters: 128 ** a -- the (preparsed) address header for the recipient. 129 ** sendq -- a pointer to the head of a queue to put the 130 ** recipient in. Duplicate supression is done 131 ** in this queue. 132 ** e -- the current envelope. 133 ** 134 ** Returns: 135 ** The actual address in the queue. This will be "a" if 136 ** the address is not a duplicate, else the original address. 137 ** 138 ** Side Effects: 139 ** none. 140 */ 141 142 ADDRESS * 143 recipient(a, sendq, e) 144 register ADDRESS *a; 145 register ADDRESS **sendq; 146 register ENVELOPE *e; 147 { 148 register ADDRESS *q; 149 ADDRESS **pq; 150 register struct mailer *m; 151 register char *p; 152 bool quoted = FALSE; /* set if the addr has a quote bit */ 153 int findusercount = 0; 154 char buf[MAXNAME]; /* unquoted image of the user name */ 155 extern int safefile(); 156 157 e->e_to = a->q_paddr; 158 m = a->q_mailer; 159 errno = 0; 160 if (tTd(26, 1)) 161 { 162 printf("\nrecipient: "); 163 printaddr(a, FALSE); 164 } 165 166 /* if this is primary, add it to the original recipient list */ 167 if (a->q_alias == NULL) 168 { 169 if (e->e_origrcpt == NULL) 170 e->e_origrcpt = a->q_paddr; 171 else if (e->e_origrcpt != a->q_paddr) 172 e->e_origrcpt = ""; 173 } 174 175 /* break aliasing loops */ 176 if (AliasLevel > MAXRCRSN) 177 { 178 usrerr("554 aliasing/forwarding loop broken"); 179 return (a); 180 } 181 182 /* 183 ** Finish setting up address structure. 184 */ 185 186 /* set the queue timeout */ 187 a->q_timeout = TimeOuts.to_q_return; 188 189 /* get unquoted user for file, program or user.name check */ 190 (void) strcpy(buf, a->q_user); 191 for (p = buf; *p != '\0' && !quoted; p++) 192 { 193 if (*p == '\\') 194 quoted = TRUE; 195 } 196 stripquotes(buf); 197 198 /* check for direct mailing to restricted mailers */ 199 if (m == ProgMailer) 200 { 201 if (a->q_alias == NULL) 202 { 203 a->q_flags |= QBADADDR; 204 usrerr("550 Cannot mail directly to programs"); 205 } 206 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 207 { 208 a->q_flags |= QBADADDR; 209 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 210 a->q_alias->q_ruser, MyHostName); 211 } 212 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 213 { 214 a->q_flags |= QBADADDR; 215 usrerr("550 Address %s is unsafe for mailing to programs", 216 a->q_alias->q_paddr); 217 } 218 } 219 220 /* 221 ** Look up this person in the recipient list. 222 ** If they are there already, return, otherwise continue. 223 ** If the list is empty, just add it. Notice the cute 224 ** hack to make from addresses suppress things correctly: 225 ** the QDONTSEND bit will be set in the send list. 226 ** [Please note: the emphasis is on "hack."] 227 */ 228 229 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 230 { 231 if (sameaddr(q, a)) 232 { 233 if (tTd(26, 1)) 234 { 235 printf("%s in sendq: ", a->q_paddr); 236 printaddr(q, FALSE); 237 } 238 if (!bitset(QPRIMARY, q->q_flags)) 239 { 240 if (!bitset(QDONTSEND, a->q_flags)) 241 message("duplicate suppressed"); 242 q->q_flags |= a->q_flags; 243 } 244 else if (bitset(QSELFREF, q->q_flags)) 245 q->q_flags |= a->q_flags & ~QDONTSEND; 246 a = q; 247 goto testselfdestruct; 248 } 249 } 250 251 /* add address on list */ 252 *pq = a; 253 a->q_next = NULL; 254 255 /* 256 ** Alias the name and handle special mailer types. 257 */ 258 259 trylocaluser: 260 if (tTd(29, 7)) 261 printf("at trylocaluser %s\n", a->q_user); 262 263 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 264 goto testselfdestruct; 265 266 if (m == InclMailer) 267 { 268 a->q_flags |= QDONTSEND; 269 if (a->q_alias == NULL) 270 { 271 a->q_flags |= QBADADDR; 272 usrerr("550 Cannot mail directly to :include:s"); 273 } 274 else 275 { 276 int ret; 277 278 message("including file %s", a->q_user); 279 ret = include(a->q_user, FALSE, a, sendq, e); 280 if (transienterror(ret)) 281 { 282 #ifdef LOG 283 if (LogLevel > 2) 284 syslog(LOG_ERR, "%s: include %s: transient error: %s", 285 e->e_id == NULL ? "NOQUEUE" : e->e_id, 286 a->q_user, errstring(ret)); 287 #endif 288 a->q_flags |= QQUEUEUP; 289 a->q_flags &= ~QDONTSEND; 290 usrerr("451 Cannot open %s: %s", 291 a->q_user, errstring(ret)); 292 } 293 else if (ret != 0) 294 { 295 a->q_flags |= QBADADDR; 296 usrerr("550 Cannot open %s: %s", 297 a->q_user, errstring(ret)); 298 } 299 } 300 } 301 else if (m == FileMailer) 302 { 303 extern bool writable(); 304 305 /* check if writable or creatable */ 306 if (a->q_alias == NULL) 307 { 308 a->q_flags |= QBADADDR; 309 usrerr("550 Cannot mail directly to files"); 310 } 311 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 312 { 313 a->q_flags |= QBADADDR; 314 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 315 a->q_alias->q_ruser, MyHostName); 316 } 317 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 318 { 319 a->q_flags |= QBADADDR; 320 usrerr("550 Address %s is unsafe for mailing to files", 321 a->q_alias->q_paddr); 322 } 323 else if (!writable(buf, getctladdr(a), SFF_ANYFILE)) 324 { 325 a->q_flags |= QBADADDR; 326 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e); 327 } 328 } 329 330 if (m != LocalMailer) 331 { 332 if (!bitset(QDONTSEND, a->q_flags)) 333 e->e_nrcpts++; 334 goto testselfdestruct; 335 } 336 337 /* try aliasing */ 338 alias(a, sendq, e); 339 340 # ifdef USERDB 341 /* if not aliased, look it up in the user database */ 342 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags)) 343 { 344 extern int udbexpand(); 345 346 if (udbexpand(a, sendq, e) == EX_TEMPFAIL) 347 { 348 a->q_flags |= QQUEUEUP; 349 if (e->e_message == NULL) 350 e->e_message = newstr("Deferred: user database error"); 351 # ifdef LOG 352 if (LogLevel > 8) 353 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 354 e->e_id == NULL ? "NOQUEUE" : e->e_id, 355 errstring(errno)); 356 # endif 357 message("queued (user database error): %s", 358 errstring(errno)); 359 e->e_nrcpts++; 360 goto testselfdestruct; 361 } 362 } 363 # endif 364 365 /* if it was an alias or a UDB expansion, just return now */ 366 if (bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags)) 367 goto testselfdestruct; 368 369 /* 370 ** If we have a level two config file, then pass the name through 371 ** Ruleset 5 before sending it off. Ruleset 5 has the right 372 ** to send rewrite it to another mailer. This gives us a hook 373 ** after local aliasing has been done. 374 */ 375 376 if (tTd(29, 5)) 377 { 378 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 379 ConfigLevel, RewriteRules[5]); 380 printaddr(a, FALSE); 381 } 382 if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 && 383 RewriteRules[5] != NULL) 384 { 385 maplocaluser(a, sendq, e); 386 } 387 388 /* 389 ** If it didn't get rewritten to another mailer, go ahead 390 ** and deliver it. 391 */ 392 393 if (!bitset(QDONTSEND|QQUEUEUP, a->q_flags)) 394 { 395 auto bool fuzzy; 396 register struct passwd *pw; 397 extern struct passwd *finduser(); 398 399 /* warning -- finduser may trash buf */ 400 pw = finduser(buf, &fuzzy); 401 if (pw == NULL) 402 { 403 a->q_flags |= QBADADDR; 404 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e); 405 } 406 else 407 { 408 char nbuf[MAXNAME]; 409 410 if (fuzzy) 411 { 412 /* name was a fuzzy match */ 413 a->q_user = newstr(pw->pw_name); 414 if (findusercount++ > 3) 415 { 416 a->q_flags |= QBADADDR; 417 usrerr("554 aliasing/forwarding loop for %s broken", 418 pw->pw_name); 419 return (a); 420 } 421 422 /* see if it aliases */ 423 (void) strcpy(buf, pw->pw_name); 424 goto trylocaluser; 425 } 426 if (strcmp(pw->pw_dir, "/") == 0) 427 a->q_home = ""; 428 else 429 a->q_home = newstr(pw->pw_dir); 430 a->q_uid = pw->pw_uid; 431 a->q_gid = pw->pw_gid; 432 a->q_ruser = newstr(pw->pw_name); 433 a->q_flags |= QGOODUID; 434 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 435 if (nbuf[0] != '\0') 436 a->q_fullname = newstr(nbuf); 437 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 438 !usershellok(pw->pw_shell)) 439 { 440 a->q_flags |= QBOGUSSHELL; 441 } 442 if (!quoted) 443 forward(a, sendq, e); 444 } 445 } 446 if (!bitset(QDONTSEND, a->q_flags)) 447 e->e_nrcpts++; 448 449 testselfdestruct: 450 if (tTd(26, 8)) 451 { 452 printf("testselfdestruct: "); 453 printaddr(a, TRUE); 454 } 455 if (a->q_alias == NULL && a != &e->e_from && 456 bitset(QDONTSEND, a->q_flags)) 457 { 458 q = *sendq; 459 while (q != NULL && bitset(QDONTSEND, q->q_flags)) 460 q = q->q_next; 461 if (q == NULL) 462 { 463 a->q_flags |= QBADADDR; 464 usrerr("554 aliasing/forwarding loop broken"); 465 } 466 } 467 return (a); 468 } 469 /* 470 ** FINDUSER -- find the password entry for a user. 471 ** 472 ** This looks a lot like getpwnam, except that it may want to 473 ** do some fancier pattern matching in /etc/passwd. 474 ** 475 ** This routine contains most of the time of many sendmail runs. 476 ** It deserves to be optimized. 477 ** 478 ** Parameters: 479 ** name -- the name to match against. 480 ** fuzzyp -- an outarg that is set to TRUE if this entry 481 ** was found using the fuzzy matching algorithm; 482 ** set to FALSE otherwise. 483 ** 484 ** Returns: 485 ** A pointer to a pw struct. 486 ** NULL if name is unknown or ambiguous. 487 ** 488 ** Side Effects: 489 ** may modify name. 490 */ 491 492 struct passwd * 493 finduser(name, fuzzyp) 494 char *name; 495 bool *fuzzyp; 496 { 497 register struct passwd *pw; 498 register char *p; 499 extern struct passwd *getpwent(); 500 extern struct passwd *getpwnam(); 501 502 if (tTd(29, 4)) 503 printf("finduser(%s): ", name); 504 505 *fuzzyp = FALSE; 506 507 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 508 for (p = name; *p != '\0'; p++) 509 if (!isascii(*p) || !isdigit(*p)) 510 break; 511 if (*p == '\0') 512 { 513 if (tTd(29, 4)) 514 printf("failed (numeric input)\n"); 515 return NULL; 516 } 517 518 /* look up this login name using fast path */ 519 if ((pw = getpwnam(name)) != NULL) 520 { 521 if (tTd(29, 4)) 522 printf("found (non-fuzzy)\n"); 523 return (pw); 524 } 525 526 #ifdef MATCHGECOS 527 /* see if fuzzy matching allowed */ 528 if (!MatchGecos) 529 { 530 if (tTd(29, 4)) 531 printf("not found (fuzzy disabled)\n"); 532 return NULL; 533 } 534 535 /* search for a matching full name instead */ 536 for (p = name; *p != '\0'; p++) 537 { 538 if (*p == (SpaceSub & 0177) || *p == '_') 539 *p = ' '; 540 } 541 (void) setpwent(); 542 while ((pw = getpwent()) != NULL) 543 { 544 char buf[MAXNAME]; 545 546 buildfname(pw->pw_gecos, pw->pw_name, buf); 547 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 548 { 549 if (tTd(29, 4)) 550 printf("fuzzy matches %s\n", pw->pw_name); 551 message("sending to login name %s", pw->pw_name); 552 *fuzzyp = TRUE; 553 return (pw); 554 } 555 } 556 if (tTd(29, 4)) 557 printf("no fuzzy match found\n"); 558 #else 559 if (tTd(29, 4)) 560 printf("not found (fuzzy disabled)\n"); 561 #endif 562 return (NULL); 563 } 564 /* 565 ** WRITABLE -- predicate returning if the file is writable. 566 ** 567 ** This routine must duplicate the algorithm in sys/fio.c. 568 ** Unfortunately, we cannot use the access call since we 569 ** won't necessarily be the real uid when we try to 570 ** actually open the file. 571 ** 572 ** Notice that ANY file with ANY execute bit is automatically 573 ** not writable. This is also enforced by mailfile. 574 ** 575 ** Parameters: 576 ** filename -- the file name to check. 577 ** ctladdr -- the controlling address for this file. 578 ** flags -- SFF_* flags to control the function. 579 ** 580 ** Returns: 581 ** TRUE -- if we will be able to write this file. 582 ** FALSE -- if we cannot write this file. 583 ** 584 ** Side Effects: 585 ** none. 586 */ 587 588 bool 589 writable(filename, ctladdr, flags) 590 char *filename; 591 ADDRESS *ctladdr; 592 int flags; 593 { 594 uid_t euid; 595 gid_t egid; 596 int bits; 597 register char *p; 598 char *uname; 599 struct stat stb; 600 extern char RealUserName[]; 601 602 if (tTd(29, 5)) 603 printf("writable(%s, %x)\n", filename, flags); 604 605 #ifdef HASLSTAT 606 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb) 607 : stat(filename, &stb)) < 0) 608 #else 609 if (stat(filename, &stb) < 0) 610 #endif 611 { 612 /* file does not exist -- see if directory is safe */ 613 p = strrchr(filename, '/'); 614 if (p == NULL) 615 { 616 errno = ENOTDIR; 617 return FALSE; 618 } 619 *p = '\0'; 620 errno = safefile(filename, RealUid, RealGid, RealUserName, 621 SFF_MUSTOWN, S_IWRITE|S_IEXEC); 622 *p = '/'; 623 return errno == 0; 624 } 625 626 #ifdef SUID_ROOT_FILES_OK 627 /* really ought to be passed down -- and not a good idea */ 628 flags |= SFF_ROOTOK; 629 #endif 630 631 /* 632 ** File does exist -- check that it is writable. 633 */ 634 635 if (bitset(0111, stb.st_mode)) 636 { 637 if (tTd(29, 5)) 638 printf("failed (mode %o: x bits)\n", stb.st_mode); 639 errno = EPERM; 640 return (FALSE); 641 } 642 643 if (ctladdr != NULL && geteuid() == 0) 644 { 645 euid = ctladdr->q_uid; 646 egid = ctladdr->q_gid; 647 uname = ctladdr->q_user; 648 } 649 else 650 { 651 euid = RealUid; 652 egid = RealGid; 653 uname = RealUserName; 654 } 655 if (euid == 0) 656 { 657 euid = DefUid; 658 uname = DefUser; 659 } 660 if (egid == 0) 661 egid = DefGid; 662 if (geteuid() == 0) 663 { 664 if (bitset(S_ISUID, stb.st_mode) && 665 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags))) 666 { 667 euid = stb.st_uid; 668 uname = NULL; 669 } 670 if (bitset(S_ISGID, stb.st_mode) && 671 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags))) 672 egid = stb.st_gid; 673 } 674 675 if (tTd(29, 5)) 676 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n", 677 euid, egid, stb.st_uid, stb.st_gid); 678 679 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE); 680 return errno == 0; 681 } 682 /* 683 ** INCLUDE -- handle :include: specification. 684 ** 685 ** Parameters: 686 ** fname -- filename to include. 687 ** forwarding -- if TRUE, we are reading a .forward file. 688 ** if FALSE, it's a :include: file. 689 ** ctladdr -- address template to use to fill in these 690 ** addresses -- effective user/group id are 691 ** the important things. 692 ** sendq -- a pointer to the head of the send queue 693 ** to put these addresses in. 694 ** 695 ** Returns: 696 ** open error status 697 ** 698 ** Side Effects: 699 ** reads the :include: file and sends to everyone 700 ** listed in that file. 701 ** 702 ** Security Note: 703 ** If you have restricted chown (that is, you can't 704 ** give a file away), it is reasonable to allow programs 705 ** and files called from this :include: file to be to be 706 ** run as the owner of the :include: file. This is bogus 707 ** if there is any chance of someone giving away a file. 708 ** We assume that pre-POSIX systems can give away files. 709 ** 710 ** There is an additional restriction that if you 711 ** forward to a :include: file, it will not take on 712 ** the ownership of the :include: file. This may not 713 ** be necessary, but shouldn't hurt. 714 */ 715 716 static jmp_buf CtxIncludeTimeout; 717 static int includetimeout(); 718 719 #ifndef S_IWOTH 720 # define S_IWOTH (S_IWRITE >> 6) 721 #endif 722 723 int 724 include(fname, forwarding, ctladdr, sendq, e) 725 char *fname; 726 bool forwarding; 727 ADDRESS *ctladdr; 728 ADDRESS **sendq; 729 ENVELOPE *e; 730 { 731 register FILE *fp = NULL; 732 char *oldto = e->e_to; 733 char *oldfilename = FileName; 734 int oldlinenumber = LineNumber; 735 register EVENT *ev = NULL; 736 int nincludes; 737 register ADDRESS *ca; 738 uid_t saveduid, uid; 739 gid_t savedgid, gid; 740 char *uname; 741 int rval = 0; 742 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE; 743 struct stat st; 744 char buf[MAXLINE]; 745 #ifdef _POSIX_CHOWN_RESTRICTED 746 # if _POSIX_CHOWN_RESTRICTED == -1 747 # define safechown FALSE 748 # else 749 # define safechown TRUE 750 # endif 751 #else 752 # ifdef _PC_CHOWN_RESTRICTED 753 bool safechown; 754 # else 755 # ifdef BSD 756 # define safechown TRUE 757 # else 758 # define safechown FALSE 759 # endif 760 # endif 761 #endif 762 extern bool chownsafe(); 763 764 if (tTd(27, 2)) 765 printf("include(%s)\n", fname); 766 if (tTd(27, 4)) 767 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 768 if (tTd(27, 14)) 769 { 770 printf("ctladdr "); 771 printaddr(ctladdr, FALSE); 772 } 773 774 if (tTd(27, 9)) 775 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 776 777 ca = getctladdr(ctladdr); 778 if (ca == NULL) 779 { 780 uid = DefUid; 781 gid = DefGid; 782 uname = DefUser; 783 saveduid = -1; 784 } 785 else 786 { 787 uid = ca->q_uid; 788 gid = ca->q_gid; 789 uname = ca->q_user; 790 #ifdef HASSETREUID 791 saveduid = geteuid(); 792 savedgid = getegid(); 793 if (saveduid == 0) 794 { 795 initgroups(uname, gid); 796 if (uid != 0) 797 (void) setreuid(0, uid); 798 } 799 #endif 800 } 801 802 if (tTd(27, 9)) 803 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 804 805 /* 806 ** If home directory is remote mounted but server is down, 807 ** this can hang or give errors; use a timeout to avoid this 808 */ 809 810 if (setjmp(CtxIncludeTimeout) != 0) 811 { 812 ctladdr->q_flags |= QQUEUEUP; 813 errno = 0; 814 815 /* return pseudo-error code */ 816 rval = EOPENTIMEOUT; 817 goto resetuid; 818 } 819 ev = setevent((time_t) 60, includetimeout, 0); 820 821 /* the input file must be marked safe */ 822 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD); 823 if (rval != 0) 824 { 825 /* don't use this :include: file */ 826 if (tTd(27, 4)) 827 printf("include: not safe (uid=%d): %s\n", 828 uid, errstring(rval)); 829 } 830 else 831 { 832 fp = fopen(fname, "r"); 833 if (fp == NULL) 834 { 835 rval = errno; 836 if (tTd(27, 4)) 837 printf("include: open: %s\n", errstring(rval)); 838 } 839 } 840 clrevent(ev); 841 842 resetuid: 843 844 #ifdef HASSETREUID 845 if (saveduid == 0) 846 { 847 if (uid != 0) 848 if (setreuid(-1, 0) < 0 || setreuid(RealUid, 0) < 0) 849 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 850 RealUid, getuid(), geteuid()); 851 setgid(savedgid); 852 } 853 #endif 854 855 if (tTd(27, 9)) 856 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 857 858 if (rval == EOPENTIMEOUT) 859 usrerr("451 open timeout on %s", fname); 860 861 if (fp == NULL) 862 return rval; 863 864 if (fstat(fileno(fp), &st) < 0) 865 { 866 rval = errno; 867 syserr("Cannot fstat %s!", fname); 868 return rval; 869 } 870 871 #ifndef safechown 872 safechown = chownsafe(fileno(fp)); 873 #endif 874 if (ca == NULL && safechown) 875 { 876 ctladdr->q_uid = st.st_uid; 877 ctladdr->q_gid = st.st_gid; 878 ctladdr->q_flags |= QGOODUID; 879 } 880 if (ca != NULL && ca->q_uid == st.st_uid) 881 { 882 /* optimization -- avoid getpwuid if we already have info */ 883 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 884 ctladdr->q_ruser = ca->q_ruser; 885 } 886 else 887 { 888 char *sh; 889 register struct passwd *pw; 890 891 sh = "/SENDMAIL/ANY/SHELL/"; 892 pw = getpwuid(st.st_uid); 893 if (pw != NULL) 894 { 895 ctladdr->q_ruser = newstr(pw->pw_name); 896 if (safechown) 897 sh = pw->pw_shell; 898 } 899 if (pw == NULL) 900 ctladdr->q_flags |= QBOGUSSHELL; 901 else if(!usershellok(sh)) 902 { 903 if (safechown) 904 ctladdr->q_flags |= QBOGUSSHELL; 905 else 906 ctladdr->q_flags |= QUNSAFEADDR; 907 } 908 } 909 910 if (bitset(EF_VRFYONLY, e->e_flags)) 911 { 912 /* don't do any more now */ 913 ctladdr->q_flags |= QVERIFIED; 914 e->e_nrcpts++; 915 xfclose(fp, "include", fname); 916 return rval; 917 } 918 919 /* 920 ** Check to see if some bad guy can write this file 921 ** 922 ** This should really do something clever with group 923 ** permissions; currently we just view world writable 924 ** as unsafe. Also, we don't check for writable 925 ** directories in the path. We've got to leave 926 ** something for the local sysad to do. 927 */ 928 929 if (bitset(S_IWOTH, st.st_mode)) 930 ctladdr->q_flags |= QUNSAFEADDR; 931 932 /* read the file -- each line is a comma-separated list. */ 933 FileName = fname; 934 LineNumber = 0; 935 ctladdr->q_flags &= ~QSELFREF; 936 nincludes = 0; 937 while (fgets(buf, sizeof buf, fp) != NULL) 938 { 939 register char *p = strchr(buf, '\n'); 940 941 LineNumber++; 942 if (p != NULL) 943 *p = '\0'; 944 if (buf[0] == '#' || buf[0] == '\0') 945 continue; 946 e->e_to = NULL; 947 message("%s to %s", 948 forwarding ? "forwarding" : "sending", buf); 949 #ifdef LOG 950 if (forwarding && LogLevel > 9) 951 syslog(LOG_INFO, "%s: forward %s => %s", 952 e->e_id == NULL ? "NOQUEUE" : e->e_id, 953 oldto, buf); 954 #endif 955 956 AliasLevel++; 957 nincludes += sendtolist(buf, ctladdr, sendq, e); 958 AliasLevel--; 959 } 960 961 if (ferror(fp) && tTd(27, 3)) 962 printf("include: read error: %s\n", errstring(errno)); 963 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 964 { 965 if (tTd(27, 5)) 966 { 967 printf("include: QDONTSEND "); 968 printaddr(ctladdr, FALSE); 969 } 970 ctladdr->q_flags |= QDONTSEND; 971 } 972 973 (void) xfclose(fp, "include", fname); 974 FileName = oldfilename; 975 LineNumber = oldlinenumber; 976 e->e_to = oldto; 977 return rval; 978 } 979 980 static 981 includetimeout() 982 { 983 longjmp(CtxIncludeTimeout, 1); 984 } 985 /* 986 ** SENDTOARGV -- send to an argument vector. 987 ** 988 ** Parameters: 989 ** argv -- argument vector to send to. 990 ** e -- the current envelope. 991 ** 992 ** Returns: 993 ** none. 994 ** 995 ** Side Effects: 996 ** puts all addresses on the argument vector onto the 997 ** send queue. 998 */ 999 1000 sendtoargv(argv, e) 1001 register char **argv; 1002 register ENVELOPE *e; 1003 { 1004 register char *p; 1005 1006 while ((p = *argv++) != NULL) 1007 { 1008 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e); 1009 } 1010 } 1011 /* 1012 ** GETCTLADDR -- get controlling address from an address header. 1013 ** 1014 ** If none, get one corresponding to the effective userid. 1015 ** 1016 ** Parameters: 1017 ** a -- the address to find the controller of. 1018 ** 1019 ** Returns: 1020 ** the controlling address. 1021 ** 1022 ** Side Effects: 1023 ** none. 1024 */ 1025 1026 ADDRESS * 1027 getctladdr(a) 1028 register ADDRESS *a; 1029 { 1030 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1031 a = a->q_alias; 1032 return (a); 1033 } 1034