1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.58 (Berkeley) 11/25/94";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** aliaslevel -- the current alias nesting depth -- to
31 ** diagnose loops.
32 ** e -- the envelope in which to add these recipients.
33 **
34 ** Returns:
35 ** The number of addresses actually on the list.
36 **
37 ** Side Effects:
38 ** none.
39 */
40
41 #define MAXRCRSN 10 /* maximum levels of alias recursion */
42
43 /* q_flags bits inherited from ctladdr */
44 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHAS_RET_PARAM|QRET_HDRS)
45
46 int
47 sendtolist(list, ctladdr, sendq, aliaslevel, e)
48 char *list;
49 ADDRESS *ctladdr;
50 ADDRESS **sendq;
51 int aliaslevel;
52 register ENVELOPE *e;
53 {
54 register char *p;
55 register ADDRESS *al; /* list of addresses to send to */
56 bool firstone; /* set on first address sent */
57 char delimiter; /* the address delimiter */
58 int naddrs;
59 char *oldto = e->e_to;
60 static char *bufp = NULL;
61 static int buflen;
62 char buf[MAXNAME + 1];
63
64 if (list == NULL)
65 {
66 syserr("sendtolist: null list");
67 return 0;
68 }
69
70 if (tTd(25, 1))
71 {
72 printf("sendto: %s\n ctladdr=", list);
73 printaddr(ctladdr, FALSE);
74 }
75
76 /* heuristic to determine old versus new style addresses */
77 if (ctladdr == NULL &&
78 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
79 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
80 e->e_flags &= ~EF_OLDSTYLE;
81 delimiter = ' ';
82 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
83 delimiter = ',';
84
85 firstone = TRUE;
86 al = NULL;
87 naddrs = 0;
88
89 if (buf == NULL)
90 {
91 bufp = buf;
92 buflen = sizeof buf - 1;
93 }
94 if (strlen(list) > buflen)
95 {
96 /* allocate additional space */
97 if (bufp != buf)
98 free(bufp);
99 buflen = strlen(list);
100 bufp = malloc(buflen + 1);
101 }
102 strcpy(bufp, list);
103
104 for (p = bufp; *p != '\0'; )
105 {
106 auto char *delimptr;
107 register ADDRESS *a;
108
109 /* parse the address */
110 while ((isascii(*p) && isspace(*p)) || *p == ',')
111 p++;
112 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
113 p = delimptr;
114 if (a == NULL)
115 continue;
116 a->q_next = al;
117 a->q_alias = ctladdr;
118
119 /* see if this should be marked as a primary address */
120 if (ctladdr == NULL ||
121 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
122 a->q_flags |= QPRIMARY;
123
124 /* arrange to inherit attributes from parent */
125 if (ctladdr != NULL)
126 {
127 /* self reference test */
128 if (sameaddr(ctladdr, a))
129 ctladdr->q_flags |= QSELFREF;
130
131 /* full name */
132 if (a->q_fullname == NULL)
133 a->q_fullname = ctladdr->q_fullname;
134
135 /* various flag bits */
136 a->q_flags &= ~QINHERITEDBITS;
137 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
138
139 /* original recipient information */
140 a->q_orcpt = ctladdr->q_orcpt;
141 }
142
143 al = a;
144 firstone = FALSE;
145 }
146
147 /* arrange to send to everyone on the local send list */
148 while (al != NULL)
149 {
150 register ADDRESS *a = al;
151
152 al = a->q_next;
153 a = recipient(a, sendq, aliaslevel, e);
154 naddrs++;
155 }
156
157 e->e_to = oldto;
158 return (naddrs);
159 }
160 �/*
161 ** RECIPIENT -- Designate a message recipient
162 **
163 ** Saves the named person for future mailing.
164 **
165 ** Parameters:
166 ** a -- the (preparsed) address header for the recipient.
167 ** sendq -- a pointer to the head of a queue to put the
168 ** recipient in. Duplicate supression is done
169 ** in this queue.
170 ** aliaslevel -- the current alias nesting depth.
171 ** e -- the current envelope.
172 **
173 ** Returns:
174 ** The actual address in the queue. This will be "a" if
175 ** the address is not a duplicate, else the original address.
176 **
177 ** Side Effects:
178 ** none.
179 */
180
181 ADDRESS *
182 recipient(a, sendq, aliaslevel, e)
183 register ADDRESS *a;
184 register ADDRESS **sendq;
185 int aliaslevel;
186 register ENVELOPE *e;
187 {
188 register ADDRESS *q;
189 ADDRESS **pq;
190 register struct mailer *m;
191 register char *p;
192 bool quoted = FALSE; /* set if the addr has a quote bit */
193 int findusercount = 0;
194 int i;
195 char *buf;
196 char buf0[MAXNAME]; /* unquoted image of the user name */
197 extern int safefile();
198
199 e->e_to = a->q_paddr;
200 m = a->q_mailer;
201 errno = 0;
202 if (tTd(26, 1))
203 {
204 printf("\nrecipient: ");
205 printaddr(a, FALSE);
206 }
207
208 /* if this is primary, add it to the original recipient list */
209 if (a->q_alias == NULL)
210 {
211 if (e->e_origrcpt == NULL)
212 e->e_origrcpt = a->q_paddr;
213 else if (e->e_origrcpt != a->q_paddr)
214 e->e_origrcpt = "";
215 }
216
217 /* break aliasing loops */
218 if (aliaslevel > MAXRCRSN)
219 {
220 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
221 aliaslevel, MAXRCRSN);
222 return (a);
223 }
224
225 /*
226 ** Finish setting up address structure.
227 */
228
229 /* get unquoted user for file, program or user.name check */
230 i = strlen(a->q_user);
231 if (i >= sizeof buf)
232 buf = xalloc(i + 1);
233 else
234 buf = buf0;
235 (void) strcpy(buf, a->q_user);
236 for (p = buf; *p != '\0' && !quoted; p++)
237 {
238 if (*p == '\\')
239 quoted = TRUE;
240 }
241 stripquotes(buf);
242
243 /* check for direct mailing to restricted mailers */
244 if (m == ProgMailer)
245 {
246 if (a->q_alias == NULL)
247 {
248 a->q_flags |= QBADADDR;
249 usrerr("550 Cannot mail directly to programs");
250 }
251 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
252 {
253 a->q_flags |= QBADADDR;
254 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
255 a->q_alias->q_ruser, MyHostName);
256 }
257 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
258 {
259 a->q_flags |= QBADADDR;
260 usrerr("550 Address %s is unsafe for mailing to programs",
261 a->q_alias->q_paddr);
262 }
263 }
264
265 /*
266 ** Look up this person in the recipient list.
267 ** If they are there already, return, otherwise continue.
268 ** If the list is empty, just add it. Notice the cute
269 ** hack to make from addresses suppress things correctly:
270 ** the QDONTSEND bit will be set in the send list.
271 ** [Please note: the emphasis is on "hack."]
272 */
273
274 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
275 {
276 if (sameaddr(q, a))
277 {
278 if (tTd(26, 1))
279 {
280 printf("%s in sendq: ", a->q_paddr);
281 printaddr(q, FALSE);
282 }
283 if (!bitset(QPRIMARY, q->q_flags))
284 {
285 if (!bitset(QDONTSEND, a->q_flags))
286 message("duplicate suppressed");
287 q->q_flags |= a->q_flags;
288 }
289 else if (bitset(QSELFREF, q->q_flags))
290 q->q_flags |= a->q_flags & ~QDONTSEND;
291 a = q;
292 goto testselfdestruct;
293 }
294 }
295
296 /* add address on list */
297 *pq = a;
298 a->q_next = NULL;
299
300 /*
301 ** Alias the name and handle special mailer types.
302 */
303
304 trylocaluser:
305 if (tTd(29, 7))
306 printf("at trylocaluser %s\n", a->q_user);
307
308 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
309 goto testselfdestruct;
310
311 if (m == InclMailer)
312 {
313 a->q_flags |= QDONTSEND;
314 if (a->q_alias == NULL)
315 {
316 a->q_flags |= QBADADDR;
317 usrerr("550 Cannot mail directly to :include:s");
318 }
319 else
320 {
321 int ret;
322
323 message("including file %s", a->q_user);
324 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
325 if (transienterror(ret))
326 {
327 #ifdef LOG
328 if (LogLevel > 2)
329 syslog(LOG_ERR, "%s: include %s: transient error: %s",
330 e->e_id == NULL ? "NOQUEUE" : e->e_id,
331 a->q_user, errstring(ret));
332 #endif
333 a->q_flags |= QQUEUEUP;
334 a->q_flags &= ~QDONTSEND;
335 usrerr("451 Cannot open %s: %s",
336 a->q_user, errstring(ret));
337 }
338 else if (ret != 0)
339 {
340 a->q_flags |= QBADADDR;
341 usrerr("550 Cannot open %s: %s",
342 a->q_user, errstring(ret));
343 }
344 }
345 }
346 else if (m == FileMailer)
347 {
348 extern bool writable();
349
350 /* check if writable or creatable */
351 if (a->q_alias == NULL)
352 {
353 a->q_flags |= QBADADDR;
354 usrerr("550 Cannot mail directly to files");
355 }
356 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
357 {
358 a->q_flags |= QBADADDR;
359 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
360 a->q_alias->q_ruser, MyHostName);
361 }
362 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
363 {
364 a->q_flags |= QBADADDR;
365 usrerr("550 Address %s is unsafe for mailing to files",
366 a->q_alias->q_paddr);
367 }
368 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
369 {
370 a->q_flags |= QBADADDR;
371 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
372 }
373 }
374
375 /* try aliasing */
376 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
377 alias(a, sendq, aliaslevel, e);
378
379 # ifdef USERDB
380 /* if not aliased, look it up in the user database */
381 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
382 bitnset(M_CHECKUDB, m->m_flags))
383 {
384 extern int udbexpand();
385
386 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
387 {
388 a->q_flags |= QQUEUEUP;
389 if (e->e_message == NULL)
390 e->e_message = newstr("Deferred: user database error");
391 # ifdef LOG
392 if (LogLevel > 8)
393 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
394 e->e_id == NULL ? "NOQUEUE" : e->e_id,
395 errstring(errno));
396 # endif
397 message("queued (user database error): %s",
398 errstring(errno));
399 e->e_nrcpts++;
400 goto testselfdestruct;
401 }
402 }
403 # endif
404
405 /*
406 ** If we have a level two config file, then pass the name through
407 ** Ruleset 5 before sending it off. Ruleset 5 has the right
408 ** to send rewrite it to another mailer. This gives us a hook
409 ** after local aliasing has been done.
410 */
411
412 if (tTd(29, 5))
413 {
414 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
415 ConfigLevel, RewriteRules[5]);
416 printaddr(a, FALSE);
417 }
418 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
419 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
420 bitnset(M_TRYRULESET5, m->m_flags))
421 {
422 maplocaluser(a, sendq, aliaslevel, e);
423 }
424
425 /*
426 ** If it didn't get rewritten to another mailer, go ahead
427 ** and deliver it.
428 */
429
430 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
431 bitnset(M_HASPWENT, m->m_flags))
432 {
433 auto bool fuzzy;
434 register struct passwd *pw;
435 extern struct passwd *finduser();
436
437 /* warning -- finduser may trash buf */
438 pw = finduser(buf, &fuzzy);
439 if (pw == NULL)
440 {
441 a->q_flags |= QBADADDR;
442 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
443 }
444 else
445 {
446 char nbuf[MAXNAME];
447
448 if (fuzzy)
449 {
450 /* name was a fuzzy match */
451 a->q_user = newstr(pw->pw_name);
452 if (findusercount++ > 3)
453 {
454 a->q_flags |= QBADADDR;
455 usrerr("554 aliasing/forwarding loop for %s broken",
456 pw->pw_name);
457 goto done;
458 }
459
460 /* see if it aliases */
461 (void) strcpy(buf, pw->pw_name);
462 goto trylocaluser;
463 }
464 if (strcmp(pw->pw_dir, "/") == 0)
465 a->q_home = "";
466 else
467 a->q_home = newstr(pw->pw_dir);
468 a->q_uid = pw->pw_uid;
469 a->q_gid = pw->pw_gid;
470 a->q_ruser = newstr(pw->pw_name);
471 a->q_flags |= QGOODUID;
472 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
473 if (nbuf[0] != '\0')
474 a->q_fullname = newstr(nbuf);
475 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
476 !usershellok(pw->pw_shell))
477 {
478 a->q_flags |= QBOGUSSHELL;
479 }
480 if (!quoted)
481 forward(a, sendq, aliaslevel, e);
482 }
483 }
484 if (!bitset(QDONTSEND, a->q_flags))
485 e->e_nrcpts++;
486
487 testselfdestruct:
488 if (tTd(26, 8))
489 {
490 printf("testselfdestruct: ");
491 printaddr(a, TRUE);
492 }
493 if (a->q_alias == NULL && a != &e->e_from &&
494 bitset(QDONTSEND, a->q_flags))
495 {
496 q = *sendq;
497 while (q != NULL && bitset(QDONTSEND, q->q_flags))
498 q = q->q_next;
499 if (q == NULL)
500 {
501 a->q_flags |= QBADADDR;
502 usrerr("554 aliasing/forwarding loop broken");
503 }
504 }
505
506 done:
507 if (buf != buf0)
508 free(buf);
509 return (a);
510 }
511 �/*
512 ** FINDUSER -- find the password entry for a user.
513 **
514 ** This looks a lot like getpwnam, except that it may want to
515 ** do some fancier pattern matching in /etc/passwd.
516 **
517 ** This routine contains most of the time of many sendmail runs.
518 ** It deserves to be optimized.
519 **
520 ** Parameters:
521 ** name -- the name to match against.
522 ** fuzzyp -- an outarg that is set to TRUE if this entry
523 ** was found using the fuzzy matching algorithm;
524 ** set to FALSE otherwise.
525 **
526 ** Returns:
527 ** A pointer to a pw struct.
528 ** NULL if name is unknown or ambiguous.
529 **
530 ** Side Effects:
531 ** may modify name.
532 */
533
534 struct passwd *
535 finduser(name, fuzzyp)
536 char *name;
537 bool *fuzzyp;
538 {
539 register struct passwd *pw;
540 register char *p;
541 extern struct passwd *getpwent();
542 extern struct passwd *getpwnam();
543
544 if (tTd(29, 4))
545 printf("finduser(%s): ", name);
546
547 *fuzzyp = FALSE;
548
549 #ifdef HESIOD
550 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
551 for (p = name; *p != '\0'; p++)
552 if (!isascii(*p) || !isdigit(*p))
553 break;
554 if (*p == '\0')
555 {
556 if (tTd(29, 4))
557 printf("failed (numeric input)\n");
558 return NULL;
559 }
560 #endif
561
562 /* look up this login name using fast path */
563 if ((pw = getpwnam(name)) != NULL)
564 {
565 if (tTd(29, 4))
566 printf("found (non-fuzzy)\n");
567 return (pw);
568 }
569
570 #ifdef MATCHGECOS
571 /* see if fuzzy matching allowed */
572 if (!MatchGecos)
573 {
574 if (tTd(29, 4))
575 printf("not found (fuzzy disabled)\n");
576 return NULL;
577 }
578
579 /* search for a matching full name instead */
580 for (p = name; *p != '\0'; p++)
581 {
582 if (*p == (SpaceSub & 0177) || *p == '_')
583 *p = ' ';
584 }
585 (void) setpwent();
586 while ((pw = getpwent()) != NULL)
587 {
588 char buf[MAXNAME];
589
590 buildfname(pw->pw_gecos, pw->pw_name, buf);
591 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
592 {
593 if (tTd(29, 4))
594 printf("fuzzy matches %s\n", pw->pw_name);
595 message("sending to login name %s", pw->pw_name);
596 *fuzzyp = TRUE;
597 return (pw);
598 }
599 }
600 if (tTd(29, 4))
601 printf("no fuzzy match found\n");
602 #else
603 if (tTd(29, 4))
604 printf("not found (fuzzy disabled)\n");
605 #endif
606 return (NULL);
607 }
608 �/*
609 ** WRITABLE -- predicate returning if the file is writable.
610 **
611 ** This routine must duplicate the algorithm in sys/fio.c.
612 ** Unfortunately, we cannot use the access call since we
613 ** won't necessarily be the real uid when we try to
614 ** actually open the file.
615 **
616 ** Notice that ANY file with ANY execute bit is automatically
617 ** not writable. This is also enforced by mailfile.
618 **
619 ** Parameters:
620 ** filename -- the file name to check.
621 ** ctladdr -- the controlling address for this file.
622 ** flags -- SFF_* flags to control the function.
623 **
624 ** Returns:
625 ** TRUE -- if we will be able to write this file.
626 ** FALSE -- if we cannot write this file.
627 **
628 ** Side Effects:
629 ** none.
630 */
631
632 bool
633 writable(filename, ctladdr, flags)
634 char *filename;
635 ADDRESS *ctladdr;
636 int flags;
637 {
638 uid_t euid;
639 gid_t egid;
640 int bits;
641 register char *p;
642 char *uname;
643 struct stat stb;
644 extern char RealUserName[];
645
646 if (tTd(29, 5))
647 printf("writable(%s, %x)\n", filename, flags);
648
649 #ifdef HASLSTAT
650 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
651 : stat(filename, &stb)) < 0)
652 #else
653 if (stat(filename, &stb) < 0)
654 #endif
655 {
656 /* file does not exist -- see if directory is safe */
657 p = strrchr(filename, '/');
658 if (p == NULL)
659 {
660 errno = ENOTDIR;
661 return FALSE;
662 }
663 *p = '\0';
664 errno = safefile(filename, RealUid, RealGid, RealUserName,
665 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
666 *p = '/';
667 return errno == 0;
668 }
669
670 #ifdef SUID_ROOT_FILES_OK
671 /* really ought to be passed down -- and not a good idea */
672 flags |= SFF_ROOTOK;
673 #endif
674
675 /*
676 ** File does exist -- check that it is writable.
677 */
678
679 if (bitset(0111, stb.st_mode))
680 {
681 if (tTd(29, 5))
682 printf("failed (mode %o: x bits)\n", stb.st_mode);
683 errno = EPERM;
684 return (FALSE);
685 }
686
687 if (ctladdr != NULL && geteuid() == 0)
688 {
689 euid = ctladdr->q_uid;
690 egid = ctladdr->q_gid;
691 uname = ctladdr->q_user;
692 }
693 #ifdef RUN_AS_REAL_UID
694 else
695 {
696 euid = RealUid;
697 egid = RealGid;
698 uname = RealUserName;
699 }
700 #else
701 else if (FileMailer != NULL)
702 {
703 euid = FileMailer->m_uid;
704 egid = FileMailer->m_gid;
705 }
706 else
707 {
708 euid = egid = 0;
709 }
710 #endif
711 if (euid == 0)
712 {
713 euid = DefUid;
714 uname = DefUser;
715 }
716 if (egid == 0)
717 egid = DefGid;
718 if (geteuid() == 0)
719 {
720 if (bitset(S_ISUID, stb.st_mode) &&
721 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
722 {
723 euid = stb.st_uid;
724 uname = NULL;
725 }
726 if (bitset(S_ISGID, stb.st_mode) &&
727 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
728 egid = stb.st_gid;
729 }
730
731 if (tTd(29, 5))
732 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
733 euid, egid, stb.st_uid, stb.st_gid);
734
735 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
736 return errno == 0;
737 }
738 �/*
739 ** INCLUDE -- handle :include: specification.
740 **
741 ** Parameters:
742 ** fname -- filename to include.
743 ** forwarding -- if TRUE, we are reading a .forward file.
744 ** if FALSE, it's a :include: file.
745 ** ctladdr -- address template to use to fill in these
746 ** addresses -- effective user/group id are
747 ** the important things.
748 ** sendq -- a pointer to the head of the send queue
749 ** to put these addresses in.
750 ** aliaslevel -- the alias nesting depth.
751 ** e -- the current envelope.
752 **
753 ** Returns:
754 ** open error status
755 **
756 ** Side Effects:
757 ** reads the :include: file and sends to everyone
758 ** listed in that file.
759 **
760 ** Security Note:
761 ** If you have restricted chown (that is, you can't
762 ** give a file away), it is reasonable to allow programs
763 ** and files called from this :include: file to be to be
764 ** run as the owner of the :include: file. This is bogus
765 ** if there is any chance of someone giving away a file.
766 ** We assume that pre-POSIX systems can give away files.
767 **
768 ** There is an additional restriction that if you
769 ** forward to a :include: file, it will not take on
770 ** the ownership of the :include: file. This may not
771 ** be necessary, but shouldn't hurt.
772 */
773
774 static jmp_buf CtxIncludeTimeout;
775 static int includetimeout();
776
777 #ifndef S_IWOTH
778 # define S_IWOTH (S_IWRITE >> 6)
779 #endif
780
781 int
782 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
783 char *fname;
784 bool forwarding;
785 ADDRESS *ctladdr;
786 ADDRESS **sendq;
787 int aliaslevel;
788 ENVELOPE *e;
789 {
790 register FILE *fp = NULL;
791 char *oldto = e->e_to;
792 char *oldfilename = FileName;
793 int oldlinenumber = LineNumber;
794 register EVENT *ev = NULL;
795 int nincludes;
796 register ADDRESS *ca;
797 uid_t saveduid, uid;
798 gid_t savedgid, gid;
799 char *uname;
800 int rval = 0;
801 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
802 struct stat st;
803 char buf[MAXLINE];
804 #ifdef _POSIX_CHOWN_RESTRICTED
805 # if _POSIX_CHOWN_RESTRICTED == -1
806 # define safechown FALSE
807 # else
808 # define safechown TRUE
809 # endif
810 #else
811 # ifdef _PC_CHOWN_RESTRICTED
812 bool safechown;
813 # else
814 # ifdef BSD
815 # define safechown TRUE
816 # else
817 # define safechown FALSE
818 # endif
819 # endif
820 #endif
821 extern bool chownsafe();
822
823 if (tTd(27, 2))
824 printf("include(%s)\n", fname);
825 if (tTd(27, 4))
826 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
827 if (tTd(27, 14))
828 {
829 printf("ctladdr ");
830 printaddr(ctladdr, FALSE);
831 }
832
833 if (tTd(27, 9))
834 printf("include: old uid = %d/%d\n", getuid(), geteuid());
835
836 ca = getctladdr(ctladdr);
837 if (ca == NULL)
838 {
839 uid = DefUid;
840 gid = DefGid;
841 uname = DefUser;
842 saveduid = -1;
843 }
844 else
845 {
846 uid = ca->q_uid;
847 gid = ca->q_gid;
848 uname = ca->q_user;
849 #ifdef HASSETREUID
850 saveduid = geteuid();
851 savedgid = getegid();
852 if (saveduid == 0)
853 {
854 initgroups(uname, gid);
855 if (uid != 0)
856 {
857 if (setreuid(0, uid) < 0)
858 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
859 uid, getuid(), geteuid());
860 }
861 }
862 #endif
863 }
864
865 if (tTd(27, 9))
866 printf("include: new uid = %d/%d\n", getuid(), geteuid());
867
868 /*
869 ** If home directory is remote mounted but server is down,
870 ** this can hang or give errors; use a timeout to avoid this
871 */
872
873 if (setjmp(CtxIncludeTimeout) != 0)
874 {
875 ctladdr->q_flags |= QQUEUEUP;
876 errno = 0;
877
878 /* return pseudo-error code */
879 rval = EOPENTIMEOUT;
880 goto resetuid;
881 }
882 if (TimeOuts.to_fileopen > 0)
883 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
884 else
885 ev = NULL;
886
887 /* the input file must be marked safe */
888 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
889 if (rval != 0)
890 {
891 /* don't use this :include: file */
892 if (tTd(27, 4))
893 printf("include: not safe (uid=%d): %s\n",
894 uid, errstring(rval));
895 }
896 else
897 {
898 fp = fopen(fname, "r");
899 if (fp == NULL)
900 {
901 rval = errno;
902 if (tTd(27, 4))
903 printf("include: open: %s\n", errstring(rval));
904 }
905 }
906 if (ev != NULL)
907 clrevent(ev);
908
909 resetuid:
910
911 #ifdef HASSETREUID
912 if (saveduid == 0)
913 {
914 if (uid != 0)
915 {
916 if (setreuid(-1, 0) < 0)
917 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
918 getuid(), geteuid());
919 if (setreuid(RealUid, 0) < 0)
920 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
921 RealUid, getuid(), geteuid());
922 }
923 setgid(savedgid);
924 }
925 #endif
926
927 if (tTd(27, 9))
928 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
929
930 if (rval == EOPENTIMEOUT)
931 usrerr("451 open timeout on %s", fname);
932
933 if (fp == NULL)
934 return rval;
935
936 if (fstat(fileno(fp), &st) < 0)
937 {
938 rval = errno;
939 syserr("Cannot fstat %s!", fname);
940 return rval;
941 }
942
943 #ifndef safechown
944 safechown = chownsafe(fileno(fp));
945 #endif
946 if (ca == NULL && safechown)
947 {
948 ctladdr->q_uid = st.st_uid;
949 ctladdr->q_gid = st.st_gid;
950 ctladdr->q_flags |= QGOODUID;
951 }
952 if (ca != NULL && ca->q_uid == st.st_uid)
953 {
954 /* optimization -- avoid getpwuid if we already have info */
955 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
956 ctladdr->q_ruser = ca->q_ruser;
957 }
958 else
959 {
960 register struct passwd *pw;
961
962 pw = getpwuid(st.st_uid);
963 if (pw == NULL)
964 ctladdr->q_flags |= QBOGUSSHELL;
965 else
966 {
967 char *sh;
968
969 ctladdr->q_ruser = newstr(pw->pw_name);
970 if (safechown)
971 sh = pw->pw_shell;
972 else
973 sh = "/SENDMAIL/ANY/SHELL/";
974 if (!usershellok(sh))
975 {
976 if (safechown)
977 ctladdr->q_flags |= QBOGUSSHELL;
978 else
979 ctladdr->q_flags |= QUNSAFEADDR;
980 }
981 }
982 }
983
984 if (bitset(EF_VRFYONLY, e->e_flags))
985 {
986 /* don't do any more now */
987 ctladdr->q_flags |= QVERIFIED;
988 e->e_nrcpts++;
989 xfclose(fp, "include", fname);
990 return rval;
991 }
992
993 /*
994 ** Check to see if some bad guy can write this file
995 **
996 ** This should really do something clever with group
997 ** permissions; currently we just view world writable
998 ** as unsafe. Also, we don't check for writable
999 ** directories in the path. We've got to leave
1000 ** something for the local sysad to do.
1001 */
1002
1003 if (bitset(S_IWOTH, st.st_mode))
1004 ctladdr->q_flags |= QUNSAFEADDR;
1005
1006 /* read the file -- each line is a comma-separated list. */
1007 FileName = fname;
1008 LineNumber = 0;
1009 ctladdr->q_flags &= ~QSELFREF;
1010 nincludes = 0;
1011 while (fgets(buf, sizeof buf, fp) != NULL)
1012 {
1013 register char *p = strchr(buf, '\n');
1014
1015 LineNumber++;
1016 if (p != NULL)
1017 *p = '\0';
1018 if (buf[0] == '#' || buf[0] == '\0')
1019 continue;
1020 e->e_to = NULL;
1021 message("%s to %s",
1022 forwarding ? "forwarding" : "sending", buf);
1023 #ifdef LOG
1024 if (forwarding && LogLevel > 9)
1025 syslog(LOG_INFO, "%s: forward %s => %s",
1026 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1027 oldto, buf);
1028 #endif
1029
1030 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1031 }
1032
1033 if (ferror(fp) && tTd(27, 3))
1034 printf("include: read error: %s\n", errstring(errno));
1035 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1036 {
1037 if (tTd(27, 5))
1038 {
1039 printf("include: QDONTSEND ");
1040 printaddr(ctladdr, FALSE);
1041 }
1042 ctladdr->q_flags |= QDONTSEND;
1043 }
1044
1045 (void) xfclose(fp, "include", fname);
1046 FileName = oldfilename;
1047 LineNumber = oldlinenumber;
1048 e->e_to = oldto;
1049 return rval;
1050 }
1051
1052 static
1053 includetimeout()
1054 {
1055 longjmp(CtxIncludeTimeout, 1);
1056 }
1057 �/*
1058 ** SENDTOARGV -- send to an argument vector.
1059 **
1060 ** Parameters:
1061 ** argv -- argument vector to send to.
1062 ** e -- the current envelope.
1063 **
1064 ** Returns:
1065 ** none.
1066 **
1067 ** Side Effects:
1068 ** puts all addresses on the argument vector onto the
1069 ** send queue.
1070 */
1071
1072 sendtoargv(argv, e)
1073 register char **argv;
1074 register ENVELOPE *e;
1075 {
1076 register char *p;
1077
1078 while ((p = *argv++) != NULL)
1079 {
1080 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1081 }
1082 }
1083 �/*
1084 ** GETCTLADDR -- get controlling address from an address header.
1085 **
1086 ** If none, get one corresponding to the effective userid.
1087 **
1088 ** Parameters:
1089 ** a -- the address to find the controller of.
1090 **
1091 ** Returns:
1092 ** the controlling address.
1093 **
1094 ** Side Effects:
1095 ** none.
1096 */
1097
1098 ADDRESS *
1099 getctladdr(a)
1100 register ADDRESS *a;
1101 {
1102 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1103 a = a->q_alias;
1104 return (a);
1105 }
1106