1 /* 2 * Copyright (c) 1983 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.75 (Berkeley) 03/27/95"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 # include <pwd.h> 15 16 /* 17 ** SENDTOLIST -- Designate a send list. 18 ** 19 ** The parameter is a comma-separated list of people to send to. 20 ** This routine arranges to send to all of them. 21 ** 22 ** Parameters: 23 ** list -- the send list. 24 ** ctladdr -- the address template for the person to 25 ** send to -- effective uid/gid are important. 26 ** This is typically the alias that caused this 27 ** expansion. 28 ** sendq -- a pointer to the head of a queue to put 29 ** these people into. 30 ** aliaslevel -- the current alias nesting depth -- to 31 ** diagnose loops. 32 ** e -- the envelope in which to add these recipients. 33 ** 34 ** Returns: 35 ** The number of addresses actually on the list. 36 ** 37 ** Side Effects: 38 ** none. 39 */ 40 41 #define MAXRCRSN 10 /* maximum levels of alias recursion */ 42 43 /* q_flags bits inherited from ctladdr */ 44 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 45 46 int 47 sendtolist(list, ctladdr, sendq, aliaslevel, e) 48 char *list; 49 ADDRESS *ctladdr; 50 ADDRESS **sendq; 51 int aliaslevel; 52 register ENVELOPE *e; 53 { 54 register char *p; 55 register ADDRESS *al; /* list of addresses to send to */ 56 bool firstone; /* set on first address sent */ 57 char delimiter; /* the address delimiter */ 58 int naddrs; 59 int i; 60 char *oldto = e->e_to; 61 char *bufp; 62 char buf[MAXNAME + 1]; 63 64 if (list == NULL) 65 { 66 syserr("sendtolist: null list"); 67 return 0; 68 } 69 70 if (tTd(25, 1)) 71 { 72 printf("sendto: %s\n ctladdr=", list); 73 printaddr(ctladdr, FALSE); 74 } 75 76 /* heuristic to determine old versus new style addresses */ 77 if (ctladdr == NULL && 78 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 79 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 80 e->e_flags &= ~EF_OLDSTYLE; 81 delimiter = ' '; 82 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 83 delimiter = ','; 84 85 firstone = TRUE; 86 al = NULL; 87 naddrs = 0; 88 89 /* make sure we have enough space to copy the string */ 90 i = strlen(list) + 1; 91 if (i <= sizeof buf) 92 bufp = buf; 93 else 94 bufp = xalloc(i); 95 strcpy(bufp, denlstring(list, FALSE, TRUE)); 96 97 for (p = bufp; *p != '\0'; ) 98 { 99 auto char *delimptr; 100 register ADDRESS *a; 101 102 /* parse the address */ 103 while ((isascii(*p) && isspace(*p)) || *p == ',') 104 p++; 105 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 106 p = delimptr; 107 if (a == NULL) 108 continue; 109 a->q_next = al; 110 a->q_alias = ctladdr; 111 112 /* arrange to inherit attributes from parent */ 113 if (ctladdr != NULL) 114 { 115 /* self reference test */ 116 if (sameaddr(ctladdr, a)) 117 ctladdr->q_flags |= QSELFREF; 118 119 /* full name */ 120 if (a->q_fullname == NULL) 121 a->q_fullname = ctladdr->q_fullname; 122 123 /* various flag bits */ 124 a->q_flags &= ~QINHERITEDBITS; 125 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 126 127 /* original recipient information */ 128 a->q_orcpt = ctladdr->q_orcpt; 129 } 130 131 al = a; 132 firstone = FALSE; 133 } 134 135 /* arrange to send to everyone on the local send list */ 136 while (al != NULL) 137 { 138 register ADDRESS *a = al; 139 140 al = a->q_next; 141 a = recipient(a, sendq, aliaslevel, e); 142 naddrs++; 143 } 144 145 e->e_to = oldto; 146 if (bufp != buf) 147 free(bufp); 148 return (naddrs); 149 } 150 /* 151 ** RECIPIENT -- Designate a message recipient 152 ** 153 ** Saves the named person for future mailing. 154 ** 155 ** Parameters: 156 ** a -- the (preparsed) address header for the recipient. 157 ** sendq -- a pointer to the head of a queue to put the 158 ** recipient in. Duplicate supression is done 159 ** in this queue. 160 ** aliaslevel -- the current alias nesting depth. 161 ** e -- the current envelope. 162 ** 163 ** Returns: 164 ** The actual address in the queue. This will be "a" if 165 ** the address is not a duplicate, else the original address. 166 ** 167 ** Side Effects: 168 ** none. 169 */ 170 171 ADDRESS * 172 recipient(a, sendq, aliaslevel, e) 173 register ADDRESS *a; 174 register ADDRESS **sendq; 175 int aliaslevel; 176 register ENVELOPE *e; 177 { 178 register ADDRESS *q; 179 ADDRESS **pq; 180 register struct mailer *m; 181 register char *p; 182 bool quoted = FALSE; /* set if the addr has a quote bit */ 183 int findusercount = 0; 184 bool initialdontsend = bitset(QDONTSEND, a->q_flags); 185 int i; 186 char *buf; 187 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 188 extern int safefile(); 189 190 e->e_to = a->q_paddr; 191 m = a->q_mailer; 192 errno = 0; 193 if (aliaslevel == 0) 194 a->q_flags |= QPRIMARY; 195 if (tTd(26, 1)) 196 { 197 printf("\nrecipient (%d): ", aliaslevel); 198 printaddr(a, FALSE); 199 } 200 201 /* if this is primary, add it to the original recipient list */ 202 if (a->q_alias == NULL) 203 { 204 if (e->e_origrcpt == NULL) 205 e->e_origrcpt = a->q_paddr; 206 else if (e->e_origrcpt != a->q_paddr) 207 e->e_origrcpt = ""; 208 } 209 210 /* break aliasing loops */ 211 if (aliaslevel > MAXRCRSN) 212 { 213 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max", 214 aliaslevel, MAXRCRSN); 215 return (a); 216 } 217 218 /* 219 ** Finish setting up address structure. 220 */ 221 222 /* get unquoted user for file, program or user.name check */ 223 i = strlen(a->q_user); 224 if (i >= sizeof buf0) 225 buf = xalloc(i + 1); 226 else 227 buf = buf0; 228 (void) strcpy(buf, a->q_user); 229 for (p = buf; *p != '\0' && !quoted; p++) 230 { 231 if (*p == '\\') 232 quoted = TRUE; 233 } 234 stripquotes(buf); 235 236 /* check for direct mailing to restricted mailers */ 237 if (m == ProgMailer) 238 { 239 if (a->q_alias == NULL) 240 { 241 a->q_flags |= QBADADDR; 242 usrerr("550 Cannot mail directly to programs"); 243 } 244 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 245 { 246 a->q_flags |= QBADADDR; 247 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 248 a->q_alias->q_ruser, MyHostName); 249 } 250 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 251 { 252 a->q_flags |= QBADADDR; 253 usrerr("550 Address %s is unsafe for mailing to programs", 254 a->q_alias->q_paddr); 255 } 256 } 257 258 /* 259 ** Look up this person in the recipient list. 260 ** If they are there already, return, otherwise continue. 261 ** If the list is empty, just add it. Notice the cute 262 ** hack to make from addresses suppress things correctly: 263 ** the QDONTSEND bit will be set in the send list. 264 ** [Please note: the emphasis is on "hack."] 265 */ 266 267 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 268 { 269 if (sameaddr(q, a)) 270 { 271 if (tTd(26, 1)) 272 { 273 printf("%s in sendq: ", a->q_paddr); 274 printaddr(q, FALSE); 275 } 276 if (!bitset(QPRIMARY, q->q_flags)) 277 { 278 if (!bitset(QDONTSEND, a->q_flags)) 279 message("duplicate suppressed"); 280 q->q_flags |= a->q_flags; 281 } 282 else if (bitset(QSELFREF, q->q_flags)) 283 q->q_flags |= a->q_flags & ~QDONTSEND; 284 a = q; 285 goto done; 286 } 287 } 288 289 /* add address on list */ 290 *pq = a; 291 a->q_next = NULL; 292 293 /* 294 ** Alias the name and handle special mailer types. 295 */ 296 297 trylocaluser: 298 if (tTd(29, 7)) 299 printf("at trylocaluser %s\n", a->q_user); 300 301 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 302 goto testselfdestruct; 303 304 if (m == InclMailer) 305 { 306 a->q_flags |= QDONTSEND; 307 if (a->q_alias == NULL) 308 { 309 a->q_flags |= QBADADDR; 310 usrerr("550 Cannot mail directly to :include:s"); 311 } 312 else 313 { 314 int ret; 315 316 message("including file %s", a->q_user); 317 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e); 318 if (transienterror(ret)) 319 { 320 #ifdef LOG 321 if (LogLevel > 2) 322 syslog(LOG_ERR, "%s: include %s: transient error: %s", 323 e->e_id == NULL ? "NOQUEUE" : e->e_id, 324 a->q_user, errstring(ret)); 325 #endif 326 a->q_flags |= QQUEUEUP; 327 a->q_flags &= ~QDONTSEND; 328 usrerr("451 Cannot open %s: %s", 329 a->q_user, errstring(ret)); 330 } 331 else if (ret != 0) 332 { 333 a->q_flags |= QBADADDR; 334 usrerr("550 Cannot open %s: %s", 335 a->q_user, errstring(ret)); 336 } 337 } 338 } 339 else if (m == FileMailer) 340 { 341 extern bool writable(); 342 343 /* check if writable or creatable */ 344 if (a->q_alias == NULL) 345 { 346 a->q_flags |= QBADADDR; 347 usrerr("550 Cannot mail directly to files"); 348 } 349 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 350 { 351 a->q_flags |= QBADADDR; 352 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 353 a->q_alias->q_ruser, MyHostName); 354 } 355 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 356 { 357 a->q_flags |= QBADADDR; 358 usrerr("550 Address %s is unsafe for mailing to files", 359 a->q_alias->q_paddr); 360 } 361 else if (!writable(buf, getctladdr(a), SFF_CREAT)) 362 { 363 a->q_flags |= QBADADDR; 364 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, 365 (time_t) 0, e); 366 } 367 } 368 369 /* try aliasing */ 370 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags)) 371 alias(a, sendq, aliaslevel, e); 372 373 # ifdef USERDB 374 /* if not aliased, look it up in the user database */ 375 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) && 376 bitnset(M_CHECKUDB, m->m_flags)) 377 { 378 extern int udbexpand(); 379 380 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL) 381 { 382 a->q_flags |= QQUEUEUP; 383 if (e->e_message == NULL) 384 e->e_message = newstr("Deferred: user database error"); 385 # ifdef LOG 386 if (LogLevel > 8) 387 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 388 e->e_id == NULL ? "NOQUEUE" : e->e_id, 389 errstring(errno)); 390 # endif 391 message("queued (user database error): %s", 392 errstring(errno)); 393 e->e_nrcpts++; 394 goto testselfdestruct; 395 } 396 } 397 # endif 398 399 /* 400 ** If we have a level two config file, then pass the name through 401 ** Ruleset 5 before sending it off. Ruleset 5 has the right 402 ** to send rewrite it to another mailer. This gives us a hook 403 ** after local aliasing has been done. 404 */ 405 406 if (tTd(29, 5)) 407 { 408 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 409 ConfigLevel, RewriteRules[5]); 410 printaddr(a, FALSE); 411 } 412 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 413 ConfigLevel >= 2 && RewriteRules[5] != NULL && 414 bitnset(M_TRYRULESET5, m->m_flags)) 415 { 416 maplocaluser(a, sendq, aliaslevel + 1, e); 417 } 418 419 /* 420 ** If it didn't get rewritten to another mailer, go ahead 421 ** and deliver it. 422 */ 423 424 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 425 bitnset(M_HASPWENT, m->m_flags)) 426 { 427 auto bool fuzzy; 428 register struct passwd *pw; 429 extern struct passwd *finduser(); 430 431 /* warning -- finduser may trash buf */ 432 pw = finduser(buf, &fuzzy); 433 if (pw == NULL) 434 { 435 a->q_flags |= QBADADDR; 436 giveresponse(EX_NOUSER, m, NULL, a->q_alias, 437 (time_t) 0, e); 438 } 439 else 440 { 441 char nbuf[MAXNAME + 1]; 442 443 if (fuzzy) 444 { 445 /* name was a fuzzy match */ 446 a->q_user = newstr(pw->pw_name); 447 if (findusercount++ > 3) 448 { 449 a->q_flags |= QBADADDR; 450 usrerr("554 aliasing/forwarding loop for %s broken", 451 pw->pw_name); 452 goto done; 453 } 454 455 /* see if it aliases */ 456 (void) strcpy(buf, pw->pw_name); 457 goto trylocaluser; 458 } 459 if (strcmp(pw->pw_dir, "/") == 0) 460 a->q_home = ""; 461 else 462 a->q_home = newstr(pw->pw_dir); 463 a->q_uid = pw->pw_uid; 464 a->q_gid = pw->pw_gid; 465 a->q_ruser = newstr(pw->pw_name); 466 a->q_flags |= QGOODUID; 467 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 468 if (nbuf[0] != '\0') 469 a->q_fullname = newstr(nbuf); 470 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 471 !usershellok(pw->pw_shell)) 472 { 473 a->q_flags |= QBOGUSSHELL; 474 } 475 if (!quoted) 476 forward(a, sendq, aliaslevel, e); 477 } 478 } 479 if (!bitset(QDONTSEND, a->q_flags)) 480 e->e_nrcpts++; 481 482 testselfdestruct: 483 a->q_flags |= QTHISPASS; 484 if (tTd(26, 8)) 485 { 486 printf("testselfdestruct: "); 487 printaddr(a, FALSE); 488 if (tTd(26, 10)) 489 { 490 printf("SENDQ:\n"); 491 printaddr(*sendq, TRUE); 492 printf("----\n"); 493 } 494 } 495 if (a->q_alias == NULL && a != &e->e_from && 496 bitset(QDONTSEND, a->q_flags)) 497 { 498 for (q = *sendq; q != NULL; q = q->q_next) 499 { 500 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) && 501 bitset(QTHISPASS, q->q_flags)) 502 break; 503 } 504 if (q == NULL) 505 { 506 a->q_flags |= QBADADDR; 507 usrerr("554 aliasing/forwarding loop broken"); 508 } 509 } 510 511 done: 512 a->q_flags |= QTHISPASS; 513 if (buf != buf0) 514 free(buf); 515 516 /* 517 ** If we are at the top level, check to see if this has 518 ** expanded to exactly one address. If so, it can inherit 519 ** the primaryness of the address. 520 ** 521 ** While we're at it, clear the QTHISPASS bits. 522 */ 523 524 if (aliaslevel == 0) 525 { 526 int nrcpts = 0; 527 ADDRESS *only; 528 529 for (q = *sendq; q != NULL; q = q->q_next) 530 { 531 if (bitset(QTHISPASS, q->q_flags) && 532 !bitset(QDONTSEND|QBADADDR, q->q_flags)) 533 { 534 nrcpts++; 535 only = q; 536 } 537 q->q_flags &= ~QTHISPASS; 538 } 539 if (nrcpts == 1) 540 only->q_flags |= QPRIMARY; 541 else if (!initialdontsend) 542 { 543 /* arrange for return receipt */ 544 e->e_flags |= EF_SENDRECEIPT; 545 a->q_flags |= QEXPLODED; 546 if (e->e_xfp != NULL) 547 fprintf(e->e_xfp, 548 "%s... expanded to multiple addresses\n", 549 a->q_paddr); 550 } 551 } 552 553 return (a); 554 } 555 /* 556 ** FINDUSER -- find the password entry for a user. 557 ** 558 ** This looks a lot like getpwnam, except that it may want to 559 ** do some fancier pattern matching in /etc/passwd. 560 ** 561 ** This routine contains most of the time of many sendmail runs. 562 ** It deserves to be optimized. 563 ** 564 ** Parameters: 565 ** name -- the name to match against. 566 ** fuzzyp -- an outarg that is set to TRUE if this entry 567 ** was found using the fuzzy matching algorithm; 568 ** set to FALSE otherwise. 569 ** 570 ** Returns: 571 ** A pointer to a pw struct. 572 ** NULL if name is unknown or ambiguous. 573 ** 574 ** Side Effects: 575 ** may modify name. 576 */ 577 578 struct passwd * 579 finduser(name, fuzzyp) 580 char *name; 581 bool *fuzzyp; 582 { 583 register struct passwd *pw; 584 register char *p; 585 extern struct passwd *getpwent(); 586 extern struct passwd *getpwnam(); 587 588 if (tTd(29, 4)) 589 printf("finduser(%s): ", name); 590 591 *fuzzyp = FALSE; 592 593 #ifdef HESIOD 594 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 595 for (p = name; *p != '\0'; p++) 596 if (!isascii(*p) || !isdigit(*p)) 597 break; 598 if (*p == '\0') 599 { 600 if (tTd(29, 4)) 601 printf("failed (numeric input)\n"); 602 return NULL; 603 } 604 #endif 605 606 /* look up this login name using fast path */ 607 if ((pw = getpwnam(name)) != NULL) 608 { 609 if (tTd(29, 4)) 610 printf("found (non-fuzzy)\n"); 611 return (pw); 612 } 613 614 #ifdef MATCHGECOS 615 /* see if fuzzy matching allowed */ 616 if (!MatchGecos) 617 { 618 if (tTd(29, 4)) 619 printf("not found (fuzzy disabled)\n"); 620 return NULL; 621 } 622 623 /* search for a matching full name instead */ 624 for (p = name; *p != '\0'; p++) 625 { 626 if (*p == (SpaceSub & 0177) || *p == '_') 627 *p = ' '; 628 } 629 (void) setpwent(); 630 while ((pw = getpwent()) != NULL) 631 { 632 char buf[MAXNAME + 1]; 633 634 buildfname(pw->pw_gecos, pw->pw_name, buf); 635 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 636 { 637 if (tTd(29, 4)) 638 printf("fuzzy matches %s\n", pw->pw_name); 639 message("sending to login name %s", pw->pw_name); 640 *fuzzyp = TRUE; 641 return (pw); 642 } 643 } 644 if (tTd(29, 4)) 645 printf("no fuzzy match found\n"); 646 #else 647 if (tTd(29, 4)) 648 printf("not found (fuzzy disabled)\n"); 649 #endif 650 return (NULL); 651 } 652 /* 653 ** WRITABLE -- predicate returning if the file is writable. 654 ** 655 ** This routine must duplicate the algorithm in sys/fio.c. 656 ** Unfortunately, we cannot use the access call since we 657 ** won't necessarily be the real uid when we try to 658 ** actually open the file. 659 ** 660 ** Notice that ANY file with ANY execute bit is automatically 661 ** not writable. This is also enforced by mailfile. 662 ** 663 ** Parameters: 664 ** filename -- the file name to check. 665 ** ctladdr -- the controlling address for this file. 666 ** flags -- SFF_* flags to control the function. 667 ** 668 ** Returns: 669 ** TRUE -- if we will be able to write this file. 670 ** FALSE -- if we cannot write this file. 671 ** 672 ** Side Effects: 673 ** none. 674 */ 675 676 bool 677 writable(filename, ctladdr, flags) 678 char *filename; 679 ADDRESS *ctladdr; 680 int flags; 681 { 682 uid_t euid; 683 gid_t egid; 684 int bits; 685 register char *p; 686 char *uname; 687 688 if (tTd(29, 5)) 689 printf("writable(%s, %x)\n", filename, flags); 690 691 #ifdef SUID_ROOT_FILES_OK 692 /* really ought to be passed down -- and not a good idea */ 693 flags |= SFF_ROOTOK; 694 #endif 695 696 /* 697 ** File does exist -- check that it is writable. 698 */ 699 700 if (ctladdr != NULL && geteuid() == 0) 701 { 702 euid = ctladdr->q_uid; 703 egid = ctladdr->q_gid; 704 uname = ctladdr->q_user; 705 } 706 #ifdef RUN_AS_REAL_UID 707 else 708 { 709 extern char RealUserName[]; 710 711 euid = RealUid; 712 egid = RealGid; 713 uname = RealUserName; 714 } 715 #else 716 else if (FileMailer != NULL) 717 { 718 euid = FileMailer->m_uid; 719 egid = FileMailer->m_gid; 720 } 721 else 722 { 723 euid = egid = 0; 724 } 725 #endif 726 if (euid == 0) 727 { 728 euid = DefUid; 729 uname = DefUser; 730 } 731 if (egid == 0) 732 egid = DefGid; 733 if (geteuid() == 0) 734 flags |= SFF_SETUIDOK; 735 736 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL); 737 return errno == 0; 738 } 739 /* 740 ** INCLUDE -- handle :include: specification. 741 ** 742 ** Parameters: 743 ** fname -- filename to include. 744 ** forwarding -- if TRUE, we are reading a .forward file. 745 ** if FALSE, it's a :include: file. 746 ** ctladdr -- address template to use to fill in these 747 ** addresses -- effective user/group id are 748 ** the important things. 749 ** sendq -- a pointer to the head of the send queue 750 ** to put these addresses in. 751 ** aliaslevel -- the alias nesting depth. 752 ** e -- the current envelope. 753 ** 754 ** Returns: 755 ** open error status 756 ** 757 ** Side Effects: 758 ** reads the :include: file and sends to everyone 759 ** listed in that file. 760 ** 761 ** Security Note: 762 ** If you have restricted chown (that is, you can't 763 ** give a file away), it is reasonable to allow programs 764 ** and files called from this :include: file to be to be 765 ** run as the owner of the :include: file. This is bogus 766 ** if there is any chance of someone giving away a file. 767 ** We assume that pre-POSIX systems can give away files. 768 ** 769 ** There is an additional restriction that if you 770 ** forward to a :include: file, it will not take on 771 ** the ownership of the :include: file. This may not 772 ** be necessary, but shouldn't hurt. 773 */ 774 775 static jmp_buf CtxIncludeTimeout; 776 static void includetimeout(); 777 778 int 779 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 780 char *fname; 781 bool forwarding; 782 ADDRESS *ctladdr; 783 ADDRESS **sendq; 784 int aliaslevel; 785 ENVELOPE *e; 786 { 787 FILE *fp = NULL; 788 char *oldto = e->e_to; 789 char *oldfilename = FileName; 790 int oldlinenumber = LineNumber; 791 register EVENT *ev = NULL; 792 int nincludes; 793 register ADDRESS *ca; 794 uid_t saveduid, uid; 795 gid_t savedgid, gid; 796 char *uname; 797 int rval = 0; 798 int sfflags = SFF_REGONLY; 799 struct stat st; 800 char buf[MAXLINE]; 801 #ifdef _POSIX_CHOWN_RESTRICTED 802 # if _POSIX_CHOWN_RESTRICTED == -1 803 # define safechown FALSE 804 # else 805 # define safechown TRUE 806 # endif 807 #else 808 # ifdef _PC_CHOWN_RESTRICTED 809 bool safechown; 810 # else 811 # ifdef BSD 812 # define safechown TRUE 813 # else 814 # define safechown FALSE 815 # endif 816 # endif 817 #endif 818 extern bool chownsafe(); 819 820 if (tTd(27, 2)) 821 printf("include(%s)\n", fname); 822 if (tTd(27, 4)) 823 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 824 if (tTd(27, 14)) 825 { 826 printf("ctladdr "); 827 printaddr(ctladdr, FALSE); 828 } 829 830 if (tTd(27, 9)) 831 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 832 833 if (forwarding) 834 sfflags |= SFF_MUSTOWN; 835 836 ca = getctladdr(ctladdr); 837 if (ca == NULL) 838 { 839 uid = DefUid; 840 gid = DefGid; 841 uname = DefUser; 842 } 843 else 844 { 845 uid = ca->q_uid; 846 gid = ca->q_gid; 847 uname = ca->q_user; 848 } 849 #ifdef HASSETREUID 850 saveduid = geteuid(); 851 savedgid = getegid(); 852 if (saveduid == 0) 853 { 854 initgroups(uname, gid); 855 if (uid != 0) 856 { 857 if (setreuid(0, uid) < 0) 858 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 859 uid, getuid(), geteuid()); 860 else 861 sfflags |= SFF_NOPATHCHECK; 862 } 863 } 864 #endif 865 866 if (tTd(27, 9)) 867 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 868 869 /* 870 ** If home directory is remote mounted but server is down, 871 ** this can hang or give errors; use a timeout to avoid this 872 */ 873 874 if (setjmp(CtxIncludeTimeout) != 0) 875 { 876 ctladdr->q_flags |= QQUEUEUP; 877 errno = 0; 878 879 /* return pseudo-error code */ 880 rval = EOPENTIMEOUT; 881 goto resetuid; 882 } 883 if (TimeOuts.to_fileopen > 0) 884 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0); 885 else 886 ev = NULL; 887 888 /* the input file must be marked safe */ 889 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL); 890 if (rval != 0) 891 { 892 /* don't use this :include: file */ 893 if (tTd(27, 4)) 894 printf("include: not safe (uid=%d): %s\n", 895 uid, errstring(rval)); 896 } 897 else 898 { 899 fp = fopen(fname, "r"); 900 if (fp == NULL) 901 { 902 rval = errno; 903 if (tTd(27, 4)) 904 printf("include: open: %s\n", errstring(rval)); 905 } 906 } 907 if (ev != NULL) 908 clrevent(ev); 909 910 resetuid: 911 912 #ifdef HASSETREUID 913 if (saveduid == 0) 914 { 915 if (uid != 0) 916 { 917 if (setreuid(-1, 0) < 0) 918 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", 919 getuid(), geteuid()); 920 if (setreuid(RealUid, 0) < 0) 921 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 922 RealUid, getuid(), geteuid()); 923 } 924 setgid(savedgid); 925 } 926 #endif 927 928 if (tTd(27, 9)) 929 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 930 931 if (rval == EOPENTIMEOUT) 932 usrerr("451 open timeout on %s", fname); 933 934 if (fp == NULL) 935 return rval; 936 937 if (fstat(fileno(fp), &st) < 0) 938 { 939 rval = errno; 940 syserr("Cannot fstat %s!", fname); 941 return rval; 942 } 943 944 #ifndef safechown 945 safechown = chownsafe(fileno(fp)); 946 #endif 947 if (ca == NULL && safechown) 948 { 949 ctladdr->q_uid = st.st_uid; 950 ctladdr->q_gid = st.st_gid; 951 ctladdr->q_flags |= QGOODUID; 952 } 953 if (ca != NULL && ca->q_uid == st.st_uid) 954 { 955 /* optimization -- avoid getpwuid if we already have info */ 956 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 957 ctladdr->q_ruser = ca->q_ruser; 958 } 959 else 960 { 961 register struct passwd *pw; 962 963 pw = getpwuid(st.st_uid); 964 if (pw == NULL) 965 ctladdr->q_flags |= QBOGUSSHELL; 966 else 967 { 968 char *sh; 969 970 ctladdr->q_ruser = newstr(pw->pw_name); 971 if (safechown) 972 sh = pw->pw_shell; 973 else 974 sh = "/SENDMAIL/ANY/SHELL/"; 975 if (!usershellok(sh)) 976 { 977 if (safechown) 978 ctladdr->q_flags |= QBOGUSSHELL; 979 else 980 ctladdr->q_flags |= QUNSAFEADDR; 981 } 982 } 983 } 984 985 if (bitset(EF_VRFYONLY, e->e_flags)) 986 { 987 /* don't do any more now */ 988 ctladdr->q_flags |= QVERIFIED; 989 e->e_nrcpts++; 990 xfclose(fp, "include", fname); 991 return rval; 992 } 993 994 /* 995 ** Check to see if some bad guy can write this file 996 ** 997 ** This should really do something clever with group 998 ** permissions; currently we just view world writable 999 ** as unsafe. Also, we don't check for writable 1000 ** directories in the path. We've got to leave 1001 ** something for the local sysad to do. 1002 */ 1003 1004 if (bitset(S_IWOTH, st.st_mode)) 1005 ctladdr->q_flags |= QUNSAFEADDR; 1006 1007 /* read the file -- each line is a comma-separated list. */ 1008 FileName = fname; 1009 LineNumber = 0; 1010 ctladdr->q_flags &= ~QSELFREF; 1011 nincludes = 0; 1012 while (fgets(buf, sizeof buf, fp) != NULL) 1013 { 1014 register char *p = strchr(buf, '\n'); 1015 1016 LineNumber++; 1017 if (p != NULL) 1018 *p = '\0'; 1019 if (buf[0] == '#' || buf[0] == '\0') 1020 continue; 1021 e->e_to = NULL; 1022 message("%s to %s", 1023 forwarding ? "forwarding" : "sending", buf); 1024 #ifdef LOG 1025 if (forwarding && LogLevel > 9) 1026 syslog(LOG_INFO, "%s: forward %s => %s", 1027 e->e_id == NULL ? "NOQUEUE" : e->e_id, 1028 oldto, buf); 1029 #endif 1030 1031 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1032 } 1033 1034 if (ferror(fp) && tTd(27, 3)) 1035 printf("include: read error: %s\n", errstring(errno)); 1036 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1037 { 1038 if (tTd(27, 5)) 1039 { 1040 printf("include: QDONTSEND "); 1041 printaddr(ctladdr, FALSE); 1042 } 1043 ctladdr->q_flags |= QDONTSEND; 1044 } 1045 1046 (void) xfclose(fp, "include", fname); 1047 FileName = oldfilename; 1048 LineNumber = oldlinenumber; 1049 e->e_to = oldto; 1050 return rval; 1051 } 1052 1053 static void 1054 includetimeout() 1055 { 1056 longjmp(CtxIncludeTimeout, 1); 1057 } 1058 /* 1059 ** SENDTOARGV -- send to an argument vector. 1060 ** 1061 ** Parameters: 1062 ** argv -- argument vector to send to. 1063 ** e -- the current envelope. 1064 ** 1065 ** Returns: 1066 ** none. 1067 ** 1068 ** Side Effects: 1069 ** puts all addresses on the argument vector onto the 1070 ** send queue. 1071 */ 1072 1073 sendtoargv(argv, e) 1074 register char **argv; 1075 register ENVELOPE *e; 1076 { 1077 register char *p; 1078 1079 while ((p = *argv++) != NULL) 1080 { 1081 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1082 } 1083 } 1084 /* 1085 ** GETCTLADDR -- get controlling address from an address header. 1086 ** 1087 ** If none, get one corresponding to the effective userid. 1088 ** 1089 ** Parameters: 1090 ** a -- the address to find the controller of. 1091 ** 1092 ** Returns: 1093 ** the controlling address. 1094 ** 1095 ** Side Effects: 1096 ** none. 1097 */ 1098 1099 ADDRESS * 1100 getctladdr(a) 1101 register ADDRESS *a; 1102 { 1103 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1104 a = a->q_alias; 1105 return (a); 1106 } 1107