1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.75 (Berkeley) 03/27/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** aliaslevel -- the current alias nesting depth -- to
31 ** diagnose loops.
32 ** e -- the envelope in which to add these recipients.
33 **
34 ** Returns:
35 ** The number of addresses actually on the list.
36 **
37 ** Side Effects:
38 ** none.
39 */
40
41 #define MAXRCRSN 10 /* maximum levels of alias recursion */
42
43 /* q_flags bits inherited from ctladdr */
44 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
45
46 int
47 sendtolist(list, ctladdr, sendq, aliaslevel, e)
48 char *list;
49 ADDRESS *ctladdr;
50 ADDRESS **sendq;
51 int aliaslevel;
52 register ENVELOPE *e;
53 {
54 register char *p;
55 register ADDRESS *al; /* list of addresses to send to */
56 bool firstone; /* set on first address sent */
57 char delimiter; /* the address delimiter */
58 int naddrs;
59 int i;
60 char *oldto = e->e_to;
61 char *bufp;
62 char buf[MAXNAME + 1];
63
64 if (list == NULL)
65 {
66 syserr("sendtolist: null list");
67 return 0;
68 }
69
70 if (tTd(25, 1))
71 {
72 printf("sendto: %s\n ctladdr=", list);
73 printaddr(ctladdr, FALSE);
74 }
75
76 /* heuristic to determine old versus new style addresses */
77 if (ctladdr == NULL &&
78 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
79 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
80 e->e_flags &= ~EF_OLDSTYLE;
81 delimiter = ' ';
82 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
83 delimiter = ',';
84
85 firstone = TRUE;
86 al = NULL;
87 naddrs = 0;
88
89 /* make sure we have enough space to copy the string */
90 i = strlen(list) + 1;
91 if (i <= sizeof buf)
92 bufp = buf;
93 else
94 bufp = xalloc(i);
95 strcpy(bufp, denlstring(list, FALSE, TRUE));
96
97 for (p = bufp; *p != '\0'; )
98 {
99 auto char *delimptr;
100 register ADDRESS *a;
101
102 /* parse the address */
103 while ((isascii(*p) && isspace(*p)) || *p == ',')
104 p++;
105 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
106 p = delimptr;
107 if (a == NULL)
108 continue;
109 a->q_next = al;
110 a->q_alias = ctladdr;
111
112 /* arrange to inherit attributes from parent */
113 if (ctladdr != NULL)
114 {
115 /* self reference test */
116 if (sameaddr(ctladdr, a))
117 ctladdr->q_flags |= QSELFREF;
118
119 /* full name */
120 if (a->q_fullname == NULL)
121 a->q_fullname = ctladdr->q_fullname;
122
123 /* various flag bits */
124 a->q_flags &= ~QINHERITEDBITS;
125 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
126
127 /* original recipient information */
128 a->q_orcpt = ctladdr->q_orcpt;
129 }
130
131 al = a;
132 firstone = FALSE;
133 }
134
135 /* arrange to send to everyone on the local send list */
136 while (al != NULL)
137 {
138 register ADDRESS *a = al;
139
140 al = a->q_next;
141 a = recipient(a, sendq, aliaslevel, e);
142 naddrs++;
143 }
144
145 e->e_to = oldto;
146 if (bufp != buf)
147 free(bufp);
148 return (naddrs);
149 }
150 �/*
151 ** RECIPIENT -- Designate a message recipient
152 **
153 ** Saves the named person for future mailing.
154 **
155 ** Parameters:
156 ** a -- the (preparsed) address header for the recipient.
157 ** sendq -- a pointer to the head of a queue to put the
158 ** recipient in. Duplicate supression is done
159 ** in this queue.
160 ** aliaslevel -- the current alias nesting depth.
161 ** e -- the current envelope.
162 **
163 ** Returns:
164 ** The actual address in the queue. This will be "a" if
165 ** the address is not a duplicate, else the original address.
166 **
167 ** Side Effects:
168 ** none.
169 */
170
171 ADDRESS *
172 recipient(a, sendq, aliaslevel, e)
173 register ADDRESS *a;
174 register ADDRESS **sendq;
175 int aliaslevel;
176 register ENVELOPE *e;
177 {
178 register ADDRESS *q;
179 ADDRESS **pq;
180 register struct mailer *m;
181 register char *p;
182 bool quoted = FALSE; /* set if the addr has a quote bit */
183 int findusercount = 0;
184 bool initialdontsend = bitset(QDONTSEND, a->q_flags);
185 int i;
186 char *buf;
187 char buf0[MAXNAME + 1]; /* unquoted image of the user name */
188 extern int safefile();
189
190 e->e_to = a->q_paddr;
191 m = a->q_mailer;
192 errno = 0;
193 if (aliaslevel == 0)
194 a->q_flags |= QPRIMARY;
195 if (tTd(26, 1))
196 {
197 printf("\nrecipient (%d): ", aliaslevel);
198 printaddr(a, FALSE);
199 }
200
201 /* if this is primary, add it to the original recipient list */
202 if (a->q_alias == NULL)
203 {
204 if (e->e_origrcpt == NULL)
205 e->e_origrcpt = a->q_paddr;
206 else if (e->e_origrcpt != a->q_paddr)
207 e->e_origrcpt = "";
208 }
209
210 /* break aliasing loops */
211 if (aliaslevel > MAXRCRSN)
212 {
213 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
214 aliaslevel, MAXRCRSN);
215 return (a);
216 }
217
218 /*
219 ** Finish setting up address structure.
220 */
221
222 /* get unquoted user for file, program or user.name check */
223 i = strlen(a->q_user);
224 if (i >= sizeof buf0)
225 buf = xalloc(i + 1);
226 else
227 buf = buf0;
228 (void) strcpy(buf, a->q_user);
229 for (p = buf; *p != '\0' && !quoted; p++)
230 {
231 if (*p == '\\')
232 quoted = TRUE;
233 }
234 stripquotes(buf);
235
236 /* check for direct mailing to restricted mailers */
237 if (m == ProgMailer)
238 {
239 if (a->q_alias == NULL)
240 {
241 a->q_flags |= QBADADDR;
242 usrerr("550 Cannot mail directly to programs");
243 }
244 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
245 {
246 a->q_flags |= QBADADDR;
247 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
248 a->q_alias->q_ruser, MyHostName);
249 }
250 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
251 {
252 a->q_flags |= QBADADDR;
253 usrerr("550 Address %s is unsafe for mailing to programs",
254 a->q_alias->q_paddr);
255 }
256 }
257
258 /*
259 ** Look up this person in the recipient list.
260 ** If they are there already, return, otherwise continue.
261 ** If the list is empty, just add it. Notice the cute
262 ** hack to make from addresses suppress things correctly:
263 ** the QDONTSEND bit will be set in the send list.
264 ** [Please note: the emphasis is on "hack."]
265 */
266
267 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
268 {
269 if (sameaddr(q, a))
270 {
271 if (tTd(26, 1))
272 {
273 printf("%s in sendq: ", a->q_paddr);
274 printaddr(q, FALSE);
275 }
276 if (!bitset(QPRIMARY, q->q_flags))
277 {
278 if (!bitset(QDONTSEND, a->q_flags))
279 message("duplicate suppressed");
280 q->q_flags |= a->q_flags;
281 }
282 else if (bitset(QSELFREF, q->q_flags))
283 q->q_flags |= a->q_flags & ~QDONTSEND;
284 a = q;
285 goto done;
286 }
287 }
288
289 /* add address on list */
290 *pq = a;
291 a->q_next = NULL;
292
293 /*
294 ** Alias the name and handle special mailer types.
295 */
296
297 trylocaluser:
298 if (tTd(29, 7))
299 printf("at trylocaluser %s\n", a->q_user);
300
301 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
302 goto testselfdestruct;
303
304 if (m == InclMailer)
305 {
306 a->q_flags |= QDONTSEND;
307 if (a->q_alias == NULL)
308 {
309 a->q_flags |= QBADADDR;
310 usrerr("550 Cannot mail directly to :include:s");
311 }
312 else
313 {
314 int ret;
315
316 message("including file %s", a->q_user);
317 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
318 if (transienterror(ret))
319 {
320 #ifdef LOG
321 if (LogLevel > 2)
322 syslog(LOG_ERR, "%s: include %s: transient error: %s",
323 e->e_id == NULL ? "NOQUEUE" : e->e_id,
324 a->q_user, errstring(ret));
325 #endif
326 a->q_flags |= QQUEUEUP;
327 a->q_flags &= ~QDONTSEND;
328 usrerr("451 Cannot open %s: %s",
329 a->q_user, errstring(ret));
330 }
331 else if (ret != 0)
332 {
333 a->q_flags |= QBADADDR;
334 usrerr("550 Cannot open %s: %s",
335 a->q_user, errstring(ret));
336 }
337 }
338 }
339 else if (m == FileMailer)
340 {
341 extern bool writable();
342
343 /* check if writable or creatable */
344 if (a->q_alias == NULL)
345 {
346 a->q_flags |= QBADADDR;
347 usrerr("550 Cannot mail directly to files");
348 }
349 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
350 {
351 a->q_flags |= QBADADDR;
352 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
353 a->q_alias->q_ruser, MyHostName);
354 }
355 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
356 {
357 a->q_flags |= QBADADDR;
358 usrerr("550 Address %s is unsafe for mailing to files",
359 a->q_alias->q_paddr);
360 }
361 else if (!writable(buf, getctladdr(a), SFF_CREAT))
362 {
363 a->q_flags |= QBADADDR;
364 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
365 (time_t) 0, e);
366 }
367 }
368
369 /* try aliasing */
370 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
371 alias(a, sendq, aliaslevel, e);
372
373 # ifdef USERDB
374 /* if not aliased, look it up in the user database */
375 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
376 bitnset(M_CHECKUDB, m->m_flags))
377 {
378 extern int udbexpand();
379
380 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
381 {
382 a->q_flags |= QQUEUEUP;
383 if (e->e_message == NULL)
384 e->e_message = newstr("Deferred: user database error");
385 # ifdef LOG
386 if (LogLevel > 8)
387 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
388 e->e_id == NULL ? "NOQUEUE" : e->e_id,
389 errstring(errno));
390 # endif
391 message("queued (user database error): %s",
392 errstring(errno));
393 e->e_nrcpts++;
394 goto testselfdestruct;
395 }
396 }
397 # endif
398
399 /*
400 ** If we have a level two config file, then pass the name through
401 ** Ruleset 5 before sending it off. Ruleset 5 has the right
402 ** to send rewrite it to another mailer. This gives us a hook
403 ** after local aliasing has been done.
404 */
405
406 if (tTd(29, 5))
407 {
408 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
409 ConfigLevel, RewriteRules[5]);
410 printaddr(a, FALSE);
411 }
412 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
413 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
414 bitnset(M_TRYRULESET5, m->m_flags))
415 {
416 maplocaluser(a, sendq, aliaslevel + 1, e);
417 }
418
419 /*
420 ** If it didn't get rewritten to another mailer, go ahead
421 ** and deliver it.
422 */
423
424 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
425 bitnset(M_HASPWENT, m->m_flags))
426 {
427 auto bool fuzzy;
428 register struct passwd *pw;
429 extern struct passwd *finduser();
430
431 /* warning -- finduser may trash buf */
432 pw = finduser(buf, &fuzzy);
433 if (pw == NULL)
434 {
435 a->q_flags |= QBADADDR;
436 giveresponse(EX_NOUSER, m, NULL, a->q_alias,
437 (time_t) 0, e);
438 }
439 else
440 {
441 char nbuf[MAXNAME + 1];
442
443 if (fuzzy)
444 {
445 /* name was a fuzzy match */
446 a->q_user = newstr(pw->pw_name);
447 if (findusercount++ > 3)
448 {
449 a->q_flags |= QBADADDR;
450 usrerr("554 aliasing/forwarding loop for %s broken",
451 pw->pw_name);
452 goto done;
453 }
454
455 /* see if it aliases */
456 (void) strcpy(buf, pw->pw_name);
457 goto trylocaluser;
458 }
459 if (strcmp(pw->pw_dir, "/") == 0)
460 a->q_home = "";
461 else
462 a->q_home = newstr(pw->pw_dir);
463 a->q_uid = pw->pw_uid;
464 a->q_gid = pw->pw_gid;
465 a->q_ruser = newstr(pw->pw_name);
466 a->q_flags |= QGOODUID;
467 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
468 if (nbuf[0] != '\0')
469 a->q_fullname = newstr(nbuf);
470 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
471 !usershellok(pw->pw_shell))
472 {
473 a->q_flags |= QBOGUSSHELL;
474 }
475 if (!quoted)
476 forward(a, sendq, aliaslevel, e);
477 }
478 }
479 if (!bitset(QDONTSEND, a->q_flags))
480 e->e_nrcpts++;
481
482 testselfdestruct:
483 a->q_flags |= QTHISPASS;
484 if (tTd(26, 8))
485 {
486 printf("testselfdestruct: ");
487 printaddr(a, FALSE);
488 if (tTd(26, 10))
489 {
490 printf("SENDQ:\n");
491 printaddr(*sendq, TRUE);
492 printf("----\n");
493 }
494 }
495 if (a->q_alias == NULL && a != &e->e_from &&
496 bitset(QDONTSEND, a->q_flags))
497 {
498 for (q = *sendq; q != NULL; q = q->q_next)
499 {
500 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) &&
501 bitset(QTHISPASS, q->q_flags))
502 break;
503 }
504 if (q == NULL)
505 {
506 a->q_flags |= QBADADDR;
507 usrerr("554 aliasing/forwarding loop broken");
508 }
509 }
510
511 done:
512 a->q_flags |= QTHISPASS;
513 if (buf != buf0)
514 free(buf);
515
516 /*
517 ** If we are at the top level, check to see if this has
518 ** expanded to exactly one address. If so, it can inherit
519 ** the primaryness of the address.
520 **
521 ** While we're at it, clear the QTHISPASS bits.
522 */
523
524 if (aliaslevel == 0)
525 {
526 int nrcpts = 0;
527 ADDRESS *only;
528
529 for (q = *sendq; q != NULL; q = q->q_next)
530 {
531 if (bitset(QTHISPASS, q->q_flags) &&
532 !bitset(QDONTSEND|QBADADDR, q->q_flags))
533 {
534 nrcpts++;
535 only = q;
536 }
537 q->q_flags &= ~QTHISPASS;
538 }
539 if (nrcpts == 1)
540 only->q_flags |= QPRIMARY;
541 else if (!initialdontsend)
542 {
543 /* arrange for return receipt */
544 e->e_flags |= EF_SENDRECEIPT;
545 a->q_flags |= QEXPLODED;
546 if (e->e_xfp != NULL)
547 fprintf(e->e_xfp,
548 "%s... expanded to multiple addresses\n",
549 a->q_paddr);
550 }
551 }
552
553 return (a);
554 }
555 �/*
556 ** FINDUSER -- find the password entry for a user.
557 **
558 ** This looks a lot like getpwnam, except that it may want to
559 ** do some fancier pattern matching in /etc/passwd.
560 **
561 ** This routine contains most of the time of many sendmail runs.
562 ** It deserves to be optimized.
563 **
564 ** Parameters:
565 ** name -- the name to match against.
566 ** fuzzyp -- an outarg that is set to TRUE if this entry
567 ** was found using the fuzzy matching algorithm;
568 ** set to FALSE otherwise.
569 **
570 ** Returns:
571 ** A pointer to a pw struct.
572 ** NULL if name is unknown or ambiguous.
573 **
574 ** Side Effects:
575 ** may modify name.
576 */
577
578 struct passwd *
579 finduser(name, fuzzyp)
580 char *name;
581 bool *fuzzyp;
582 {
583 register struct passwd *pw;
584 register char *p;
585 extern struct passwd *getpwent();
586 extern struct passwd *getpwnam();
587
588 if (tTd(29, 4))
589 printf("finduser(%s): ", name);
590
591 *fuzzyp = FALSE;
592
593 #ifdef HESIOD
594 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
595 for (p = name; *p != '\0'; p++)
596 if (!isascii(*p) || !isdigit(*p))
597 break;
598 if (*p == '\0')
599 {
600 if (tTd(29, 4))
601 printf("failed (numeric input)\n");
602 return NULL;
603 }
604 #endif
605
606 /* look up this login name using fast path */
607 if ((pw = getpwnam(name)) != NULL)
608 {
609 if (tTd(29, 4))
610 printf("found (non-fuzzy)\n");
611 return (pw);
612 }
613
614 #ifdef MATCHGECOS
615 /* see if fuzzy matching allowed */
616 if (!MatchGecos)
617 {
618 if (tTd(29, 4))
619 printf("not found (fuzzy disabled)\n");
620 return NULL;
621 }
622
623 /* search for a matching full name instead */
624 for (p = name; *p != '\0'; p++)
625 {
626 if (*p == (SpaceSub & 0177) || *p == '_')
627 *p = ' ';
628 }
629 (void) setpwent();
630 while ((pw = getpwent()) != NULL)
631 {
632 char buf[MAXNAME + 1];
633
634 buildfname(pw->pw_gecos, pw->pw_name, buf);
635 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
636 {
637 if (tTd(29, 4))
638 printf("fuzzy matches %s\n", pw->pw_name);
639 message("sending to login name %s", pw->pw_name);
640 *fuzzyp = TRUE;
641 return (pw);
642 }
643 }
644 if (tTd(29, 4))
645 printf("no fuzzy match found\n");
646 #else
647 if (tTd(29, 4))
648 printf("not found (fuzzy disabled)\n");
649 #endif
650 return (NULL);
651 }
652 �/*
653 ** WRITABLE -- predicate returning if the file is writable.
654 **
655 ** This routine must duplicate the algorithm in sys/fio.c.
656 ** Unfortunately, we cannot use the access call since we
657 ** won't necessarily be the real uid when we try to
658 ** actually open the file.
659 **
660 ** Notice that ANY file with ANY execute bit is automatically
661 ** not writable. This is also enforced by mailfile.
662 **
663 ** Parameters:
664 ** filename -- the file name to check.
665 ** ctladdr -- the controlling address for this file.
666 ** flags -- SFF_* flags to control the function.
667 **
668 ** Returns:
669 ** TRUE -- if we will be able to write this file.
670 ** FALSE -- if we cannot write this file.
671 **
672 ** Side Effects:
673 ** none.
674 */
675
676 bool
677 writable(filename, ctladdr, flags)
678 char *filename;
679 ADDRESS *ctladdr;
680 int flags;
681 {
682 uid_t euid;
683 gid_t egid;
684 int bits;
685 register char *p;
686 char *uname;
687
688 if (tTd(29, 5))
689 printf("writable(%s, %x)\n", filename, flags);
690
691 #ifdef SUID_ROOT_FILES_OK
692 /* really ought to be passed down -- and not a good idea */
693 flags |= SFF_ROOTOK;
694 #endif
695
696 /*
697 ** File does exist -- check that it is writable.
698 */
699
700 if (ctladdr != NULL && geteuid() == 0)
701 {
702 euid = ctladdr->q_uid;
703 egid = ctladdr->q_gid;
704 uname = ctladdr->q_user;
705 }
706 #ifdef RUN_AS_REAL_UID
707 else
708 {
709 extern char RealUserName[];
710
711 euid = RealUid;
712 egid = RealGid;
713 uname = RealUserName;
714 }
715 #else
716 else if (FileMailer != NULL)
717 {
718 euid = FileMailer->m_uid;
719 egid = FileMailer->m_gid;
720 }
721 else
722 {
723 euid = egid = 0;
724 }
725 #endif
726 if (euid == 0)
727 {
728 euid = DefUid;
729 uname = DefUser;
730 }
731 if (egid == 0)
732 egid = DefGid;
733 if (geteuid() == 0)
734 flags |= SFF_SETUIDOK;
735
736 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL);
737 return errno == 0;
738 }
739 �/*
740 ** INCLUDE -- handle :include: specification.
741 **
742 ** Parameters:
743 ** fname -- filename to include.
744 ** forwarding -- if TRUE, we are reading a .forward file.
745 ** if FALSE, it's a :include: file.
746 ** ctladdr -- address template to use to fill in these
747 ** addresses -- effective user/group id are
748 ** the important things.
749 ** sendq -- a pointer to the head of the send queue
750 ** to put these addresses in.
751 ** aliaslevel -- the alias nesting depth.
752 ** e -- the current envelope.
753 **
754 ** Returns:
755 ** open error status
756 **
757 ** Side Effects:
758 ** reads the :include: file and sends to everyone
759 ** listed in that file.
760 **
761 ** Security Note:
762 ** If you have restricted chown (that is, you can't
763 ** give a file away), it is reasonable to allow programs
764 ** and files called from this :include: file to be to be
765 ** run as the owner of the :include: file. This is bogus
766 ** if there is any chance of someone giving away a file.
767 ** We assume that pre-POSIX systems can give away files.
768 **
769 ** There is an additional restriction that if you
770 ** forward to a :include: file, it will not take on
771 ** the ownership of the :include: file. This may not
772 ** be necessary, but shouldn't hurt.
773 */
774
775 static jmp_buf CtxIncludeTimeout;
776 static void includetimeout();
777
778 int
779 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
780 char *fname;
781 bool forwarding;
782 ADDRESS *ctladdr;
783 ADDRESS **sendq;
784 int aliaslevel;
785 ENVELOPE *e;
786 {
787 FILE *fp = NULL;
788 char *oldto = e->e_to;
789 char *oldfilename = FileName;
790 int oldlinenumber = LineNumber;
791 register EVENT *ev = NULL;
792 int nincludes;
793 register ADDRESS *ca;
794 uid_t saveduid, uid;
795 gid_t savedgid, gid;
796 char *uname;
797 int rval = 0;
798 int sfflags = SFF_REGONLY;
799 struct stat st;
800 char buf[MAXLINE];
801 #ifdef _POSIX_CHOWN_RESTRICTED
802 # if _POSIX_CHOWN_RESTRICTED == -1
803 # define safechown FALSE
804 # else
805 # define safechown TRUE
806 # endif
807 #else
808 # ifdef _PC_CHOWN_RESTRICTED
809 bool safechown;
810 # else
811 # ifdef BSD
812 # define safechown TRUE
813 # else
814 # define safechown FALSE
815 # endif
816 # endif
817 #endif
818 extern bool chownsafe();
819
820 if (tTd(27, 2))
821 printf("include(%s)\n", fname);
822 if (tTd(27, 4))
823 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
824 if (tTd(27, 14))
825 {
826 printf("ctladdr ");
827 printaddr(ctladdr, FALSE);
828 }
829
830 if (tTd(27, 9))
831 printf("include: old uid = %d/%d\n", getuid(), geteuid());
832
833 if (forwarding)
834 sfflags |= SFF_MUSTOWN;
835
836 ca = getctladdr(ctladdr);
837 if (ca == NULL)
838 {
839 uid = DefUid;
840 gid = DefGid;
841 uname = DefUser;
842 }
843 else
844 {
845 uid = ca->q_uid;
846 gid = ca->q_gid;
847 uname = ca->q_user;
848 }
849 #ifdef HASSETREUID
850 saveduid = geteuid();
851 savedgid = getegid();
852 if (saveduid == 0)
853 {
854 initgroups(uname, gid);
855 if (uid != 0)
856 {
857 if (setreuid(0, uid) < 0)
858 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
859 uid, getuid(), geteuid());
860 else
861 sfflags |= SFF_NOPATHCHECK;
862 }
863 }
864 #endif
865
866 if (tTd(27, 9))
867 printf("include: new uid = %d/%d\n", getuid(), geteuid());
868
869 /*
870 ** If home directory is remote mounted but server is down,
871 ** this can hang or give errors; use a timeout to avoid this
872 */
873
874 if (setjmp(CtxIncludeTimeout) != 0)
875 {
876 ctladdr->q_flags |= QQUEUEUP;
877 errno = 0;
878
879 /* return pseudo-error code */
880 rval = EOPENTIMEOUT;
881 goto resetuid;
882 }
883 if (TimeOuts.to_fileopen > 0)
884 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
885 else
886 ev = NULL;
887
888 /* the input file must be marked safe */
889 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL);
890 if (rval != 0)
891 {
892 /* don't use this :include: file */
893 if (tTd(27, 4))
894 printf("include: not safe (uid=%d): %s\n",
895 uid, errstring(rval));
896 }
897 else
898 {
899 fp = fopen(fname, "r");
900 if (fp == NULL)
901 {
902 rval = errno;
903 if (tTd(27, 4))
904 printf("include: open: %s\n", errstring(rval));
905 }
906 }
907 if (ev != NULL)
908 clrevent(ev);
909
910 resetuid:
911
912 #ifdef HASSETREUID
913 if (saveduid == 0)
914 {
915 if (uid != 0)
916 {
917 if (setreuid(-1, 0) < 0)
918 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
919 getuid(), geteuid());
920 if (setreuid(RealUid, 0) < 0)
921 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
922 RealUid, getuid(), geteuid());
923 }
924 setgid(savedgid);
925 }
926 #endif
927
928 if (tTd(27, 9))
929 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
930
931 if (rval == EOPENTIMEOUT)
932 usrerr("451 open timeout on %s", fname);
933
934 if (fp == NULL)
935 return rval;
936
937 if (fstat(fileno(fp), &st) < 0)
938 {
939 rval = errno;
940 syserr("Cannot fstat %s!", fname);
941 return rval;
942 }
943
944 #ifndef safechown
945 safechown = chownsafe(fileno(fp));
946 #endif
947 if (ca == NULL && safechown)
948 {
949 ctladdr->q_uid = st.st_uid;
950 ctladdr->q_gid = st.st_gid;
951 ctladdr->q_flags |= QGOODUID;
952 }
953 if (ca != NULL && ca->q_uid == st.st_uid)
954 {
955 /* optimization -- avoid getpwuid if we already have info */
956 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
957 ctladdr->q_ruser = ca->q_ruser;
958 }
959 else
960 {
961 register struct passwd *pw;
962
963 pw = getpwuid(st.st_uid);
964 if (pw == NULL)
965 ctladdr->q_flags |= QBOGUSSHELL;
966 else
967 {
968 char *sh;
969
970 ctladdr->q_ruser = newstr(pw->pw_name);
971 if (safechown)
972 sh = pw->pw_shell;
973 else
974 sh = "/SENDMAIL/ANY/SHELL/";
975 if (!usershellok(sh))
976 {
977 if (safechown)
978 ctladdr->q_flags |= QBOGUSSHELL;
979 else
980 ctladdr->q_flags |= QUNSAFEADDR;
981 }
982 }
983 }
984
985 if (bitset(EF_VRFYONLY, e->e_flags))
986 {
987 /* don't do any more now */
988 ctladdr->q_flags |= QVERIFIED;
989 e->e_nrcpts++;
990 xfclose(fp, "include", fname);
991 return rval;
992 }
993
994 /*
995 ** Check to see if some bad guy can write this file
996 **
997 ** This should really do something clever with group
998 ** permissions; currently we just view world writable
999 ** as unsafe. Also, we don't check for writable
1000 ** directories in the path. We've got to leave
1001 ** something for the local sysad to do.
1002 */
1003
1004 if (bitset(S_IWOTH, st.st_mode))
1005 ctladdr->q_flags |= QUNSAFEADDR;
1006
1007 /* read the file -- each line is a comma-separated list. */
1008 FileName = fname;
1009 LineNumber = 0;
1010 ctladdr->q_flags &= ~QSELFREF;
1011 nincludes = 0;
1012 while (fgets(buf, sizeof buf, fp) != NULL)
1013 {
1014 register char *p = strchr(buf, '\n');
1015
1016 LineNumber++;
1017 if (p != NULL)
1018 *p = '\0';
1019 if (buf[0] == '#' || buf[0] == '\0')
1020 continue;
1021 e->e_to = NULL;
1022 message("%s to %s",
1023 forwarding ? "forwarding" : "sending", buf);
1024 #ifdef LOG
1025 if (forwarding && LogLevel > 9)
1026 syslog(LOG_INFO, "%s: forward %s => %s",
1027 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1028 oldto, buf);
1029 #endif
1030
1031 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1032 }
1033
1034 if (ferror(fp) && tTd(27, 3))
1035 printf("include: read error: %s\n", errstring(errno));
1036 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1037 {
1038 if (tTd(27, 5))
1039 {
1040 printf("include: QDONTSEND ");
1041 printaddr(ctladdr, FALSE);
1042 }
1043 ctladdr->q_flags |= QDONTSEND;
1044 }
1045
1046 (void) xfclose(fp, "include", fname);
1047 FileName = oldfilename;
1048 LineNumber = oldlinenumber;
1049 e->e_to = oldto;
1050 return rval;
1051 }
1052
1053 static void
1054 includetimeout()
1055 {
1056 longjmp(CtxIncludeTimeout, 1);
1057 }
1058 �/*
1059 ** SENDTOARGV -- send to an argument vector.
1060 **
1061 ** Parameters:
1062 ** argv -- argument vector to send to.
1063 ** e -- the current envelope.
1064 **
1065 ** Returns:
1066 ** none.
1067 **
1068 ** Side Effects:
1069 ** puts all addresses on the argument vector onto the
1070 ** send queue.
1071 */
1072
1073 sendtoargv(argv, e)
1074 register char **argv;
1075 register ENVELOPE *e;
1076 {
1077 register char *p;
1078
1079 while ((p = *argv++) != NULL)
1080 {
1081 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1082 }
1083 }
1084 �/*
1085 ** GETCTLADDR -- get controlling address from an address header.
1086 **
1087 ** If none, get one corresponding to the effective userid.
1088 **
1089 ** Parameters:
1090 ** a -- the address to find the controller of.
1091 **
1092 ** Returns:
1093 ** the controlling address.
1094 **
1095 ** Side Effects:
1096 ** none.
1097 */
1098
1099 ADDRESS *
1100 getctladdr(a)
1101 register ADDRESS *a;
1102 {
1103 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1104 a = a->q_alias;
1105 return (a);
1106 }
1107