1 /* 2 * Copyright (c) 1983 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.77 (Berkeley) 04/12/95"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 15 /* 16 ** SENDTOLIST -- Designate a send list. 17 ** 18 ** The parameter is a comma-separated list of people to send to. 19 ** This routine arranges to send to all of them. 20 ** 21 ** Parameters: 22 ** list -- the send list. 23 ** ctladdr -- the address template for the person to 24 ** send to -- effective uid/gid are important. 25 ** This is typically the alias that caused this 26 ** expansion. 27 ** sendq -- a pointer to the head of a queue to put 28 ** these people into. 29 ** aliaslevel -- the current alias nesting depth -- to 30 ** diagnose loops. 31 ** e -- the envelope in which to add these recipients. 32 ** 33 ** Returns: 34 ** The number of addresses actually on the list. 35 ** 36 ** Side Effects: 37 ** none. 38 */ 39 40 #define MAXRCRSN 10 /* maximum levels of alias recursion */ 41 42 /* q_flags bits inherited from ctladdr */ 43 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 44 45 int 46 sendtolist(list, ctladdr, sendq, aliaslevel, e) 47 char *list; 48 ADDRESS *ctladdr; 49 ADDRESS **sendq; 50 int aliaslevel; 51 register ENVELOPE *e; 52 { 53 register char *p; 54 register ADDRESS *al; /* list of addresses to send to */ 55 bool firstone; /* set on first address sent */ 56 char delimiter; /* the address delimiter */ 57 int naddrs; 58 int i; 59 char *oldto = e->e_to; 60 char *bufp; 61 char buf[MAXNAME + 1]; 62 63 if (list == NULL) 64 { 65 syserr("sendtolist: null list"); 66 return 0; 67 } 68 69 if (tTd(25, 1)) 70 { 71 printf("sendto: %s\n ctladdr=", list); 72 printaddr(ctladdr, FALSE); 73 } 74 75 /* heuristic to determine old versus new style addresses */ 76 if (ctladdr == NULL && 77 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 78 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 79 e->e_flags &= ~EF_OLDSTYLE; 80 delimiter = ' '; 81 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 82 delimiter = ','; 83 84 firstone = TRUE; 85 al = NULL; 86 naddrs = 0; 87 88 /* make sure we have enough space to copy the string */ 89 i = strlen(list) + 1; 90 if (i <= sizeof buf) 91 bufp = buf; 92 else 93 bufp = xalloc(i); 94 strcpy(bufp, denlstring(list, FALSE, TRUE)); 95 96 for (p = bufp; *p != '\0'; ) 97 { 98 auto char *delimptr; 99 register ADDRESS *a; 100 101 /* parse the address */ 102 while ((isascii(*p) && isspace(*p)) || *p == ',') 103 p++; 104 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 105 p = delimptr; 106 if (a == NULL) 107 continue; 108 a->q_next = al; 109 a->q_alias = ctladdr; 110 111 /* arrange to inherit attributes from parent */ 112 if (ctladdr != NULL) 113 { 114 /* self reference test */ 115 if (sameaddr(ctladdr, a)) 116 ctladdr->q_flags |= QSELFREF; 117 118 /* full name */ 119 if (a->q_fullname == NULL) 120 a->q_fullname = ctladdr->q_fullname; 121 122 /* various flag bits */ 123 a->q_flags &= ~QINHERITEDBITS; 124 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 125 126 /* original recipient information */ 127 a->q_orcpt = ctladdr->q_orcpt; 128 } 129 130 al = a; 131 firstone = FALSE; 132 } 133 134 /* arrange to send to everyone on the local send list */ 135 while (al != NULL) 136 { 137 register ADDRESS *a = al; 138 139 al = a->q_next; 140 a = recipient(a, sendq, aliaslevel, e); 141 naddrs++; 142 } 143 144 e->e_to = oldto; 145 if (bufp != buf) 146 free(bufp); 147 return (naddrs); 148 } 149 /* 150 ** RECIPIENT -- Designate a message recipient 151 ** 152 ** Saves the named person for future mailing. 153 ** 154 ** Parameters: 155 ** a -- the (preparsed) address header for the recipient. 156 ** sendq -- a pointer to the head of a queue to put the 157 ** recipient in. Duplicate supression is done 158 ** in this queue. 159 ** aliaslevel -- the current alias nesting depth. 160 ** e -- the current envelope. 161 ** 162 ** Returns: 163 ** The actual address in the queue. This will be "a" if 164 ** the address is not a duplicate, else the original address. 165 ** 166 ** Side Effects: 167 ** none. 168 */ 169 170 ADDRESS * 171 recipient(a, sendq, aliaslevel, e) 172 register ADDRESS *a; 173 register ADDRESS **sendq; 174 int aliaslevel; 175 register ENVELOPE *e; 176 { 177 register ADDRESS *q; 178 ADDRESS **pq; 179 register struct mailer *m; 180 register char *p; 181 bool quoted = FALSE; /* set if the addr has a quote bit */ 182 int findusercount = 0; 183 bool initialdontsend = bitset(QDONTSEND, a->q_flags); 184 int i; 185 char *buf; 186 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 187 extern int safefile(); 188 189 e->e_to = a->q_paddr; 190 m = a->q_mailer; 191 errno = 0; 192 if (aliaslevel == 0) 193 a->q_flags |= QPRIMARY; 194 if (tTd(26, 1)) 195 { 196 printf("\nrecipient (%d): ", aliaslevel); 197 printaddr(a, FALSE); 198 } 199 200 /* if this is primary, add it to the original recipient list */ 201 if (a->q_alias == NULL) 202 { 203 if (e->e_origrcpt == NULL) 204 e->e_origrcpt = a->q_paddr; 205 else if (e->e_origrcpt != a->q_paddr) 206 e->e_origrcpt = ""; 207 } 208 209 /* break aliasing loops */ 210 if (aliaslevel > MAXRCRSN) 211 { 212 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max", 213 aliaslevel, MAXRCRSN); 214 return (a); 215 } 216 217 /* 218 ** Finish setting up address structure. 219 */ 220 221 /* get unquoted user for file, program or user.name check */ 222 i = strlen(a->q_user); 223 if (i >= sizeof buf0) 224 buf = xalloc(i + 1); 225 else 226 buf = buf0; 227 (void) strcpy(buf, a->q_user); 228 for (p = buf; *p != '\0' && !quoted; p++) 229 { 230 if (*p == '\\') 231 quoted = TRUE; 232 } 233 stripquotes(buf); 234 235 /* check for direct mailing to restricted mailers */ 236 if (m == ProgMailer) 237 { 238 if (a->q_alias == NULL) 239 { 240 a->q_flags |= QBADADDR; 241 usrerr("550 Cannot mail directly to programs"); 242 } 243 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 244 { 245 a->q_flags |= QBADADDR; 246 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 247 a->q_alias->q_ruser, MyHostName); 248 } 249 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 250 { 251 a->q_flags |= QBADADDR; 252 usrerr("550 Address %s is unsafe for mailing to programs", 253 a->q_alias->q_paddr); 254 } 255 } 256 257 /* 258 ** Look up this person in the recipient list. 259 ** If they are there already, return, otherwise continue. 260 ** If the list is empty, just add it. Notice the cute 261 ** hack to make from addresses suppress things correctly: 262 ** the QDONTSEND bit will be set in the send list. 263 ** [Please note: the emphasis is on "hack."] 264 */ 265 266 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 267 { 268 if (sameaddr(q, a)) 269 { 270 if (tTd(26, 1)) 271 { 272 printf("%s in sendq: ", a->q_paddr); 273 printaddr(q, FALSE); 274 } 275 if (!bitset(QPRIMARY, q->q_flags)) 276 { 277 if (!bitset(QDONTSEND, a->q_flags)) 278 message("duplicate suppressed"); 279 q->q_flags |= a->q_flags; 280 } 281 else if (bitset(QSELFREF, q->q_flags)) 282 q->q_flags |= a->q_flags & ~QDONTSEND; 283 a = q; 284 goto done; 285 } 286 } 287 288 /* add address on list */ 289 *pq = a; 290 a->q_next = NULL; 291 292 /* 293 ** Alias the name and handle special mailer types. 294 */ 295 296 trylocaluser: 297 if (tTd(29, 7)) 298 printf("at trylocaluser %s\n", a->q_user); 299 300 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 301 goto testselfdestruct; 302 303 if (m == InclMailer) 304 { 305 a->q_flags |= QDONTSEND; 306 if (a->q_alias == NULL) 307 { 308 a->q_flags |= QBADADDR; 309 usrerr("550 Cannot mail directly to :include:s"); 310 } 311 else 312 { 313 int ret; 314 315 message("including file %s", a->q_user); 316 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e); 317 if (transienterror(ret)) 318 { 319 #ifdef LOG 320 if (LogLevel > 2) 321 syslog(LOG_ERR, "%s: include %s: transient error: %s", 322 e->e_id == NULL ? "NOQUEUE" : e->e_id, 323 a->q_user, errstring(ret)); 324 #endif 325 a->q_flags |= QQUEUEUP; 326 a->q_flags &= ~QDONTSEND; 327 usrerr("451 Cannot open %s: %s", 328 a->q_user, errstring(ret)); 329 } 330 else if (ret != 0) 331 { 332 a->q_flags |= QBADADDR; 333 usrerr("550 Cannot open %s: %s", 334 a->q_user, errstring(ret)); 335 } 336 } 337 } 338 else if (m == FileMailer) 339 { 340 extern bool writable(); 341 342 /* check if writable or creatable */ 343 if (a->q_alias == NULL) 344 { 345 a->q_flags |= QBADADDR; 346 usrerr("550 Cannot mail directly to files"); 347 } 348 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 349 { 350 a->q_flags |= QBADADDR; 351 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 352 a->q_alias->q_ruser, MyHostName); 353 } 354 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 355 { 356 a->q_flags |= QBADADDR; 357 usrerr("550 Address %s is unsafe for mailing to files", 358 a->q_alias->q_paddr); 359 } 360 else if (!writable(buf, getctladdr(a), SFF_CREAT)) 361 { 362 a->q_flags |= QBADADDR; 363 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, 364 (time_t) 0, e); 365 } 366 } 367 368 /* try aliasing */ 369 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags)) 370 alias(a, sendq, aliaslevel, e); 371 372 # ifdef USERDB 373 /* if not aliased, look it up in the user database */ 374 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) && 375 bitnset(M_CHECKUDB, m->m_flags)) 376 { 377 extern int udbexpand(); 378 379 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL) 380 { 381 a->q_flags |= QQUEUEUP; 382 if (e->e_message == NULL) 383 e->e_message = newstr("Deferred: user database error"); 384 # ifdef LOG 385 if (LogLevel > 8) 386 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 387 e->e_id == NULL ? "NOQUEUE" : e->e_id, 388 errstring(errno)); 389 # endif 390 message("queued (user database error): %s", 391 errstring(errno)); 392 e->e_nrcpts++; 393 goto testselfdestruct; 394 } 395 } 396 # endif 397 398 /* 399 ** If we have a level two config file, then pass the name through 400 ** Ruleset 5 before sending it off. Ruleset 5 has the right 401 ** to send rewrite it to another mailer. This gives us a hook 402 ** after local aliasing has been done. 403 */ 404 405 if (tTd(29, 5)) 406 { 407 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 408 ConfigLevel, RewriteRules[5]); 409 printaddr(a, FALSE); 410 } 411 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 412 ConfigLevel >= 2 && RewriteRules[5] != NULL && 413 bitnset(M_TRYRULESET5, m->m_flags)) 414 { 415 maplocaluser(a, sendq, aliaslevel + 1, e); 416 } 417 418 /* 419 ** If it didn't get rewritten to another mailer, go ahead 420 ** and deliver it. 421 */ 422 423 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 424 bitnset(M_HASPWENT, m->m_flags)) 425 { 426 auto bool fuzzy; 427 register struct passwd *pw; 428 extern struct passwd *finduser(); 429 430 /* warning -- finduser may trash buf */ 431 pw = finduser(buf, &fuzzy); 432 if (pw == NULL) 433 { 434 a->q_flags |= QBADADDR; 435 giveresponse(EX_NOUSER, m, NULL, a->q_alias, 436 (time_t) 0, e); 437 } 438 else 439 { 440 char nbuf[MAXNAME + 1]; 441 442 if (fuzzy) 443 { 444 /* name was a fuzzy match */ 445 a->q_user = newstr(pw->pw_name); 446 if (findusercount++ > 3) 447 { 448 a->q_flags |= QBADADDR; 449 usrerr("554 aliasing/forwarding loop for %s broken", 450 pw->pw_name); 451 goto done; 452 } 453 454 /* see if it aliases */ 455 (void) strcpy(buf, pw->pw_name); 456 goto trylocaluser; 457 } 458 if (strcmp(pw->pw_dir, "/") == 0) 459 a->q_home = ""; 460 else 461 a->q_home = newstr(pw->pw_dir); 462 a->q_uid = pw->pw_uid; 463 a->q_gid = pw->pw_gid; 464 a->q_ruser = newstr(pw->pw_name); 465 a->q_flags |= QGOODUID; 466 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 467 if (nbuf[0] != '\0') 468 a->q_fullname = newstr(nbuf); 469 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 470 !usershellok(pw->pw_shell)) 471 { 472 a->q_flags |= QBOGUSSHELL; 473 } 474 if (!quoted) 475 forward(a, sendq, aliaslevel, e); 476 } 477 } 478 if (!bitset(QDONTSEND, a->q_flags)) 479 e->e_nrcpts++; 480 481 testselfdestruct: 482 a->q_flags |= QTHISPASS; 483 if (tTd(26, 8)) 484 { 485 printf("testselfdestruct: "); 486 printaddr(a, FALSE); 487 if (tTd(26, 10)) 488 { 489 printf("SENDQ:\n"); 490 printaddr(*sendq, TRUE); 491 printf("----\n"); 492 } 493 } 494 if (a->q_alias == NULL && a != &e->e_from && 495 bitset(QDONTSEND, a->q_flags)) 496 { 497 for (q = *sendq; q != NULL; q = q->q_next) 498 { 499 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) && 500 bitset(QTHISPASS, q->q_flags)) 501 break; 502 } 503 if (q == NULL) 504 { 505 a->q_flags |= QBADADDR; 506 usrerr("554 aliasing/forwarding loop broken"); 507 } 508 } 509 510 done: 511 a->q_flags |= QTHISPASS; 512 if (buf != buf0) 513 free(buf); 514 515 /* 516 ** If we are at the top level, check to see if this has 517 ** expanded to exactly one address. If so, it can inherit 518 ** the primaryness of the address. 519 ** 520 ** While we're at it, clear the QTHISPASS bits. 521 */ 522 523 if (aliaslevel == 0) 524 { 525 int nrcpts = 0; 526 ADDRESS *only; 527 528 for (q = *sendq; q != NULL; q = q->q_next) 529 { 530 if (bitset(QTHISPASS, q->q_flags) && 531 !bitset(QDONTSEND|QBADADDR, q->q_flags)) 532 { 533 nrcpts++; 534 only = q; 535 } 536 q->q_flags &= ~QTHISPASS; 537 } 538 if (nrcpts == 1) 539 only->q_flags |= QPRIMARY; 540 else if (!initialdontsend) 541 { 542 /* arrange for return receipt */ 543 e->e_flags |= EF_SENDRECEIPT; 544 a->q_flags |= QEXPLODED; 545 if (e->e_xfp != NULL) 546 fprintf(e->e_xfp, 547 "%s... expanded to multiple addresses\n", 548 a->q_paddr); 549 } 550 } 551 552 return (a); 553 } 554 /* 555 ** FINDUSER -- find the password entry for a user. 556 ** 557 ** This looks a lot like getpwnam, except that it may want to 558 ** do some fancier pattern matching in /etc/passwd. 559 ** 560 ** This routine contains most of the time of many sendmail runs. 561 ** It deserves to be optimized. 562 ** 563 ** Parameters: 564 ** name -- the name to match against. 565 ** fuzzyp -- an outarg that is set to TRUE if this entry 566 ** was found using the fuzzy matching algorithm; 567 ** set to FALSE otherwise. 568 ** 569 ** Returns: 570 ** A pointer to a pw struct. 571 ** NULL if name is unknown or ambiguous. 572 ** 573 ** Side Effects: 574 ** may modify name. 575 */ 576 577 struct passwd * 578 finduser(name, fuzzyp) 579 char *name; 580 bool *fuzzyp; 581 { 582 register struct passwd *pw; 583 register char *p; 584 585 if (tTd(29, 4)) 586 printf("finduser(%s): ", name); 587 588 *fuzzyp = FALSE; 589 590 #ifdef HESIOD 591 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 592 for (p = name; *p != '\0'; p++) 593 if (!isascii(*p) || !isdigit(*p)) 594 break; 595 if (*p == '\0') 596 { 597 if (tTd(29, 4)) 598 printf("failed (numeric input)\n"); 599 return NULL; 600 } 601 #endif 602 603 /* look up this login name using fast path */ 604 if ((pw = sm_getpwnam(name)) != NULL) 605 { 606 if (tTd(29, 4)) 607 printf("found (non-fuzzy)\n"); 608 return (pw); 609 } 610 611 #ifdef MATCHGECOS 612 /* see if fuzzy matching allowed */ 613 if (!MatchGecos) 614 { 615 if (tTd(29, 4)) 616 printf("not found (fuzzy disabled)\n"); 617 return NULL; 618 } 619 620 /* search for a matching full name instead */ 621 for (p = name; *p != '\0'; p++) 622 { 623 if (*p == (SpaceSub & 0177) || *p == '_') 624 *p = ' '; 625 } 626 (void) setpwent(); 627 while ((pw = getpwent()) != NULL) 628 { 629 char buf[MAXNAME + 1]; 630 631 buildfname(pw->pw_gecos, pw->pw_name, buf); 632 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 633 { 634 if (tTd(29, 4)) 635 printf("fuzzy matches %s\n", pw->pw_name); 636 message("sending to login name %s", pw->pw_name); 637 *fuzzyp = TRUE; 638 return (pw); 639 } 640 } 641 if (tTd(29, 4)) 642 printf("no fuzzy match found\n"); 643 #else 644 if (tTd(29, 4)) 645 printf("not found (fuzzy disabled)\n"); 646 #endif 647 return (NULL); 648 } 649 /* 650 ** WRITABLE -- predicate returning if the file is writable. 651 ** 652 ** This routine must duplicate the algorithm in sys/fio.c. 653 ** Unfortunately, we cannot use the access call since we 654 ** won't necessarily be the real uid when we try to 655 ** actually open the file. 656 ** 657 ** Notice that ANY file with ANY execute bit is automatically 658 ** not writable. This is also enforced by mailfile. 659 ** 660 ** Parameters: 661 ** filename -- the file name to check. 662 ** ctladdr -- the controlling address for this file. 663 ** flags -- SFF_* flags to control the function. 664 ** 665 ** Returns: 666 ** TRUE -- if we will be able to write this file. 667 ** FALSE -- if we cannot write this file. 668 ** 669 ** Side Effects: 670 ** none. 671 */ 672 673 bool 674 writable(filename, ctladdr, flags) 675 char *filename; 676 ADDRESS *ctladdr; 677 int flags; 678 { 679 uid_t euid; 680 gid_t egid; 681 int bits; 682 register char *p; 683 char *uname; 684 685 if (tTd(29, 5)) 686 printf("writable(%s, %x)\n", filename, flags); 687 688 #ifdef SUID_ROOT_FILES_OK 689 /* really ought to be passed down -- and not a good idea */ 690 flags |= SFF_ROOTOK; 691 #endif 692 693 /* 694 ** File does exist -- check that it is writable. 695 */ 696 697 if (ctladdr != NULL && geteuid() == 0) 698 { 699 euid = ctladdr->q_uid; 700 egid = ctladdr->q_gid; 701 uname = ctladdr->q_user; 702 } 703 #ifdef RUN_AS_REAL_UID 704 else 705 { 706 extern char RealUserName[]; 707 708 euid = RealUid; 709 egid = RealGid; 710 uname = RealUserName; 711 } 712 #else 713 else if (FileMailer != NULL) 714 { 715 euid = FileMailer->m_uid; 716 egid = FileMailer->m_gid; 717 } 718 else 719 { 720 euid = egid = 0; 721 } 722 #endif 723 if (euid == 0) 724 { 725 euid = DefUid; 726 uname = DefUser; 727 } 728 if (egid == 0) 729 egid = DefGid; 730 if (geteuid() == 0) 731 flags |= SFF_SETUIDOK; 732 733 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL); 734 return errno == 0; 735 } 736 /* 737 ** INCLUDE -- handle :include: specification. 738 ** 739 ** Parameters: 740 ** fname -- filename to include. 741 ** forwarding -- if TRUE, we are reading a .forward file. 742 ** if FALSE, it's a :include: file. 743 ** ctladdr -- address template to use to fill in these 744 ** addresses -- effective user/group id are 745 ** the important things. 746 ** sendq -- a pointer to the head of the send queue 747 ** to put these addresses in. 748 ** aliaslevel -- the alias nesting depth. 749 ** e -- the current envelope. 750 ** 751 ** Returns: 752 ** open error status 753 ** 754 ** Side Effects: 755 ** reads the :include: file and sends to everyone 756 ** listed in that file. 757 ** 758 ** Security Note: 759 ** If you have restricted chown (that is, you can't 760 ** give a file away), it is reasonable to allow programs 761 ** and files called from this :include: file to be to be 762 ** run as the owner of the :include: file. This is bogus 763 ** if there is any chance of someone giving away a file. 764 ** We assume that pre-POSIX systems can give away files. 765 ** 766 ** There is an additional restriction that if you 767 ** forward to a :include: file, it will not take on 768 ** the ownership of the :include: file. This may not 769 ** be necessary, but shouldn't hurt. 770 */ 771 772 static jmp_buf CtxIncludeTimeout; 773 static void includetimeout(); 774 775 int 776 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 777 char *fname; 778 bool forwarding; 779 ADDRESS *ctladdr; 780 ADDRESS **sendq; 781 int aliaslevel; 782 ENVELOPE *e; 783 { 784 FILE *fp = NULL; 785 char *oldto = e->e_to; 786 char *oldfilename = FileName; 787 int oldlinenumber = LineNumber; 788 register EVENT *ev = NULL; 789 int nincludes; 790 register ADDRESS *ca; 791 uid_t saveduid, uid; 792 gid_t savedgid, gid; 793 char *uname; 794 int rval = 0; 795 int sfflags = SFF_REGONLY; 796 struct stat st; 797 char buf[MAXLINE]; 798 #ifdef _POSIX_CHOWN_RESTRICTED 799 # if _POSIX_CHOWN_RESTRICTED == -1 800 # define safechown FALSE 801 # else 802 # define safechown TRUE 803 # endif 804 #else 805 # ifdef _PC_CHOWN_RESTRICTED 806 bool safechown; 807 # else 808 # ifdef BSD 809 # define safechown TRUE 810 # else 811 # define safechown FALSE 812 # endif 813 # endif 814 #endif 815 extern bool chownsafe(); 816 817 if (tTd(27, 2)) 818 printf("include(%s)\n", fname); 819 if (tTd(27, 4)) 820 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 821 if (tTd(27, 14)) 822 { 823 printf("ctladdr "); 824 printaddr(ctladdr, FALSE); 825 } 826 827 if (tTd(27, 9)) 828 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 829 830 if (forwarding) 831 sfflags |= SFF_MUSTOWN; 832 833 ca = getctladdr(ctladdr); 834 if (ca == NULL) 835 { 836 uid = DefUid; 837 gid = DefGid; 838 uname = DefUser; 839 } 840 else 841 { 842 uid = ca->q_uid; 843 gid = ca->q_gid; 844 uname = ca->q_user; 845 } 846 #ifdef HASSETREUID 847 saveduid = geteuid(); 848 savedgid = getegid(); 849 if (saveduid == 0) 850 { 851 initgroups(uname, gid); 852 if (uid != 0) 853 { 854 if (setreuid(0, uid) < 0) 855 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 856 uid, getuid(), geteuid()); 857 else 858 sfflags |= SFF_NOPATHCHECK; 859 } 860 } 861 #endif 862 863 if (tTd(27, 9)) 864 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 865 866 /* 867 ** If home directory is remote mounted but server is down, 868 ** this can hang or give errors; use a timeout to avoid this 869 */ 870 871 if (setjmp(CtxIncludeTimeout) != 0) 872 { 873 ctladdr->q_flags |= QQUEUEUP; 874 errno = 0; 875 876 /* return pseudo-error code */ 877 rval = EOPENTIMEOUT; 878 goto resetuid; 879 } 880 if (TimeOuts.to_fileopen > 0) 881 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0); 882 else 883 ev = NULL; 884 885 /* the input file must be marked safe */ 886 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL); 887 if (rval != 0) 888 { 889 /* don't use this :include: file */ 890 if (tTd(27, 4)) 891 printf("include: not safe (uid=%d): %s\n", 892 uid, errstring(rval)); 893 } 894 else 895 { 896 fp = fopen(fname, "r"); 897 if (fp == NULL) 898 { 899 rval = errno; 900 if (tTd(27, 4)) 901 printf("include: open: %s\n", errstring(rval)); 902 } 903 } 904 if (ev != NULL) 905 clrevent(ev); 906 907 resetuid: 908 909 #ifdef HASSETREUID 910 if (saveduid == 0) 911 { 912 if (uid != 0) 913 { 914 if (setreuid(-1, 0) < 0) 915 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", 916 getuid(), geteuid()); 917 if (setreuid(RealUid, 0) < 0) 918 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 919 RealUid, getuid(), geteuid()); 920 } 921 setgid(savedgid); 922 } 923 #endif 924 925 if (tTd(27, 9)) 926 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 927 928 if (rval == EOPENTIMEOUT) 929 usrerr("451 open timeout on %s", fname); 930 931 if (fp == NULL) 932 return rval; 933 934 if (fstat(fileno(fp), &st) < 0) 935 { 936 rval = errno; 937 syserr("Cannot fstat %s!", fname); 938 return rval; 939 } 940 941 #ifndef safechown 942 safechown = chownsafe(fileno(fp)); 943 #endif 944 if (ca == NULL && safechown) 945 { 946 ctladdr->q_uid = st.st_uid; 947 ctladdr->q_gid = st.st_gid; 948 ctladdr->q_flags |= QGOODUID; 949 } 950 if (ca != NULL && ca->q_uid == st.st_uid) 951 { 952 /* optimization -- avoid getpwuid if we already have info */ 953 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 954 ctladdr->q_ruser = ca->q_ruser; 955 } 956 else 957 { 958 register struct passwd *pw; 959 960 pw = sm_getpwuid(st.st_uid); 961 if (pw == NULL) 962 ctladdr->q_flags |= QBOGUSSHELL; 963 else 964 { 965 char *sh; 966 967 ctladdr->q_ruser = newstr(pw->pw_name); 968 if (safechown) 969 sh = pw->pw_shell; 970 else 971 sh = "/SENDMAIL/ANY/SHELL/"; 972 if (!usershellok(sh)) 973 { 974 if (safechown) 975 ctladdr->q_flags |= QBOGUSSHELL; 976 else 977 ctladdr->q_flags |= QUNSAFEADDR; 978 } 979 } 980 } 981 982 if (bitset(EF_VRFYONLY, e->e_flags)) 983 { 984 /* don't do any more now */ 985 ctladdr->q_flags |= QVERIFIED; 986 e->e_nrcpts++; 987 xfclose(fp, "include", fname); 988 return rval; 989 } 990 991 /* 992 ** Check to see if some bad guy can write this file 993 ** 994 ** This should really do something clever with group 995 ** permissions; currently we just view world writable 996 ** as unsafe. Also, we don't check for writable 997 ** directories in the path. We've got to leave 998 ** something for the local sysad to do. 999 */ 1000 1001 if (bitset(S_IWOTH, st.st_mode)) 1002 ctladdr->q_flags |= QUNSAFEADDR; 1003 1004 /* read the file -- each line is a comma-separated list. */ 1005 FileName = fname; 1006 LineNumber = 0; 1007 ctladdr->q_flags &= ~QSELFREF; 1008 nincludes = 0; 1009 while (fgets(buf, sizeof buf, fp) != NULL) 1010 { 1011 register char *p = strchr(buf, '\n'); 1012 1013 LineNumber++; 1014 if (p != NULL) 1015 *p = '\0'; 1016 if (buf[0] == '#' || buf[0] == '\0') 1017 continue; 1018 1019 /* <sp>#@# introduces a comment anywhere */ 1020 /* for Japanese character sets */ 1021 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1022 { 1023 if (p[1] == '@' && p[2] == '#' && 1024 isascii(p[-1]) && isspace(p[-1]) && 1025 isascii(p[3]) && isspace(p[3])) 1026 { 1027 p[-1] = '\0'; 1028 break; 1029 } 1030 } 1031 if (buf[0] == '\0') 1032 continue; 1033 1034 e->e_to = NULL; 1035 message("%s to %s", 1036 forwarding ? "forwarding" : "sending", buf); 1037 #ifdef LOG 1038 if (forwarding && LogLevel > 9) 1039 syslog(LOG_INFO, "%s: forward %s => %s", 1040 e->e_id == NULL ? "NOQUEUE" : e->e_id, 1041 oldto, buf); 1042 #endif 1043 1044 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1045 } 1046 1047 if (ferror(fp) && tTd(27, 3)) 1048 printf("include: read error: %s\n", errstring(errno)); 1049 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1050 { 1051 if (tTd(27, 5)) 1052 { 1053 printf("include: QDONTSEND "); 1054 printaddr(ctladdr, FALSE); 1055 } 1056 ctladdr->q_flags |= QDONTSEND; 1057 } 1058 1059 (void) xfclose(fp, "include", fname); 1060 FileName = oldfilename; 1061 LineNumber = oldlinenumber; 1062 e->e_to = oldto; 1063 return rval; 1064 } 1065 1066 static void 1067 includetimeout() 1068 { 1069 longjmp(CtxIncludeTimeout, 1); 1070 } 1071 /* 1072 ** SENDTOARGV -- send to an argument vector. 1073 ** 1074 ** Parameters: 1075 ** argv -- argument vector to send to. 1076 ** e -- the current envelope. 1077 ** 1078 ** Returns: 1079 ** none. 1080 ** 1081 ** Side Effects: 1082 ** puts all addresses on the argument vector onto the 1083 ** send queue. 1084 */ 1085 1086 sendtoargv(argv, e) 1087 register char **argv; 1088 register ENVELOPE *e; 1089 { 1090 register char *p; 1091 1092 while ((p = *argv++) != NULL) 1093 { 1094 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1095 } 1096 } 1097 /* 1098 ** GETCTLADDR -- get controlling address from an address header. 1099 ** 1100 ** If none, get one corresponding to the effective userid. 1101 ** 1102 ** Parameters: 1103 ** a -- the address to find the controller of. 1104 ** 1105 ** Returns: 1106 ** the controlling address. 1107 ** 1108 ** Side Effects: 1109 ** none. 1110 */ 1111 1112 ADDRESS * 1113 getctladdr(a) 1114 register ADDRESS *a; 1115 { 1116 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1117 a = a->q_alias; 1118 return (a); 1119 } 1120