1 /* 2 * Copyright (c) 1983, 1995 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.83 (Berkeley) 05/09/95"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 15 /* 16 ** SENDTOLIST -- Designate a send list. 17 ** 18 ** The parameter is a comma-separated list of people to send to. 19 ** This routine arranges to send to all of them. 20 ** 21 ** Parameters: 22 ** list -- the send list. 23 ** ctladdr -- the address template for the person to 24 ** send to -- effective uid/gid are important. 25 ** This is typically the alias that caused this 26 ** expansion. 27 ** sendq -- a pointer to the head of a queue to put 28 ** these people into. 29 ** aliaslevel -- the current alias nesting depth -- to 30 ** diagnose loops. 31 ** e -- the envelope in which to add these recipients. 32 ** 33 ** Returns: 34 ** The number of addresses actually on the list. 35 ** 36 ** Side Effects: 37 ** none. 38 */ 39 40 #define MAXRCRSN 10 /* maximum levels of alias recursion */ 41 42 /* q_flags bits inherited from ctladdr */ 43 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 44 45 int 46 sendtolist(list, ctladdr, sendq, aliaslevel, e) 47 char *list; 48 ADDRESS *ctladdr; 49 ADDRESS **sendq; 50 int aliaslevel; 51 register ENVELOPE *e; 52 { 53 register char *p; 54 register ADDRESS *al; /* list of addresses to send to */ 55 bool firstone; /* set on first address sent */ 56 char delimiter; /* the address delimiter */ 57 int naddrs; 58 int i; 59 char *oldto = e->e_to; 60 char *bufp; 61 char buf[MAXNAME + 1]; 62 63 if (list == NULL) 64 { 65 syserr("sendtolist: null list"); 66 return 0; 67 } 68 69 if (tTd(25, 1)) 70 { 71 printf("sendto: %s\n ctladdr=", list); 72 printaddr(ctladdr, FALSE); 73 } 74 75 /* heuristic to determine old versus new style addresses */ 76 if (ctladdr == NULL && 77 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 78 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 79 e->e_flags &= ~EF_OLDSTYLE; 80 delimiter = ' '; 81 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 82 delimiter = ','; 83 84 firstone = TRUE; 85 al = NULL; 86 naddrs = 0; 87 88 /* make sure we have enough space to copy the string */ 89 i = strlen(list) + 1; 90 if (i <= sizeof buf) 91 bufp = buf; 92 else 93 bufp = xalloc(i); 94 strcpy(bufp, denlstring(list, FALSE, TRUE)); 95 96 for (p = bufp; *p != '\0'; ) 97 { 98 auto char *delimptr; 99 register ADDRESS *a; 100 101 /* parse the address */ 102 while ((isascii(*p) && isspace(*p)) || *p == ',') 103 p++; 104 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 105 p = delimptr; 106 if (a == NULL) 107 continue; 108 a->q_next = al; 109 a->q_alias = ctladdr; 110 111 /* arrange to inherit attributes from parent */ 112 if (ctladdr != NULL) 113 { 114 /* self reference test */ 115 if (sameaddr(ctladdr, a)) 116 ctladdr->q_flags |= QSELFREF; 117 118 /* full name */ 119 if (a->q_fullname == NULL) 120 a->q_fullname = ctladdr->q_fullname; 121 122 /* various flag bits */ 123 a->q_flags &= ~QINHERITEDBITS; 124 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 125 126 /* original recipient information */ 127 a->q_orcpt = ctladdr->q_orcpt; 128 } 129 130 al = a; 131 firstone = FALSE; 132 } 133 134 /* arrange to send to everyone on the local send list */ 135 while (al != NULL) 136 { 137 register ADDRESS *a = al; 138 139 al = a->q_next; 140 a = recipient(a, sendq, aliaslevel, e); 141 naddrs++; 142 } 143 144 e->e_to = oldto; 145 if (bufp != buf) 146 free(bufp); 147 return (naddrs); 148 } 149 /* 150 ** RECIPIENT -- Designate a message recipient 151 ** 152 ** Saves the named person for future mailing. 153 ** 154 ** Parameters: 155 ** a -- the (preparsed) address header for the recipient. 156 ** sendq -- a pointer to the head of a queue to put the 157 ** recipient in. Duplicate supression is done 158 ** in this queue. 159 ** aliaslevel -- the current alias nesting depth. 160 ** e -- the current envelope. 161 ** 162 ** Returns: 163 ** The actual address in the queue. This will be "a" if 164 ** the address is not a duplicate, else the original address. 165 ** 166 ** Side Effects: 167 ** none. 168 */ 169 170 ADDRESS * 171 recipient(a, sendq, aliaslevel, e) 172 register ADDRESS *a; 173 register ADDRESS **sendq; 174 int aliaslevel; 175 register ENVELOPE *e; 176 { 177 register ADDRESS *q; 178 ADDRESS **pq; 179 register struct mailer *m; 180 register char *p; 181 bool quoted = FALSE; /* set if the addr has a quote bit */ 182 int findusercount = 0; 183 bool initialdontsend = bitset(QDONTSEND, a->q_flags); 184 int i; 185 char *buf; 186 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 187 extern int safefile(); 188 189 e->e_to = a->q_paddr; 190 m = a->q_mailer; 191 errno = 0; 192 if (aliaslevel == 0) 193 a->q_flags |= QPRIMARY; 194 if (tTd(26, 1)) 195 { 196 printf("\nrecipient (%d): ", aliaslevel); 197 printaddr(a, FALSE); 198 } 199 200 /* if this is primary, add it to the original recipient list */ 201 if (a->q_alias == NULL) 202 { 203 if (e->e_origrcpt == NULL) 204 e->e_origrcpt = a->q_paddr; 205 else if (e->e_origrcpt != a->q_paddr) 206 e->e_origrcpt = ""; 207 } 208 209 /* break aliasing loops */ 210 if (aliaslevel > MAXRCRSN) 211 { 212 a->q_status = "5.4.6"; 213 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max", 214 aliaslevel, MAXRCRSN); 215 return (a); 216 } 217 218 /* 219 ** Finish setting up address structure. 220 */ 221 222 /* get unquoted user for file, program or user.name check */ 223 i = strlen(a->q_user); 224 if (i >= sizeof buf0) 225 buf = xalloc(i + 1); 226 else 227 buf = buf0; 228 (void) strcpy(buf, a->q_user); 229 for (p = buf; *p != '\0' && !quoted; p++) 230 { 231 if (*p == '\\') 232 quoted = TRUE; 233 } 234 stripquotes(buf); 235 236 /* check for direct mailing to restricted mailers */ 237 if (m == ProgMailer) 238 { 239 if (a->q_alias == NULL) 240 { 241 a->q_flags |= QBADADDR; 242 a->q_status = "5.7.1"; 243 usrerr("550 Cannot mail directly to programs"); 244 } 245 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 246 { 247 a->q_flags |= QBADADDR; 248 a->q_status = "5.7.1"; 249 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 250 a->q_alias->q_ruser, MyHostName); 251 } 252 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 253 { 254 a->q_flags |= QBADADDR; 255 a->q_status = "5.7.1"; 256 usrerr("550 Address %s is unsafe for mailing to programs", 257 a->q_alias->q_paddr); 258 } 259 } 260 261 /* 262 ** Look up this person in the recipient list. 263 ** If they are there already, return, otherwise continue. 264 ** If the list is empty, just add it. Notice the cute 265 ** hack to make from addresses suppress things correctly: 266 ** the QDONTSEND bit will be set in the send list. 267 ** [Please note: the emphasis is on "hack."] 268 */ 269 270 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 271 { 272 if (sameaddr(q, a)) 273 { 274 if (tTd(26, 1)) 275 { 276 printf("%s in sendq: ", a->q_paddr); 277 printaddr(q, FALSE); 278 } 279 if (!bitset(QPRIMARY, q->q_flags)) 280 { 281 if (!bitset(QDONTSEND, a->q_flags)) 282 message("duplicate suppressed"); 283 q->q_flags |= a->q_flags; 284 } 285 else if (bitset(QSELFREF, q->q_flags)) 286 q->q_flags |= a->q_flags & ~QDONTSEND; 287 a = q; 288 goto done; 289 } 290 } 291 292 /* add address on list */ 293 *pq = a; 294 a->q_next = NULL; 295 296 /* 297 ** Alias the name and handle special mailer types. 298 */ 299 300 trylocaluser: 301 if (tTd(29, 7)) 302 printf("at trylocaluser %s\n", a->q_user); 303 304 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 305 goto testselfdestruct; 306 307 if (m == InclMailer) 308 { 309 a->q_flags |= QDONTSEND; 310 if (a->q_alias == NULL) 311 { 312 a->q_flags |= QBADADDR; 313 a->q_status = "5.7.1"; 314 usrerr("550 Cannot mail directly to :include:s"); 315 } 316 else 317 { 318 int ret; 319 320 message("including file %s", a->q_user); 321 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e); 322 if (transienterror(ret)) 323 { 324 #ifdef LOG 325 if (LogLevel > 2) 326 syslog(LOG_ERR, "%s: include %s: transient error: %s", 327 e->e_id == NULL ? "NOQUEUE" : e->e_id, 328 a->q_user, errstring(ret)); 329 #endif 330 a->q_flags |= QQUEUEUP; 331 a->q_flags &= ~QDONTSEND; 332 usrerr("451 Cannot open %s: %s", 333 a->q_user, errstring(ret)); 334 } 335 else if (ret != 0) 336 { 337 a->q_flags |= QBADADDR; 338 a->q_status = "5.2.4"; 339 usrerr("550 Cannot open %s: %s", 340 a->q_user, errstring(ret)); 341 } 342 } 343 } 344 else if (m == FileMailer) 345 { 346 extern bool writable(); 347 348 /* check if writable or creatable */ 349 if (a->q_alias == NULL) 350 { 351 a->q_flags |= QBADADDR; 352 a->q_status = "5.7.1"; 353 usrerr("550 Cannot mail directly to files"); 354 } 355 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 356 { 357 a->q_flags |= QBADADDR; 358 a->q_status = "5.7.1"; 359 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 360 a->q_alias->q_ruser, MyHostName); 361 } 362 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 363 { 364 a->q_flags |= QBADADDR; 365 a->q_status = "5.7.1"; 366 usrerr("550 Address %s is unsafe for mailing to files", 367 a->q_alias->q_paddr); 368 } 369 else if (!writable(buf, getctladdr(a), SFF_CREAT)) 370 { 371 a->q_flags |= QBADADDR; 372 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, 373 (time_t) 0, e); 374 } 375 } 376 377 /* try aliasing */ 378 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags)) 379 alias(a, sendq, aliaslevel, e); 380 381 # ifdef USERDB 382 /* if not aliased, look it up in the user database */ 383 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) && 384 bitnset(M_CHECKUDB, m->m_flags)) 385 { 386 extern int udbexpand(); 387 388 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL) 389 { 390 a->q_flags |= QQUEUEUP; 391 if (e->e_message == NULL) 392 e->e_message = newstr("Deferred: user database error"); 393 # ifdef LOG 394 if (LogLevel > 8) 395 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 396 e->e_id == NULL ? "NOQUEUE" : e->e_id, 397 errstring(errno)); 398 # endif 399 message("queued (user database error): %s", 400 errstring(errno)); 401 e->e_nrcpts++; 402 goto testselfdestruct; 403 } 404 } 405 # endif 406 407 /* 408 ** If we have a level two config file, then pass the name through 409 ** Ruleset 5 before sending it off. Ruleset 5 has the right 410 ** to send rewrite it to another mailer. This gives us a hook 411 ** after local aliasing has been done. 412 */ 413 414 if (tTd(29, 5)) 415 { 416 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 417 ConfigLevel, RewriteRules[5]); 418 printaddr(a, FALSE); 419 } 420 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 421 ConfigLevel >= 2 && RewriteRules[5] != NULL && 422 bitnset(M_TRYRULESET5, m->m_flags)) 423 { 424 maplocaluser(a, sendq, aliaslevel + 1, e); 425 } 426 427 /* 428 ** If it didn't get rewritten to another mailer, go ahead 429 ** and deliver it. 430 */ 431 432 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 433 bitnset(M_HASPWENT, m->m_flags)) 434 { 435 auto bool fuzzy; 436 register struct passwd *pw; 437 extern struct passwd *finduser(); 438 439 /* warning -- finduser may trash buf */ 440 pw = finduser(buf, &fuzzy); 441 if (pw == NULL) 442 { 443 a->q_flags |= QBADADDR; 444 a->q_status = "5.1.1"; 445 giveresponse(EX_NOUSER, m, NULL, a->q_alias, 446 (time_t) 0, e); 447 } 448 else 449 { 450 char nbuf[MAXNAME + 1]; 451 452 if (fuzzy) 453 { 454 /* name was a fuzzy match */ 455 a->q_user = newstr(pw->pw_name); 456 if (findusercount++ > 3) 457 { 458 a->q_flags |= QBADADDR; 459 a->q_status = "5.4.6"; 460 usrerr("554 aliasing/forwarding loop for %s broken", 461 pw->pw_name); 462 goto done; 463 } 464 465 /* see if it aliases */ 466 (void) strcpy(buf, pw->pw_name); 467 goto trylocaluser; 468 } 469 if (strcmp(pw->pw_dir, "/") == 0) 470 a->q_home = ""; 471 else 472 a->q_home = newstr(pw->pw_dir); 473 a->q_uid = pw->pw_uid; 474 a->q_gid = pw->pw_gid; 475 a->q_ruser = newstr(pw->pw_name); 476 a->q_flags |= QGOODUID; 477 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 478 if (nbuf[0] != '\0') 479 a->q_fullname = newstr(nbuf); 480 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 481 !usershellok(pw->pw_shell)) 482 { 483 a->q_flags |= QBOGUSSHELL; 484 } 485 if (!quoted) 486 forward(a, sendq, aliaslevel, e); 487 } 488 } 489 if (!bitset(QDONTSEND, a->q_flags)) 490 e->e_nrcpts++; 491 492 testselfdestruct: 493 a->q_flags |= QTHISPASS; 494 if (tTd(26, 8)) 495 { 496 printf("testselfdestruct: "); 497 printaddr(a, FALSE); 498 if (tTd(26, 10)) 499 { 500 printf("SENDQ:\n"); 501 printaddr(*sendq, TRUE); 502 printf("----\n"); 503 } 504 } 505 if (a->q_alias == NULL && a != &e->e_from && 506 bitset(QDONTSEND, a->q_flags)) 507 { 508 for (q = *sendq; q != NULL; q = q->q_next) 509 { 510 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) && 511 bitset(QTHISPASS, q->q_flags)) 512 break; 513 } 514 if (q == NULL) 515 { 516 a->q_flags |= QBADADDR; 517 a->q_status = "5.4.6"; 518 usrerr("554 aliasing/forwarding loop broken"); 519 } 520 } 521 522 done: 523 a->q_flags |= QTHISPASS; 524 if (buf != buf0) 525 free(buf); 526 527 /* 528 ** If we are at the top level, check to see if this has 529 ** expanded to exactly one address. If so, it can inherit 530 ** the primaryness of the address. 531 ** 532 ** While we're at it, clear the QTHISPASS bits. 533 */ 534 535 if (aliaslevel == 0) 536 { 537 int nrcpts = 0; 538 ADDRESS *only; 539 540 for (q = *sendq; q != NULL; q = q->q_next) 541 { 542 if (bitset(QTHISPASS, q->q_flags) && 543 !bitset(QDONTSEND|QBADADDR, q->q_flags)) 544 { 545 nrcpts++; 546 only = q; 547 } 548 q->q_flags &= ~QTHISPASS; 549 } 550 if (nrcpts == 1) 551 { 552 /* check to see if this actually got a new owner */ 553 q = only; 554 while ((q = q->q_alias) != NULL) 555 { 556 if (q->q_owner != NULL) 557 break; 558 } 559 if (q == NULL) 560 only->q_flags |= QPRIMARY; 561 } 562 else if (!initialdontsend && nrcpts > 0) 563 { 564 /* arrange for return receipt */ 565 e->e_flags |= EF_SENDRECEIPT; 566 a->q_flags |= QEXPANDED; 567 if (e->e_xfp != NULL) 568 fprintf(e->e_xfp, 569 "%s... expanded to multiple addresses\n", 570 a->q_paddr); 571 } 572 } 573 574 return (a); 575 } 576 /* 577 ** FINDUSER -- find the password entry for a user. 578 ** 579 ** This looks a lot like getpwnam, except that it may want to 580 ** do some fancier pattern matching in /etc/passwd. 581 ** 582 ** This routine contains most of the time of many sendmail runs. 583 ** It deserves to be optimized. 584 ** 585 ** Parameters: 586 ** name -- the name to match against. 587 ** fuzzyp -- an outarg that is set to TRUE if this entry 588 ** was found using the fuzzy matching algorithm; 589 ** set to FALSE otherwise. 590 ** 591 ** Returns: 592 ** A pointer to a pw struct. 593 ** NULL if name is unknown or ambiguous. 594 ** 595 ** Side Effects: 596 ** may modify name. 597 */ 598 599 struct passwd * 600 finduser(name, fuzzyp) 601 char *name; 602 bool *fuzzyp; 603 { 604 register struct passwd *pw; 605 register char *p; 606 607 if (tTd(29, 4)) 608 printf("finduser(%s): ", name); 609 610 *fuzzyp = FALSE; 611 612 #ifdef HESIOD 613 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 614 for (p = name; *p != '\0'; p++) 615 if (!isascii(*p) || !isdigit(*p)) 616 break; 617 if (*p == '\0') 618 { 619 if (tTd(29, 4)) 620 printf("failed (numeric input)\n"); 621 return NULL; 622 } 623 #endif 624 625 /* look up this login name using fast path */ 626 if ((pw = sm_getpwnam(name)) != NULL) 627 { 628 if (tTd(29, 4)) 629 printf("found (non-fuzzy)\n"); 630 return (pw); 631 } 632 633 #ifdef MATCHGECOS 634 /* see if fuzzy matching allowed */ 635 if (!MatchGecos) 636 { 637 if (tTd(29, 4)) 638 printf("not found (fuzzy disabled)\n"); 639 return NULL; 640 } 641 642 /* search for a matching full name instead */ 643 for (p = name; *p != '\0'; p++) 644 { 645 if (*p == (SpaceSub & 0177) || *p == '_') 646 *p = ' '; 647 } 648 (void) setpwent(); 649 while ((pw = getpwent()) != NULL) 650 { 651 char buf[MAXNAME + 1]; 652 653 buildfname(pw->pw_gecos, pw->pw_name, buf); 654 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 655 { 656 if (tTd(29, 4)) 657 printf("fuzzy matches %s\n", pw->pw_name); 658 message("sending to login name %s", pw->pw_name); 659 *fuzzyp = TRUE; 660 return (pw); 661 } 662 } 663 if (tTd(29, 4)) 664 printf("no fuzzy match found\n"); 665 #else 666 if (tTd(29, 4)) 667 printf("not found (fuzzy disabled)\n"); 668 #endif 669 return (NULL); 670 } 671 /* 672 ** WRITABLE -- predicate returning if the file is writable. 673 ** 674 ** This routine must duplicate the algorithm in sys/fio.c. 675 ** Unfortunately, we cannot use the access call since we 676 ** won't necessarily be the real uid when we try to 677 ** actually open the file. 678 ** 679 ** Notice that ANY file with ANY execute bit is automatically 680 ** not writable. This is also enforced by mailfile. 681 ** 682 ** Parameters: 683 ** filename -- the file name to check. 684 ** ctladdr -- the controlling address for this file. 685 ** flags -- SFF_* flags to control the function. 686 ** 687 ** Returns: 688 ** TRUE -- if we will be able to write this file. 689 ** FALSE -- if we cannot write this file. 690 ** 691 ** Side Effects: 692 ** none. 693 */ 694 695 bool 696 writable(filename, ctladdr, flags) 697 char *filename; 698 ADDRESS *ctladdr; 699 int flags; 700 { 701 uid_t euid; 702 gid_t egid; 703 int bits; 704 register char *p; 705 char *uname; 706 707 if (tTd(29, 5)) 708 printf("writable(%s, 0x%x)\n", filename, flags); 709 710 #ifdef SUID_ROOT_FILES_OK 711 /* really ought to be passed down -- and not a good idea */ 712 flags |= SFF_ROOTOK; 713 #endif 714 715 /* 716 ** File does exist -- check that it is writable. 717 */ 718 719 if (ctladdr != NULL && geteuid() == 0) 720 { 721 euid = ctladdr->q_uid; 722 egid = ctladdr->q_gid; 723 uname = ctladdr->q_user; 724 } 725 else if (bitset(SFF_RUNASREALUID, flags)) 726 { 727 extern char RealUserName[]; 728 729 euid = RealUid; 730 egid = RealGid; 731 uname = RealUserName; 732 } 733 else if (FileMailer != NULL) 734 { 735 euid = FileMailer->m_uid; 736 egid = FileMailer->m_gid; 737 } 738 else 739 { 740 euid = egid = 0; 741 } 742 if (euid == 0) 743 { 744 euid = DefUid; 745 uname = DefUser; 746 } 747 if (egid == 0) 748 egid = DefGid; 749 if (geteuid() == 0) 750 flags |= SFF_SETUIDOK; 751 752 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL); 753 return errno == 0; 754 } 755 /* 756 ** INCLUDE -- handle :include: specification. 757 ** 758 ** Parameters: 759 ** fname -- filename to include. 760 ** forwarding -- if TRUE, we are reading a .forward file. 761 ** if FALSE, it's a :include: file. 762 ** ctladdr -- address template to use to fill in these 763 ** addresses -- effective user/group id are 764 ** the important things. 765 ** sendq -- a pointer to the head of the send queue 766 ** to put these addresses in. 767 ** aliaslevel -- the alias nesting depth. 768 ** e -- the current envelope. 769 ** 770 ** Returns: 771 ** open error status 772 ** 773 ** Side Effects: 774 ** reads the :include: file and sends to everyone 775 ** listed in that file. 776 ** 777 ** Security Note: 778 ** If you have restricted chown (that is, you can't 779 ** give a file away), it is reasonable to allow programs 780 ** and files called from this :include: file to be to be 781 ** run as the owner of the :include: file. This is bogus 782 ** if there is any chance of someone giving away a file. 783 ** We assume that pre-POSIX systems can give away files. 784 ** 785 ** There is an additional restriction that if you 786 ** forward to a :include: file, it will not take on 787 ** the ownership of the :include: file. This may not 788 ** be necessary, but shouldn't hurt. 789 */ 790 791 static jmp_buf CtxIncludeTimeout; 792 static void includetimeout(); 793 794 int 795 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 796 char *fname; 797 bool forwarding; 798 ADDRESS *ctladdr; 799 ADDRESS **sendq; 800 int aliaslevel; 801 ENVELOPE *e; 802 { 803 FILE *fp = NULL; 804 char *oldto = e->e_to; 805 char *oldfilename = FileName; 806 int oldlinenumber = LineNumber; 807 register EVENT *ev = NULL; 808 int nincludes; 809 register ADDRESS *ca; 810 uid_t saveduid, uid; 811 gid_t savedgid, gid; 812 char *uname; 813 int rval = 0; 814 int sfflags = SFF_REGONLY; 815 struct stat st; 816 char buf[MAXLINE]; 817 #ifdef _POSIX_CHOWN_RESTRICTED 818 # if _POSIX_CHOWN_RESTRICTED == -1 819 # define safechown FALSE 820 # else 821 # define safechown TRUE 822 # endif 823 #else 824 # ifdef _PC_CHOWN_RESTRICTED 825 bool safechown; 826 # else 827 # ifdef BSD 828 # define safechown TRUE 829 # else 830 # define safechown FALSE 831 # endif 832 # endif 833 #endif 834 extern bool chownsafe(); 835 836 if (tTd(27, 2)) 837 printf("include(%s)\n", fname); 838 if (tTd(27, 4)) 839 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 840 if (tTd(27, 14)) 841 { 842 printf("ctladdr "); 843 printaddr(ctladdr, FALSE); 844 } 845 846 if (tTd(27, 9)) 847 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 848 849 if (forwarding) 850 sfflags |= SFF_MUSTOWN|SFF_ROOTOK|SFF_NOSLINK; 851 852 ca = getctladdr(ctladdr); 853 if (ca == NULL) 854 { 855 uid = DefUid; 856 gid = DefGid; 857 uname = DefUser; 858 } 859 else 860 { 861 uid = ca->q_uid; 862 gid = ca->q_gid; 863 uname = ca->q_user; 864 } 865 #ifdef HASSETREUID 866 saveduid = geteuid(); 867 savedgid = getegid(); 868 if (saveduid == 0) 869 { 870 initgroups(uname, gid); 871 if (uid != 0) 872 { 873 if (setreuid(0, uid) < 0) 874 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 875 uid, getuid(), geteuid()); 876 else 877 sfflags |= SFF_NOPATHCHECK; 878 } 879 } 880 #endif 881 882 if (tTd(27, 9)) 883 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 884 885 /* 886 ** If home directory is remote mounted but server is down, 887 ** this can hang or give errors; use a timeout to avoid this 888 */ 889 890 if (setjmp(CtxIncludeTimeout) != 0) 891 { 892 ctladdr->q_flags |= QQUEUEUP; 893 errno = 0; 894 895 /* return pseudo-error code */ 896 rval = EOPENTIMEOUT; 897 goto resetuid; 898 } 899 if (TimeOuts.to_fileopen > 0) 900 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0); 901 else 902 ev = NULL; 903 904 /* the input file must be marked safe */ 905 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL); 906 if (rval != 0) 907 { 908 /* don't use this :include: file */ 909 if (tTd(27, 4)) 910 printf("include: not safe (uid=%d): %s\n", 911 uid, errstring(rval)); 912 } 913 else 914 { 915 fp = fopen(fname, "r"); 916 if (fp == NULL) 917 { 918 rval = errno; 919 if (tTd(27, 4)) 920 printf("include: open: %s\n", errstring(rval)); 921 } 922 } 923 if (ev != NULL) 924 clrevent(ev); 925 926 resetuid: 927 928 #ifdef HASSETREUID 929 if (saveduid == 0) 930 { 931 if (uid != 0) 932 { 933 if (setreuid(-1, 0) < 0) 934 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", 935 getuid(), geteuid()); 936 if (setreuid(RealUid, 0) < 0) 937 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 938 RealUid, getuid(), geteuid()); 939 } 940 setgid(savedgid); 941 } 942 #endif 943 944 if (tTd(27, 9)) 945 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 946 947 if (rval == EOPENTIMEOUT) 948 usrerr("451 open timeout on %s", fname); 949 950 if (fp == NULL) 951 return rval; 952 953 if (fstat(fileno(fp), &st) < 0) 954 { 955 rval = errno; 956 syserr("Cannot fstat %s!", fname); 957 return rval; 958 } 959 960 #ifndef safechown 961 safechown = chownsafe(fileno(fp)); 962 #endif 963 if (ca == NULL && safechown) 964 { 965 ctladdr->q_uid = st.st_uid; 966 ctladdr->q_gid = st.st_gid; 967 ctladdr->q_flags |= QGOODUID; 968 } 969 if (ca != NULL && ca->q_uid == st.st_uid) 970 { 971 /* optimization -- avoid getpwuid if we already have info */ 972 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 973 ctladdr->q_ruser = ca->q_ruser; 974 } 975 else 976 { 977 register struct passwd *pw; 978 979 pw = sm_getpwuid(st.st_uid); 980 if (pw == NULL) 981 ctladdr->q_flags |= QBOGUSSHELL; 982 else 983 { 984 char *sh; 985 986 ctladdr->q_ruser = newstr(pw->pw_name); 987 if (safechown) 988 sh = pw->pw_shell; 989 else 990 sh = "/SENDMAIL/ANY/SHELL/"; 991 if (!usershellok(sh)) 992 { 993 if (safechown) 994 ctladdr->q_flags |= QBOGUSSHELL; 995 else 996 ctladdr->q_flags |= QUNSAFEADDR; 997 } 998 } 999 } 1000 1001 if (bitset(EF_VRFYONLY, e->e_flags)) 1002 { 1003 /* don't do any more now */ 1004 ctladdr->q_flags |= QVERIFIED; 1005 e->e_nrcpts++; 1006 xfclose(fp, "include", fname); 1007 return rval; 1008 } 1009 1010 /* 1011 ** Check to see if some bad guy can write this file 1012 ** 1013 ** This should really do something clever with group 1014 ** permissions; currently we just view world writable 1015 ** as unsafe. Also, we don't check for writable 1016 ** directories in the path. We've got to leave 1017 ** something for the local sysad to do. 1018 */ 1019 1020 if (bitset(S_IWOTH, st.st_mode)) 1021 ctladdr->q_flags |= QUNSAFEADDR; 1022 1023 /* read the file -- each line is a comma-separated list. */ 1024 FileName = fname; 1025 LineNumber = 0; 1026 ctladdr->q_flags &= ~QSELFREF; 1027 nincludes = 0; 1028 while (fgets(buf, sizeof buf, fp) != NULL) 1029 { 1030 register char *p = strchr(buf, '\n'); 1031 1032 LineNumber++; 1033 if (p != NULL) 1034 *p = '\0'; 1035 if (buf[0] == '#' || buf[0] == '\0') 1036 continue; 1037 1038 /* <sp>#@# introduces a comment anywhere */ 1039 /* for Japanese character sets */ 1040 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1041 { 1042 if (p[1] == '@' && p[2] == '#' && 1043 isascii(p[-1]) && isspace(p[-1]) && 1044 isascii(p[3]) && isspace(p[3])) 1045 { 1046 p[-1] = '\0'; 1047 break; 1048 } 1049 } 1050 if (buf[0] == '\0') 1051 continue; 1052 1053 e->e_to = NULL; 1054 message("%s to %s", 1055 forwarding ? "forwarding" : "sending", buf); 1056 #ifdef LOG 1057 if (forwarding && LogLevel > 9) 1058 syslog(LOG_INFO, "%s: forward %s => %s", 1059 e->e_id == NULL ? "NOQUEUE" : e->e_id, 1060 oldto, buf); 1061 #endif 1062 1063 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1064 } 1065 1066 if (ferror(fp) && tTd(27, 3)) 1067 printf("include: read error: %s\n", errstring(errno)); 1068 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1069 { 1070 if (tTd(27, 5)) 1071 { 1072 printf("include: QDONTSEND "); 1073 printaddr(ctladdr, FALSE); 1074 } 1075 ctladdr->q_flags |= QDONTSEND; 1076 } 1077 1078 (void) xfclose(fp, "include", fname); 1079 FileName = oldfilename; 1080 LineNumber = oldlinenumber; 1081 e->e_to = oldto; 1082 return rval; 1083 } 1084 1085 static void 1086 includetimeout() 1087 { 1088 longjmp(CtxIncludeTimeout, 1); 1089 } 1090 /* 1091 ** SENDTOARGV -- send to an argument vector. 1092 ** 1093 ** Parameters: 1094 ** argv -- argument vector to send to. 1095 ** e -- the current envelope. 1096 ** 1097 ** Returns: 1098 ** none. 1099 ** 1100 ** Side Effects: 1101 ** puts all addresses on the argument vector onto the 1102 ** send queue. 1103 */ 1104 1105 sendtoargv(argv, e) 1106 register char **argv; 1107 register ENVELOPE *e; 1108 { 1109 register char *p; 1110 1111 while ((p = *argv++) != NULL) 1112 { 1113 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1114 } 1115 } 1116 /* 1117 ** GETCTLADDR -- get controlling address from an address header. 1118 ** 1119 ** If none, get one corresponding to the effective userid. 1120 ** 1121 ** Parameters: 1122 ** a -- the address to find the controller of. 1123 ** 1124 ** Returns: 1125 ** the controlling address. 1126 ** 1127 ** Side Effects: 1128 ** none. 1129 */ 1130 1131 ADDRESS * 1132 getctladdr(a) 1133 register ADDRESS *a; 1134 { 1135 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1136 a = a->q_alias; 1137 return (a); 1138 } 1139