1 /*
2 * Copyright (c) 1983, 1995 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.83 (Berkeley) 05/09/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14
15 /*
16 ** SENDTOLIST -- Designate a send list.
17 **
18 ** The parameter is a comma-separated list of people to send to.
19 ** This routine arranges to send to all of them.
20 **
21 ** Parameters:
22 ** list -- the send list.
23 ** ctladdr -- the address template for the person to
24 ** send to -- effective uid/gid are important.
25 ** This is typically the alias that caused this
26 ** expansion.
27 ** sendq -- a pointer to the head of a queue to put
28 ** these people into.
29 ** aliaslevel -- the current alias nesting depth -- to
30 ** diagnose loops.
31 ** e -- the envelope in which to add these recipients.
32 **
33 ** Returns:
34 ** The number of addresses actually on the list.
35 **
36 ** Side Effects:
37 ** none.
38 */
39
40 #define MAXRCRSN 10 /* maximum levels of alias recursion */
41
42 /* q_flags bits inherited from ctladdr */
43 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
44
45 int
46 sendtolist(list, ctladdr, sendq, aliaslevel, e)
47 char *list;
48 ADDRESS *ctladdr;
49 ADDRESS **sendq;
50 int aliaslevel;
51 register ENVELOPE *e;
52 {
53 register char *p;
54 register ADDRESS *al; /* list of addresses to send to */
55 bool firstone; /* set on first address sent */
56 char delimiter; /* the address delimiter */
57 int naddrs;
58 int i;
59 char *oldto = e->e_to;
60 char *bufp;
61 char buf[MAXNAME + 1];
62
63 if (list == NULL)
64 {
65 syserr("sendtolist: null list");
66 return 0;
67 }
68
69 if (tTd(25, 1))
70 {
71 printf("sendto: %s\n ctladdr=", list);
72 printaddr(ctladdr, FALSE);
73 }
74
75 /* heuristic to determine old versus new style addresses */
76 if (ctladdr == NULL &&
77 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
78 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
79 e->e_flags &= ~EF_OLDSTYLE;
80 delimiter = ' ';
81 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
82 delimiter = ',';
83
84 firstone = TRUE;
85 al = NULL;
86 naddrs = 0;
87
88 /* make sure we have enough space to copy the string */
89 i = strlen(list) + 1;
90 if (i <= sizeof buf)
91 bufp = buf;
92 else
93 bufp = xalloc(i);
94 strcpy(bufp, denlstring(list, FALSE, TRUE));
95
96 for (p = bufp; *p != '\0'; )
97 {
98 auto char *delimptr;
99 register ADDRESS *a;
100
101 /* parse the address */
102 while ((isascii(*p) && isspace(*p)) || *p == ',')
103 p++;
104 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
105 p = delimptr;
106 if (a == NULL)
107 continue;
108 a->q_next = al;
109 a->q_alias = ctladdr;
110
111 /* arrange to inherit attributes from parent */
112 if (ctladdr != NULL)
113 {
114 /* self reference test */
115 if (sameaddr(ctladdr, a))
116 ctladdr->q_flags |= QSELFREF;
117
118 /* full name */
119 if (a->q_fullname == NULL)
120 a->q_fullname = ctladdr->q_fullname;
121
122 /* various flag bits */
123 a->q_flags &= ~QINHERITEDBITS;
124 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
125
126 /* original recipient information */
127 a->q_orcpt = ctladdr->q_orcpt;
128 }
129
130 al = a;
131 firstone = FALSE;
132 }
133
134 /* arrange to send to everyone on the local send list */
135 while (al != NULL)
136 {
137 register ADDRESS *a = al;
138
139 al = a->q_next;
140 a = recipient(a, sendq, aliaslevel, e);
141 naddrs++;
142 }
143
144 e->e_to = oldto;
145 if (bufp != buf)
146 free(bufp);
147 return (naddrs);
148 }
149 �/*
150 ** RECIPIENT -- Designate a message recipient
151 **
152 ** Saves the named person for future mailing.
153 **
154 ** Parameters:
155 ** a -- the (preparsed) address header for the recipient.
156 ** sendq -- a pointer to the head of a queue to put the
157 ** recipient in. Duplicate supression is done
158 ** in this queue.
159 ** aliaslevel -- the current alias nesting depth.
160 ** e -- the current envelope.
161 **
162 ** Returns:
163 ** The actual address in the queue. This will be "a" if
164 ** the address is not a duplicate, else the original address.
165 **
166 ** Side Effects:
167 ** none.
168 */
169
170 ADDRESS *
171 recipient(a, sendq, aliaslevel, e)
172 register ADDRESS *a;
173 register ADDRESS **sendq;
174 int aliaslevel;
175 register ENVELOPE *e;
176 {
177 register ADDRESS *q;
178 ADDRESS **pq;
179 register struct mailer *m;
180 register char *p;
181 bool quoted = FALSE; /* set if the addr has a quote bit */
182 int findusercount = 0;
183 bool initialdontsend = bitset(QDONTSEND, a->q_flags);
184 int i;
185 char *buf;
186 char buf0[MAXNAME + 1]; /* unquoted image of the user name */
187 extern int safefile();
188
189 e->e_to = a->q_paddr;
190 m = a->q_mailer;
191 errno = 0;
192 if (aliaslevel == 0)
193 a->q_flags |= QPRIMARY;
194 if (tTd(26, 1))
195 {
196 printf("\nrecipient (%d): ", aliaslevel);
197 printaddr(a, FALSE);
198 }
199
200 /* if this is primary, add it to the original recipient list */
201 if (a->q_alias == NULL)
202 {
203 if (e->e_origrcpt == NULL)
204 e->e_origrcpt = a->q_paddr;
205 else if (e->e_origrcpt != a->q_paddr)
206 e->e_origrcpt = "";
207 }
208
209 /* break aliasing loops */
210 if (aliaslevel > MAXRCRSN)
211 {
212 a->q_status = "5.4.6";
213 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
214 aliaslevel, MAXRCRSN);
215 return (a);
216 }
217
218 /*
219 ** Finish setting up address structure.
220 */
221
222 /* get unquoted user for file, program or user.name check */
223 i = strlen(a->q_user);
224 if (i >= sizeof buf0)
225 buf = xalloc(i + 1);
226 else
227 buf = buf0;
228 (void) strcpy(buf, a->q_user);
229 for (p = buf; *p != '\0' && !quoted; p++)
230 {
231 if (*p == '\\')
232 quoted = TRUE;
233 }
234 stripquotes(buf);
235
236 /* check for direct mailing to restricted mailers */
237 if (m == ProgMailer)
238 {
239 if (a->q_alias == NULL)
240 {
241 a->q_flags |= QBADADDR;
242 a->q_status = "5.7.1";
243 usrerr("550 Cannot mail directly to programs");
244 }
245 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
246 {
247 a->q_flags |= QBADADDR;
248 a->q_status = "5.7.1";
249 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
250 a->q_alias->q_ruser, MyHostName);
251 }
252 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
253 {
254 a->q_flags |= QBADADDR;
255 a->q_status = "5.7.1";
256 usrerr("550 Address %s is unsafe for mailing to programs",
257 a->q_alias->q_paddr);
258 }
259 }
260
261 /*
262 ** Look up this person in the recipient list.
263 ** If they are there already, return, otherwise continue.
264 ** If the list is empty, just add it. Notice the cute
265 ** hack to make from addresses suppress things correctly:
266 ** the QDONTSEND bit will be set in the send list.
267 ** [Please note: the emphasis is on "hack."]
268 */
269
270 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
271 {
272 if (sameaddr(q, a))
273 {
274 if (tTd(26, 1))
275 {
276 printf("%s in sendq: ", a->q_paddr);
277 printaddr(q, FALSE);
278 }
279 if (!bitset(QPRIMARY, q->q_flags))
280 {
281 if (!bitset(QDONTSEND, a->q_flags))
282 message("duplicate suppressed");
283 q->q_flags |= a->q_flags;
284 }
285 else if (bitset(QSELFREF, q->q_flags))
286 q->q_flags |= a->q_flags & ~QDONTSEND;
287 a = q;
288 goto done;
289 }
290 }
291
292 /* add address on list */
293 *pq = a;
294 a->q_next = NULL;
295
296 /*
297 ** Alias the name and handle special mailer types.
298 */
299
300 trylocaluser:
301 if (tTd(29, 7))
302 printf("at trylocaluser %s\n", a->q_user);
303
304 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
305 goto testselfdestruct;
306
307 if (m == InclMailer)
308 {
309 a->q_flags |= QDONTSEND;
310 if (a->q_alias == NULL)
311 {
312 a->q_flags |= QBADADDR;
313 a->q_status = "5.7.1";
314 usrerr("550 Cannot mail directly to :include:s");
315 }
316 else
317 {
318 int ret;
319
320 message("including file %s", a->q_user);
321 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
322 if (transienterror(ret))
323 {
324 #ifdef LOG
325 if (LogLevel > 2)
326 syslog(LOG_ERR, "%s: include %s: transient error: %s",
327 e->e_id == NULL ? "NOQUEUE" : e->e_id,
328 a->q_user, errstring(ret));
329 #endif
330 a->q_flags |= QQUEUEUP;
331 a->q_flags &= ~QDONTSEND;
332 usrerr("451 Cannot open %s: %s",
333 a->q_user, errstring(ret));
334 }
335 else if (ret != 0)
336 {
337 a->q_flags |= QBADADDR;
338 a->q_status = "5.2.4";
339 usrerr("550 Cannot open %s: %s",
340 a->q_user, errstring(ret));
341 }
342 }
343 }
344 else if (m == FileMailer)
345 {
346 extern bool writable();
347
348 /* check if writable or creatable */
349 if (a->q_alias == NULL)
350 {
351 a->q_flags |= QBADADDR;
352 a->q_status = "5.7.1";
353 usrerr("550 Cannot mail directly to files");
354 }
355 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
356 {
357 a->q_flags |= QBADADDR;
358 a->q_status = "5.7.1";
359 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
360 a->q_alias->q_ruser, MyHostName);
361 }
362 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
363 {
364 a->q_flags |= QBADADDR;
365 a->q_status = "5.7.1";
366 usrerr("550 Address %s is unsafe for mailing to files",
367 a->q_alias->q_paddr);
368 }
369 else if (!writable(buf, getctladdr(a), SFF_CREAT))
370 {
371 a->q_flags |= QBADADDR;
372 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
373 (time_t) 0, e);
374 }
375 }
376
377 /* try aliasing */
378 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
379 alias(a, sendq, aliaslevel, e);
380
381 # ifdef USERDB
382 /* if not aliased, look it up in the user database */
383 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
384 bitnset(M_CHECKUDB, m->m_flags))
385 {
386 extern int udbexpand();
387
388 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
389 {
390 a->q_flags |= QQUEUEUP;
391 if (e->e_message == NULL)
392 e->e_message = newstr("Deferred: user database error");
393 # ifdef LOG
394 if (LogLevel > 8)
395 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
396 e->e_id == NULL ? "NOQUEUE" : e->e_id,
397 errstring(errno));
398 # endif
399 message("queued (user database error): %s",
400 errstring(errno));
401 e->e_nrcpts++;
402 goto testselfdestruct;
403 }
404 }
405 # endif
406
407 /*
408 ** If we have a level two config file, then pass the name through
409 ** Ruleset 5 before sending it off. Ruleset 5 has the right
410 ** to send rewrite it to another mailer. This gives us a hook
411 ** after local aliasing has been done.
412 */
413
414 if (tTd(29, 5))
415 {
416 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
417 ConfigLevel, RewriteRules[5]);
418 printaddr(a, FALSE);
419 }
420 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
421 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
422 bitnset(M_TRYRULESET5, m->m_flags))
423 {
424 maplocaluser(a, sendq, aliaslevel + 1, e);
425 }
426
427 /*
428 ** If it didn't get rewritten to another mailer, go ahead
429 ** and deliver it.
430 */
431
432 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
433 bitnset(M_HASPWENT, m->m_flags))
434 {
435 auto bool fuzzy;
436 register struct passwd *pw;
437 extern struct passwd *finduser();
438
439 /* warning -- finduser may trash buf */
440 pw = finduser(buf, &fuzzy);
441 if (pw == NULL)
442 {
443 a->q_flags |= QBADADDR;
444 a->q_status = "5.1.1";
445 giveresponse(EX_NOUSER, m, NULL, a->q_alias,
446 (time_t) 0, e);
447 }
448 else
449 {
450 char nbuf[MAXNAME + 1];
451
452 if (fuzzy)
453 {
454 /* name was a fuzzy match */
455 a->q_user = newstr(pw->pw_name);
456 if (findusercount++ > 3)
457 {
458 a->q_flags |= QBADADDR;
459 a->q_status = "5.4.6";
460 usrerr("554 aliasing/forwarding loop for %s broken",
461 pw->pw_name);
462 goto done;
463 }
464
465 /* see if it aliases */
466 (void) strcpy(buf, pw->pw_name);
467 goto trylocaluser;
468 }
469 if (strcmp(pw->pw_dir, "/") == 0)
470 a->q_home = "";
471 else
472 a->q_home = newstr(pw->pw_dir);
473 a->q_uid = pw->pw_uid;
474 a->q_gid = pw->pw_gid;
475 a->q_ruser = newstr(pw->pw_name);
476 a->q_flags |= QGOODUID;
477 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
478 if (nbuf[0] != '\0')
479 a->q_fullname = newstr(nbuf);
480 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
481 !usershellok(pw->pw_shell))
482 {
483 a->q_flags |= QBOGUSSHELL;
484 }
485 if (!quoted)
486 forward(a, sendq, aliaslevel, e);
487 }
488 }
489 if (!bitset(QDONTSEND, a->q_flags))
490 e->e_nrcpts++;
491
492 testselfdestruct:
493 a->q_flags |= QTHISPASS;
494 if (tTd(26, 8))
495 {
496 printf("testselfdestruct: ");
497 printaddr(a, FALSE);
498 if (tTd(26, 10))
499 {
500 printf("SENDQ:\n");
501 printaddr(*sendq, TRUE);
502 printf("----\n");
503 }
504 }
505 if (a->q_alias == NULL && a != &e->e_from &&
506 bitset(QDONTSEND, a->q_flags))
507 {
508 for (q = *sendq; q != NULL; q = q->q_next)
509 {
510 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) &&
511 bitset(QTHISPASS, q->q_flags))
512 break;
513 }
514 if (q == NULL)
515 {
516 a->q_flags |= QBADADDR;
517 a->q_status = "5.4.6";
518 usrerr("554 aliasing/forwarding loop broken");
519 }
520 }
521
522 done:
523 a->q_flags |= QTHISPASS;
524 if (buf != buf0)
525 free(buf);
526
527 /*
528 ** If we are at the top level, check to see if this has
529 ** expanded to exactly one address. If so, it can inherit
530 ** the primaryness of the address.
531 **
532 ** While we're at it, clear the QTHISPASS bits.
533 */
534
535 if (aliaslevel == 0)
536 {
537 int nrcpts = 0;
538 ADDRESS *only;
539
540 for (q = *sendq; q != NULL; q = q->q_next)
541 {
542 if (bitset(QTHISPASS, q->q_flags) &&
543 !bitset(QDONTSEND|QBADADDR, q->q_flags))
544 {
545 nrcpts++;
546 only = q;
547 }
548 q->q_flags &= ~QTHISPASS;
549 }
550 if (nrcpts == 1)
551 {
552 /* check to see if this actually got a new owner */
553 q = only;
554 while ((q = q->q_alias) != NULL)
555 {
556 if (q->q_owner != NULL)
557 break;
558 }
559 if (q == NULL)
560 only->q_flags |= QPRIMARY;
561 }
562 else if (!initialdontsend && nrcpts > 0)
563 {
564 /* arrange for return receipt */
565 e->e_flags |= EF_SENDRECEIPT;
566 a->q_flags |= QEXPANDED;
567 if (e->e_xfp != NULL)
568 fprintf(e->e_xfp,
569 "%s... expanded to multiple addresses\n",
570 a->q_paddr);
571 }
572 }
573
574 return (a);
575 }
576 �/*
577 ** FINDUSER -- find the password entry for a user.
578 **
579 ** This looks a lot like getpwnam, except that it may want to
580 ** do some fancier pattern matching in /etc/passwd.
581 **
582 ** This routine contains most of the time of many sendmail runs.
583 ** It deserves to be optimized.
584 **
585 ** Parameters:
586 ** name -- the name to match against.
587 ** fuzzyp -- an outarg that is set to TRUE if this entry
588 ** was found using the fuzzy matching algorithm;
589 ** set to FALSE otherwise.
590 **
591 ** Returns:
592 ** A pointer to a pw struct.
593 ** NULL if name is unknown or ambiguous.
594 **
595 ** Side Effects:
596 ** may modify name.
597 */
598
599 struct passwd *
600 finduser(name, fuzzyp)
601 char *name;
602 bool *fuzzyp;
603 {
604 register struct passwd *pw;
605 register char *p;
606
607 if (tTd(29, 4))
608 printf("finduser(%s): ", name);
609
610 *fuzzyp = FALSE;
611
612 #ifdef HESIOD
613 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
614 for (p = name; *p != '\0'; p++)
615 if (!isascii(*p) || !isdigit(*p))
616 break;
617 if (*p == '\0')
618 {
619 if (tTd(29, 4))
620 printf("failed (numeric input)\n");
621 return NULL;
622 }
623 #endif
624
625 /* look up this login name using fast path */
626 if ((pw = sm_getpwnam(name)) != NULL)
627 {
628 if (tTd(29, 4))
629 printf("found (non-fuzzy)\n");
630 return (pw);
631 }
632
633 #ifdef MATCHGECOS
634 /* see if fuzzy matching allowed */
635 if (!MatchGecos)
636 {
637 if (tTd(29, 4))
638 printf("not found (fuzzy disabled)\n");
639 return NULL;
640 }
641
642 /* search for a matching full name instead */
643 for (p = name; *p != '\0'; p++)
644 {
645 if (*p == (SpaceSub & 0177) || *p == '_')
646 *p = ' ';
647 }
648 (void) setpwent();
649 while ((pw = getpwent()) != NULL)
650 {
651 char buf[MAXNAME + 1];
652
653 buildfname(pw->pw_gecos, pw->pw_name, buf);
654 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
655 {
656 if (tTd(29, 4))
657 printf("fuzzy matches %s\n", pw->pw_name);
658 message("sending to login name %s", pw->pw_name);
659 *fuzzyp = TRUE;
660 return (pw);
661 }
662 }
663 if (tTd(29, 4))
664 printf("no fuzzy match found\n");
665 #else
666 if (tTd(29, 4))
667 printf("not found (fuzzy disabled)\n");
668 #endif
669 return (NULL);
670 }
671 �/*
672 ** WRITABLE -- predicate returning if the file is writable.
673 **
674 ** This routine must duplicate the algorithm in sys/fio.c.
675 ** Unfortunately, we cannot use the access call since we
676 ** won't necessarily be the real uid when we try to
677 ** actually open the file.
678 **
679 ** Notice that ANY file with ANY execute bit is automatically
680 ** not writable. This is also enforced by mailfile.
681 **
682 ** Parameters:
683 ** filename -- the file name to check.
684 ** ctladdr -- the controlling address for this file.
685 ** flags -- SFF_* flags to control the function.
686 **
687 ** Returns:
688 ** TRUE -- if we will be able to write this file.
689 ** FALSE -- if we cannot write this file.
690 **
691 ** Side Effects:
692 ** none.
693 */
694
695 bool
696 writable(filename, ctladdr, flags)
697 char *filename;
698 ADDRESS *ctladdr;
699 int flags;
700 {
701 uid_t euid;
702 gid_t egid;
703 int bits;
704 register char *p;
705 char *uname;
706
707 if (tTd(29, 5))
708 printf("writable(%s, 0x%x)\n", filename, flags);
709
710 #ifdef SUID_ROOT_FILES_OK
711 /* really ought to be passed down -- and not a good idea */
712 flags |= SFF_ROOTOK;
713 #endif
714
715 /*
716 ** File does exist -- check that it is writable.
717 */
718
719 if (ctladdr != NULL && geteuid() == 0)
720 {
721 euid = ctladdr->q_uid;
722 egid = ctladdr->q_gid;
723 uname = ctladdr->q_user;
724 }
725 else if (bitset(SFF_RUNASREALUID, flags))
726 {
727 extern char RealUserName[];
728
729 euid = RealUid;
730 egid = RealGid;
731 uname = RealUserName;
732 }
733 else if (FileMailer != NULL)
734 {
735 euid = FileMailer->m_uid;
736 egid = FileMailer->m_gid;
737 }
738 else
739 {
740 euid = egid = 0;
741 }
742 if (euid == 0)
743 {
744 euid = DefUid;
745 uname = DefUser;
746 }
747 if (egid == 0)
748 egid = DefGid;
749 if (geteuid() == 0)
750 flags |= SFF_SETUIDOK;
751
752 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL);
753 return errno == 0;
754 }
755 �/*
756 ** INCLUDE -- handle :include: specification.
757 **
758 ** Parameters:
759 ** fname -- filename to include.
760 ** forwarding -- if TRUE, we are reading a .forward file.
761 ** if FALSE, it's a :include: file.
762 ** ctladdr -- address template to use to fill in these
763 ** addresses -- effective user/group id are
764 ** the important things.
765 ** sendq -- a pointer to the head of the send queue
766 ** to put these addresses in.
767 ** aliaslevel -- the alias nesting depth.
768 ** e -- the current envelope.
769 **
770 ** Returns:
771 ** open error status
772 **
773 ** Side Effects:
774 ** reads the :include: file and sends to everyone
775 ** listed in that file.
776 **
777 ** Security Note:
778 ** If you have restricted chown (that is, you can't
779 ** give a file away), it is reasonable to allow programs
780 ** and files called from this :include: file to be to be
781 ** run as the owner of the :include: file. This is bogus
782 ** if there is any chance of someone giving away a file.
783 ** We assume that pre-POSIX systems can give away files.
784 **
785 ** There is an additional restriction that if you
786 ** forward to a :include: file, it will not take on
787 ** the ownership of the :include: file. This may not
788 ** be necessary, but shouldn't hurt.
789 */
790
791 static jmp_buf CtxIncludeTimeout;
792 static void includetimeout();
793
794 int
795 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
796 char *fname;
797 bool forwarding;
798 ADDRESS *ctladdr;
799 ADDRESS **sendq;
800 int aliaslevel;
801 ENVELOPE *e;
802 {
803 FILE *fp = NULL;
804 char *oldto = e->e_to;
805 char *oldfilename = FileName;
806 int oldlinenumber = LineNumber;
807 register EVENT *ev = NULL;
808 int nincludes;
809 register ADDRESS *ca;
810 uid_t saveduid, uid;
811 gid_t savedgid, gid;
812 char *uname;
813 int rval = 0;
814 int sfflags = SFF_REGONLY;
815 struct stat st;
816 char buf[MAXLINE];
817 #ifdef _POSIX_CHOWN_RESTRICTED
818 # if _POSIX_CHOWN_RESTRICTED == -1
819 # define safechown FALSE
820 # else
821 # define safechown TRUE
822 # endif
823 #else
824 # ifdef _PC_CHOWN_RESTRICTED
825 bool safechown;
826 # else
827 # ifdef BSD
828 # define safechown TRUE
829 # else
830 # define safechown FALSE
831 # endif
832 # endif
833 #endif
834 extern bool chownsafe();
835
836 if (tTd(27, 2))
837 printf("include(%s)\n", fname);
838 if (tTd(27, 4))
839 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
840 if (tTd(27, 14))
841 {
842 printf("ctladdr ");
843 printaddr(ctladdr, FALSE);
844 }
845
846 if (tTd(27, 9))
847 printf("include: old uid = %d/%d\n", getuid(), geteuid());
848
849 if (forwarding)
850 sfflags |= SFF_MUSTOWN|SFF_ROOTOK|SFF_NOSLINK;
851
852 ca = getctladdr(ctladdr);
853 if (ca == NULL)
854 {
855 uid = DefUid;
856 gid = DefGid;
857 uname = DefUser;
858 }
859 else
860 {
861 uid = ca->q_uid;
862 gid = ca->q_gid;
863 uname = ca->q_user;
864 }
865 #ifdef HASSETREUID
866 saveduid = geteuid();
867 savedgid = getegid();
868 if (saveduid == 0)
869 {
870 initgroups(uname, gid);
871 if (uid != 0)
872 {
873 if (setreuid(0, uid) < 0)
874 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
875 uid, getuid(), geteuid());
876 else
877 sfflags |= SFF_NOPATHCHECK;
878 }
879 }
880 #endif
881
882 if (tTd(27, 9))
883 printf("include: new uid = %d/%d\n", getuid(), geteuid());
884
885 /*
886 ** If home directory is remote mounted but server is down,
887 ** this can hang or give errors; use a timeout to avoid this
888 */
889
890 if (setjmp(CtxIncludeTimeout) != 0)
891 {
892 ctladdr->q_flags |= QQUEUEUP;
893 errno = 0;
894
895 /* return pseudo-error code */
896 rval = EOPENTIMEOUT;
897 goto resetuid;
898 }
899 if (TimeOuts.to_fileopen > 0)
900 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
901 else
902 ev = NULL;
903
904 /* the input file must be marked safe */
905 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL);
906 if (rval != 0)
907 {
908 /* don't use this :include: file */
909 if (tTd(27, 4))
910 printf("include: not safe (uid=%d): %s\n",
911 uid, errstring(rval));
912 }
913 else
914 {
915 fp = fopen(fname, "r");
916 if (fp == NULL)
917 {
918 rval = errno;
919 if (tTd(27, 4))
920 printf("include: open: %s\n", errstring(rval));
921 }
922 }
923 if (ev != NULL)
924 clrevent(ev);
925
926 resetuid:
927
928 #ifdef HASSETREUID
929 if (saveduid == 0)
930 {
931 if (uid != 0)
932 {
933 if (setreuid(-1, 0) < 0)
934 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
935 getuid(), geteuid());
936 if (setreuid(RealUid, 0) < 0)
937 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
938 RealUid, getuid(), geteuid());
939 }
940 setgid(savedgid);
941 }
942 #endif
943
944 if (tTd(27, 9))
945 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
946
947 if (rval == EOPENTIMEOUT)
948 usrerr("451 open timeout on %s", fname);
949
950 if (fp == NULL)
951 return rval;
952
953 if (fstat(fileno(fp), &st) < 0)
954 {
955 rval = errno;
956 syserr("Cannot fstat %s!", fname);
957 return rval;
958 }
959
960 #ifndef safechown
961 safechown = chownsafe(fileno(fp));
962 #endif
963 if (ca == NULL && safechown)
964 {
965 ctladdr->q_uid = st.st_uid;
966 ctladdr->q_gid = st.st_gid;
967 ctladdr->q_flags |= QGOODUID;
968 }
969 if (ca != NULL && ca->q_uid == st.st_uid)
970 {
971 /* optimization -- avoid getpwuid if we already have info */
972 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
973 ctladdr->q_ruser = ca->q_ruser;
974 }
975 else
976 {
977 register struct passwd *pw;
978
979 pw = sm_getpwuid(st.st_uid);
980 if (pw == NULL)
981 ctladdr->q_flags |= QBOGUSSHELL;
982 else
983 {
984 char *sh;
985
986 ctladdr->q_ruser = newstr(pw->pw_name);
987 if (safechown)
988 sh = pw->pw_shell;
989 else
990 sh = "/SENDMAIL/ANY/SHELL/";
991 if (!usershellok(sh))
992 {
993 if (safechown)
994 ctladdr->q_flags |= QBOGUSSHELL;
995 else
996 ctladdr->q_flags |= QUNSAFEADDR;
997 }
998 }
999 }
1000
1001 if (bitset(EF_VRFYONLY, e->e_flags))
1002 {
1003 /* don't do any more now */
1004 ctladdr->q_flags |= QVERIFIED;
1005 e->e_nrcpts++;
1006 xfclose(fp, "include", fname);
1007 return rval;
1008 }
1009
1010 /*
1011 ** Check to see if some bad guy can write this file
1012 **
1013 ** This should really do something clever with group
1014 ** permissions; currently we just view world writable
1015 ** as unsafe. Also, we don't check for writable
1016 ** directories in the path. We've got to leave
1017 ** something for the local sysad to do.
1018 */
1019
1020 if (bitset(S_IWOTH, st.st_mode))
1021 ctladdr->q_flags |= QUNSAFEADDR;
1022
1023 /* read the file -- each line is a comma-separated list. */
1024 FileName = fname;
1025 LineNumber = 0;
1026 ctladdr->q_flags &= ~QSELFREF;
1027 nincludes = 0;
1028 while (fgets(buf, sizeof buf, fp) != NULL)
1029 {
1030 register char *p = strchr(buf, '\n');
1031
1032 LineNumber++;
1033 if (p != NULL)
1034 *p = '\0';
1035 if (buf[0] == '#' || buf[0] == '\0')
1036 continue;
1037
1038 /* <sp>#@# introduces a comment anywhere */
1039 /* for Japanese character sets */
1040 for (p = buf; (p = strchr(++p, '#')) != NULL; )
1041 {
1042 if (p[1] == '@' && p[2] == '#' &&
1043 isascii(p[-1]) && isspace(p[-1]) &&
1044 isascii(p[3]) && isspace(p[3]))
1045 {
1046 p[-1] = '\0';
1047 break;
1048 }
1049 }
1050 if (buf[0] == '\0')
1051 continue;
1052
1053 e->e_to = NULL;
1054 message("%s to %s",
1055 forwarding ? "forwarding" : "sending", buf);
1056 #ifdef LOG
1057 if (forwarding && LogLevel > 9)
1058 syslog(LOG_INFO, "%s: forward %s => %s",
1059 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1060 oldto, buf);
1061 #endif
1062
1063 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1064 }
1065
1066 if (ferror(fp) && tTd(27, 3))
1067 printf("include: read error: %s\n", errstring(errno));
1068 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1069 {
1070 if (tTd(27, 5))
1071 {
1072 printf("include: QDONTSEND ");
1073 printaddr(ctladdr, FALSE);
1074 }
1075 ctladdr->q_flags |= QDONTSEND;
1076 }
1077
1078 (void) xfclose(fp, "include", fname);
1079 FileName = oldfilename;
1080 LineNumber = oldlinenumber;
1081 e->e_to = oldto;
1082 return rval;
1083 }
1084
1085 static void
1086 includetimeout()
1087 {
1088 longjmp(CtxIncludeTimeout, 1);
1089 }
1090 �/*
1091 ** SENDTOARGV -- send to an argument vector.
1092 **
1093 ** Parameters:
1094 ** argv -- argument vector to send to.
1095 ** e -- the current envelope.
1096 **
1097 ** Returns:
1098 ** none.
1099 **
1100 ** Side Effects:
1101 ** puts all addresses on the argument vector onto the
1102 ** send queue.
1103 */
1104
1105 sendtoargv(argv, e)
1106 register char **argv;
1107 register ENVELOPE *e;
1108 {
1109 register char *p;
1110
1111 while ((p = *argv++) != NULL)
1112 {
1113 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1114 }
1115 }
1116 �/*
1117 ** GETCTLADDR -- get controlling address from an address header.
1118 **
1119 ** If none, get one corresponding to the effective userid.
1120 **
1121 ** Parameters:
1122 ** a -- the address to find the controller of.
1123 **
1124 ** Returns:
1125 ** the controlling address.
1126 **
1127 ** Side Effects:
1128 ** none.
1129 */
1130
1131 ADDRESS *
1132 getctladdr(a)
1133 register ADDRESS *a;
1134 {
1135 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1136 a = a->q_alias;
1137 return (a);
1138 }
1139