1 /*
2 * Copyright (c) 1983, 1995 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.79 (Berkeley) 04/21/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14
15 /*
16 ** SENDTOLIST -- Designate a send list.
17 **
18 ** The parameter is a comma-separated list of people to send to.
19 ** This routine arranges to send to all of them.
20 **
21 ** Parameters:
22 ** list -- the send list.
23 ** ctladdr -- the address template for the person to
24 ** send to -- effective uid/gid are important.
25 ** This is typically the alias that caused this
26 ** expansion.
27 ** sendq -- a pointer to the head of a queue to put
28 ** these people into.
29 ** aliaslevel -- the current alias nesting depth -- to
30 ** diagnose loops.
31 ** e -- the envelope in which to add these recipients.
32 **
33 ** Returns:
34 ** The number of addresses actually on the list.
35 **
36 ** Side Effects:
37 ** none.
38 */
39
40 #define MAXRCRSN 10 /* maximum levels of alias recursion */
41
42 /* q_flags bits inherited from ctladdr */
43 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
44
45 int
46 sendtolist(list, ctladdr, sendq, aliaslevel, e)
47 char *list;
48 ADDRESS *ctladdr;
49 ADDRESS **sendq;
50 int aliaslevel;
51 register ENVELOPE *e;
52 {
53 register char *p;
54 register ADDRESS *al; /* list of addresses to send to */
55 bool firstone; /* set on first address sent */
56 char delimiter; /* the address delimiter */
57 int naddrs;
58 int i;
59 char *oldto = e->e_to;
60 char *bufp;
61 char buf[MAXNAME + 1];
62
63 if (list == NULL)
64 {
65 syserr("sendtolist: null list");
66 return 0;
67 }
68
69 if (tTd(25, 1))
70 {
71 printf("sendto: %s\n ctladdr=", list);
72 printaddr(ctladdr, FALSE);
73 }
74
75 /* heuristic to determine old versus new style addresses */
76 if (ctladdr == NULL &&
77 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
78 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
79 e->e_flags &= ~EF_OLDSTYLE;
80 delimiter = ' ';
81 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
82 delimiter = ',';
83
84 firstone = TRUE;
85 al = NULL;
86 naddrs = 0;
87
88 /* make sure we have enough space to copy the string */
89 i = strlen(list) + 1;
90 if (i <= sizeof buf)
91 bufp = buf;
92 else
93 bufp = xalloc(i);
94 strcpy(bufp, denlstring(list, FALSE, TRUE));
95
96 for (p = bufp; *p != '\0'; )
97 {
98 auto char *delimptr;
99 register ADDRESS *a;
100
101 /* parse the address */
102 while ((isascii(*p) && isspace(*p)) || *p == ',')
103 p++;
104 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
105 p = delimptr;
106 if (a == NULL)
107 continue;
108 a->q_next = al;
109 a->q_alias = ctladdr;
110
111 /* arrange to inherit attributes from parent */
112 if (ctladdr != NULL)
113 {
114 /* self reference test */
115 if (sameaddr(ctladdr, a))
116 ctladdr->q_flags |= QSELFREF;
117
118 /* full name */
119 if (a->q_fullname == NULL)
120 a->q_fullname = ctladdr->q_fullname;
121
122 /* various flag bits */
123 a->q_flags &= ~QINHERITEDBITS;
124 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
125
126 /* original recipient information */
127 a->q_orcpt = ctladdr->q_orcpt;
128 }
129
130 al = a;
131 firstone = FALSE;
132 }
133
134 /* arrange to send to everyone on the local send list */
135 while (al != NULL)
136 {
137 register ADDRESS *a = al;
138
139 al = a->q_next;
140 a = recipient(a, sendq, aliaslevel, e);
141 naddrs++;
142 }
143
144 e->e_to = oldto;
145 if (bufp != buf)
146 free(bufp);
147 return (naddrs);
148 }
149 �/*
150 ** RECIPIENT -- Designate a message recipient
151 **
152 ** Saves the named person for future mailing.
153 **
154 ** Parameters:
155 ** a -- the (preparsed) address header for the recipient.
156 ** sendq -- a pointer to the head of a queue to put the
157 ** recipient in. Duplicate supression is done
158 ** in this queue.
159 ** aliaslevel -- the current alias nesting depth.
160 ** e -- the current envelope.
161 **
162 ** Returns:
163 ** The actual address in the queue. This will be "a" if
164 ** the address is not a duplicate, else the original address.
165 **
166 ** Side Effects:
167 ** none.
168 */
169
170 ADDRESS *
171 recipient(a, sendq, aliaslevel, e)
172 register ADDRESS *a;
173 register ADDRESS **sendq;
174 int aliaslevel;
175 register ENVELOPE *e;
176 {
177 register ADDRESS *q;
178 ADDRESS **pq;
179 register struct mailer *m;
180 register char *p;
181 bool quoted = FALSE; /* set if the addr has a quote bit */
182 int findusercount = 0;
183 bool initialdontsend = bitset(QDONTSEND, a->q_flags);
184 int i;
185 char *buf;
186 char buf0[MAXNAME + 1]; /* unquoted image of the user name */
187 extern int safefile();
188
189 e->e_to = a->q_paddr;
190 m = a->q_mailer;
191 errno = 0;
192 if (aliaslevel == 0)
193 a->q_flags |= QPRIMARY;
194 if (tTd(26, 1))
195 {
196 printf("\nrecipient (%d): ", aliaslevel);
197 printaddr(a, FALSE);
198 }
199
200 /* if this is primary, add it to the original recipient list */
201 if (a->q_alias == NULL)
202 {
203 if (e->e_origrcpt == NULL)
204 e->e_origrcpt = a->q_paddr;
205 else if (e->e_origrcpt != a->q_paddr)
206 e->e_origrcpt = "";
207 }
208
209 /* break aliasing loops */
210 if (aliaslevel > MAXRCRSN)
211 {
212 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
213 aliaslevel, MAXRCRSN);
214 return (a);
215 }
216
217 /*
218 ** Finish setting up address structure.
219 */
220
221 /* get unquoted user for file, program or user.name check */
222 i = strlen(a->q_user);
223 if (i >= sizeof buf0)
224 buf = xalloc(i + 1);
225 else
226 buf = buf0;
227 (void) strcpy(buf, a->q_user);
228 for (p = buf; *p != '\0' && !quoted; p++)
229 {
230 if (*p == '\\')
231 quoted = TRUE;
232 }
233 stripquotes(buf);
234
235 /* check for direct mailing to restricted mailers */
236 if (m == ProgMailer)
237 {
238 if (a->q_alias == NULL)
239 {
240 a->q_flags |= QBADADDR;
241 usrerr("550 Cannot mail directly to programs");
242 }
243 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
244 {
245 a->q_flags |= QBADADDR;
246 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
247 a->q_alias->q_ruser, MyHostName);
248 }
249 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
250 {
251 a->q_flags |= QBADADDR;
252 usrerr("550 Address %s is unsafe for mailing to programs",
253 a->q_alias->q_paddr);
254 }
255 }
256
257 /*
258 ** Look up this person in the recipient list.
259 ** If they are there already, return, otherwise continue.
260 ** If the list is empty, just add it. Notice the cute
261 ** hack to make from addresses suppress things correctly:
262 ** the QDONTSEND bit will be set in the send list.
263 ** [Please note: the emphasis is on "hack."]
264 */
265
266 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
267 {
268 if (sameaddr(q, a))
269 {
270 if (tTd(26, 1))
271 {
272 printf("%s in sendq: ", a->q_paddr);
273 printaddr(q, FALSE);
274 }
275 if (!bitset(QPRIMARY, q->q_flags))
276 {
277 if (!bitset(QDONTSEND, a->q_flags))
278 message("duplicate suppressed");
279 q->q_flags |= a->q_flags;
280 }
281 else if (bitset(QSELFREF, q->q_flags))
282 q->q_flags |= a->q_flags & ~QDONTSEND;
283 a = q;
284 goto done;
285 }
286 }
287
288 /* add address on list */
289 *pq = a;
290 a->q_next = NULL;
291
292 /*
293 ** Alias the name and handle special mailer types.
294 */
295
296 trylocaluser:
297 if (tTd(29, 7))
298 printf("at trylocaluser %s\n", a->q_user);
299
300 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
301 goto testselfdestruct;
302
303 if (m == InclMailer)
304 {
305 a->q_flags |= QDONTSEND;
306 if (a->q_alias == NULL)
307 {
308 a->q_flags |= QBADADDR;
309 usrerr("550 Cannot mail directly to :include:s");
310 }
311 else
312 {
313 int ret;
314
315 message("including file %s", a->q_user);
316 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
317 if (transienterror(ret))
318 {
319 #ifdef LOG
320 if (LogLevel > 2)
321 syslog(LOG_ERR, "%s: include %s: transient error: %s",
322 e->e_id == NULL ? "NOQUEUE" : e->e_id,
323 a->q_user, errstring(ret));
324 #endif
325 a->q_flags |= QQUEUEUP;
326 a->q_flags &= ~QDONTSEND;
327 usrerr("451 Cannot open %s: %s",
328 a->q_user, errstring(ret));
329 }
330 else if (ret != 0)
331 {
332 a->q_flags |= QBADADDR;
333 usrerr("550 Cannot open %s: %s",
334 a->q_user, errstring(ret));
335 }
336 }
337 }
338 else if (m == FileMailer)
339 {
340 extern bool writable();
341
342 /* check if writable or creatable */
343 if (a->q_alias == NULL)
344 {
345 a->q_flags |= QBADADDR;
346 usrerr("550 Cannot mail directly to files");
347 }
348 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
349 {
350 a->q_flags |= QBADADDR;
351 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
352 a->q_alias->q_ruser, MyHostName);
353 }
354 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
355 {
356 a->q_flags |= QBADADDR;
357 usrerr("550 Address %s is unsafe for mailing to files",
358 a->q_alias->q_paddr);
359 }
360 else if (!writable(buf, getctladdr(a), SFF_CREAT))
361 {
362 a->q_flags |= QBADADDR;
363 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
364 (time_t) 0, e);
365 }
366 }
367
368 /* try aliasing */
369 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
370 alias(a, sendq, aliaslevel, e);
371
372 # ifdef USERDB
373 /* if not aliased, look it up in the user database */
374 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
375 bitnset(M_CHECKUDB, m->m_flags))
376 {
377 extern int udbexpand();
378
379 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
380 {
381 a->q_flags |= QQUEUEUP;
382 if (e->e_message == NULL)
383 e->e_message = newstr("Deferred: user database error");
384 # ifdef LOG
385 if (LogLevel > 8)
386 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
387 e->e_id == NULL ? "NOQUEUE" : e->e_id,
388 errstring(errno));
389 # endif
390 message("queued (user database error): %s",
391 errstring(errno));
392 e->e_nrcpts++;
393 goto testselfdestruct;
394 }
395 }
396 # endif
397
398 /*
399 ** If we have a level two config file, then pass the name through
400 ** Ruleset 5 before sending it off. Ruleset 5 has the right
401 ** to send rewrite it to another mailer. This gives us a hook
402 ** after local aliasing has been done.
403 */
404
405 if (tTd(29, 5))
406 {
407 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
408 ConfigLevel, RewriteRules[5]);
409 printaddr(a, FALSE);
410 }
411 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
412 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
413 bitnset(M_TRYRULESET5, m->m_flags))
414 {
415 maplocaluser(a, sendq, aliaslevel + 1, e);
416 }
417
418 /*
419 ** If it didn't get rewritten to another mailer, go ahead
420 ** and deliver it.
421 */
422
423 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
424 bitnset(M_HASPWENT, m->m_flags))
425 {
426 auto bool fuzzy;
427 register struct passwd *pw;
428 extern struct passwd *finduser();
429
430 /* warning -- finduser may trash buf */
431 pw = finduser(buf, &fuzzy);
432 if (pw == NULL)
433 {
434 a->q_flags |= QBADADDR;
435 giveresponse(EX_NOUSER, m, NULL, a->q_alias,
436 (time_t) 0, e);
437 }
438 else
439 {
440 char nbuf[MAXNAME + 1];
441
442 if (fuzzy)
443 {
444 /* name was a fuzzy match */
445 a->q_user = newstr(pw->pw_name);
446 if (findusercount++ > 3)
447 {
448 a->q_flags |= QBADADDR;
449 usrerr("554 aliasing/forwarding loop for %s broken",
450 pw->pw_name);
451 goto done;
452 }
453
454 /* see if it aliases */
455 (void) strcpy(buf, pw->pw_name);
456 goto trylocaluser;
457 }
458 if (strcmp(pw->pw_dir, "/") == 0)
459 a->q_home = "";
460 else
461 a->q_home = newstr(pw->pw_dir);
462 a->q_uid = pw->pw_uid;
463 a->q_gid = pw->pw_gid;
464 a->q_ruser = newstr(pw->pw_name);
465 a->q_flags |= QGOODUID;
466 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
467 if (nbuf[0] != '\0')
468 a->q_fullname = newstr(nbuf);
469 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
470 !usershellok(pw->pw_shell))
471 {
472 a->q_flags |= QBOGUSSHELL;
473 }
474 if (!quoted)
475 forward(a, sendq, aliaslevel, e);
476 }
477 }
478 if (!bitset(QDONTSEND, a->q_flags))
479 e->e_nrcpts++;
480
481 testselfdestruct:
482 a->q_flags |= QTHISPASS;
483 if (tTd(26, 8))
484 {
485 printf("testselfdestruct: ");
486 printaddr(a, FALSE);
487 if (tTd(26, 10))
488 {
489 printf("SENDQ:\n");
490 printaddr(*sendq, TRUE);
491 printf("----\n");
492 }
493 }
494 if (a->q_alias == NULL && a != &e->e_from &&
495 bitset(QDONTSEND, a->q_flags))
496 {
497 for (q = *sendq; q != NULL; q = q->q_next)
498 {
499 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) &&
500 bitset(QTHISPASS, q->q_flags))
501 break;
502 }
503 if (q == NULL)
504 {
505 a->q_flags |= QBADADDR;
506 usrerr("554 aliasing/forwarding loop broken");
507 }
508 }
509
510 done:
511 a->q_flags |= QTHISPASS;
512 if (buf != buf0)
513 free(buf);
514
515 /*
516 ** If we are at the top level, check to see if this has
517 ** expanded to exactly one address. If so, it can inherit
518 ** the primaryness of the address.
519 **
520 ** While we're at it, clear the QTHISPASS bits.
521 */
522
523 if (aliaslevel == 0)
524 {
525 int nrcpts = 0;
526 ADDRESS *only;
527
528 for (q = *sendq; q != NULL; q = q->q_next)
529 {
530 if (bitset(QTHISPASS, q->q_flags) &&
531 !bitset(QDONTSEND|QBADADDR, q->q_flags))
532 {
533 nrcpts++;
534 only = q;
535 }
536 q->q_flags &= ~QTHISPASS;
537 }
538 if (nrcpts == 1)
539 only->q_flags |= QPRIMARY;
540 else if (!initialdontsend)
541 {
542 /* arrange for return receipt */
543 e->e_flags |= EF_SENDRECEIPT;
544 a->q_flags |= QEXPLODED;
545 if (e->e_xfp != NULL)
546 fprintf(e->e_xfp,
547 "%s... expanded to multiple addresses\n",
548 a->q_paddr);
549 }
550 }
551
552 return (a);
553 }
554 �/*
555 ** FINDUSER -- find the password entry for a user.
556 **
557 ** This looks a lot like getpwnam, except that it may want to
558 ** do some fancier pattern matching in /etc/passwd.
559 **
560 ** This routine contains most of the time of many sendmail runs.
561 ** It deserves to be optimized.
562 **
563 ** Parameters:
564 ** name -- the name to match against.
565 ** fuzzyp -- an outarg that is set to TRUE if this entry
566 ** was found using the fuzzy matching algorithm;
567 ** set to FALSE otherwise.
568 **
569 ** Returns:
570 ** A pointer to a pw struct.
571 ** NULL if name is unknown or ambiguous.
572 **
573 ** Side Effects:
574 ** may modify name.
575 */
576
577 struct passwd *
578 finduser(name, fuzzyp)
579 char *name;
580 bool *fuzzyp;
581 {
582 register struct passwd *pw;
583 register char *p;
584
585 if (tTd(29, 4))
586 printf("finduser(%s): ", name);
587
588 *fuzzyp = FALSE;
589
590 #ifdef HESIOD
591 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
592 for (p = name; *p != '\0'; p++)
593 if (!isascii(*p) || !isdigit(*p))
594 break;
595 if (*p == '\0')
596 {
597 if (tTd(29, 4))
598 printf("failed (numeric input)\n");
599 return NULL;
600 }
601 #endif
602
603 /* look up this login name using fast path */
604 if ((pw = sm_getpwnam(name)) != NULL)
605 {
606 if (tTd(29, 4))
607 printf("found (non-fuzzy)\n");
608 return (pw);
609 }
610
611 #ifdef MATCHGECOS
612 /* see if fuzzy matching allowed */
613 if (!MatchGecos)
614 {
615 if (tTd(29, 4))
616 printf("not found (fuzzy disabled)\n");
617 return NULL;
618 }
619
620 /* search for a matching full name instead */
621 for (p = name; *p != '\0'; p++)
622 {
623 if (*p == (SpaceSub & 0177) || *p == '_')
624 *p = ' ';
625 }
626 (void) setpwent();
627 while ((pw = getpwent()) != NULL)
628 {
629 char buf[MAXNAME + 1];
630
631 buildfname(pw->pw_gecos, pw->pw_name, buf);
632 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
633 {
634 if (tTd(29, 4))
635 printf("fuzzy matches %s\n", pw->pw_name);
636 message("sending to login name %s", pw->pw_name);
637 *fuzzyp = TRUE;
638 return (pw);
639 }
640 }
641 if (tTd(29, 4))
642 printf("no fuzzy match found\n");
643 #else
644 if (tTd(29, 4))
645 printf("not found (fuzzy disabled)\n");
646 #endif
647 return (NULL);
648 }
649 �/*
650 ** WRITABLE -- predicate returning if the file is writable.
651 **
652 ** This routine must duplicate the algorithm in sys/fio.c.
653 ** Unfortunately, we cannot use the access call since we
654 ** won't necessarily be the real uid when we try to
655 ** actually open the file.
656 **
657 ** Notice that ANY file with ANY execute bit is automatically
658 ** not writable. This is also enforced by mailfile.
659 **
660 ** Parameters:
661 ** filename -- the file name to check.
662 ** ctladdr -- the controlling address for this file.
663 ** flags -- SFF_* flags to control the function.
664 **
665 ** Returns:
666 ** TRUE -- if we will be able to write this file.
667 ** FALSE -- if we cannot write this file.
668 **
669 ** Side Effects:
670 ** none.
671 */
672
673 bool
674 writable(filename, ctladdr, flags)
675 char *filename;
676 ADDRESS *ctladdr;
677 int flags;
678 {
679 uid_t euid;
680 gid_t egid;
681 int bits;
682 register char *p;
683 char *uname;
684
685 if (tTd(29, 5))
686 printf("writable(%s, 0x%x)\n", filename, flags);
687
688 #ifdef SUID_ROOT_FILES_OK
689 /* really ought to be passed down -- and not a good idea */
690 flags |= SFF_ROOTOK;
691 #endif
692
693 /*
694 ** File does exist -- check that it is writable.
695 */
696
697 if (ctladdr != NULL && geteuid() == 0)
698 {
699 euid = ctladdr->q_uid;
700 egid = ctladdr->q_gid;
701 uname = ctladdr->q_user;
702 }
703 else if (bitset(SFF_RUNASREALUID, flags))
704 {
705 extern char RealUserName[];
706
707 euid = RealUid;
708 egid = RealGid;
709 uname = RealUserName;
710 }
711 else if (FileMailer != NULL)
712 {
713 euid = FileMailer->m_uid;
714 egid = FileMailer->m_gid;
715 }
716 else
717 {
718 euid = egid = 0;
719 }
720 if (euid == 0)
721 {
722 euid = DefUid;
723 uname = DefUser;
724 }
725 if (egid == 0)
726 egid = DefGid;
727 if (geteuid() == 0)
728 flags |= SFF_SETUIDOK;
729
730 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL);
731 return errno == 0;
732 }
733 �/*
734 ** INCLUDE -- handle :include: specification.
735 **
736 ** Parameters:
737 ** fname -- filename to include.
738 ** forwarding -- if TRUE, we are reading a .forward file.
739 ** if FALSE, it's a :include: file.
740 ** ctladdr -- address template to use to fill in these
741 ** addresses -- effective user/group id are
742 ** the important things.
743 ** sendq -- a pointer to the head of the send queue
744 ** to put these addresses in.
745 ** aliaslevel -- the alias nesting depth.
746 ** e -- the current envelope.
747 **
748 ** Returns:
749 ** open error status
750 **
751 ** Side Effects:
752 ** reads the :include: file and sends to everyone
753 ** listed in that file.
754 **
755 ** Security Note:
756 ** If you have restricted chown (that is, you can't
757 ** give a file away), it is reasonable to allow programs
758 ** and files called from this :include: file to be to be
759 ** run as the owner of the :include: file. This is bogus
760 ** if there is any chance of someone giving away a file.
761 ** We assume that pre-POSIX systems can give away files.
762 **
763 ** There is an additional restriction that if you
764 ** forward to a :include: file, it will not take on
765 ** the ownership of the :include: file. This may not
766 ** be necessary, but shouldn't hurt.
767 */
768
769 static jmp_buf CtxIncludeTimeout;
770 static void includetimeout();
771
772 int
773 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
774 char *fname;
775 bool forwarding;
776 ADDRESS *ctladdr;
777 ADDRESS **sendq;
778 int aliaslevel;
779 ENVELOPE *e;
780 {
781 FILE *fp = NULL;
782 char *oldto = e->e_to;
783 char *oldfilename = FileName;
784 int oldlinenumber = LineNumber;
785 register EVENT *ev = NULL;
786 int nincludes;
787 register ADDRESS *ca;
788 uid_t saveduid, uid;
789 gid_t savedgid, gid;
790 char *uname;
791 int rval = 0;
792 int sfflags = SFF_REGONLY;
793 struct stat st;
794 char buf[MAXLINE];
795 #ifdef _POSIX_CHOWN_RESTRICTED
796 # if _POSIX_CHOWN_RESTRICTED == -1
797 # define safechown FALSE
798 # else
799 # define safechown TRUE
800 # endif
801 #else
802 # ifdef _PC_CHOWN_RESTRICTED
803 bool safechown;
804 # else
805 # ifdef BSD
806 # define safechown TRUE
807 # else
808 # define safechown FALSE
809 # endif
810 # endif
811 #endif
812 extern bool chownsafe();
813
814 if (tTd(27, 2))
815 printf("include(%s)\n", fname);
816 if (tTd(27, 4))
817 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
818 if (tTd(27, 14))
819 {
820 printf("ctladdr ");
821 printaddr(ctladdr, FALSE);
822 }
823
824 if (tTd(27, 9))
825 printf("include: old uid = %d/%d\n", getuid(), geteuid());
826
827 if (forwarding)
828 sfflags |= SFF_MUSTOWN;
829
830 ca = getctladdr(ctladdr);
831 if (ca == NULL)
832 {
833 uid = DefUid;
834 gid = DefGid;
835 uname = DefUser;
836 }
837 else
838 {
839 uid = ca->q_uid;
840 gid = ca->q_gid;
841 uname = ca->q_user;
842 }
843 #ifdef HASSETREUID
844 saveduid = geteuid();
845 savedgid = getegid();
846 if (saveduid == 0)
847 {
848 initgroups(uname, gid);
849 if (uid != 0)
850 {
851 if (setreuid(0, uid) < 0)
852 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
853 uid, getuid(), geteuid());
854 else
855 sfflags |= SFF_NOPATHCHECK;
856 }
857 }
858 #endif
859
860 if (tTd(27, 9))
861 printf("include: new uid = %d/%d\n", getuid(), geteuid());
862
863 /*
864 ** If home directory is remote mounted but server is down,
865 ** this can hang or give errors; use a timeout to avoid this
866 */
867
868 if (setjmp(CtxIncludeTimeout) != 0)
869 {
870 ctladdr->q_flags |= QQUEUEUP;
871 errno = 0;
872
873 /* return pseudo-error code */
874 rval = EOPENTIMEOUT;
875 goto resetuid;
876 }
877 if (TimeOuts.to_fileopen > 0)
878 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
879 else
880 ev = NULL;
881
882 /* the input file must be marked safe */
883 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL);
884 if (rval != 0)
885 {
886 /* don't use this :include: file */
887 if (tTd(27, 4))
888 printf("include: not safe (uid=%d): %s\n",
889 uid, errstring(rval));
890 }
891 else
892 {
893 fp = fopen(fname, "r");
894 if (fp == NULL)
895 {
896 rval = errno;
897 if (tTd(27, 4))
898 printf("include: open: %s\n", errstring(rval));
899 }
900 }
901 if (ev != NULL)
902 clrevent(ev);
903
904 resetuid:
905
906 #ifdef HASSETREUID
907 if (saveduid == 0)
908 {
909 if (uid != 0)
910 {
911 if (setreuid(-1, 0) < 0)
912 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
913 getuid(), geteuid());
914 if (setreuid(RealUid, 0) < 0)
915 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
916 RealUid, getuid(), geteuid());
917 }
918 setgid(savedgid);
919 }
920 #endif
921
922 if (tTd(27, 9))
923 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
924
925 if (rval == EOPENTIMEOUT)
926 usrerr("451 open timeout on %s", fname);
927
928 if (fp == NULL)
929 return rval;
930
931 if (fstat(fileno(fp), &st) < 0)
932 {
933 rval = errno;
934 syserr("Cannot fstat %s!", fname);
935 return rval;
936 }
937
938 #ifndef safechown
939 safechown = chownsafe(fileno(fp));
940 #endif
941 if (ca == NULL && safechown)
942 {
943 ctladdr->q_uid = st.st_uid;
944 ctladdr->q_gid = st.st_gid;
945 ctladdr->q_flags |= QGOODUID;
946 }
947 if (ca != NULL && ca->q_uid == st.st_uid)
948 {
949 /* optimization -- avoid getpwuid if we already have info */
950 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
951 ctladdr->q_ruser = ca->q_ruser;
952 }
953 else
954 {
955 register struct passwd *pw;
956
957 pw = sm_getpwuid(st.st_uid);
958 if (pw == NULL)
959 ctladdr->q_flags |= QBOGUSSHELL;
960 else
961 {
962 char *sh;
963
964 ctladdr->q_ruser = newstr(pw->pw_name);
965 if (safechown)
966 sh = pw->pw_shell;
967 else
968 sh = "/SENDMAIL/ANY/SHELL/";
969 if (!usershellok(sh))
970 {
971 if (safechown)
972 ctladdr->q_flags |= QBOGUSSHELL;
973 else
974 ctladdr->q_flags |= QUNSAFEADDR;
975 }
976 }
977 }
978
979 if (bitset(EF_VRFYONLY, e->e_flags))
980 {
981 /* don't do any more now */
982 ctladdr->q_flags |= QVERIFIED;
983 e->e_nrcpts++;
984 xfclose(fp, "include", fname);
985 return rval;
986 }
987
988 /*
989 ** Check to see if some bad guy can write this file
990 **
991 ** This should really do something clever with group
992 ** permissions; currently we just view world writable
993 ** as unsafe. Also, we don't check for writable
994 ** directories in the path. We've got to leave
995 ** something for the local sysad to do.
996 */
997
998 if (bitset(S_IWOTH, st.st_mode))
999 ctladdr->q_flags |= QUNSAFEADDR;
1000
1001 /* read the file -- each line is a comma-separated list. */
1002 FileName = fname;
1003 LineNumber = 0;
1004 ctladdr->q_flags &= ~QSELFREF;
1005 nincludes = 0;
1006 while (fgets(buf, sizeof buf, fp) != NULL)
1007 {
1008 register char *p = strchr(buf, '\n');
1009
1010 LineNumber++;
1011 if (p != NULL)
1012 *p = '\0';
1013 if (buf[0] == '#' || buf[0] == '\0')
1014 continue;
1015
1016 /* <sp>#@# introduces a comment anywhere */
1017 /* for Japanese character sets */
1018 for (p = buf; (p = strchr(++p, '#')) != NULL; )
1019 {
1020 if (p[1] == '@' && p[2] == '#' &&
1021 isascii(p[-1]) && isspace(p[-1]) &&
1022 isascii(p[3]) && isspace(p[3]))
1023 {
1024 p[-1] = '\0';
1025 break;
1026 }
1027 }
1028 if (buf[0] == '\0')
1029 continue;
1030
1031 e->e_to = NULL;
1032 message("%s to %s",
1033 forwarding ? "forwarding" : "sending", buf);
1034 #ifdef LOG
1035 if (forwarding && LogLevel > 9)
1036 syslog(LOG_INFO, "%s: forward %s => %s",
1037 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1038 oldto, buf);
1039 #endif
1040
1041 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1042 }
1043
1044 if (ferror(fp) && tTd(27, 3))
1045 printf("include: read error: %s\n", errstring(errno));
1046 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1047 {
1048 if (tTd(27, 5))
1049 {
1050 printf("include: QDONTSEND ");
1051 printaddr(ctladdr, FALSE);
1052 }
1053 ctladdr->q_flags |= QDONTSEND;
1054 }
1055
1056 (void) xfclose(fp, "include", fname);
1057 FileName = oldfilename;
1058 LineNumber = oldlinenumber;
1059 e->e_to = oldto;
1060 return rval;
1061 }
1062
1063 static void
1064 includetimeout()
1065 {
1066 longjmp(CtxIncludeTimeout, 1);
1067 }
1068 �/*
1069 ** SENDTOARGV -- send to an argument vector.
1070 **
1071 ** Parameters:
1072 ** argv -- argument vector to send to.
1073 ** e -- the current envelope.
1074 **
1075 ** Returns:
1076 ** none.
1077 **
1078 ** Side Effects:
1079 ** puts all addresses on the argument vector onto the
1080 ** send queue.
1081 */
1082
1083 sendtoargv(argv, e)
1084 register char **argv;
1085 register ENVELOPE *e;
1086 {
1087 register char *p;
1088
1089 while ((p = *argv++) != NULL)
1090 {
1091 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1092 }
1093 }
1094 �/*
1095 ** GETCTLADDR -- get controlling address from an address header.
1096 **
1097 ** If none, get one corresponding to the effective userid.
1098 **
1099 ** Parameters:
1100 ** a -- the address to find the controller of.
1101 **
1102 ** Returns:
1103 ** the controlling address.
1104 **
1105 ** Side Effects:
1106 ** none.
1107 */
1108
1109 ADDRESS *
1110 getctladdr(a)
1111 register ADDRESS *a;
1112 {
1113 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1114 a = a->q_alias;
1115 return (a);
1116 }
1117