1 /* 2 * Copyright (c) 1983 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.50 (Berkeley) 10/20/94"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 # include <pwd.h> 15 16 /* 17 ** SENDTOLIST -- Designate a send list. 18 ** 19 ** The parameter is a comma-separated list of people to send to. 20 ** This routine arranges to send to all of them. 21 ** 22 ** Parameters: 23 ** list -- the send list. 24 ** ctladdr -- the address template for the person to 25 ** send to -- effective uid/gid are important. 26 ** This is typically the alias that caused this 27 ** expansion. 28 ** sendq -- a pointer to the head of a queue to put 29 ** these people into. 30 ** e -- the envelope in which to add these recipients. 31 ** 32 ** Returns: 33 ** The number of addresses actually on the list. 34 ** 35 ** Side Effects: 36 ** none. 37 */ 38 39 # define MAXRCRSN 10 40 41 sendtolist(list, ctladdr, sendq, e) 42 char *list; 43 ADDRESS *ctladdr; 44 ADDRESS **sendq; 45 register ENVELOPE *e; 46 { 47 register char *p; 48 register ADDRESS *al; /* list of addresses to send to */ 49 bool firstone; /* set on first address sent */ 50 char delimiter; /* the address delimiter */ 51 int naddrs; 52 char *oldto = e->e_to; 53 54 if (list == NULL) 55 { 56 syserr("sendtolist: null list"); 57 return 0; 58 } 59 60 if (tTd(25, 1)) 61 { 62 printf("sendto: %s\n ctladdr=", list); 63 printaddr(ctladdr, FALSE); 64 } 65 66 /* heuristic to determine old versus new style addresses */ 67 if (ctladdr == NULL && 68 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 69 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 70 e->e_flags &= ~EF_OLDSTYLE; 71 delimiter = ' '; 72 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 73 delimiter = ','; 74 75 firstone = TRUE; 76 al = NULL; 77 naddrs = 0; 78 79 for (p = list; *p != '\0'; ) 80 { 81 auto char *delimptr; 82 register ADDRESS *a; 83 84 /* parse the address */ 85 while ((isascii(*p) && isspace(*p)) || *p == ',') 86 p++; 87 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 88 p = delimptr; 89 if (a == NULL) 90 continue; 91 a->q_next = al; 92 a->q_alias = ctladdr; 93 94 /* see if this should be marked as a primary address */ 95 if (ctladdr == NULL || 96 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags))) 97 a->q_flags |= QPRIMARY; 98 99 if (ctladdr != NULL && sameaddr(ctladdr, a)) 100 ctladdr->q_flags |= QSELFREF; 101 al = a; 102 firstone = FALSE; 103 } 104 105 /* arrange to send to everyone on the local send list */ 106 while (al != NULL) 107 { 108 register ADDRESS *a = al; 109 110 al = a->q_next; 111 a = recipient(a, sendq, e); 112 113 /* arrange to inherit full name */ 114 if (a->q_fullname == NULL && ctladdr != NULL) 115 a->q_fullname = ctladdr->q_fullname; 116 naddrs++; 117 } 118 119 e->e_to = oldto; 120 return (naddrs); 121 } 122 /* 123 ** RECIPIENT -- Designate a message recipient 124 ** 125 ** Saves the named person for future mailing. 126 ** 127 ** Parameters: 128 ** a -- the (preparsed) address header for the recipient. 129 ** sendq -- a pointer to the head of a queue to put the 130 ** recipient in. Duplicate supression is done 131 ** in this queue. 132 ** e -- the current envelope. 133 ** 134 ** Returns: 135 ** The actual address in the queue. This will be "a" if 136 ** the address is not a duplicate, else the original address. 137 ** 138 ** Side Effects: 139 ** none. 140 */ 141 142 ADDRESS * 143 recipient(a, sendq, e) 144 register ADDRESS *a; 145 register ADDRESS **sendq; 146 register ENVELOPE *e; 147 { 148 register ADDRESS *q; 149 ADDRESS **pq; 150 register struct mailer *m; 151 register char *p; 152 bool quoted = FALSE; /* set if the addr has a quote bit */ 153 int findusercount = 0; 154 int i; 155 char *buf; 156 char buf0[MAXNAME]; /* unquoted image of the user name */ 157 extern int safefile(); 158 159 e->e_to = a->q_paddr; 160 m = a->q_mailer; 161 errno = 0; 162 if (tTd(26, 1)) 163 { 164 printf("\nrecipient: "); 165 printaddr(a, FALSE); 166 } 167 168 /* if this is primary, add it to the original recipient list */ 169 if (a->q_alias == NULL) 170 { 171 if (e->e_origrcpt == NULL) 172 e->e_origrcpt = a->q_paddr; 173 else if (e->e_origrcpt != a->q_paddr) 174 e->e_origrcpt = ""; 175 } 176 177 /* break aliasing loops */ 178 if (AliasLevel > MAXRCRSN) 179 { 180 usrerr("554 aliasing/forwarding loop broken"); 181 return (a); 182 } 183 184 /* 185 ** Finish setting up address structure. 186 */ 187 188 /* get unquoted user for file, program or user.name check */ 189 i = strlen(a->q_user); 190 if (i >= sizeof buf) 191 buf = xalloc(i + 1); 192 else 193 buf = buf0; 194 (void) strcpy(buf, a->q_user); 195 for (p = buf; *p != '\0' && !quoted; p++) 196 { 197 if (*p == '\\') 198 quoted = TRUE; 199 } 200 stripquotes(buf); 201 202 /* check for direct mailing to restricted mailers */ 203 if (m == ProgMailer) 204 { 205 if (a->q_alias == NULL) 206 { 207 a->q_flags |= QBADADDR; 208 usrerr("550 Cannot mail directly to programs"); 209 } 210 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 211 { 212 a->q_flags |= QBADADDR; 213 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 214 a->q_alias->q_ruser, MyHostName); 215 } 216 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 217 { 218 a->q_flags |= QBADADDR; 219 usrerr("550 Address %s is unsafe for mailing to programs", 220 a->q_alias->q_paddr); 221 } 222 } 223 224 /* 225 ** Look up this person in the recipient list. 226 ** If they are there already, return, otherwise continue. 227 ** If the list is empty, just add it. Notice the cute 228 ** hack to make from addresses suppress things correctly: 229 ** the QDONTSEND bit will be set in the send list. 230 ** [Please note: the emphasis is on "hack."] 231 */ 232 233 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 234 { 235 if (sameaddr(q, a)) 236 { 237 if (tTd(26, 1)) 238 { 239 printf("%s in sendq: ", a->q_paddr); 240 printaddr(q, FALSE); 241 } 242 if (!bitset(QPRIMARY, q->q_flags)) 243 { 244 if (!bitset(QDONTSEND, a->q_flags)) 245 message("duplicate suppressed"); 246 q->q_flags |= a->q_flags; 247 } 248 else if (bitset(QSELFREF, q->q_flags)) 249 q->q_flags |= a->q_flags & ~QDONTSEND; 250 a = q; 251 goto testselfdestruct; 252 } 253 } 254 255 /* add address on list */ 256 *pq = a; 257 a->q_next = NULL; 258 259 /* 260 ** Alias the name and handle special mailer types. 261 */ 262 263 trylocaluser: 264 if (tTd(29, 7)) 265 printf("at trylocaluser %s\n", a->q_user); 266 267 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 268 goto testselfdestruct; 269 270 if (m == InclMailer) 271 { 272 a->q_flags |= QDONTSEND; 273 if (a->q_alias == NULL) 274 { 275 a->q_flags |= QBADADDR; 276 usrerr("550 Cannot mail directly to :include:s"); 277 } 278 else 279 { 280 int ret; 281 282 message("including file %s", a->q_user); 283 ret = include(a->q_user, FALSE, a, sendq, e); 284 if (transienterror(ret)) 285 { 286 #ifdef LOG 287 if (LogLevel > 2) 288 syslog(LOG_ERR, "%s: include %s: transient error: %s", 289 e->e_id == NULL ? "NOQUEUE" : e->e_id, 290 a->q_user, errstring(ret)); 291 #endif 292 a->q_flags |= QQUEUEUP; 293 a->q_flags &= ~QDONTSEND; 294 usrerr("451 Cannot open %s: %s", 295 a->q_user, errstring(ret)); 296 } 297 else if (ret != 0) 298 { 299 a->q_flags |= QBADADDR; 300 usrerr("550 Cannot open %s: %s", 301 a->q_user, errstring(ret)); 302 } 303 } 304 } 305 else if (m == FileMailer) 306 { 307 extern bool writable(); 308 309 /* check if writable or creatable */ 310 if (a->q_alias == NULL) 311 { 312 a->q_flags |= QBADADDR; 313 usrerr("550 Cannot mail directly to files"); 314 } 315 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 316 { 317 a->q_flags |= QBADADDR; 318 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 319 a->q_alias->q_ruser, MyHostName); 320 } 321 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 322 { 323 a->q_flags |= QBADADDR; 324 usrerr("550 Address %s is unsafe for mailing to files", 325 a->q_alias->q_paddr); 326 } 327 else if (!writable(buf, getctladdr(a), SFF_ANYFILE)) 328 { 329 a->q_flags |= QBADADDR; 330 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e); 331 } 332 } 333 334 /* try aliasing */ 335 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags)) 336 alias(a, sendq, e); 337 338 # ifdef USERDB 339 /* if not aliased, look it up in the user database */ 340 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) && 341 bitnset(M_CHECKUDB, m->m_flags)) 342 { 343 extern int udbexpand(); 344 345 if (udbexpand(a, sendq, e) == EX_TEMPFAIL) 346 { 347 a->q_flags |= QQUEUEUP; 348 if (e->e_message == NULL) 349 e->e_message = newstr("Deferred: user database error"); 350 # ifdef LOG 351 if (LogLevel > 8) 352 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 353 e->e_id == NULL ? "NOQUEUE" : e->e_id, 354 errstring(errno)); 355 # endif 356 message("queued (user database error): %s", 357 errstring(errno)); 358 e->e_nrcpts++; 359 goto testselfdestruct; 360 } 361 } 362 # endif 363 364 /* 365 ** If we have a level two config file, then pass the name through 366 ** Ruleset 5 before sending it off. Ruleset 5 has the right 367 ** to send rewrite it to another mailer. This gives us a hook 368 ** after local aliasing has been done. 369 */ 370 371 if (tTd(29, 5)) 372 { 373 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 374 ConfigLevel, RewriteRules[5]); 375 printaddr(a, FALSE); 376 } 377 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 378 ConfigLevel >= 2 && RewriteRules[5] != NULL && 379 bitnset(M_TRYRULESET5, m->m_flags)) 380 { 381 maplocaluser(a, sendq, e); 382 } 383 384 /* 385 ** If it didn't get rewritten to another mailer, go ahead 386 ** and deliver it. 387 */ 388 389 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 390 bitnset(M_HASPWENT, m->m_flags)) 391 { 392 auto bool fuzzy; 393 register struct passwd *pw; 394 extern struct passwd *finduser(); 395 396 /* warning -- finduser may trash buf */ 397 pw = finduser(buf, &fuzzy); 398 if (pw == NULL) 399 { 400 a->q_flags |= QBADADDR; 401 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e); 402 } 403 else 404 { 405 char nbuf[MAXNAME]; 406 407 if (fuzzy) 408 { 409 /* name was a fuzzy match */ 410 a->q_user = newstr(pw->pw_name); 411 if (findusercount++ > 3) 412 { 413 a->q_flags |= QBADADDR; 414 usrerr("554 aliasing/forwarding loop for %s broken", 415 pw->pw_name); 416 goto done; 417 } 418 419 /* see if it aliases */ 420 (void) strcpy(buf, pw->pw_name); 421 goto trylocaluser; 422 } 423 if (strcmp(pw->pw_dir, "/") == 0) 424 a->q_home = ""; 425 else 426 a->q_home = newstr(pw->pw_dir); 427 a->q_uid = pw->pw_uid; 428 a->q_gid = pw->pw_gid; 429 a->q_ruser = newstr(pw->pw_name); 430 a->q_flags |= QGOODUID; 431 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 432 if (nbuf[0] != '\0') 433 a->q_fullname = newstr(nbuf); 434 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 435 !usershellok(pw->pw_shell)) 436 { 437 a->q_flags |= QBOGUSSHELL; 438 } 439 if (!quoted) 440 forward(a, sendq, e); 441 } 442 } 443 if (!bitset(QDONTSEND, a->q_flags)) 444 e->e_nrcpts++; 445 446 testselfdestruct: 447 if (tTd(26, 8)) 448 { 449 printf("testselfdestruct: "); 450 printaddr(a, TRUE); 451 } 452 if (a->q_alias == NULL && a != &e->e_from && 453 bitset(QDONTSEND, a->q_flags)) 454 { 455 q = *sendq; 456 while (q != NULL && bitset(QDONTSEND, q->q_flags)) 457 q = q->q_next; 458 if (q == NULL) 459 { 460 a->q_flags |= QBADADDR; 461 usrerr("554 aliasing/forwarding loop broken"); 462 } 463 } 464 465 done: 466 if (buf != buf0) 467 free(buf); 468 return (a); 469 } 470 /* 471 ** FINDUSER -- find the password entry for a user. 472 ** 473 ** This looks a lot like getpwnam, except that it may want to 474 ** do some fancier pattern matching in /etc/passwd. 475 ** 476 ** This routine contains most of the time of many sendmail runs. 477 ** It deserves to be optimized. 478 ** 479 ** Parameters: 480 ** name -- the name to match against. 481 ** fuzzyp -- an outarg that is set to TRUE if this entry 482 ** was found using the fuzzy matching algorithm; 483 ** set to FALSE otherwise. 484 ** 485 ** Returns: 486 ** A pointer to a pw struct. 487 ** NULL if name is unknown or ambiguous. 488 ** 489 ** Side Effects: 490 ** may modify name. 491 */ 492 493 struct passwd * 494 finduser(name, fuzzyp) 495 char *name; 496 bool *fuzzyp; 497 { 498 register struct passwd *pw; 499 register char *p; 500 extern struct passwd *getpwent(); 501 extern struct passwd *getpwnam(); 502 503 if (tTd(29, 4)) 504 printf("finduser(%s): ", name); 505 506 *fuzzyp = FALSE; 507 508 #ifdef HESIOD 509 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 510 for (p = name; *p != '\0'; p++) 511 if (!isascii(*p) || !isdigit(*p)) 512 break; 513 if (*p == '\0') 514 { 515 if (tTd(29, 4)) 516 printf("failed (numeric input)\n"); 517 return NULL; 518 } 519 #endif 520 521 /* look up this login name using fast path */ 522 if ((pw = getpwnam(name)) != NULL) 523 { 524 if (tTd(29, 4)) 525 printf("found (non-fuzzy)\n"); 526 return (pw); 527 } 528 529 #ifdef MATCHGECOS 530 /* see if fuzzy matching allowed */ 531 if (!MatchGecos) 532 { 533 if (tTd(29, 4)) 534 printf("not found (fuzzy disabled)\n"); 535 return NULL; 536 } 537 538 /* search for a matching full name instead */ 539 for (p = name; *p != '\0'; p++) 540 { 541 if (*p == (SpaceSub & 0177) || *p == '_') 542 *p = ' '; 543 } 544 (void) setpwent(); 545 while ((pw = getpwent()) != NULL) 546 { 547 char buf[MAXNAME]; 548 549 buildfname(pw->pw_gecos, pw->pw_name, buf); 550 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 551 { 552 if (tTd(29, 4)) 553 printf("fuzzy matches %s\n", pw->pw_name); 554 message("sending to login name %s", pw->pw_name); 555 *fuzzyp = TRUE; 556 return (pw); 557 } 558 } 559 if (tTd(29, 4)) 560 printf("no fuzzy match found\n"); 561 #else 562 if (tTd(29, 4)) 563 printf("not found (fuzzy disabled)\n"); 564 #endif 565 return (NULL); 566 } 567 /* 568 ** WRITABLE -- predicate returning if the file is writable. 569 ** 570 ** This routine must duplicate the algorithm in sys/fio.c. 571 ** Unfortunately, we cannot use the access call since we 572 ** won't necessarily be the real uid when we try to 573 ** actually open the file. 574 ** 575 ** Notice that ANY file with ANY execute bit is automatically 576 ** not writable. This is also enforced by mailfile. 577 ** 578 ** Parameters: 579 ** filename -- the file name to check. 580 ** ctladdr -- the controlling address for this file. 581 ** flags -- SFF_* flags to control the function. 582 ** 583 ** Returns: 584 ** TRUE -- if we will be able to write this file. 585 ** FALSE -- if we cannot write this file. 586 ** 587 ** Side Effects: 588 ** none. 589 */ 590 591 bool 592 writable(filename, ctladdr, flags) 593 char *filename; 594 ADDRESS *ctladdr; 595 int flags; 596 { 597 uid_t euid; 598 gid_t egid; 599 int bits; 600 register char *p; 601 char *uname; 602 struct stat stb; 603 extern char RealUserName[]; 604 605 if (tTd(29, 5)) 606 printf("writable(%s, %x)\n", filename, flags); 607 608 #ifdef HASLSTAT 609 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb) 610 : stat(filename, &stb)) < 0) 611 #else 612 if (stat(filename, &stb) < 0) 613 #endif 614 { 615 /* file does not exist -- see if directory is safe */ 616 p = strrchr(filename, '/'); 617 if (p == NULL) 618 { 619 errno = ENOTDIR; 620 return FALSE; 621 } 622 *p = '\0'; 623 errno = safefile(filename, RealUid, RealGid, RealUserName, 624 SFF_MUSTOWN, S_IWRITE|S_IEXEC); 625 *p = '/'; 626 return errno == 0; 627 } 628 629 #ifdef SUID_ROOT_FILES_OK 630 /* really ought to be passed down -- and not a good idea */ 631 flags |= SFF_ROOTOK; 632 #endif 633 634 /* 635 ** File does exist -- check that it is writable. 636 */ 637 638 if (bitset(0111, stb.st_mode)) 639 { 640 if (tTd(29, 5)) 641 printf("failed (mode %o: x bits)\n", stb.st_mode); 642 errno = EPERM; 643 return (FALSE); 644 } 645 646 if (ctladdr != NULL && geteuid() == 0) 647 { 648 euid = ctladdr->q_uid; 649 egid = ctladdr->q_gid; 650 uname = ctladdr->q_user; 651 } 652 else 653 { 654 euid = RealUid; 655 egid = RealGid; 656 uname = RealUserName; 657 } 658 if (euid == 0) 659 { 660 euid = DefUid; 661 uname = DefUser; 662 } 663 if (egid == 0) 664 egid = DefGid; 665 if (geteuid() == 0) 666 { 667 if (bitset(S_ISUID, stb.st_mode) && 668 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags))) 669 { 670 euid = stb.st_uid; 671 uname = NULL; 672 } 673 if (bitset(S_ISGID, stb.st_mode) && 674 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags))) 675 egid = stb.st_gid; 676 } 677 678 if (tTd(29, 5)) 679 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n", 680 euid, egid, stb.st_uid, stb.st_gid); 681 682 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE); 683 return errno == 0; 684 } 685 /* 686 ** INCLUDE -- handle :include: specification. 687 ** 688 ** Parameters: 689 ** fname -- filename to include. 690 ** forwarding -- if TRUE, we are reading a .forward file. 691 ** if FALSE, it's a :include: file. 692 ** ctladdr -- address template to use to fill in these 693 ** addresses -- effective user/group id are 694 ** the important things. 695 ** sendq -- a pointer to the head of the send queue 696 ** to put these addresses in. 697 ** 698 ** Returns: 699 ** open error status 700 ** 701 ** Side Effects: 702 ** reads the :include: file and sends to everyone 703 ** listed in that file. 704 ** 705 ** Security Note: 706 ** If you have restricted chown (that is, you can't 707 ** give a file away), it is reasonable to allow programs 708 ** and files called from this :include: file to be to be 709 ** run as the owner of the :include: file. This is bogus 710 ** if there is any chance of someone giving away a file. 711 ** We assume that pre-POSIX systems can give away files. 712 ** 713 ** There is an additional restriction that if you 714 ** forward to a :include: file, it will not take on 715 ** the ownership of the :include: file. This may not 716 ** be necessary, but shouldn't hurt. 717 */ 718 719 static jmp_buf CtxIncludeTimeout; 720 static int includetimeout(); 721 722 #ifndef S_IWOTH 723 # define S_IWOTH (S_IWRITE >> 6) 724 #endif 725 726 int 727 include(fname, forwarding, ctladdr, sendq, e) 728 char *fname; 729 bool forwarding; 730 ADDRESS *ctladdr; 731 ADDRESS **sendq; 732 ENVELOPE *e; 733 { 734 register FILE *fp = NULL; 735 char *oldto = e->e_to; 736 char *oldfilename = FileName; 737 int oldlinenumber = LineNumber; 738 register EVENT *ev = NULL; 739 int nincludes; 740 register ADDRESS *ca; 741 uid_t saveduid, uid; 742 gid_t savedgid, gid; 743 char *uname; 744 int rval = 0; 745 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE; 746 struct stat st; 747 char buf[MAXLINE]; 748 #ifdef _POSIX_CHOWN_RESTRICTED 749 # if _POSIX_CHOWN_RESTRICTED == -1 750 # define safechown FALSE 751 # else 752 # define safechown TRUE 753 # endif 754 #else 755 # ifdef _PC_CHOWN_RESTRICTED 756 bool safechown; 757 # else 758 # ifdef BSD 759 # define safechown TRUE 760 # else 761 # define safechown FALSE 762 # endif 763 # endif 764 #endif 765 extern bool chownsafe(); 766 767 if (tTd(27, 2)) 768 printf("include(%s)\n", fname); 769 if (tTd(27, 4)) 770 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 771 if (tTd(27, 14)) 772 { 773 printf("ctladdr "); 774 printaddr(ctladdr, FALSE); 775 } 776 777 if (tTd(27, 9)) 778 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 779 780 ca = getctladdr(ctladdr); 781 if (ca == NULL) 782 { 783 uid = DefUid; 784 gid = DefGid; 785 uname = DefUser; 786 saveduid = -1; 787 } 788 else 789 { 790 uid = ca->q_uid; 791 gid = ca->q_gid; 792 uname = ca->q_user; 793 #ifdef HASSETREUID 794 saveduid = geteuid(); 795 savedgid = getegid(); 796 if (saveduid == 0) 797 { 798 initgroups(uname, gid); 799 if (uid != 0) 800 { 801 if (setreuid(0, uid) < 0) 802 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 803 uid, getuid(), geteuid()); 804 } 805 } 806 #endif 807 } 808 809 if (tTd(27, 9)) 810 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 811 812 /* 813 ** If home directory is remote mounted but server is down, 814 ** this can hang or give errors; use a timeout to avoid this 815 */ 816 817 if (setjmp(CtxIncludeTimeout) != 0) 818 { 819 ctladdr->q_flags |= QQUEUEUP; 820 errno = 0; 821 822 /* return pseudo-error code */ 823 rval = EOPENTIMEOUT; 824 goto resetuid; 825 } 826 if (TimeOuts.to_fileopen > 0) 827 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0); 828 else 829 ev = NULL; 830 831 /* the input file must be marked safe */ 832 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD); 833 if (rval != 0) 834 { 835 /* don't use this :include: file */ 836 if (tTd(27, 4)) 837 printf("include: not safe (uid=%d): %s\n", 838 uid, errstring(rval)); 839 } 840 else 841 { 842 fp = fopen(fname, "r"); 843 if (fp == NULL) 844 { 845 rval = errno; 846 if (tTd(27, 4)) 847 printf("include: open: %s\n", errstring(rval)); 848 } 849 } 850 if (ev != NULL) 851 clrevent(ev); 852 853 resetuid: 854 855 #ifdef HASSETREUID 856 if (saveduid == 0) 857 { 858 if (uid != 0) 859 { 860 if (setreuid(-1, 0) < 0) 861 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", 862 getuid(), geteuid()); 863 if (setreuid(RealUid, 0) < 0) 864 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 865 RealUid, getuid(), geteuid()); 866 } 867 setgid(savedgid); 868 } 869 #endif 870 871 if (tTd(27, 9)) 872 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 873 874 if (rval == EOPENTIMEOUT) 875 usrerr("451 open timeout on %s", fname); 876 877 if (fp == NULL) 878 return rval; 879 880 if (fstat(fileno(fp), &st) < 0) 881 { 882 rval = errno; 883 syserr("Cannot fstat %s!", fname); 884 return rval; 885 } 886 887 #ifndef safechown 888 safechown = chownsafe(fileno(fp)); 889 #endif 890 if (ca == NULL && safechown) 891 { 892 ctladdr->q_uid = st.st_uid; 893 ctladdr->q_gid = st.st_gid; 894 ctladdr->q_flags |= QGOODUID; 895 } 896 if (ca != NULL && ca->q_uid == st.st_uid) 897 { 898 /* optimization -- avoid getpwuid if we already have info */ 899 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 900 ctladdr->q_ruser = ca->q_ruser; 901 } 902 else 903 { 904 char *sh; 905 register struct passwd *pw; 906 907 sh = "/SENDMAIL/ANY/SHELL/"; 908 pw = getpwuid(st.st_uid); 909 if (pw != NULL) 910 { 911 ctladdr->q_ruser = newstr(pw->pw_name); 912 if (safechown) 913 sh = pw->pw_shell; 914 } 915 if (pw == NULL) 916 ctladdr->q_flags |= QBOGUSSHELL; 917 else if(!usershellok(sh)) 918 { 919 if (safechown) 920 ctladdr->q_flags |= QBOGUSSHELL; 921 else 922 ctladdr->q_flags |= QUNSAFEADDR; 923 } 924 } 925 926 if (bitset(EF_VRFYONLY, e->e_flags)) 927 { 928 /* don't do any more now */ 929 ctladdr->q_flags |= QVERIFIED; 930 e->e_nrcpts++; 931 xfclose(fp, "include", fname); 932 return rval; 933 } 934 935 /* 936 ** Check to see if some bad guy can write this file 937 ** 938 ** This should really do something clever with group 939 ** permissions; currently we just view world writable 940 ** as unsafe. Also, we don't check for writable 941 ** directories in the path. We've got to leave 942 ** something for the local sysad to do. 943 */ 944 945 if (bitset(S_IWOTH, st.st_mode)) 946 ctladdr->q_flags |= QUNSAFEADDR; 947 948 /* read the file -- each line is a comma-separated list. */ 949 FileName = fname; 950 LineNumber = 0; 951 ctladdr->q_flags &= ~QSELFREF; 952 nincludes = 0; 953 while (fgets(buf, sizeof buf, fp) != NULL) 954 { 955 register char *p = strchr(buf, '\n'); 956 957 LineNumber++; 958 if (p != NULL) 959 *p = '\0'; 960 if (buf[0] == '#' || buf[0] == '\0') 961 continue; 962 e->e_to = NULL; 963 message("%s to %s", 964 forwarding ? "forwarding" : "sending", buf); 965 #ifdef LOG 966 if (forwarding && LogLevel > 9) 967 syslog(LOG_INFO, "%s: forward %s => %s", 968 e->e_id == NULL ? "NOQUEUE" : e->e_id, 969 oldto, buf); 970 #endif 971 972 AliasLevel++; 973 nincludes += sendtolist(buf, ctladdr, sendq, e); 974 AliasLevel--; 975 } 976 977 if (ferror(fp) && tTd(27, 3)) 978 printf("include: read error: %s\n", errstring(errno)); 979 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 980 { 981 if (tTd(27, 5)) 982 { 983 printf("include: QDONTSEND "); 984 printaddr(ctladdr, FALSE); 985 } 986 ctladdr->q_flags |= QDONTSEND; 987 } 988 989 (void) xfclose(fp, "include", fname); 990 FileName = oldfilename; 991 LineNumber = oldlinenumber; 992 e->e_to = oldto; 993 return rval; 994 } 995 996 static 997 includetimeout() 998 { 999 longjmp(CtxIncludeTimeout, 1); 1000 } 1001 /* 1002 ** SENDTOARGV -- send to an argument vector. 1003 ** 1004 ** Parameters: 1005 ** argv -- argument vector to send to. 1006 ** e -- the current envelope. 1007 ** 1008 ** Returns: 1009 ** none. 1010 ** 1011 ** Side Effects: 1012 ** puts all addresses on the argument vector onto the 1013 ** send queue. 1014 */ 1015 1016 sendtoargv(argv, e) 1017 register char **argv; 1018 register ENVELOPE *e; 1019 { 1020 register char *p; 1021 1022 while ((p = *argv++) != NULL) 1023 { 1024 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e); 1025 } 1026 } 1027 /* 1028 ** GETCTLADDR -- get controlling address from an address header. 1029 ** 1030 ** If none, get one corresponding to the effective userid. 1031 ** 1032 ** Parameters: 1033 ** a -- the address to find the controller of. 1034 ** 1035 ** Returns: 1036 ** the controlling address. 1037 ** 1038 ** Side Effects: 1039 ** none. 1040 */ 1041 1042 ADDRESS * 1043 getctladdr(a) 1044 register ADDRESS *a; 1045 { 1046 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1047 a = a->q_alias; 1048 return (a); 1049 } 1050