1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.50 (Berkeley) 10/20/94";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** e -- the envelope in which to add these recipients.
31 **
32 ** Returns:
33 ** The number of addresses actually on the list.
34 **
35 ** Side Effects:
36 ** none.
37 */
38
39 # define MAXRCRSN 10
40
41 sendtolist(list, ctladdr, sendq, e)
42 char *list;
43 ADDRESS *ctladdr;
44 ADDRESS **sendq;
45 register ENVELOPE *e;
46 {
47 register char *p;
48 register ADDRESS *al; /* list of addresses to send to */
49 bool firstone; /* set on first address sent */
50 char delimiter; /* the address delimiter */
51 int naddrs;
52 char *oldto = e->e_to;
53
54 if (list == NULL)
55 {
56 syserr("sendtolist: null list");
57 return 0;
58 }
59
60 if (tTd(25, 1))
61 {
62 printf("sendto: %s\n ctladdr=", list);
63 printaddr(ctladdr, FALSE);
64 }
65
66 /* heuristic to determine old versus new style addresses */
67 if (ctladdr == NULL &&
68 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
69 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
70 e->e_flags &= ~EF_OLDSTYLE;
71 delimiter = ' ';
72 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
73 delimiter = ',';
74
75 firstone = TRUE;
76 al = NULL;
77 naddrs = 0;
78
79 for (p = list; *p != '\0'; )
80 {
81 auto char *delimptr;
82 register ADDRESS *a;
83
84 /* parse the address */
85 while ((isascii(*p) && isspace(*p)) || *p == ',')
86 p++;
87 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
88 p = delimptr;
89 if (a == NULL)
90 continue;
91 a->q_next = al;
92 a->q_alias = ctladdr;
93
94 /* see if this should be marked as a primary address */
95 if (ctladdr == NULL ||
96 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
97 a->q_flags |= QPRIMARY;
98
99 if (ctladdr != NULL && sameaddr(ctladdr, a))
100 ctladdr->q_flags |= QSELFREF;
101 al = a;
102 firstone = FALSE;
103 }
104
105 /* arrange to send to everyone on the local send list */
106 while (al != NULL)
107 {
108 register ADDRESS *a = al;
109
110 al = a->q_next;
111 a = recipient(a, sendq, e);
112
113 /* arrange to inherit full name */
114 if (a->q_fullname == NULL && ctladdr != NULL)
115 a->q_fullname = ctladdr->q_fullname;
116 naddrs++;
117 }
118
119 e->e_to = oldto;
120 return (naddrs);
121 }
122 �/*
123 ** RECIPIENT -- Designate a message recipient
124 **
125 ** Saves the named person for future mailing.
126 **
127 ** Parameters:
128 ** a -- the (preparsed) address header for the recipient.
129 ** sendq -- a pointer to the head of a queue to put the
130 ** recipient in. Duplicate supression is done
131 ** in this queue.
132 ** e -- the current envelope.
133 **
134 ** Returns:
135 ** The actual address in the queue. This will be "a" if
136 ** the address is not a duplicate, else the original address.
137 **
138 ** Side Effects:
139 ** none.
140 */
141
142 ADDRESS *
143 recipient(a, sendq, e)
144 register ADDRESS *a;
145 register ADDRESS **sendq;
146 register ENVELOPE *e;
147 {
148 register ADDRESS *q;
149 ADDRESS **pq;
150 register struct mailer *m;
151 register char *p;
152 bool quoted = FALSE; /* set if the addr has a quote bit */
153 int findusercount = 0;
154 int i;
155 char *buf;
156 char buf0[MAXNAME]; /* unquoted image of the user name */
157 extern int safefile();
158
159 e->e_to = a->q_paddr;
160 m = a->q_mailer;
161 errno = 0;
162 if (tTd(26, 1))
163 {
164 printf("\nrecipient: ");
165 printaddr(a, FALSE);
166 }
167
168 /* if this is primary, add it to the original recipient list */
169 if (a->q_alias == NULL)
170 {
171 if (e->e_origrcpt == NULL)
172 e->e_origrcpt = a->q_paddr;
173 else if (e->e_origrcpt != a->q_paddr)
174 e->e_origrcpt = "";
175 }
176
177 /* break aliasing loops */
178 if (AliasLevel > MAXRCRSN)
179 {
180 usrerr("554 aliasing/forwarding loop broken");
181 return (a);
182 }
183
184 /*
185 ** Finish setting up address structure.
186 */
187
188 /* get unquoted user for file, program or user.name check */
189 i = strlen(a->q_user);
190 if (i >= sizeof buf)
191 buf = xalloc(i + 1);
192 else
193 buf = buf0;
194 (void) strcpy(buf, a->q_user);
195 for (p = buf; *p != '\0' && !quoted; p++)
196 {
197 if (*p == '\\')
198 quoted = TRUE;
199 }
200 stripquotes(buf);
201
202 /* check for direct mailing to restricted mailers */
203 if (m == ProgMailer)
204 {
205 if (a->q_alias == NULL)
206 {
207 a->q_flags |= QBADADDR;
208 usrerr("550 Cannot mail directly to programs");
209 }
210 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
211 {
212 a->q_flags |= QBADADDR;
213 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
214 a->q_alias->q_ruser, MyHostName);
215 }
216 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
217 {
218 a->q_flags |= QBADADDR;
219 usrerr("550 Address %s is unsafe for mailing to programs",
220 a->q_alias->q_paddr);
221 }
222 }
223
224 /*
225 ** Look up this person in the recipient list.
226 ** If they are there already, return, otherwise continue.
227 ** If the list is empty, just add it. Notice the cute
228 ** hack to make from addresses suppress things correctly:
229 ** the QDONTSEND bit will be set in the send list.
230 ** [Please note: the emphasis is on "hack."]
231 */
232
233 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
234 {
235 if (sameaddr(q, a))
236 {
237 if (tTd(26, 1))
238 {
239 printf("%s in sendq: ", a->q_paddr);
240 printaddr(q, FALSE);
241 }
242 if (!bitset(QPRIMARY, q->q_flags))
243 {
244 if (!bitset(QDONTSEND, a->q_flags))
245 message("duplicate suppressed");
246 q->q_flags |= a->q_flags;
247 }
248 else if (bitset(QSELFREF, q->q_flags))
249 q->q_flags |= a->q_flags & ~QDONTSEND;
250 a = q;
251 goto testselfdestruct;
252 }
253 }
254
255 /* add address on list */
256 *pq = a;
257 a->q_next = NULL;
258
259 /*
260 ** Alias the name and handle special mailer types.
261 */
262
263 trylocaluser:
264 if (tTd(29, 7))
265 printf("at trylocaluser %s\n", a->q_user);
266
267 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
268 goto testselfdestruct;
269
270 if (m == InclMailer)
271 {
272 a->q_flags |= QDONTSEND;
273 if (a->q_alias == NULL)
274 {
275 a->q_flags |= QBADADDR;
276 usrerr("550 Cannot mail directly to :include:s");
277 }
278 else
279 {
280 int ret;
281
282 message("including file %s", a->q_user);
283 ret = include(a->q_user, FALSE, a, sendq, e);
284 if (transienterror(ret))
285 {
286 #ifdef LOG
287 if (LogLevel > 2)
288 syslog(LOG_ERR, "%s: include %s: transient error: %s",
289 e->e_id == NULL ? "NOQUEUE" : e->e_id,
290 a->q_user, errstring(ret));
291 #endif
292 a->q_flags |= QQUEUEUP;
293 a->q_flags &= ~QDONTSEND;
294 usrerr("451 Cannot open %s: %s",
295 a->q_user, errstring(ret));
296 }
297 else if (ret != 0)
298 {
299 a->q_flags |= QBADADDR;
300 usrerr("550 Cannot open %s: %s",
301 a->q_user, errstring(ret));
302 }
303 }
304 }
305 else if (m == FileMailer)
306 {
307 extern bool writable();
308
309 /* check if writable or creatable */
310 if (a->q_alias == NULL)
311 {
312 a->q_flags |= QBADADDR;
313 usrerr("550 Cannot mail directly to files");
314 }
315 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
316 {
317 a->q_flags |= QBADADDR;
318 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
319 a->q_alias->q_ruser, MyHostName);
320 }
321 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
322 {
323 a->q_flags |= QBADADDR;
324 usrerr("550 Address %s is unsafe for mailing to files",
325 a->q_alias->q_paddr);
326 }
327 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
328 {
329 a->q_flags |= QBADADDR;
330 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
331 }
332 }
333
334 /* try aliasing */
335 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
336 alias(a, sendq, e);
337
338 # ifdef USERDB
339 /* if not aliased, look it up in the user database */
340 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
341 bitnset(M_CHECKUDB, m->m_flags))
342 {
343 extern int udbexpand();
344
345 if (udbexpand(a, sendq, e) == EX_TEMPFAIL)
346 {
347 a->q_flags |= QQUEUEUP;
348 if (e->e_message == NULL)
349 e->e_message = newstr("Deferred: user database error");
350 # ifdef LOG
351 if (LogLevel > 8)
352 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
353 e->e_id == NULL ? "NOQUEUE" : e->e_id,
354 errstring(errno));
355 # endif
356 message("queued (user database error): %s",
357 errstring(errno));
358 e->e_nrcpts++;
359 goto testselfdestruct;
360 }
361 }
362 # endif
363
364 /*
365 ** If we have a level two config file, then pass the name through
366 ** Ruleset 5 before sending it off. Ruleset 5 has the right
367 ** to send rewrite it to another mailer. This gives us a hook
368 ** after local aliasing has been done.
369 */
370
371 if (tTd(29, 5))
372 {
373 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
374 ConfigLevel, RewriteRules[5]);
375 printaddr(a, FALSE);
376 }
377 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
378 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
379 bitnset(M_TRYRULESET5, m->m_flags))
380 {
381 maplocaluser(a, sendq, e);
382 }
383
384 /*
385 ** If it didn't get rewritten to another mailer, go ahead
386 ** and deliver it.
387 */
388
389 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
390 bitnset(M_HASPWENT, m->m_flags))
391 {
392 auto bool fuzzy;
393 register struct passwd *pw;
394 extern struct passwd *finduser();
395
396 /* warning -- finduser may trash buf */
397 pw = finduser(buf, &fuzzy);
398 if (pw == NULL)
399 {
400 a->q_flags |= QBADADDR;
401 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
402 }
403 else
404 {
405 char nbuf[MAXNAME];
406
407 if (fuzzy)
408 {
409 /* name was a fuzzy match */
410 a->q_user = newstr(pw->pw_name);
411 if (findusercount++ > 3)
412 {
413 a->q_flags |= QBADADDR;
414 usrerr("554 aliasing/forwarding loop for %s broken",
415 pw->pw_name);
416 goto done;
417 }
418
419 /* see if it aliases */
420 (void) strcpy(buf, pw->pw_name);
421 goto trylocaluser;
422 }
423 if (strcmp(pw->pw_dir, "/") == 0)
424 a->q_home = "";
425 else
426 a->q_home = newstr(pw->pw_dir);
427 a->q_uid = pw->pw_uid;
428 a->q_gid = pw->pw_gid;
429 a->q_ruser = newstr(pw->pw_name);
430 a->q_flags |= QGOODUID;
431 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
432 if (nbuf[0] != '\0')
433 a->q_fullname = newstr(nbuf);
434 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
435 !usershellok(pw->pw_shell))
436 {
437 a->q_flags |= QBOGUSSHELL;
438 }
439 if (!quoted)
440 forward(a, sendq, e);
441 }
442 }
443 if (!bitset(QDONTSEND, a->q_flags))
444 e->e_nrcpts++;
445
446 testselfdestruct:
447 if (tTd(26, 8))
448 {
449 printf("testselfdestruct: ");
450 printaddr(a, TRUE);
451 }
452 if (a->q_alias == NULL && a != &e->e_from &&
453 bitset(QDONTSEND, a->q_flags))
454 {
455 q = *sendq;
456 while (q != NULL && bitset(QDONTSEND, q->q_flags))
457 q = q->q_next;
458 if (q == NULL)
459 {
460 a->q_flags |= QBADADDR;
461 usrerr("554 aliasing/forwarding loop broken");
462 }
463 }
464
465 done:
466 if (buf != buf0)
467 free(buf);
468 return (a);
469 }
470 �/*
471 ** FINDUSER -- find the password entry for a user.
472 **
473 ** This looks a lot like getpwnam, except that it may want to
474 ** do some fancier pattern matching in /etc/passwd.
475 **
476 ** This routine contains most of the time of many sendmail runs.
477 ** It deserves to be optimized.
478 **
479 ** Parameters:
480 ** name -- the name to match against.
481 ** fuzzyp -- an outarg that is set to TRUE if this entry
482 ** was found using the fuzzy matching algorithm;
483 ** set to FALSE otherwise.
484 **
485 ** Returns:
486 ** A pointer to a pw struct.
487 ** NULL if name is unknown or ambiguous.
488 **
489 ** Side Effects:
490 ** may modify name.
491 */
492
493 struct passwd *
494 finduser(name, fuzzyp)
495 char *name;
496 bool *fuzzyp;
497 {
498 register struct passwd *pw;
499 register char *p;
500 extern struct passwd *getpwent();
501 extern struct passwd *getpwnam();
502
503 if (tTd(29, 4))
504 printf("finduser(%s): ", name);
505
506 *fuzzyp = FALSE;
507
508 #ifdef HESIOD
509 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
510 for (p = name; *p != '\0'; p++)
511 if (!isascii(*p) || !isdigit(*p))
512 break;
513 if (*p == '\0')
514 {
515 if (tTd(29, 4))
516 printf("failed (numeric input)\n");
517 return NULL;
518 }
519 #endif
520
521 /* look up this login name using fast path */
522 if ((pw = getpwnam(name)) != NULL)
523 {
524 if (tTd(29, 4))
525 printf("found (non-fuzzy)\n");
526 return (pw);
527 }
528
529 #ifdef MATCHGECOS
530 /* see if fuzzy matching allowed */
531 if (!MatchGecos)
532 {
533 if (tTd(29, 4))
534 printf("not found (fuzzy disabled)\n");
535 return NULL;
536 }
537
538 /* search for a matching full name instead */
539 for (p = name; *p != '\0'; p++)
540 {
541 if (*p == (SpaceSub & 0177) || *p == '_')
542 *p = ' ';
543 }
544 (void) setpwent();
545 while ((pw = getpwent()) != NULL)
546 {
547 char buf[MAXNAME];
548
549 buildfname(pw->pw_gecos, pw->pw_name, buf);
550 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
551 {
552 if (tTd(29, 4))
553 printf("fuzzy matches %s\n", pw->pw_name);
554 message("sending to login name %s", pw->pw_name);
555 *fuzzyp = TRUE;
556 return (pw);
557 }
558 }
559 if (tTd(29, 4))
560 printf("no fuzzy match found\n");
561 #else
562 if (tTd(29, 4))
563 printf("not found (fuzzy disabled)\n");
564 #endif
565 return (NULL);
566 }
567 �/*
568 ** WRITABLE -- predicate returning if the file is writable.
569 **
570 ** This routine must duplicate the algorithm in sys/fio.c.
571 ** Unfortunately, we cannot use the access call since we
572 ** won't necessarily be the real uid when we try to
573 ** actually open the file.
574 **
575 ** Notice that ANY file with ANY execute bit is automatically
576 ** not writable. This is also enforced by mailfile.
577 **
578 ** Parameters:
579 ** filename -- the file name to check.
580 ** ctladdr -- the controlling address for this file.
581 ** flags -- SFF_* flags to control the function.
582 **
583 ** Returns:
584 ** TRUE -- if we will be able to write this file.
585 ** FALSE -- if we cannot write this file.
586 **
587 ** Side Effects:
588 ** none.
589 */
590
591 bool
592 writable(filename, ctladdr, flags)
593 char *filename;
594 ADDRESS *ctladdr;
595 int flags;
596 {
597 uid_t euid;
598 gid_t egid;
599 int bits;
600 register char *p;
601 char *uname;
602 struct stat stb;
603 extern char RealUserName[];
604
605 if (tTd(29, 5))
606 printf("writable(%s, %x)\n", filename, flags);
607
608 #ifdef HASLSTAT
609 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
610 : stat(filename, &stb)) < 0)
611 #else
612 if (stat(filename, &stb) < 0)
613 #endif
614 {
615 /* file does not exist -- see if directory is safe */
616 p = strrchr(filename, '/');
617 if (p == NULL)
618 {
619 errno = ENOTDIR;
620 return FALSE;
621 }
622 *p = '\0';
623 errno = safefile(filename, RealUid, RealGid, RealUserName,
624 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
625 *p = '/';
626 return errno == 0;
627 }
628
629 #ifdef SUID_ROOT_FILES_OK
630 /* really ought to be passed down -- and not a good idea */
631 flags |= SFF_ROOTOK;
632 #endif
633
634 /*
635 ** File does exist -- check that it is writable.
636 */
637
638 if (bitset(0111, stb.st_mode))
639 {
640 if (tTd(29, 5))
641 printf("failed (mode %o: x bits)\n", stb.st_mode);
642 errno = EPERM;
643 return (FALSE);
644 }
645
646 if (ctladdr != NULL && geteuid() == 0)
647 {
648 euid = ctladdr->q_uid;
649 egid = ctladdr->q_gid;
650 uname = ctladdr->q_user;
651 }
652 else
653 {
654 euid = RealUid;
655 egid = RealGid;
656 uname = RealUserName;
657 }
658 if (euid == 0)
659 {
660 euid = DefUid;
661 uname = DefUser;
662 }
663 if (egid == 0)
664 egid = DefGid;
665 if (geteuid() == 0)
666 {
667 if (bitset(S_ISUID, stb.st_mode) &&
668 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
669 {
670 euid = stb.st_uid;
671 uname = NULL;
672 }
673 if (bitset(S_ISGID, stb.st_mode) &&
674 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
675 egid = stb.st_gid;
676 }
677
678 if (tTd(29, 5))
679 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
680 euid, egid, stb.st_uid, stb.st_gid);
681
682 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
683 return errno == 0;
684 }
685 �/*
686 ** INCLUDE -- handle :include: specification.
687 **
688 ** Parameters:
689 ** fname -- filename to include.
690 ** forwarding -- if TRUE, we are reading a .forward file.
691 ** if FALSE, it's a :include: file.
692 ** ctladdr -- address template to use to fill in these
693 ** addresses -- effective user/group id are
694 ** the important things.
695 ** sendq -- a pointer to the head of the send queue
696 ** to put these addresses in.
697 **
698 ** Returns:
699 ** open error status
700 **
701 ** Side Effects:
702 ** reads the :include: file and sends to everyone
703 ** listed in that file.
704 **
705 ** Security Note:
706 ** If you have restricted chown (that is, you can't
707 ** give a file away), it is reasonable to allow programs
708 ** and files called from this :include: file to be to be
709 ** run as the owner of the :include: file. This is bogus
710 ** if there is any chance of someone giving away a file.
711 ** We assume that pre-POSIX systems can give away files.
712 **
713 ** There is an additional restriction that if you
714 ** forward to a :include: file, it will not take on
715 ** the ownership of the :include: file. This may not
716 ** be necessary, but shouldn't hurt.
717 */
718
719 static jmp_buf CtxIncludeTimeout;
720 static int includetimeout();
721
722 #ifndef S_IWOTH
723 # define S_IWOTH (S_IWRITE >> 6)
724 #endif
725
726 int
727 include(fname, forwarding, ctladdr, sendq, e)
728 char *fname;
729 bool forwarding;
730 ADDRESS *ctladdr;
731 ADDRESS **sendq;
732 ENVELOPE *e;
733 {
734 register FILE *fp = NULL;
735 char *oldto = e->e_to;
736 char *oldfilename = FileName;
737 int oldlinenumber = LineNumber;
738 register EVENT *ev = NULL;
739 int nincludes;
740 register ADDRESS *ca;
741 uid_t saveduid, uid;
742 gid_t savedgid, gid;
743 char *uname;
744 int rval = 0;
745 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
746 struct stat st;
747 char buf[MAXLINE];
748 #ifdef _POSIX_CHOWN_RESTRICTED
749 # if _POSIX_CHOWN_RESTRICTED == -1
750 # define safechown FALSE
751 # else
752 # define safechown TRUE
753 # endif
754 #else
755 # ifdef _PC_CHOWN_RESTRICTED
756 bool safechown;
757 # else
758 # ifdef BSD
759 # define safechown TRUE
760 # else
761 # define safechown FALSE
762 # endif
763 # endif
764 #endif
765 extern bool chownsafe();
766
767 if (tTd(27, 2))
768 printf("include(%s)\n", fname);
769 if (tTd(27, 4))
770 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
771 if (tTd(27, 14))
772 {
773 printf("ctladdr ");
774 printaddr(ctladdr, FALSE);
775 }
776
777 if (tTd(27, 9))
778 printf("include: old uid = %d/%d\n", getuid(), geteuid());
779
780 ca = getctladdr(ctladdr);
781 if (ca == NULL)
782 {
783 uid = DefUid;
784 gid = DefGid;
785 uname = DefUser;
786 saveduid = -1;
787 }
788 else
789 {
790 uid = ca->q_uid;
791 gid = ca->q_gid;
792 uname = ca->q_user;
793 #ifdef HASSETREUID
794 saveduid = geteuid();
795 savedgid = getegid();
796 if (saveduid == 0)
797 {
798 initgroups(uname, gid);
799 if (uid != 0)
800 {
801 if (setreuid(0, uid) < 0)
802 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
803 uid, getuid(), geteuid());
804 }
805 }
806 #endif
807 }
808
809 if (tTd(27, 9))
810 printf("include: new uid = %d/%d\n", getuid(), geteuid());
811
812 /*
813 ** If home directory is remote mounted but server is down,
814 ** this can hang or give errors; use a timeout to avoid this
815 */
816
817 if (setjmp(CtxIncludeTimeout) != 0)
818 {
819 ctladdr->q_flags |= QQUEUEUP;
820 errno = 0;
821
822 /* return pseudo-error code */
823 rval = EOPENTIMEOUT;
824 goto resetuid;
825 }
826 if (TimeOuts.to_fileopen > 0)
827 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
828 else
829 ev = NULL;
830
831 /* the input file must be marked safe */
832 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
833 if (rval != 0)
834 {
835 /* don't use this :include: file */
836 if (tTd(27, 4))
837 printf("include: not safe (uid=%d): %s\n",
838 uid, errstring(rval));
839 }
840 else
841 {
842 fp = fopen(fname, "r");
843 if (fp == NULL)
844 {
845 rval = errno;
846 if (tTd(27, 4))
847 printf("include: open: %s\n", errstring(rval));
848 }
849 }
850 if (ev != NULL)
851 clrevent(ev);
852
853 resetuid:
854
855 #ifdef HASSETREUID
856 if (saveduid == 0)
857 {
858 if (uid != 0)
859 {
860 if (setreuid(-1, 0) < 0)
861 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
862 getuid(), geteuid());
863 if (setreuid(RealUid, 0) < 0)
864 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
865 RealUid, getuid(), geteuid());
866 }
867 setgid(savedgid);
868 }
869 #endif
870
871 if (tTd(27, 9))
872 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
873
874 if (rval == EOPENTIMEOUT)
875 usrerr("451 open timeout on %s", fname);
876
877 if (fp == NULL)
878 return rval;
879
880 if (fstat(fileno(fp), &st) < 0)
881 {
882 rval = errno;
883 syserr("Cannot fstat %s!", fname);
884 return rval;
885 }
886
887 #ifndef safechown
888 safechown = chownsafe(fileno(fp));
889 #endif
890 if (ca == NULL && safechown)
891 {
892 ctladdr->q_uid = st.st_uid;
893 ctladdr->q_gid = st.st_gid;
894 ctladdr->q_flags |= QGOODUID;
895 }
896 if (ca != NULL && ca->q_uid == st.st_uid)
897 {
898 /* optimization -- avoid getpwuid if we already have info */
899 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
900 ctladdr->q_ruser = ca->q_ruser;
901 }
902 else
903 {
904 char *sh;
905 register struct passwd *pw;
906
907 sh = "/SENDMAIL/ANY/SHELL/";
908 pw = getpwuid(st.st_uid);
909 if (pw != NULL)
910 {
911 ctladdr->q_ruser = newstr(pw->pw_name);
912 if (safechown)
913 sh = pw->pw_shell;
914 }
915 if (pw == NULL)
916 ctladdr->q_flags |= QBOGUSSHELL;
917 else if(!usershellok(sh))
918 {
919 if (safechown)
920 ctladdr->q_flags |= QBOGUSSHELL;
921 else
922 ctladdr->q_flags |= QUNSAFEADDR;
923 }
924 }
925
926 if (bitset(EF_VRFYONLY, e->e_flags))
927 {
928 /* don't do any more now */
929 ctladdr->q_flags |= QVERIFIED;
930 e->e_nrcpts++;
931 xfclose(fp, "include", fname);
932 return rval;
933 }
934
935 /*
936 ** Check to see if some bad guy can write this file
937 **
938 ** This should really do something clever with group
939 ** permissions; currently we just view world writable
940 ** as unsafe. Also, we don't check for writable
941 ** directories in the path. We've got to leave
942 ** something for the local sysad to do.
943 */
944
945 if (bitset(S_IWOTH, st.st_mode))
946 ctladdr->q_flags |= QUNSAFEADDR;
947
948 /* read the file -- each line is a comma-separated list. */
949 FileName = fname;
950 LineNumber = 0;
951 ctladdr->q_flags &= ~QSELFREF;
952 nincludes = 0;
953 while (fgets(buf, sizeof buf, fp) != NULL)
954 {
955 register char *p = strchr(buf, '\n');
956
957 LineNumber++;
958 if (p != NULL)
959 *p = '\0';
960 if (buf[0] == '#' || buf[0] == '\0')
961 continue;
962 e->e_to = NULL;
963 message("%s to %s",
964 forwarding ? "forwarding" : "sending", buf);
965 #ifdef LOG
966 if (forwarding && LogLevel > 9)
967 syslog(LOG_INFO, "%s: forward %s => %s",
968 e->e_id == NULL ? "NOQUEUE" : e->e_id,
969 oldto, buf);
970 #endif
971
972 AliasLevel++;
973 nincludes += sendtolist(buf, ctladdr, sendq, e);
974 AliasLevel--;
975 }
976
977 if (ferror(fp) && tTd(27, 3))
978 printf("include: read error: %s\n", errstring(errno));
979 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
980 {
981 if (tTd(27, 5))
982 {
983 printf("include: QDONTSEND ");
984 printaddr(ctladdr, FALSE);
985 }
986 ctladdr->q_flags |= QDONTSEND;
987 }
988
989 (void) xfclose(fp, "include", fname);
990 FileName = oldfilename;
991 LineNumber = oldlinenumber;
992 e->e_to = oldto;
993 return rval;
994 }
995
996 static
997 includetimeout()
998 {
999 longjmp(CtxIncludeTimeout, 1);
1000 }
1001 �/*
1002 ** SENDTOARGV -- send to an argument vector.
1003 **
1004 ** Parameters:
1005 ** argv -- argument vector to send to.
1006 ** e -- the current envelope.
1007 **
1008 ** Returns:
1009 ** none.
1010 **
1011 ** Side Effects:
1012 ** puts all addresses on the argument vector onto the
1013 ** send queue.
1014 */
1015
1016 sendtoargv(argv, e)
1017 register char **argv;
1018 register ENVELOPE *e;
1019 {
1020 register char *p;
1021
1022 while ((p = *argv++) != NULL)
1023 {
1024 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
1025 }
1026 }
1027 �/*
1028 ** GETCTLADDR -- get controlling address from an address header.
1029 **
1030 ** If none, get one corresponding to the effective userid.
1031 **
1032 ** Parameters:
1033 ** a -- the address to find the controller of.
1034 **
1035 ** Returns:
1036 ** the controlling address.
1037 **
1038 ** Side Effects:
1039 ** none.
1040 */
1041
1042 ADDRESS *
1043 getctladdr(a)
1044 register ADDRESS *a;
1045 {
1046 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1047 a = a->q_alias;
1048 return (a);
1049 }
1050