1 /*
2 * Copyright (c) 1983, 1995 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.84 (Berkeley) 05/18/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14
15 /*
16 ** SENDTOLIST -- Designate a send list.
17 **
18 ** The parameter is a comma-separated list of people to send to.
19 ** This routine arranges to send to all of them.
20 **
21 ** Parameters:
22 ** list -- the send list.
23 ** ctladdr -- the address template for the person to
24 ** send to -- effective uid/gid are important.
25 ** This is typically the alias that caused this
26 ** expansion.
27 ** sendq -- a pointer to the head of a queue to put
28 ** these people into.
29 ** aliaslevel -- the current alias nesting depth -- to
30 ** diagnose loops.
31 ** e -- the envelope in which to add these recipients.
32 **
33 ** Returns:
34 ** The number of addresses actually on the list.
35 **
36 ** Side Effects:
37 ** none.
38 */
39
40 #define MAXRCRSN 10 /* maximum levels of alias recursion */
41
42 /* q_flags bits inherited from ctladdr */
43 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
44
45 int
46 sendtolist(list, ctladdr, sendq, aliaslevel, e)
47 char *list;
48 ADDRESS *ctladdr;
49 ADDRESS **sendq;
50 int aliaslevel;
51 register ENVELOPE *e;
52 {
53 register char *p;
54 register ADDRESS *al; /* list of addresses to send to */
55 bool firstone; /* set on first address sent */
56 char delimiter; /* the address delimiter */
57 int naddrs;
58 int i;
59 char *oldto = e->e_to;
60 char *bufp;
61 char buf[MAXNAME + 1];
62
63 if (list == NULL)
64 {
65 syserr("sendtolist: null list");
66 return 0;
67 }
68
69 if (tTd(25, 1))
70 {
71 printf("sendto: %s\n ctladdr=", list);
72 printaddr(ctladdr, FALSE);
73 }
74
75 /* heuristic to determine old versus new style addresses */
76 if (ctladdr == NULL &&
77 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
78 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
79 e->e_flags &= ~EF_OLDSTYLE;
80 delimiter = ' ';
81 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
82 delimiter = ',';
83
84 firstone = TRUE;
85 al = NULL;
86 naddrs = 0;
87
88 /* make sure we have enough space to copy the string */
89 i = strlen(list) + 1;
90 if (i <= sizeof buf)
91 bufp = buf;
92 else
93 bufp = xalloc(i);
94 strcpy(bufp, denlstring(list, FALSE, TRUE));
95
96 for (p = bufp; *p != '\0'; )
97 {
98 auto char *delimptr;
99 register ADDRESS *a;
100
101 /* parse the address */
102 while ((isascii(*p) && isspace(*p)) || *p == ',')
103 p++;
104 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
105 p = delimptr;
106 if (a == NULL)
107 continue;
108 a->q_next = al;
109 a->q_alias = ctladdr;
110
111 /* arrange to inherit attributes from parent */
112 if (ctladdr != NULL)
113 {
114 ADDRESS *b;
115 extern ADDRESS *self_reference();
116
117 #if 0
118 /* self reference test */
119 if (sameaddr(ctladdr, a))
120 ctladdr->q_flags |= QSELFREF;
121 #endif
122
123 /* check for address loops */
124 b = self_reference(a, e);
125 if (b != NULL)
126 {
127 b->q_flags |= QSELFREF;
128 if (a != b)
129 {
130 a->q_flags |= QDONTSEND;
131 continue;
132 }
133 }
134
135 /* full name */
136 if (a->q_fullname == NULL)
137 a->q_fullname = ctladdr->q_fullname;
138
139 /* various flag bits */
140 a->q_flags &= ~QINHERITEDBITS;
141 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
142
143 /* original recipient information */
144 a->q_orcpt = ctladdr->q_orcpt;
145 }
146
147 al = a;
148 firstone = FALSE;
149 }
150
151 /* arrange to send to everyone on the local send list */
152 while (al != NULL)
153 {
154 register ADDRESS *a = al;
155
156 al = a->q_next;
157 a = recipient(a, sendq, aliaslevel, e);
158 naddrs++;
159 }
160
161 e->e_to = oldto;
162 if (bufp != buf)
163 free(bufp);
164 return (naddrs);
165 }
166 �/*
167 ** RECIPIENT -- Designate a message recipient
168 **
169 ** Saves the named person for future mailing.
170 **
171 ** Parameters:
172 ** a -- the (preparsed) address header for the recipient.
173 ** sendq -- a pointer to the head of a queue to put the
174 ** recipient in. Duplicate supression is done
175 ** in this queue.
176 ** aliaslevel -- the current alias nesting depth.
177 ** e -- the current envelope.
178 **
179 ** Returns:
180 ** The actual address in the queue. This will be "a" if
181 ** the address is not a duplicate, else the original address.
182 **
183 ** Side Effects:
184 ** none.
185 */
186
187 ADDRESS *
188 recipient(a, sendq, aliaslevel, e)
189 register ADDRESS *a;
190 register ADDRESS **sendq;
191 int aliaslevel;
192 register ENVELOPE *e;
193 {
194 register ADDRESS *q;
195 ADDRESS **pq;
196 register struct mailer *m;
197 register char *p;
198 bool quoted = FALSE; /* set if the addr has a quote bit */
199 int findusercount = 0;
200 bool initialdontsend = bitset(QDONTSEND, a->q_flags);
201 int i;
202 char *buf;
203 char buf0[MAXNAME + 1]; /* unquoted image of the user name */
204 extern int safefile();
205
206 e->e_to = a->q_paddr;
207 m = a->q_mailer;
208 errno = 0;
209 if (aliaslevel == 0)
210 a->q_flags |= QPRIMARY;
211 if (tTd(26, 1))
212 {
213 printf("\nrecipient (%d): ", aliaslevel);
214 printaddr(a, FALSE);
215 }
216
217 /* if this is primary, add it to the original recipient list */
218 if (a->q_alias == NULL)
219 {
220 if (e->e_origrcpt == NULL)
221 e->e_origrcpt = a->q_paddr;
222 else if (e->e_origrcpt != a->q_paddr)
223 e->e_origrcpt = "";
224 }
225
226 /* break aliasing loops */
227 if (aliaslevel > MAXRCRSN)
228 {
229 a->q_status = "5.4.6";
230 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
231 aliaslevel, MAXRCRSN);
232 return (a);
233 }
234
235 /*
236 ** Finish setting up address structure.
237 */
238
239 /* get unquoted user for file, program or user.name check */
240 i = strlen(a->q_user);
241 if (i >= sizeof buf0)
242 buf = xalloc(i + 1);
243 else
244 buf = buf0;
245 (void) strcpy(buf, a->q_user);
246 for (p = buf; *p != '\0' && !quoted; p++)
247 {
248 if (*p == '\\')
249 quoted = TRUE;
250 }
251 stripquotes(buf);
252
253 /* check for direct mailing to restricted mailers */
254 if (m == ProgMailer)
255 {
256 if (a->q_alias == NULL)
257 {
258 a->q_flags |= QBADADDR;
259 a->q_status = "5.7.1";
260 usrerr("550 Cannot mail directly to programs");
261 }
262 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
263 {
264 a->q_flags |= QBADADDR;
265 a->q_status = "5.7.1";
266 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
267 a->q_alias->q_ruser, MyHostName);
268 }
269 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
270 {
271 a->q_flags |= QBADADDR;
272 a->q_status = "5.7.1";
273 usrerr("550 Address %s is unsafe for mailing to programs",
274 a->q_alias->q_paddr);
275 }
276 }
277
278 /*
279 ** Look up this person in the recipient list.
280 ** If they are there already, return, otherwise continue.
281 ** If the list is empty, just add it. Notice the cute
282 ** hack to make from addresses suppress things correctly:
283 ** the QDONTSEND bit will be set in the send list.
284 ** [Please note: the emphasis is on "hack."]
285 */
286
287 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
288 {
289 if (sameaddr(q, a))
290 {
291 if (tTd(26, 1))
292 {
293 printf("%s in sendq: ", a->q_paddr);
294 printaddr(q, FALSE);
295 }
296 if (!bitset(QPRIMARY, q->q_flags))
297 {
298 if (!bitset(QDONTSEND, a->q_flags))
299 message("duplicate suppressed");
300 q->q_flags |= a->q_flags;
301 }
302 else if (bitset(QSELFREF, q->q_flags))
303 q->q_flags |= a->q_flags & ~QDONTSEND;
304 a = q;
305 goto done;
306 }
307 }
308
309 /* add address on list */
310 *pq = a;
311 a->q_next = NULL;
312
313 /*
314 ** Alias the name and handle special mailer types.
315 */
316
317 trylocaluser:
318 if (tTd(29, 7))
319 printf("at trylocaluser %s\n", a->q_user);
320
321 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
322 goto testselfdestruct;
323
324 if (m == InclMailer)
325 {
326 a->q_flags |= QDONTSEND;
327 if (a->q_alias == NULL)
328 {
329 a->q_flags |= QBADADDR;
330 a->q_status = "5.7.1";
331 usrerr("550 Cannot mail directly to :include:s");
332 }
333 else
334 {
335 int ret;
336
337 message("including file %s", a->q_user);
338 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
339 if (transienterror(ret))
340 {
341 #ifdef LOG
342 if (LogLevel > 2)
343 syslog(LOG_ERR, "%s: include %s: transient error: %s",
344 e->e_id == NULL ? "NOQUEUE" : e->e_id,
345 a->q_user, errstring(ret));
346 #endif
347 a->q_flags |= QQUEUEUP;
348 a->q_flags &= ~QDONTSEND;
349 usrerr("451 Cannot open %s: %s",
350 a->q_user, errstring(ret));
351 }
352 else if (ret != 0)
353 {
354 a->q_flags |= QBADADDR;
355 a->q_status = "5.2.4";
356 usrerr("550 Cannot open %s: %s",
357 a->q_user, errstring(ret));
358 }
359 }
360 }
361 else if (m == FileMailer)
362 {
363 extern bool writable();
364
365 /* check if writable or creatable */
366 if (a->q_alias == NULL)
367 {
368 a->q_flags |= QBADADDR;
369 a->q_status = "5.7.1";
370 usrerr("550 Cannot mail directly to files");
371 }
372 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
373 {
374 a->q_flags |= QBADADDR;
375 a->q_status = "5.7.1";
376 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
377 a->q_alias->q_ruser, MyHostName);
378 }
379 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
380 {
381 a->q_flags |= QBADADDR;
382 a->q_status = "5.7.1";
383 usrerr("550 Address %s is unsafe for mailing to files",
384 a->q_alias->q_paddr);
385 }
386 else if (!writable(buf, getctladdr(a), SFF_CREAT))
387 {
388 a->q_flags |= QBADADDR;
389 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
390 (time_t) 0, e);
391 }
392 }
393
394 /* try aliasing */
395 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
396 alias(a, sendq, aliaslevel, e);
397
398 # ifdef USERDB
399 /* if not aliased, look it up in the user database */
400 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
401 bitnset(M_CHECKUDB, m->m_flags))
402 {
403 extern int udbexpand();
404
405 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
406 {
407 a->q_flags |= QQUEUEUP;
408 if (e->e_message == NULL)
409 e->e_message = newstr("Deferred: user database error");
410 # ifdef LOG
411 if (LogLevel > 8)
412 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
413 e->e_id == NULL ? "NOQUEUE" : e->e_id,
414 errstring(errno));
415 # endif
416 message("queued (user database error): %s",
417 errstring(errno));
418 e->e_nrcpts++;
419 goto testselfdestruct;
420 }
421 }
422 # endif
423
424 /*
425 ** If we have a level two config file, then pass the name through
426 ** Ruleset 5 before sending it off. Ruleset 5 has the right
427 ** to send rewrite it to another mailer. This gives us a hook
428 ** after local aliasing has been done.
429 */
430
431 if (tTd(29, 5))
432 {
433 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
434 ConfigLevel, RewriteRules[5]);
435 printaddr(a, FALSE);
436 }
437 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
438 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
439 bitnset(M_TRYRULESET5, m->m_flags))
440 {
441 maplocaluser(a, sendq, aliaslevel + 1, e);
442 }
443
444 /*
445 ** If it didn't get rewritten to another mailer, go ahead
446 ** and deliver it.
447 */
448
449 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
450 bitnset(M_HASPWENT, m->m_flags))
451 {
452 auto bool fuzzy;
453 register struct passwd *pw;
454 extern struct passwd *finduser();
455
456 /* warning -- finduser may trash buf */
457 pw = finduser(buf, &fuzzy);
458 if (pw == NULL)
459 {
460 a->q_flags |= QBADADDR;
461 a->q_status = "5.1.1";
462 giveresponse(EX_NOUSER, m, NULL, a->q_alias,
463 (time_t) 0, e);
464 }
465 else
466 {
467 char nbuf[MAXNAME + 1];
468
469 if (fuzzy)
470 {
471 /* name was a fuzzy match */
472 a->q_user = newstr(pw->pw_name);
473 if (findusercount++ > 3)
474 {
475 a->q_flags |= QBADADDR;
476 a->q_status = "5.4.6";
477 usrerr("554 aliasing/forwarding loop for %s broken",
478 pw->pw_name);
479 goto done;
480 }
481
482 /* see if it aliases */
483 (void) strcpy(buf, pw->pw_name);
484 goto trylocaluser;
485 }
486 if (strcmp(pw->pw_dir, "/") == 0)
487 a->q_home = "";
488 else
489 a->q_home = newstr(pw->pw_dir);
490 a->q_uid = pw->pw_uid;
491 a->q_gid = pw->pw_gid;
492 a->q_ruser = newstr(pw->pw_name);
493 a->q_flags |= QGOODUID;
494 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
495 if (nbuf[0] != '\0')
496 a->q_fullname = newstr(nbuf);
497 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
498 !usershellok(pw->pw_shell))
499 {
500 a->q_flags |= QBOGUSSHELL;
501 }
502 if (!quoted)
503 forward(a, sendq, aliaslevel, e);
504 }
505 }
506 if (!bitset(QDONTSEND, a->q_flags))
507 e->e_nrcpts++;
508
509 testselfdestruct:
510 a->q_flags |= QTHISPASS;
511 if (tTd(26, 8))
512 {
513 printf("testselfdestruct: ");
514 printaddr(a, FALSE);
515 if (tTd(26, 10))
516 {
517 printf("SENDQ:\n");
518 printaddr(*sendq, TRUE);
519 printf("----\n");
520 }
521 }
522 if (a->q_alias == NULL && a != &e->e_from &&
523 bitset(QDONTSEND, a->q_flags))
524 {
525 for (q = *sendq; q != NULL; q = q->q_next)
526 {
527 if (!bitset(QDONTSEND|QBADADDR, q->q_flags) &&
528 bitset(QTHISPASS, q->q_flags))
529 break;
530 }
531 if (q == NULL)
532 {
533 a->q_flags |= QBADADDR;
534 a->q_status = "5.4.6";
535 usrerr("554 aliasing/forwarding loop broken");
536 }
537 }
538
539 done:
540 a->q_flags |= QTHISPASS;
541 if (buf != buf0)
542 free(buf);
543
544 /*
545 ** If we are at the top level, check to see if this has
546 ** expanded to exactly one address. If so, it can inherit
547 ** the primaryness of the address.
548 **
549 ** While we're at it, clear the QTHISPASS bits.
550 */
551
552 if (aliaslevel == 0)
553 {
554 int nrcpts = 0;
555 ADDRESS *only;
556
557 for (q = *sendq; q != NULL; q = q->q_next)
558 {
559 if (bitset(QTHISPASS, q->q_flags) &&
560 !bitset(QDONTSEND|QBADADDR, q->q_flags))
561 {
562 nrcpts++;
563 only = q;
564 }
565 q->q_flags &= ~QTHISPASS;
566 }
567 if (nrcpts == 1)
568 {
569 /* check to see if this actually got a new owner */
570 q = only;
571 while ((q = q->q_alias) != NULL)
572 {
573 if (q->q_owner != NULL)
574 break;
575 }
576 if (q == NULL)
577 only->q_flags |= QPRIMARY;
578 }
579 else if (!initialdontsend && nrcpts > 0)
580 {
581 /* arrange for return receipt */
582 e->e_flags |= EF_SENDRECEIPT;
583 a->q_flags |= QEXPANDED;
584 if (e->e_xfp != NULL)
585 fprintf(e->e_xfp,
586 "%s... expanded to multiple addresses\n",
587 a->q_paddr);
588 }
589 }
590
591 return (a);
592 }
593 �/*
594 ** FINDUSER -- find the password entry for a user.
595 **
596 ** This looks a lot like getpwnam, except that it may want to
597 ** do some fancier pattern matching in /etc/passwd.
598 **
599 ** This routine contains most of the time of many sendmail runs.
600 ** It deserves to be optimized.
601 **
602 ** Parameters:
603 ** name -- the name to match against.
604 ** fuzzyp -- an outarg that is set to TRUE if this entry
605 ** was found using the fuzzy matching algorithm;
606 ** set to FALSE otherwise.
607 **
608 ** Returns:
609 ** A pointer to a pw struct.
610 ** NULL if name is unknown or ambiguous.
611 **
612 ** Side Effects:
613 ** may modify name.
614 */
615
616 struct passwd *
617 finduser(name, fuzzyp)
618 char *name;
619 bool *fuzzyp;
620 {
621 register struct passwd *pw;
622 register char *p;
623
624 if (tTd(29, 4))
625 printf("finduser(%s): ", name);
626
627 *fuzzyp = FALSE;
628
629 #ifdef HESIOD
630 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
631 for (p = name; *p != '\0'; p++)
632 if (!isascii(*p) || !isdigit(*p))
633 break;
634 if (*p == '\0')
635 {
636 if (tTd(29, 4))
637 printf("failed (numeric input)\n");
638 return NULL;
639 }
640 #endif
641
642 /* look up this login name using fast path */
643 if ((pw = sm_getpwnam(name)) != NULL)
644 {
645 if (tTd(29, 4))
646 printf("found (non-fuzzy)\n");
647 return (pw);
648 }
649
650 #ifdef MATCHGECOS
651 /* see if fuzzy matching allowed */
652 if (!MatchGecos)
653 {
654 if (tTd(29, 4))
655 printf("not found (fuzzy disabled)\n");
656 return NULL;
657 }
658
659 /* search for a matching full name instead */
660 for (p = name; *p != '\0'; p++)
661 {
662 if (*p == (SpaceSub & 0177) || *p == '_')
663 *p = ' ';
664 }
665 (void) setpwent();
666 while ((pw = getpwent()) != NULL)
667 {
668 char buf[MAXNAME + 1];
669
670 buildfname(pw->pw_gecos, pw->pw_name, buf);
671 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
672 {
673 if (tTd(29, 4))
674 printf("fuzzy matches %s\n", pw->pw_name);
675 message("sending to login name %s", pw->pw_name);
676 *fuzzyp = TRUE;
677 return (pw);
678 }
679 }
680 if (tTd(29, 4))
681 printf("no fuzzy match found\n");
682 #else
683 if (tTd(29, 4))
684 printf("not found (fuzzy disabled)\n");
685 #endif
686 return (NULL);
687 }
688 �/*
689 ** WRITABLE -- predicate returning if the file is writable.
690 **
691 ** This routine must duplicate the algorithm in sys/fio.c.
692 ** Unfortunately, we cannot use the access call since we
693 ** won't necessarily be the real uid when we try to
694 ** actually open the file.
695 **
696 ** Notice that ANY file with ANY execute bit is automatically
697 ** not writable. This is also enforced by mailfile.
698 **
699 ** Parameters:
700 ** filename -- the file name to check.
701 ** ctladdr -- the controlling address for this file.
702 ** flags -- SFF_* flags to control the function.
703 **
704 ** Returns:
705 ** TRUE -- if we will be able to write this file.
706 ** FALSE -- if we cannot write this file.
707 **
708 ** Side Effects:
709 ** none.
710 */
711
712 bool
713 writable(filename, ctladdr, flags)
714 char *filename;
715 ADDRESS *ctladdr;
716 int flags;
717 {
718 uid_t euid;
719 gid_t egid;
720 int bits;
721 register char *p;
722 char *uname;
723
724 if (tTd(29, 5))
725 printf("writable(%s, 0x%x)\n", filename, flags);
726
727 #ifdef SUID_ROOT_FILES_OK
728 /* really ought to be passed down -- and not a good idea */
729 flags |= SFF_ROOTOK;
730 #endif
731
732 /*
733 ** File does exist -- check that it is writable.
734 */
735
736 if (ctladdr != NULL && geteuid() == 0)
737 {
738 euid = ctladdr->q_uid;
739 egid = ctladdr->q_gid;
740 uname = ctladdr->q_user;
741 }
742 else if (bitset(SFF_RUNASREALUID, flags))
743 {
744 extern char RealUserName[];
745
746 euid = RealUid;
747 egid = RealGid;
748 uname = RealUserName;
749 }
750 else if (FileMailer != NULL)
751 {
752 euid = FileMailer->m_uid;
753 egid = FileMailer->m_gid;
754 }
755 else
756 {
757 euid = egid = 0;
758 }
759 if (euid == 0)
760 {
761 euid = DefUid;
762 uname = DefUser;
763 }
764 if (egid == 0)
765 egid = DefGid;
766 if (geteuid() == 0)
767 flags |= SFF_SETUIDOK;
768
769 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL);
770 return errno == 0;
771 }
772 �/*
773 ** INCLUDE -- handle :include: specification.
774 **
775 ** Parameters:
776 ** fname -- filename to include.
777 ** forwarding -- if TRUE, we are reading a .forward file.
778 ** if FALSE, it's a :include: file.
779 ** ctladdr -- address template to use to fill in these
780 ** addresses -- effective user/group id are
781 ** the important things.
782 ** sendq -- a pointer to the head of the send queue
783 ** to put these addresses in.
784 ** aliaslevel -- the alias nesting depth.
785 ** e -- the current envelope.
786 **
787 ** Returns:
788 ** open error status
789 **
790 ** Side Effects:
791 ** reads the :include: file and sends to everyone
792 ** listed in that file.
793 **
794 ** Security Note:
795 ** If you have restricted chown (that is, you can't
796 ** give a file away), it is reasonable to allow programs
797 ** and files called from this :include: file to be to be
798 ** run as the owner of the :include: file. This is bogus
799 ** if there is any chance of someone giving away a file.
800 ** We assume that pre-POSIX systems can give away files.
801 **
802 ** There is an additional restriction that if you
803 ** forward to a :include: file, it will not take on
804 ** the ownership of the :include: file. This may not
805 ** be necessary, but shouldn't hurt.
806 */
807
808 static jmp_buf CtxIncludeTimeout;
809 static void includetimeout();
810
811 int
812 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
813 char *fname;
814 bool forwarding;
815 ADDRESS *ctladdr;
816 ADDRESS **sendq;
817 int aliaslevel;
818 ENVELOPE *e;
819 {
820 FILE *fp = NULL;
821 char *oldto = e->e_to;
822 char *oldfilename = FileName;
823 int oldlinenumber = LineNumber;
824 register EVENT *ev = NULL;
825 int nincludes;
826 register ADDRESS *ca;
827 uid_t saveduid, uid;
828 gid_t savedgid, gid;
829 char *uname;
830 int rval = 0;
831 int sfflags = SFF_REGONLY;
832 struct stat st;
833 char buf[MAXLINE];
834 #ifdef _POSIX_CHOWN_RESTRICTED
835 # if _POSIX_CHOWN_RESTRICTED == -1
836 # define safechown FALSE
837 # else
838 # define safechown TRUE
839 # endif
840 #else
841 # ifdef _PC_CHOWN_RESTRICTED
842 bool safechown;
843 # else
844 # ifdef BSD
845 # define safechown TRUE
846 # else
847 # define safechown FALSE
848 # endif
849 # endif
850 #endif
851 extern bool chownsafe();
852
853 if (tTd(27, 2))
854 printf("include(%s)\n", fname);
855 if (tTd(27, 4))
856 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
857 if (tTd(27, 14))
858 {
859 printf("ctladdr ");
860 printaddr(ctladdr, FALSE);
861 }
862
863 if (tTd(27, 9))
864 printf("include: old uid = %d/%d\n", getuid(), geteuid());
865
866 if (forwarding)
867 sfflags |= SFF_MUSTOWN|SFF_ROOTOK|SFF_NOSLINK;
868
869 ca = getctladdr(ctladdr);
870 if (ca == NULL)
871 {
872 uid = DefUid;
873 gid = DefGid;
874 uname = DefUser;
875 }
876 else
877 {
878 uid = ca->q_uid;
879 gid = ca->q_gid;
880 uname = ca->q_user;
881 }
882 #ifdef HASSETREUID
883 saveduid = geteuid();
884 savedgid = getegid();
885 if (saveduid == 0)
886 {
887 initgroups(uname, gid);
888 if (uid != 0)
889 {
890 if (setreuid(0, uid) < 0)
891 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
892 uid, getuid(), geteuid());
893 else
894 sfflags |= SFF_NOPATHCHECK;
895 }
896 }
897 #endif
898
899 if (tTd(27, 9))
900 printf("include: new uid = %d/%d\n", getuid(), geteuid());
901
902 /*
903 ** If home directory is remote mounted but server is down,
904 ** this can hang or give errors; use a timeout to avoid this
905 */
906
907 if (setjmp(CtxIncludeTimeout) != 0)
908 {
909 ctladdr->q_flags |= QQUEUEUP;
910 errno = 0;
911
912 /* return pseudo-error code */
913 rval = EOPENTIMEOUT;
914 goto resetuid;
915 }
916 if (TimeOuts.to_fileopen > 0)
917 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
918 else
919 ev = NULL;
920
921 /* the input file must be marked safe */
922 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL);
923 if (rval != 0)
924 {
925 /* don't use this :include: file */
926 if (tTd(27, 4))
927 printf("include: not safe (uid=%d): %s\n",
928 uid, errstring(rval));
929 }
930 else
931 {
932 fp = fopen(fname, "r");
933 if (fp == NULL)
934 {
935 rval = errno;
936 if (tTd(27, 4))
937 printf("include: open: %s\n", errstring(rval));
938 }
939 }
940 if (ev != NULL)
941 clrevent(ev);
942
943 resetuid:
944
945 #ifdef HASSETREUID
946 if (saveduid == 0)
947 {
948 if (uid != 0)
949 {
950 if (setreuid(-1, 0) < 0)
951 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
952 getuid(), geteuid());
953 if (setreuid(RealUid, 0) < 0)
954 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
955 RealUid, getuid(), geteuid());
956 }
957 setgid(savedgid);
958 }
959 #endif
960
961 if (tTd(27, 9))
962 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
963
964 if (rval == EOPENTIMEOUT)
965 usrerr("451 open timeout on %s", fname);
966
967 if (fp == NULL)
968 return rval;
969
970 if (fstat(fileno(fp), &st) < 0)
971 {
972 rval = errno;
973 syserr("Cannot fstat %s!", fname);
974 return rval;
975 }
976
977 #ifndef safechown
978 safechown = chownsafe(fileno(fp));
979 #endif
980 if (ca == NULL && safechown)
981 {
982 ctladdr->q_uid = st.st_uid;
983 ctladdr->q_gid = st.st_gid;
984 ctladdr->q_flags |= QGOODUID;
985 }
986 if (ca != NULL && ca->q_uid == st.st_uid)
987 {
988 /* optimization -- avoid getpwuid if we already have info */
989 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
990 ctladdr->q_ruser = ca->q_ruser;
991 }
992 else
993 {
994 register struct passwd *pw;
995
996 pw = sm_getpwuid(st.st_uid);
997 if (pw == NULL)
998 ctladdr->q_flags |= QBOGUSSHELL;
999 else
1000 {
1001 char *sh;
1002
1003 ctladdr->q_ruser = newstr(pw->pw_name);
1004 if (safechown)
1005 sh = pw->pw_shell;
1006 else
1007 sh = "/SENDMAIL/ANY/SHELL/";
1008 if (!usershellok(sh))
1009 {
1010 if (safechown)
1011 ctladdr->q_flags |= QBOGUSSHELL;
1012 else
1013 ctladdr->q_flags |= QUNSAFEADDR;
1014 }
1015 }
1016 }
1017
1018 if (bitset(EF_VRFYONLY, e->e_flags))
1019 {
1020 /* don't do any more now */
1021 ctladdr->q_flags |= QVERIFIED;
1022 e->e_nrcpts++;
1023 xfclose(fp, "include", fname);
1024 return rval;
1025 }
1026
1027 /*
1028 ** Check to see if some bad guy can write this file
1029 **
1030 ** This should really do something clever with group
1031 ** permissions; currently we just view world writable
1032 ** as unsafe. Also, we don't check for writable
1033 ** directories in the path. We've got to leave
1034 ** something for the local sysad to do.
1035 */
1036
1037 if (bitset(S_IWOTH, st.st_mode))
1038 ctladdr->q_flags |= QUNSAFEADDR;
1039
1040 /* read the file -- each line is a comma-separated list. */
1041 FileName = fname;
1042 LineNumber = 0;
1043 ctladdr->q_flags &= ~QSELFREF;
1044 nincludes = 0;
1045 while (fgets(buf, sizeof buf, fp) != NULL)
1046 {
1047 register char *p = strchr(buf, '\n');
1048
1049 LineNumber++;
1050 if (p != NULL)
1051 *p = '\0';
1052 if (buf[0] == '#' || buf[0] == '\0')
1053 continue;
1054
1055 /* <sp>#@# introduces a comment anywhere */
1056 /* for Japanese character sets */
1057 for (p = buf; (p = strchr(++p, '#')) != NULL; )
1058 {
1059 if (p[1] == '@' && p[2] == '#' &&
1060 isascii(p[-1]) && isspace(p[-1]) &&
1061 isascii(p[3]) && isspace(p[3]))
1062 {
1063 p[-1] = '\0';
1064 break;
1065 }
1066 }
1067 if (buf[0] == '\0')
1068 continue;
1069
1070 e->e_to = NULL;
1071 message("%s to %s",
1072 forwarding ? "forwarding" : "sending", buf);
1073 #ifdef LOG
1074 if (forwarding && LogLevel > 9)
1075 syslog(LOG_INFO, "%s: forward %s => %s",
1076 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1077 oldto, buf);
1078 #endif
1079
1080 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1081 }
1082
1083 if (ferror(fp) && tTd(27, 3))
1084 printf("include: read error: %s\n", errstring(errno));
1085 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1086 {
1087 if (tTd(27, 5))
1088 {
1089 printf("include: QDONTSEND ");
1090 printaddr(ctladdr, FALSE);
1091 }
1092 ctladdr->q_flags |= QDONTSEND;
1093 }
1094
1095 (void) xfclose(fp, "include", fname);
1096 FileName = oldfilename;
1097 LineNumber = oldlinenumber;
1098 e->e_to = oldto;
1099 return rval;
1100 }
1101
1102 static void
1103 includetimeout()
1104 {
1105 longjmp(CtxIncludeTimeout, 1);
1106 }
1107 �/*
1108 ** SENDTOARGV -- send to an argument vector.
1109 **
1110 ** Parameters:
1111 ** argv -- argument vector to send to.
1112 ** e -- the current envelope.
1113 **
1114 ** Returns:
1115 ** none.
1116 **
1117 ** Side Effects:
1118 ** puts all addresses on the argument vector onto the
1119 ** send queue.
1120 */
1121
1122 sendtoargv(argv, e)
1123 register char **argv;
1124 register ENVELOPE *e;
1125 {
1126 register char *p;
1127
1128 while ((p = *argv++) != NULL)
1129 {
1130 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1131 }
1132 }
1133 �/*
1134 ** GETCTLADDR -- get controlling address from an address header.
1135 **
1136 ** If none, get one corresponding to the effective userid.
1137 **
1138 ** Parameters:
1139 ** a -- the address to find the controller of.
1140 **
1141 ** Returns:
1142 ** the controlling address.
1143 **
1144 ** Side Effects:
1145 ** none.
1146 */
1147
1148 ADDRESS *
1149 getctladdr(a)
1150 register ADDRESS *a;
1151 {
1152 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1153 a = a->q_alias;
1154 return (a);
1155 }
1156 �/*
1157 ** SELF_REFERENCE -- check to see if an address references itself
1158 **
1159 ** The check is done through a chain of aliases. If it is part of
1160 ** a loop, break the loop at the "best" address, that is, the one
1161 ** that exists as a real user.
1162 **
1163 ** This is to handle the case of:
1164 ** Andrew.Chang: awc
1165 ** awc: Andrew.Chang@mail.server.
1166 ** which is a problem only on mail.server.
1167 **
1168 ** Parameters:
1169 ** a -- the address to check.
1170 ** e -- the current envelope.
1171 **
1172 ** Returns:
1173 ** The address that should be retained.
1174 */
1175
1176 ADDRESS *
1177 self_reference(a, e)
1178 ADDRESS *a;
1179 ENVELOPE *e;
1180 {
1181 ADDRESS *b; /* top entry in self ref loop */
1182 ADDRESS *c; /* entry that point to a real mail box */
1183
1184 if (tTd(27, 1))
1185 printf("self_reference(%s)\n", a->q_paddr);
1186
1187 for (b = a->q_alias; b != NULL; b = b->q_alias)
1188 {
1189 if (sameaddr(a, b))
1190 break;
1191 }
1192
1193 if (b == NULL)
1194 {
1195 if (tTd(27, 1))
1196 printf("\t... no self ref\n");
1197 return NULL;
1198 }
1199
1200 /*
1201 ** Pick the first address that resolved to a real mail box
1202 ** i.e has a pw entry. The returned value will be marked
1203 ** QSELFREF in recipient(), which in turn will disable alias()
1204 ** from marking it QDONTSEND, which mean it will be used
1205 ** as a deliverable address.
1206 **
1207 ** The 2 key thing to note here are:
1208 ** 1) we are in a recursive call sequence:
1209 ** alias->sentolist->recipient->alias
1210 ** 2) normally, when we return back to alias(), the address
1211 ** will be marked QDONTSEND, since alias() assumes the
1212 ** expanded form will be used instead of the current address.
1213 ** This behaviour is turned off if the address is marked
1214 ** QSELFREF We set QSELFREF when we return to recipient().
1215 */
1216
1217 c = a;
1218 while (c != NULL)
1219 {
1220 if (bitnset(M_HASPWENT, c->q_mailer->m_flags))
1221 {
1222 if (tTd(27, 2))
1223 printf("\t... getpwnam(%s)... ", c->q_user);
1224 if (sm_getpwnam(c->q_user) != NULL)
1225 {
1226 if (tTd(27, 2))
1227 printf("found\n");
1228
1229 /* ought to cache results here */
1230 return c;
1231 }
1232 if (tTd(27, 2))
1233 printf("failed\n");
1234 }
1235 c = c->q_alias;
1236 }
1237
1238 if (tTd(27, 1))
1239 printf("\t... cannot break loop for \"%s\"\n", a->q_paddr);
1240
1241 return NULL;
1242 }
1243