1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.44 (Berkeley) 02/28/94";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** e -- the envelope in which to add these recipients.
31 **
32 ** Returns:
33 ** The number of addresses actually on the list.
34 **
35 ** Side Effects:
36 ** none.
37 */
38
39 # define MAXRCRSN 10
40
41 sendtolist(list, ctladdr, sendq, e)
42 char *list;
43 ADDRESS *ctladdr;
44 ADDRESS **sendq;
45 register ENVELOPE *e;
46 {
47 register char *p;
48 register ADDRESS *al; /* list of addresses to send to */
49 bool firstone; /* set on first address sent */
50 char delimiter; /* the address delimiter */
51 int naddrs;
52 char *oldto = e->e_to;
53
54 if (list == NULL)
55 {
56 syserr("sendtolist: null list");
57 return 0;
58 }
59
60 if (tTd(25, 1))
61 {
62 printf("sendto: %s\n ctladdr=", list);
63 printaddr(ctladdr, FALSE);
64 }
65
66 /* heuristic to determine old versus new style addresses */
67 if (ctladdr == NULL &&
68 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
69 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
70 e->e_flags &= ~EF_OLDSTYLE;
71 delimiter = ' ';
72 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
73 delimiter = ',';
74
75 firstone = TRUE;
76 al = NULL;
77 naddrs = 0;
78
79 for (p = list; *p != '\0'; )
80 {
81 auto char *delimptr;
82 register ADDRESS *a;
83
84 /* parse the address */
85 while ((isascii(*p) && isspace(*p)) || *p == ',')
86 p++;
87 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
88 p = delimptr;
89 if (a == NULL)
90 continue;
91 a->q_next = al;
92 a->q_alias = ctladdr;
93
94 /* see if this should be marked as a primary address */
95 if (ctladdr == NULL ||
96 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
97 a->q_flags |= QPRIMARY;
98
99 if (ctladdr != NULL && sameaddr(ctladdr, a))
100 ctladdr->q_flags |= QSELFREF;
101 al = a;
102 firstone = FALSE;
103 }
104
105 /* arrange to send to everyone on the local send list */
106 while (al != NULL)
107 {
108 register ADDRESS *a = al;
109
110 al = a->q_next;
111 a = recipient(a, sendq, e);
112
113 /* arrange to inherit full name */
114 if (a->q_fullname == NULL && ctladdr != NULL)
115 a->q_fullname = ctladdr->q_fullname;
116 naddrs++;
117 }
118
119 e->e_to = oldto;
120 return (naddrs);
121 }
122 �/*
123 ** RECIPIENT -- Designate a message recipient
124 **
125 ** Saves the named person for future mailing.
126 **
127 ** Parameters:
128 ** a -- the (preparsed) address header for the recipient.
129 ** sendq -- a pointer to the head of a queue to put the
130 ** recipient in. Duplicate supression is done
131 ** in this queue.
132 ** e -- the current envelope.
133 **
134 ** Returns:
135 ** The actual address in the queue. This will be "a" if
136 ** the address is not a duplicate, else the original address.
137 **
138 ** Side Effects:
139 ** none.
140 */
141
142 ADDRESS *
143 recipient(a, sendq, e)
144 register ADDRESS *a;
145 register ADDRESS **sendq;
146 register ENVELOPE *e;
147 {
148 register ADDRESS *q;
149 ADDRESS **pq;
150 register struct mailer *m;
151 register char *p;
152 bool quoted = FALSE; /* set if the addr has a quote bit */
153 int findusercount = 0;
154 char buf[MAXNAME]; /* unquoted image of the user name */
155 extern int safefile();
156
157 e->e_to = a->q_paddr;
158 m = a->q_mailer;
159 errno = 0;
160 if (tTd(26, 1))
161 {
162 printf("\nrecipient: ");
163 printaddr(a, FALSE);
164 }
165
166 /* if this is primary, add it to the original recipient list */
167 if (a->q_alias == NULL)
168 {
169 if (e->e_origrcpt == NULL)
170 e->e_origrcpt = a->q_paddr;
171 else if (e->e_origrcpt != a->q_paddr)
172 e->e_origrcpt = "";
173 }
174
175 /* break aliasing loops */
176 if (AliasLevel > MAXRCRSN)
177 {
178 usrerr("554 aliasing/forwarding loop broken");
179 return (a);
180 }
181
182 /*
183 ** Finish setting up address structure.
184 */
185
186 /* set the queue timeout */
187 a->q_timeout = TimeOuts.to_q_return;
188
189 /* get unquoted user for file, program or user.name check */
190 (void) strcpy(buf, a->q_user);
191 for (p = buf; *p != '\0' && !quoted; p++)
192 {
193 if (*p == '\\')
194 quoted = TRUE;
195 }
196 stripquotes(buf);
197
198 /* check for direct mailing to restricted mailers */
199 if (m == ProgMailer)
200 {
201 if (a->q_alias == NULL)
202 {
203 a->q_flags |= QBADADDR;
204 usrerr("550 Cannot mail directly to programs");
205 }
206 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
207 {
208 a->q_flags |= QBADADDR;
209 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
210 a->q_alias->q_ruser, MyHostName);
211 }
212 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
213 {
214 a->q_flags |= QBADADDR;
215 usrerr("550 Address %s is unsafe for mailing to programs",
216 a->q_alias->q_paddr);
217 }
218 }
219
220 /*
221 ** Look up this person in the recipient list.
222 ** If they are there already, return, otherwise continue.
223 ** If the list is empty, just add it. Notice the cute
224 ** hack to make from addresses suppress things correctly:
225 ** the QDONTSEND bit will be set in the send list.
226 ** [Please note: the emphasis is on "hack."]
227 */
228
229 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
230 {
231 if (sameaddr(q, a))
232 {
233 if (tTd(26, 1))
234 {
235 printf("%s in sendq: ", a->q_paddr);
236 printaddr(q, FALSE);
237 }
238 if (!bitset(QPRIMARY, q->q_flags))
239 {
240 if (!bitset(QDONTSEND, a->q_flags))
241 message("duplicate suppressed");
242 q->q_flags |= a->q_flags;
243 }
244 else if (bitset(QSELFREF, q->q_flags))
245 q->q_flags |= a->q_flags & ~QDONTSEND;
246 a = q;
247 goto testselfdestruct;
248 }
249 }
250
251 /* add address on list */
252 *pq = a;
253 a->q_next = NULL;
254
255 /*
256 ** Alias the name and handle special mailer types.
257 */
258
259 trylocaluser:
260 if (tTd(29, 7))
261 printf("at trylocaluser %s\n", a->q_user);
262
263 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
264 goto testselfdestruct;
265
266 if (m == InclMailer)
267 {
268 a->q_flags |= QDONTSEND;
269 if (a->q_alias == NULL)
270 {
271 a->q_flags |= QBADADDR;
272 usrerr("550 Cannot mail directly to :include:s");
273 }
274 else
275 {
276 int ret;
277
278 message("including file %s", a->q_user);
279 ret = include(a->q_user, FALSE, a, sendq, e);
280 if (transienterror(ret))
281 {
282 #ifdef LOG
283 if (LogLevel > 2)
284 syslog(LOG_ERR, "%s: include %s: transient error: %s",
285 e->e_id == NULL ? "NOQUEUE" : e->e_id,
286 a->q_user, errstring(ret));
287 #endif
288 a->q_flags |= QQUEUEUP;
289 a->q_flags &= ~QDONTSEND;
290 usrerr("451 Cannot open %s: %s",
291 a->q_user, errstring(ret));
292 }
293 else if (ret != 0)
294 {
295 a->q_flags |= QBADADDR;
296 usrerr("550 Cannot open %s: %s",
297 a->q_user, errstring(ret));
298 }
299 }
300 }
301 else if (m == FileMailer)
302 {
303 extern bool writable();
304
305 /* check if writable or creatable */
306 if (a->q_alias == NULL)
307 {
308 a->q_flags |= QBADADDR;
309 usrerr("550 Cannot mail directly to files");
310 }
311 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
312 {
313 a->q_flags |= QBADADDR;
314 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
315 a->q_alias->q_ruser, MyHostName);
316 }
317 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
318 {
319 a->q_flags |= QBADADDR;
320 usrerr("550 Address %s is unsafe for mailing to files",
321 a->q_alias->q_paddr);
322 }
323 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
324 {
325 a->q_flags |= QBADADDR;
326 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
327 }
328 }
329
330 if (m != LocalMailer)
331 {
332 if (!bitset(QDONTSEND, a->q_flags))
333 e->e_nrcpts++;
334 goto testselfdestruct;
335 }
336
337 /* try aliasing */
338 alias(a, sendq, e);
339
340 # ifdef USERDB
341 /* if not aliased, look it up in the user database */
342 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags))
343 {
344 extern int udbexpand();
345
346 if (udbexpand(a, sendq, e) == EX_TEMPFAIL)
347 {
348 a->q_flags |= QQUEUEUP;
349 if (e->e_message == NULL)
350 e->e_message = newstr("Deferred: user database error");
351 # ifdef LOG
352 if (LogLevel > 8)
353 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
354 e->e_id == NULL ? "NOQUEUE" : e->e_id,
355 errstring(errno));
356 # endif
357 message("queued (user database error): %s",
358 errstring(errno));
359 e->e_nrcpts++;
360 goto testselfdestruct;
361 }
362 }
363 # endif
364
365 /* if it was an alias or a UDB expansion, just return now */
366 if (bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags))
367 goto testselfdestruct;
368
369 /*
370 ** If we have a level two config file, then pass the name through
371 ** Ruleset 5 before sending it off. Ruleset 5 has the right
372 ** to send rewrite it to another mailer. This gives us a hook
373 ** after local aliasing has been done.
374 */
375
376 if (tTd(29, 5))
377 {
378 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
379 ConfigLevel, RewriteRules[5]);
380 printaddr(a, FALSE);
381 }
382 if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 &&
383 RewriteRules[5] != NULL)
384 {
385 maplocaluser(a, sendq, e);
386 }
387
388 /*
389 ** If it didn't get rewritten to another mailer, go ahead
390 ** and deliver it.
391 */
392
393 if (!bitset(QDONTSEND|QQUEUEUP, a->q_flags))
394 {
395 auto bool fuzzy;
396 register struct passwd *pw;
397 extern struct passwd *finduser();
398
399 /* warning -- finduser may trash buf */
400 pw = finduser(buf, &fuzzy);
401 if (pw == NULL)
402 {
403 a->q_flags |= QBADADDR;
404 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
405 }
406 else
407 {
408 char nbuf[MAXNAME];
409
410 if (fuzzy)
411 {
412 /* name was a fuzzy match */
413 a->q_user = newstr(pw->pw_name);
414 if (findusercount++ > 3)
415 {
416 a->q_flags |= QBADADDR;
417 usrerr("554 aliasing/forwarding loop for %s broken",
418 pw->pw_name);
419 return (a);
420 }
421
422 /* see if it aliases */
423 (void) strcpy(buf, pw->pw_name);
424 goto trylocaluser;
425 }
426 if (strcmp(pw->pw_dir, "/") == 0)
427 a->q_home = "";
428 else
429 a->q_home = newstr(pw->pw_dir);
430 a->q_uid = pw->pw_uid;
431 a->q_gid = pw->pw_gid;
432 a->q_ruser = newstr(pw->pw_name);
433 a->q_flags |= QGOODUID;
434 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
435 if (nbuf[0] != '\0')
436 a->q_fullname = newstr(nbuf);
437 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
438 !usershellok(pw->pw_shell))
439 {
440 a->q_flags |= QBOGUSSHELL;
441 }
442 if (!quoted)
443 forward(a, sendq, e);
444 }
445 }
446 if (!bitset(QDONTSEND, a->q_flags))
447 e->e_nrcpts++;
448
449 testselfdestruct:
450 if (tTd(26, 8))
451 {
452 printf("testselfdestruct: ");
453 printaddr(a, TRUE);
454 }
455 if (a->q_alias == NULL && a != &e->e_from &&
456 bitset(QDONTSEND, a->q_flags))
457 {
458 q = *sendq;
459 while (q != NULL && bitset(QDONTSEND, q->q_flags))
460 q = q->q_next;
461 if (q == NULL)
462 {
463 a->q_flags |= QBADADDR;
464 usrerr("554 aliasing/forwarding loop broken");
465 }
466 }
467 return (a);
468 }
469 �/*
470 ** FINDUSER -- find the password entry for a user.
471 **
472 ** This looks a lot like getpwnam, except that it may want to
473 ** do some fancier pattern matching in /etc/passwd.
474 **
475 ** This routine contains most of the time of many sendmail runs.
476 ** It deserves to be optimized.
477 **
478 ** Parameters:
479 ** name -- the name to match against.
480 ** fuzzyp -- an outarg that is set to TRUE if this entry
481 ** was found using the fuzzy matching algorithm;
482 ** set to FALSE otherwise.
483 **
484 ** Returns:
485 ** A pointer to a pw struct.
486 ** NULL if name is unknown or ambiguous.
487 **
488 ** Side Effects:
489 ** may modify name.
490 */
491
492 struct passwd *
493 finduser(name, fuzzyp)
494 char *name;
495 bool *fuzzyp;
496 {
497 register struct passwd *pw;
498 register char *p;
499 extern struct passwd *getpwent();
500 extern struct passwd *getpwnam();
501
502 if (tTd(29, 4))
503 printf("finduser(%s): ", name);
504
505 *fuzzyp = FALSE;
506
507 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
508 for (p = name; *p != '\0'; p++)
509 if (!isascii(*p) || !isdigit(*p))
510 break;
511 if (*p == '\0')
512 {
513 if (tTd(29, 4))
514 printf("failed (numeric input)\n");
515 return NULL;
516 }
517
518 /* look up this login name using fast path */
519 if ((pw = getpwnam(name)) != NULL)
520 {
521 if (tTd(29, 4))
522 printf("found (non-fuzzy)\n");
523 return (pw);
524 }
525
526 #ifdef MATCHGECOS
527 /* see if fuzzy matching allowed */
528 if (!MatchGecos)
529 {
530 if (tTd(29, 4))
531 printf("not found (fuzzy disabled)\n");
532 return NULL;
533 }
534
535 /* search for a matching full name instead */
536 for (p = name; *p != '\0'; p++)
537 {
538 if (*p == (SpaceSub & 0177) || *p == '_')
539 *p = ' ';
540 }
541 (void) setpwent();
542 while ((pw = getpwent()) != NULL)
543 {
544 char buf[MAXNAME];
545
546 buildfname(pw->pw_gecos, pw->pw_name, buf);
547 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
548 {
549 if (tTd(29, 4))
550 printf("fuzzy matches %s\n", pw->pw_name);
551 message("sending to login name %s", pw->pw_name);
552 *fuzzyp = TRUE;
553 return (pw);
554 }
555 }
556 if (tTd(29, 4))
557 printf("no fuzzy match found\n");
558 #else
559 if (tTd(29, 4))
560 printf("not found (fuzzy disabled)\n");
561 #endif
562 return (NULL);
563 }
564 �/*
565 ** WRITABLE -- predicate returning if the file is writable.
566 **
567 ** This routine must duplicate the algorithm in sys/fio.c.
568 ** Unfortunately, we cannot use the access call since we
569 ** won't necessarily be the real uid when we try to
570 ** actually open the file.
571 **
572 ** Notice that ANY file with ANY execute bit is automatically
573 ** not writable. This is also enforced by mailfile.
574 **
575 ** Parameters:
576 ** filename -- the file name to check.
577 ** ctladdr -- the controlling address for this file.
578 ** flags -- SFF_* flags to control the function.
579 **
580 ** Returns:
581 ** TRUE -- if we will be able to write this file.
582 ** FALSE -- if we cannot write this file.
583 **
584 ** Side Effects:
585 ** none.
586 */
587
588 bool
589 writable(filename, ctladdr, flags)
590 char *filename;
591 ADDRESS *ctladdr;
592 int flags;
593 {
594 uid_t euid;
595 gid_t egid;
596 int bits;
597 register char *p;
598 char *uname;
599 struct stat stb;
600 extern char RealUserName[];
601
602 if (tTd(29, 5))
603 printf("writable(%s, %x)\n", filename, flags);
604
605 #ifdef HASLSTAT
606 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
607 : stat(filename, &stb)) < 0)
608 #else
609 if (stat(filename, &stb) < 0)
610 #endif
611 {
612 /* file does not exist -- see if directory is safe */
613 p = strrchr(filename, '/');
614 if (p == NULL)
615 {
616 errno = ENOTDIR;
617 return FALSE;
618 }
619 *p = '\0';
620 errno = safefile(filename, RealUid, RealGid, RealUserName,
621 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
622 *p = '/';
623 return errno == 0;
624 }
625
626 #ifdef SUID_ROOT_FILES_OK
627 /* really ought to be passed down -- and not a good idea */
628 flags |= SFF_ROOTOK;
629 #endif
630
631 /*
632 ** File does exist -- check that it is writable.
633 */
634
635 if (bitset(0111, stb.st_mode))
636 {
637 if (tTd(29, 5))
638 printf("failed (mode %o: x bits)\n", stb.st_mode);
639 errno = EPERM;
640 return (FALSE);
641 }
642
643 if (ctladdr != NULL && geteuid() == 0)
644 {
645 euid = ctladdr->q_uid;
646 egid = ctladdr->q_gid;
647 uname = ctladdr->q_user;
648 }
649 else
650 {
651 euid = RealUid;
652 egid = RealGid;
653 uname = RealUserName;
654 }
655 if (euid == 0)
656 {
657 euid = DefUid;
658 uname = DefUser;
659 }
660 if (egid == 0)
661 egid = DefGid;
662 if (geteuid() == 0)
663 {
664 if (bitset(S_ISUID, stb.st_mode) &&
665 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
666 {
667 euid = stb.st_uid;
668 uname = NULL;
669 }
670 if (bitset(S_ISGID, stb.st_mode) &&
671 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
672 egid = stb.st_gid;
673 }
674
675 if (tTd(29, 5))
676 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
677 euid, egid, stb.st_uid, stb.st_gid);
678
679 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
680 return errno == 0;
681 }
682 �/*
683 ** INCLUDE -- handle :include: specification.
684 **
685 ** Parameters:
686 ** fname -- filename to include.
687 ** forwarding -- if TRUE, we are reading a .forward file.
688 ** if FALSE, it's a :include: file.
689 ** ctladdr -- address template to use to fill in these
690 ** addresses -- effective user/group id are
691 ** the important things.
692 ** sendq -- a pointer to the head of the send queue
693 ** to put these addresses in.
694 **
695 ** Returns:
696 ** open error status
697 **
698 ** Side Effects:
699 ** reads the :include: file and sends to everyone
700 ** listed in that file.
701 **
702 ** Security Note:
703 ** If you have restricted chown (that is, you can't
704 ** give a file away), it is reasonable to allow programs
705 ** and files called from this :include: file to be to be
706 ** run as the owner of the :include: file. This is bogus
707 ** if there is any chance of someone giving away a file.
708 ** We assume that pre-POSIX systems can give away files.
709 **
710 ** There is an additional restriction that if you
711 ** forward to a :include: file, it will not take on
712 ** the ownership of the :include: file. This may not
713 ** be necessary, but shouldn't hurt.
714 */
715
716 static jmp_buf CtxIncludeTimeout;
717 static int includetimeout();
718
719 #ifndef S_IWOTH
720 # define S_IWOTH (S_IWRITE >> 6)
721 #endif
722
723 int
724 include(fname, forwarding, ctladdr, sendq, e)
725 char *fname;
726 bool forwarding;
727 ADDRESS *ctladdr;
728 ADDRESS **sendq;
729 ENVELOPE *e;
730 {
731 register FILE *fp = NULL;
732 char *oldto = e->e_to;
733 char *oldfilename = FileName;
734 int oldlinenumber = LineNumber;
735 register EVENT *ev = NULL;
736 int nincludes;
737 register ADDRESS *ca;
738 uid_t saveduid, uid;
739 gid_t savedgid, gid;
740 char *uname;
741 int rval = 0;
742 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
743 struct stat st;
744 char buf[MAXLINE];
745 #ifdef _POSIX_CHOWN_RESTRICTED
746 # if _POSIX_CHOWN_RESTRICTED == -1
747 # define safechown FALSE
748 # else
749 # define safechown TRUE
750 # endif
751 #else
752 # ifdef _PC_CHOWN_RESTRICTED
753 bool safechown;
754 # else
755 # ifdef BSD
756 # define safechown TRUE
757 # else
758 # define safechown FALSE
759 # endif
760 # endif
761 #endif
762 extern bool chownsafe();
763
764 if (tTd(27, 2))
765 printf("include(%s)\n", fname);
766 if (tTd(27, 4))
767 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
768 if (tTd(27, 14))
769 {
770 printf("ctladdr ");
771 printaddr(ctladdr, FALSE);
772 }
773
774 if (tTd(27, 9))
775 printf("include: old uid = %d/%d\n", getuid(), geteuid());
776
777 ca = getctladdr(ctladdr);
778 if (ca == NULL)
779 {
780 uid = DefUid;
781 gid = DefGid;
782 uname = DefUser;
783 saveduid = -1;
784 }
785 else
786 {
787 uid = ca->q_uid;
788 gid = ca->q_gid;
789 uname = ca->q_user;
790 #ifdef HASSETREUID
791 saveduid = geteuid();
792 savedgid = getegid();
793 if (saveduid == 0)
794 {
795 initgroups(uname, gid);
796 if (uid != 0)
797 (void) setreuid(0, uid);
798 }
799 #endif
800 }
801
802 if (tTd(27, 9))
803 printf("include: new uid = %d/%d\n", getuid(), geteuid());
804
805 /*
806 ** If home directory is remote mounted but server is down,
807 ** this can hang or give errors; use a timeout to avoid this
808 */
809
810 if (setjmp(CtxIncludeTimeout) != 0)
811 {
812 ctladdr->q_flags |= QQUEUEUP;
813 errno = 0;
814
815 /* return pseudo-error code */
816 rval = EOPENTIMEOUT;
817 goto resetuid;
818 }
819 ev = setevent((time_t) 60, includetimeout, 0);
820
821 /* the input file must be marked safe */
822 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
823 if (rval != 0)
824 {
825 /* don't use this :include: file */
826 if (tTd(27, 4))
827 printf("include: not safe (uid=%d): %s\n",
828 uid, errstring(rval));
829 }
830 else
831 {
832 fp = fopen(fname, "r");
833 if (fp == NULL)
834 {
835 rval = errno;
836 if (tTd(27, 4))
837 printf("include: open: %s\n", errstring(rval));
838 }
839 }
840 clrevent(ev);
841
842 resetuid:
843
844 #ifdef HASSETREUID
845 if (saveduid == 0)
846 {
847 if (uid != 0)
848 if (setreuid(-1, 0) < 0 || setreuid(RealUid, 0) < 0)
849 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
850 RealUid, getuid(), geteuid());
851 setgid(savedgid);
852 }
853 #endif
854
855 if (tTd(27, 9))
856 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
857
858 if (rval == EOPENTIMEOUT)
859 usrerr("451 open timeout on %s", fname);
860
861 if (fp == NULL)
862 return rval;
863
864 if (fstat(fileno(fp), &st) < 0)
865 {
866 rval = errno;
867 syserr("Cannot fstat %s!", fname);
868 return rval;
869 }
870
871 #ifndef safechown
872 safechown = chownsafe(fileno(fp));
873 #endif
874 if (ca == NULL && safechown)
875 {
876 ctladdr->q_uid = st.st_uid;
877 ctladdr->q_gid = st.st_gid;
878 ctladdr->q_flags |= QGOODUID;
879 }
880 if (ca != NULL && ca->q_uid == st.st_uid)
881 {
882 /* optimization -- avoid getpwuid if we already have info */
883 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
884 ctladdr->q_ruser = ca->q_ruser;
885 }
886 else
887 {
888 char *sh;
889 register struct passwd *pw;
890
891 sh = "/SENDMAIL/ANY/SHELL/";
892 pw = getpwuid(st.st_uid);
893 if (pw != NULL)
894 {
895 ctladdr->q_ruser = newstr(pw->pw_name);
896 if (safechown)
897 sh = pw->pw_shell;
898 }
899 if (pw == NULL)
900 ctladdr->q_flags |= QBOGUSSHELL;
901 else if(!usershellok(sh))
902 {
903 if (safechown)
904 ctladdr->q_flags |= QBOGUSSHELL;
905 else
906 ctladdr->q_flags |= QUNSAFEADDR;
907 }
908 }
909
910 if (bitset(EF_VRFYONLY, e->e_flags))
911 {
912 /* don't do any more now */
913 ctladdr->q_flags |= QVERIFIED;
914 e->e_nrcpts++;
915 xfclose(fp, "include", fname);
916 return rval;
917 }
918
919 /*
920 ** Check to see if some bad guy can write this file
921 **
922 ** This should really do something clever with group
923 ** permissions; currently we just view world writable
924 ** as unsafe. Also, we don't check for writable
925 ** directories in the path. We've got to leave
926 ** something for the local sysad to do.
927 */
928
929 if (bitset(S_IWOTH, st.st_mode))
930 ctladdr->q_flags |= QUNSAFEADDR;
931
932 /* read the file -- each line is a comma-separated list. */
933 FileName = fname;
934 LineNumber = 0;
935 ctladdr->q_flags &= ~QSELFREF;
936 nincludes = 0;
937 while (fgets(buf, sizeof buf, fp) != NULL)
938 {
939 register char *p = strchr(buf, '\n');
940
941 LineNumber++;
942 if (p != NULL)
943 *p = '\0';
944 if (buf[0] == '#' || buf[0] == '\0')
945 continue;
946 e->e_to = NULL;
947 message("%s to %s",
948 forwarding ? "forwarding" : "sending", buf);
949 #ifdef LOG
950 if (forwarding && LogLevel > 9)
951 syslog(LOG_INFO, "%s: forward %s => %s",
952 e->e_id == NULL ? "NOQUEUE" : e->e_id,
953 oldto, buf);
954 #endif
955
956 AliasLevel++;
957 nincludes += sendtolist(buf, ctladdr, sendq, e);
958 AliasLevel--;
959 }
960
961 if (ferror(fp) && tTd(27, 3))
962 printf("include: read error: %s\n", errstring(errno));
963 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
964 {
965 if (tTd(27, 5))
966 {
967 printf("include: QDONTSEND ");
968 printaddr(ctladdr, FALSE);
969 }
970 ctladdr->q_flags |= QDONTSEND;
971 }
972
973 (void) xfclose(fp, "include", fname);
974 FileName = oldfilename;
975 LineNumber = oldlinenumber;
976 e->e_to = oldto;
977 return rval;
978 }
979
980 static
981 includetimeout()
982 {
983 longjmp(CtxIncludeTimeout, 1);
984 }
985 �/*
986 ** SENDTOARGV -- send to an argument vector.
987 **
988 ** Parameters:
989 ** argv -- argument vector to send to.
990 ** e -- the current envelope.
991 **
992 ** Returns:
993 ** none.
994 **
995 ** Side Effects:
996 ** puts all addresses on the argument vector onto the
997 ** send queue.
998 */
999
1000 sendtoargv(argv, e)
1001 register char **argv;
1002 register ENVELOPE *e;
1003 {
1004 register char *p;
1005
1006 while ((p = *argv++) != NULL)
1007 {
1008 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
1009 }
1010 }
1011 �/*
1012 ** GETCTLADDR -- get controlling address from an address header.
1013 **
1014 ** If none, get one corresponding to the effective userid.
1015 **
1016 ** Parameters:
1017 ** a -- the address to find the controller of.
1018 **
1019 ** Returns:
1020 ** the controlling address.
1021 **
1022 ** Side Effects:
1023 ** none.
1024 */
1025
1026 ADDRESS *
1027 getctladdr(a)
1028 register ADDRESS *a;
1029 {
1030 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1031 a = a->q_alias;
1032 return (a);
1033 }
1034