1 /* 2 * Copyright (c) 1983 Eric P. Allman 3 * Copyright (c) 1988, 1993 4 * The Regents of the University of California. All rights reserved. 5 * 6 * %sccs.include.redist.c% 7 */ 8 9 #ifndef lint 10 static char sccsid[] = "@(#)recipient.c 8.74 (Berkeley) 03/25/95"; 11 #endif /* not lint */ 12 13 # include "sendmail.h" 14 # include <pwd.h> 15 16 /* 17 ** SENDTOLIST -- Designate a send list. 18 ** 19 ** The parameter is a comma-separated list of people to send to. 20 ** This routine arranges to send to all of them. 21 ** 22 ** Parameters: 23 ** list -- the send list. 24 ** ctladdr -- the address template for the person to 25 ** send to -- effective uid/gid are important. 26 ** This is typically the alias that caused this 27 ** expansion. 28 ** sendq -- a pointer to the head of a queue to put 29 ** these people into. 30 ** aliaslevel -- the current alias nesting depth -- to 31 ** diagnose loops. 32 ** e -- the envelope in which to add these recipients. 33 ** 34 ** Returns: 35 ** The number of addresses actually on the list. 36 ** 37 ** Side Effects: 38 ** none. 39 */ 40 41 #define MAXRCRSN 10 /* maximum levels of alias recursion */ 42 43 /* q_flags bits inherited from ctladdr */ 44 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 45 46 int 47 sendtolist(list, ctladdr, sendq, aliaslevel, e) 48 char *list; 49 ADDRESS *ctladdr; 50 ADDRESS **sendq; 51 int aliaslevel; 52 register ENVELOPE *e; 53 { 54 register char *p; 55 register ADDRESS *al; /* list of addresses to send to */ 56 bool firstone; /* set on first address sent */ 57 char delimiter; /* the address delimiter */ 58 int naddrs; 59 int i; 60 char *oldto = e->e_to; 61 char *bufp; 62 char buf[MAXNAME + 1]; 63 64 if (list == NULL) 65 { 66 syserr("sendtolist: null list"); 67 return 0; 68 } 69 70 if (tTd(25, 1)) 71 { 72 printf("sendto: %s\n ctladdr=", list); 73 printaddr(ctladdr, FALSE); 74 } 75 76 /* heuristic to determine old versus new style addresses */ 77 if (ctladdr == NULL && 78 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 79 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 80 e->e_flags &= ~EF_OLDSTYLE; 81 delimiter = ' '; 82 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 83 delimiter = ','; 84 85 firstone = TRUE; 86 al = NULL; 87 naddrs = 0; 88 89 /* make sure we have enough space to copy the string */ 90 i = strlen(list) + 1; 91 if (i <= sizeof buf) 92 bufp = buf; 93 else 94 bufp = xalloc(i); 95 strcpy(bufp, denlstring(list, FALSE, TRUE)); 96 97 for (p = bufp; *p != '\0'; ) 98 { 99 auto char *delimptr; 100 register ADDRESS *a; 101 102 /* parse the address */ 103 while ((isascii(*p) && isspace(*p)) || *p == ',') 104 p++; 105 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e); 106 p = delimptr; 107 if (a == NULL) 108 continue; 109 a->q_next = al; 110 a->q_alias = ctladdr; 111 112 /* see if this should be marked as a primary address */ 113 if (ctladdr == NULL || 114 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags))) 115 a->q_flags |= QPRIMARY; 116 117 /* arrange to inherit attributes from parent */ 118 if (ctladdr != NULL) 119 { 120 /* self reference test */ 121 if (sameaddr(ctladdr, a)) 122 ctladdr->q_flags |= QSELFREF; 123 124 /* full name */ 125 if (a->q_fullname == NULL) 126 a->q_fullname = ctladdr->q_fullname; 127 128 /* various flag bits */ 129 a->q_flags &= ~QINHERITEDBITS; 130 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 131 132 /* original recipient information */ 133 a->q_orcpt = ctladdr->q_orcpt; 134 } 135 136 al = a; 137 firstone = FALSE; 138 } 139 140 /* arrange to send to everyone on the local send list */ 141 while (al != NULL) 142 { 143 register ADDRESS *a = al; 144 145 al = a->q_next; 146 a = recipient(a, sendq, aliaslevel, e); 147 naddrs++; 148 } 149 150 e->e_to = oldto; 151 if (bufp != buf) 152 free(bufp); 153 return (naddrs); 154 } 155 /* 156 ** RECIPIENT -- Designate a message recipient 157 ** 158 ** Saves the named person for future mailing. 159 ** 160 ** Parameters: 161 ** a -- the (preparsed) address header for the recipient. 162 ** sendq -- a pointer to the head of a queue to put the 163 ** recipient in. Duplicate supression is done 164 ** in this queue. 165 ** aliaslevel -- the current alias nesting depth. 166 ** e -- the current envelope. 167 ** 168 ** Returns: 169 ** The actual address in the queue. This will be "a" if 170 ** the address is not a duplicate, else the original address. 171 ** 172 ** Side Effects: 173 ** none. 174 */ 175 176 ADDRESS * 177 recipient(a, sendq, aliaslevel, e) 178 register ADDRESS *a; 179 register ADDRESS **sendq; 180 int aliaslevel; 181 register ENVELOPE *e; 182 { 183 register ADDRESS *q; 184 ADDRESS **pq; 185 register struct mailer *m; 186 register char *p; 187 bool quoted = FALSE; /* set if the addr has a quote bit */ 188 int findusercount = 0; 189 int i; 190 char *buf; 191 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 192 extern int safefile(); 193 194 e->e_to = a->q_paddr; 195 m = a->q_mailer; 196 errno = 0; 197 if (tTd(26, 1)) 198 { 199 printf("\nrecipient: "); 200 printaddr(a, FALSE); 201 } 202 203 /* if this is primary, add it to the original recipient list */ 204 if (a->q_alias == NULL) 205 { 206 if (e->e_origrcpt == NULL) 207 e->e_origrcpt = a->q_paddr; 208 else if (e->e_origrcpt != a->q_paddr) 209 e->e_origrcpt = ""; 210 } 211 212 /* break aliasing loops */ 213 if (aliaslevel > MAXRCRSN) 214 { 215 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max", 216 aliaslevel, MAXRCRSN); 217 return (a); 218 } 219 220 /* 221 ** Finish setting up address structure. 222 */ 223 224 /* get unquoted user for file, program or user.name check */ 225 i = strlen(a->q_user); 226 if (i >= sizeof buf0) 227 buf = xalloc(i + 1); 228 else 229 buf = buf0; 230 (void) strcpy(buf, a->q_user); 231 for (p = buf; *p != '\0' && !quoted; p++) 232 { 233 if (*p == '\\') 234 quoted = TRUE; 235 } 236 stripquotes(buf); 237 238 /* check for direct mailing to restricted mailers */ 239 if (m == ProgMailer) 240 { 241 if (a->q_alias == NULL) 242 { 243 a->q_flags |= QBADADDR; 244 usrerr("550 Cannot mail directly to programs"); 245 } 246 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 247 { 248 a->q_flags |= QBADADDR; 249 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs", 250 a->q_alias->q_ruser, MyHostName); 251 } 252 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 253 { 254 a->q_flags |= QBADADDR; 255 usrerr("550 Address %s is unsafe for mailing to programs", 256 a->q_alias->q_paddr); 257 } 258 } 259 260 /* 261 ** Look up this person in the recipient list. 262 ** If they are there already, return, otherwise continue. 263 ** If the list is empty, just add it. Notice the cute 264 ** hack to make from addresses suppress things correctly: 265 ** the QDONTSEND bit will be set in the send list. 266 ** [Please note: the emphasis is on "hack."] 267 */ 268 269 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 270 { 271 if (sameaddr(q, a)) 272 { 273 if (tTd(26, 1)) 274 { 275 printf("%s in sendq: ", a->q_paddr); 276 printaddr(q, FALSE); 277 } 278 if (!bitset(QPRIMARY, q->q_flags)) 279 { 280 if (!bitset(QDONTSEND, a->q_flags)) 281 message("duplicate suppressed"); 282 q->q_flags |= a->q_flags; 283 } 284 else if (bitset(QSELFREF, q->q_flags)) 285 q->q_flags |= a->q_flags & ~QDONTSEND; 286 a = q; 287 goto done; 288 } 289 } 290 291 /* add address on list */ 292 *pq = a; 293 a->q_next = NULL; 294 295 /* 296 ** Alias the name and handle special mailer types. 297 */ 298 299 trylocaluser: 300 if (tTd(29, 7)) 301 printf("at trylocaluser %s\n", a->q_user); 302 303 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags)) 304 goto testselfdestruct; 305 306 if (m == InclMailer) 307 { 308 a->q_flags |= QDONTSEND; 309 if (a->q_alias == NULL) 310 { 311 a->q_flags |= QBADADDR; 312 usrerr("550 Cannot mail directly to :include:s"); 313 } 314 else 315 { 316 int ret; 317 318 message("including file %s", a->q_user); 319 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e); 320 if (transienterror(ret)) 321 { 322 #ifdef LOG 323 if (LogLevel > 2) 324 syslog(LOG_ERR, "%s: include %s: transient error: %s", 325 e->e_id == NULL ? "NOQUEUE" : e->e_id, 326 a->q_user, errstring(ret)); 327 #endif 328 a->q_flags |= QQUEUEUP; 329 a->q_flags &= ~QDONTSEND; 330 usrerr("451 Cannot open %s: %s", 331 a->q_user, errstring(ret)); 332 } 333 else if (ret != 0) 334 { 335 a->q_flags |= QBADADDR; 336 usrerr("550 Cannot open %s: %s", 337 a->q_user, errstring(ret)); 338 } 339 } 340 } 341 else if (m == FileMailer) 342 { 343 extern bool writable(); 344 345 /* check if writable or creatable */ 346 if (a->q_alias == NULL) 347 { 348 a->q_flags |= QBADADDR; 349 usrerr("550 Cannot mail directly to files"); 350 } 351 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags)) 352 { 353 a->q_flags |= QBADADDR; 354 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files", 355 a->q_alias->q_ruser, MyHostName); 356 } 357 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags)) 358 { 359 a->q_flags |= QBADADDR; 360 usrerr("550 Address %s is unsafe for mailing to files", 361 a->q_alias->q_paddr); 362 } 363 else if (!writable(buf, getctladdr(a), SFF_CREAT)) 364 { 365 a->q_flags |= QBADADDR; 366 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, 367 (time_t) 0, e); 368 } 369 } 370 371 /* try aliasing */ 372 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags)) 373 alias(a, sendq, aliaslevel, e); 374 375 # ifdef USERDB 376 /* if not aliased, look it up in the user database */ 377 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) && 378 bitnset(M_CHECKUDB, m->m_flags)) 379 { 380 extern int udbexpand(); 381 382 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL) 383 { 384 a->q_flags |= QQUEUEUP; 385 if (e->e_message == NULL) 386 e->e_message = newstr("Deferred: user database error"); 387 # ifdef LOG 388 if (LogLevel > 8) 389 syslog(LOG_INFO, "%s: deferred: udbexpand: %s", 390 e->e_id == NULL ? "NOQUEUE" : e->e_id, 391 errstring(errno)); 392 # endif 393 message("queued (user database error): %s", 394 errstring(errno)); 395 e->e_nrcpts++; 396 goto testselfdestruct; 397 } 398 } 399 # endif 400 401 /* 402 ** If we have a level two config file, then pass the name through 403 ** Ruleset 5 before sending it off. Ruleset 5 has the right 404 ** to send rewrite it to another mailer. This gives us a hook 405 ** after local aliasing has been done. 406 */ 407 408 if (tTd(29, 5)) 409 { 410 printf("recipient: testing local? cl=%d, rr5=%x\n\t", 411 ConfigLevel, RewriteRules[5]); 412 printaddr(a, FALSE); 413 } 414 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 415 ConfigLevel >= 2 && RewriteRules[5] != NULL && 416 bitnset(M_TRYRULESET5, m->m_flags)) 417 { 418 maplocaluser(a, sendq, aliaslevel, e); 419 } 420 421 /* 422 ** If it didn't get rewritten to another mailer, go ahead 423 ** and deliver it. 424 */ 425 426 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) && 427 bitnset(M_HASPWENT, m->m_flags)) 428 { 429 auto bool fuzzy; 430 register struct passwd *pw; 431 extern struct passwd *finduser(); 432 433 /* warning -- finduser may trash buf */ 434 pw = finduser(buf, &fuzzy); 435 if (pw == NULL) 436 { 437 a->q_flags |= QBADADDR; 438 giveresponse(EX_NOUSER, m, NULL, a->q_alias, 439 (time_t) 0, e); 440 } 441 else 442 { 443 char nbuf[MAXNAME + 1]; 444 445 if (fuzzy) 446 { 447 /* name was a fuzzy match */ 448 a->q_user = newstr(pw->pw_name); 449 if (findusercount++ > 3) 450 { 451 a->q_flags |= QBADADDR; 452 usrerr("554 aliasing/forwarding loop for %s broken", 453 pw->pw_name); 454 goto done; 455 } 456 457 /* see if it aliases */ 458 (void) strcpy(buf, pw->pw_name); 459 goto trylocaluser; 460 } 461 if (strcmp(pw->pw_dir, "/") == 0) 462 a->q_home = ""; 463 else 464 a->q_home = newstr(pw->pw_dir); 465 a->q_uid = pw->pw_uid; 466 a->q_gid = pw->pw_gid; 467 a->q_ruser = newstr(pw->pw_name); 468 a->q_flags |= QGOODUID; 469 buildfname(pw->pw_gecos, pw->pw_name, nbuf); 470 if (nbuf[0] != '\0') 471 a->q_fullname = newstr(nbuf); 472 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' && 473 !usershellok(pw->pw_shell)) 474 { 475 a->q_flags |= QBOGUSSHELL; 476 } 477 if (!quoted) 478 forward(a, sendq, aliaslevel, e); 479 } 480 } 481 if (!bitset(QDONTSEND, a->q_flags)) 482 e->e_nrcpts++; 483 484 testselfdestruct: 485 if (tTd(26, 8)) 486 { 487 printf("testselfdestruct: "); 488 printaddr(a, TRUE); 489 } 490 if (a->q_alias == NULL && a != &e->e_from && 491 bitset(QDONTSEND, a->q_flags)) 492 { 493 q = *sendq; 494 while (q != NULL && bitset(QDONTSEND, q->q_flags)) 495 q = q->q_next; 496 if (q == NULL) 497 { 498 a->q_flags |= QBADADDR; 499 usrerr("554 aliasing/forwarding loop broken"); 500 } 501 } 502 503 done: 504 if (buf != buf0) 505 free(buf); 506 return (a); 507 } 508 /* 509 ** FINDUSER -- find the password entry for a user. 510 ** 511 ** This looks a lot like getpwnam, except that it may want to 512 ** do some fancier pattern matching in /etc/passwd. 513 ** 514 ** This routine contains most of the time of many sendmail runs. 515 ** It deserves to be optimized. 516 ** 517 ** Parameters: 518 ** name -- the name to match against. 519 ** fuzzyp -- an outarg that is set to TRUE if this entry 520 ** was found using the fuzzy matching algorithm; 521 ** set to FALSE otherwise. 522 ** 523 ** Returns: 524 ** A pointer to a pw struct. 525 ** NULL if name is unknown or ambiguous. 526 ** 527 ** Side Effects: 528 ** may modify name. 529 */ 530 531 struct passwd * 532 finduser(name, fuzzyp) 533 char *name; 534 bool *fuzzyp; 535 { 536 register struct passwd *pw; 537 register char *p; 538 extern struct passwd *getpwent(); 539 extern struct passwd *getpwnam(); 540 541 if (tTd(29, 4)) 542 printf("finduser(%s): ", name); 543 544 *fuzzyp = FALSE; 545 546 #ifdef HESIOD 547 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 548 for (p = name; *p != '\0'; p++) 549 if (!isascii(*p) || !isdigit(*p)) 550 break; 551 if (*p == '\0') 552 { 553 if (tTd(29, 4)) 554 printf("failed (numeric input)\n"); 555 return NULL; 556 } 557 #endif 558 559 /* look up this login name using fast path */ 560 if ((pw = getpwnam(name)) != NULL) 561 { 562 if (tTd(29, 4)) 563 printf("found (non-fuzzy)\n"); 564 return (pw); 565 } 566 567 #ifdef MATCHGECOS 568 /* see if fuzzy matching allowed */ 569 if (!MatchGecos) 570 { 571 if (tTd(29, 4)) 572 printf("not found (fuzzy disabled)\n"); 573 return NULL; 574 } 575 576 /* search for a matching full name instead */ 577 for (p = name; *p != '\0'; p++) 578 { 579 if (*p == (SpaceSub & 0177) || *p == '_') 580 *p = ' '; 581 } 582 (void) setpwent(); 583 while ((pw = getpwent()) != NULL) 584 { 585 char buf[MAXNAME + 1]; 586 587 buildfname(pw->pw_gecos, pw->pw_name, buf); 588 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name)) 589 { 590 if (tTd(29, 4)) 591 printf("fuzzy matches %s\n", pw->pw_name); 592 message("sending to login name %s", pw->pw_name); 593 *fuzzyp = TRUE; 594 return (pw); 595 } 596 } 597 if (tTd(29, 4)) 598 printf("no fuzzy match found\n"); 599 #else 600 if (tTd(29, 4)) 601 printf("not found (fuzzy disabled)\n"); 602 #endif 603 return (NULL); 604 } 605 /* 606 ** WRITABLE -- predicate returning if the file is writable. 607 ** 608 ** This routine must duplicate the algorithm in sys/fio.c. 609 ** Unfortunately, we cannot use the access call since we 610 ** won't necessarily be the real uid when we try to 611 ** actually open the file. 612 ** 613 ** Notice that ANY file with ANY execute bit is automatically 614 ** not writable. This is also enforced by mailfile. 615 ** 616 ** Parameters: 617 ** filename -- the file name to check. 618 ** ctladdr -- the controlling address for this file. 619 ** flags -- SFF_* flags to control the function. 620 ** 621 ** Returns: 622 ** TRUE -- if we will be able to write this file. 623 ** FALSE -- if we cannot write this file. 624 ** 625 ** Side Effects: 626 ** none. 627 */ 628 629 bool 630 writable(filename, ctladdr, flags) 631 char *filename; 632 ADDRESS *ctladdr; 633 int flags; 634 { 635 uid_t euid; 636 gid_t egid; 637 int bits; 638 register char *p; 639 char *uname; 640 641 if (tTd(29, 5)) 642 printf("writable(%s, %x)\n", filename, flags); 643 644 #ifdef SUID_ROOT_FILES_OK 645 /* really ought to be passed down -- and not a good idea */ 646 flags |= SFF_ROOTOK; 647 #endif 648 649 /* 650 ** File does exist -- check that it is writable. 651 */ 652 653 if (ctladdr != NULL && geteuid() == 0) 654 { 655 euid = ctladdr->q_uid; 656 egid = ctladdr->q_gid; 657 uname = ctladdr->q_user; 658 } 659 #ifdef RUN_AS_REAL_UID 660 else 661 { 662 extern char RealUserName[]; 663 664 euid = RealUid; 665 egid = RealGid; 666 uname = RealUserName; 667 } 668 #else 669 else if (FileMailer != NULL) 670 { 671 euid = FileMailer->m_uid; 672 egid = FileMailer->m_gid; 673 } 674 else 675 { 676 euid = egid = 0; 677 } 678 #endif 679 if (euid == 0) 680 { 681 euid = DefUid; 682 uname = DefUser; 683 } 684 if (egid == 0) 685 egid = DefGid; 686 if (geteuid() == 0) 687 flags |= SFF_SETUIDOK; 688 689 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE, NULL); 690 return errno == 0; 691 } 692 /* 693 ** INCLUDE -- handle :include: specification. 694 ** 695 ** Parameters: 696 ** fname -- filename to include. 697 ** forwarding -- if TRUE, we are reading a .forward file. 698 ** if FALSE, it's a :include: file. 699 ** ctladdr -- address template to use to fill in these 700 ** addresses -- effective user/group id are 701 ** the important things. 702 ** sendq -- a pointer to the head of the send queue 703 ** to put these addresses in. 704 ** aliaslevel -- the alias nesting depth. 705 ** e -- the current envelope. 706 ** 707 ** Returns: 708 ** open error status 709 ** 710 ** Side Effects: 711 ** reads the :include: file and sends to everyone 712 ** listed in that file. 713 ** 714 ** Security Note: 715 ** If you have restricted chown (that is, you can't 716 ** give a file away), it is reasonable to allow programs 717 ** and files called from this :include: file to be to be 718 ** run as the owner of the :include: file. This is bogus 719 ** if there is any chance of someone giving away a file. 720 ** We assume that pre-POSIX systems can give away files. 721 ** 722 ** There is an additional restriction that if you 723 ** forward to a :include: file, it will not take on 724 ** the ownership of the :include: file. This may not 725 ** be necessary, but shouldn't hurt. 726 */ 727 728 static jmp_buf CtxIncludeTimeout; 729 static void includetimeout(); 730 731 int 732 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 733 char *fname; 734 bool forwarding; 735 ADDRESS *ctladdr; 736 ADDRESS **sendq; 737 int aliaslevel; 738 ENVELOPE *e; 739 { 740 FILE *fp = NULL; 741 char *oldto = e->e_to; 742 char *oldfilename = FileName; 743 int oldlinenumber = LineNumber; 744 register EVENT *ev = NULL; 745 int nincludes; 746 register ADDRESS *ca; 747 uid_t saveduid, uid; 748 gid_t savedgid, gid; 749 char *uname; 750 int rval = 0; 751 int sfflags = SFF_REGONLY; 752 struct stat st; 753 char buf[MAXLINE]; 754 #ifdef _POSIX_CHOWN_RESTRICTED 755 # if _POSIX_CHOWN_RESTRICTED == -1 756 # define safechown FALSE 757 # else 758 # define safechown TRUE 759 # endif 760 #else 761 # ifdef _PC_CHOWN_RESTRICTED 762 bool safechown; 763 # else 764 # ifdef BSD 765 # define safechown TRUE 766 # else 767 # define safechown FALSE 768 # endif 769 # endif 770 #endif 771 extern bool chownsafe(); 772 773 if (tTd(27, 2)) 774 printf("include(%s)\n", fname); 775 if (tTd(27, 4)) 776 printf(" ruid=%d euid=%d\n", getuid(), geteuid()); 777 if (tTd(27, 14)) 778 { 779 printf("ctladdr "); 780 printaddr(ctladdr, FALSE); 781 } 782 783 if (tTd(27, 9)) 784 printf("include: old uid = %d/%d\n", getuid(), geteuid()); 785 786 if (forwarding) 787 sfflags |= SFF_MUSTOWN; 788 789 ca = getctladdr(ctladdr); 790 if (ca == NULL) 791 { 792 uid = DefUid; 793 gid = DefGid; 794 uname = DefUser; 795 } 796 else 797 { 798 uid = ca->q_uid; 799 gid = ca->q_gid; 800 uname = ca->q_user; 801 } 802 #ifdef HASSETREUID 803 saveduid = geteuid(); 804 savedgid = getegid(); 805 if (saveduid == 0) 806 { 807 initgroups(uname, gid); 808 if (uid != 0) 809 { 810 if (setreuid(0, uid) < 0) 811 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 812 uid, getuid(), geteuid()); 813 else 814 sfflags |= SFF_NOPATHCHECK; 815 } 816 } 817 #endif 818 819 if (tTd(27, 9)) 820 printf("include: new uid = %d/%d\n", getuid(), geteuid()); 821 822 /* 823 ** If home directory is remote mounted but server is down, 824 ** this can hang or give errors; use a timeout to avoid this 825 */ 826 827 if (setjmp(CtxIncludeTimeout) != 0) 828 { 829 ctladdr->q_flags |= QQUEUEUP; 830 errno = 0; 831 832 /* return pseudo-error code */ 833 rval = EOPENTIMEOUT; 834 goto resetuid; 835 } 836 if (TimeOuts.to_fileopen > 0) 837 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0); 838 else 839 ev = NULL; 840 841 /* the input file must be marked safe */ 842 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD, NULL); 843 if (rval != 0) 844 { 845 /* don't use this :include: file */ 846 if (tTd(27, 4)) 847 printf("include: not safe (uid=%d): %s\n", 848 uid, errstring(rval)); 849 } 850 else 851 { 852 fp = fopen(fname, "r"); 853 if (fp == NULL) 854 { 855 rval = errno; 856 if (tTd(27, 4)) 857 printf("include: open: %s\n", errstring(rval)); 858 } 859 } 860 if (ev != NULL) 861 clrevent(ev); 862 863 resetuid: 864 865 #ifdef HASSETREUID 866 if (saveduid == 0) 867 { 868 if (uid != 0) 869 { 870 if (setreuid(-1, 0) < 0) 871 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", 872 getuid(), geteuid()); 873 if (setreuid(RealUid, 0) < 0) 874 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", 875 RealUid, getuid(), geteuid()); 876 } 877 setgid(savedgid); 878 } 879 #endif 880 881 if (tTd(27, 9)) 882 printf("include: reset uid = %d/%d\n", getuid(), geteuid()); 883 884 if (rval == EOPENTIMEOUT) 885 usrerr("451 open timeout on %s", fname); 886 887 if (fp == NULL) 888 return rval; 889 890 if (fstat(fileno(fp), &st) < 0) 891 { 892 rval = errno; 893 syserr("Cannot fstat %s!", fname); 894 return rval; 895 } 896 897 #ifndef safechown 898 safechown = chownsafe(fileno(fp)); 899 #endif 900 if (ca == NULL && safechown) 901 { 902 ctladdr->q_uid = st.st_uid; 903 ctladdr->q_gid = st.st_gid; 904 ctladdr->q_flags |= QGOODUID; 905 } 906 if (ca != NULL && ca->q_uid == st.st_uid) 907 { 908 /* optimization -- avoid getpwuid if we already have info */ 909 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 910 ctladdr->q_ruser = ca->q_ruser; 911 } 912 else 913 { 914 register struct passwd *pw; 915 916 pw = getpwuid(st.st_uid); 917 if (pw == NULL) 918 ctladdr->q_flags |= QBOGUSSHELL; 919 else 920 { 921 char *sh; 922 923 ctladdr->q_ruser = newstr(pw->pw_name); 924 if (safechown) 925 sh = pw->pw_shell; 926 else 927 sh = "/SENDMAIL/ANY/SHELL/"; 928 if (!usershellok(sh)) 929 { 930 if (safechown) 931 ctladdr->q_flags |= QBOGUSSHELL; 932 else 933 ctladdr->q_flags |= QUNSAFEADDR; 934 } 935 } 936 } 937 938 if (bitset(EF_VRFYONLY, e->e_flags)) 939 { 940 /* don't do any more now */ 941 ctladdr->q_flags |= QVERIFIED; 942 e->e_nrcpts++; 943 xfclose(fp, "include", fname); 944 return rval; 945 } 946 947 /* 948 ** Check to see if some bad guy can write this file 949 ** 950 ** This should really do something clever with group 951 ** permissions; currently we just view world writable 952 ** as unsafe. Also, we don't check for writable 953 ** directories in the path. We've got to leave 954 ** something for the local sysad to do. 955 */ 956 957 if (bitset(S_IWOTH, st.st_mode)) 958 ctladdr->q_flags |= QUNSAFEADDR; 959 960 /* read the file -- each line is a comma-separated list. */ 961 FileName = fname; 962 LineNumber = 0; 963 ctladdr->q_flags &= ~QSELFREF; 964 nincludes = 0; 965 while (fgets(buf, sizeof buf, fp) != NULL) 966 { 967 register char *p = strchr(buf, '\n'); 968 969 LineNumber++; 970 if (p != NULL) 971 *p = '\0'; 972 if (buf[0] == '#' || buf[0] == '\0') 973 continue; 974 e->e_to = NULL; 975 message("%s to %s", 976 forwarding ? "forwarding" : "sending", buf); 977 #ifdef LOG 978 if (forwarding && LogLevel > 9) 979 syslog(LOG_INFO, "%s: forward %s => %s", 980 e->e_id == NULL ? "NOQUEUE" : e->e_id, 981 oldto, buf); 982 #endif 983 984 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 985 } 986 987 if (ferror(fp) && tTd(27, 3)) 988 printf("include: read error: %s\n", errstring(errno)); 989 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 990 { 991 if (tTd(27, 5)) 992 { 993 printf("include: QDONTSEND "); 994 printaddr(ctladdr, FALSE); 995 } 996 ctladdr->q_flags |= QDONTSEND; 997 } 998 999 (void) xfclose(fp, "include", fname); 1000 FileName = oldfilename; 1001 LineNumber = oldlinenumber; 1002 e->e_to = oldto; 1003 return rval; 1004 } 1005 1006 static void 1007 includetimeout() 1008 { 1009 longjmp(CtxIncludeTimeout, 1); 1010 } 1011 /* 1012 ** SENDTOARGV -- send to an argument vector. 1013 ** 1014 ** Parameters: 1015 ** argv -- argument vector to send to. 1016 ** e -- the current envelope. 1017 ** 1018 ** Returns: 1019 ** none. 1020 ** 1021 ** Side Effects: 1022 ** puts all addresses on the argument vector onto the 1023 ** send queue. 1024 */ 1025 1026 sendtoargv(argv, e) 1027 register char **argv; 1028 register ENVELOPE *e; 1029 { 1030 register char *p; 1031 1032 while ((p = *argv++) != NULL) 1033 { 1034 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1035 } 1036 } 1037 /* 1038 ** GETCTLADDR -- get controlling address from an address header. 1039 ** 1040 ** If none, get one corresponding to the effective userid. 1041 ** 1042 ** Parameters: 1043 ** a -- the address to find the controller of. 1044 ** 1045 ** Returns: 1046 ** the controlling address. 1047 ** 1048 ** Side Effects: 1049 ** none. 1050 */ 1051 1052 ADDRESS * 1053 getctladdr(a) 1054 register ADDRESS *a; 1055 { 1056 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1057 a = a->q_alias; 1058 return (a); 1059 } 1060