1 /*
2 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers.
3 * All rights reserved.
4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved.
5 * Copyright (c) 1988, 1993
6 * The Regents of the University of California. All rights reserved.
7 *
8 * By using this file, you agree to the terms and conditions set
9 * forth in the LICENSE file which can be found at the top level of
10 * the sendmail distribution.
11 *
12 */
13
14 #pragma ident "%Z%%M% %I% %E% SMI"
15
16 #include <sendmail.h>
17
18 SM_RCSID("@(#)$Id: recipient.c,v 8.349 2007/07/10 17:01:22 ca Exp $")
19
20 static void includetimeout __P((int));
21 static ADDRESS *self_reference __P((ADDRESS *));
22 static int sortexpensive __P((ADDRESS *, ADDRESS *));
23 static int sortbysignature __P((ADDRESS *, ADDRESS *));
24 static int sorthost __P((ADDRESS *, ADDRESS *));
25
26 typedef int sortfn_t __P((ADDRESS *, ADDRESS *));
27
28 /*
29 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS
30 **
31 ** Parameters:
32 ** xx -- first ADDRESS
33 ** yy -- second ADDRESS
34 **
35 ** Returns:
36 ** <0 when xx->q_host is less than yy->q_host
37 ** >0 when xx->q_host is greater than yy->q_host
38 ** 0 when equal
39 */
40
41 static int
sorthost(xx,yy)42 sorthost(xx, yy)
43 register ADDRESS *xx;
44 register ADDRESS *yy;
45 {
46 #if _FFR_HOST_SORT_REVERSE
47 /* XXX maybe compare hostnames from the end? */
48 return sm_strrevcasecmp(xx->q_host, yy->q_host);
49 #else /* _FFR_HOST_SORT_REVERSE */
50 return sm_strcasecmp(xx->q_host, yy->q_host);
51 #endif /* _FFR_HOST_SORT_REVERSE */
52 }
53
54 /*
55 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers
56 **
57 ** The mailer has been noted already as "expensive" for 'xx'. This
58 ** will give a result relative to 'yy'. Expensive mailers get rated
59 ** "greater than" non-expensive mailers because during the delivery phase
60 ** it will get queued -- no use it getting in the way of less expensive
61 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are
62 ** expensive since an MX RR lookup happens when extracted from the queue
63 ** later.
64 **
65 ** Parameters:
66 ** xx -- first ADDRESS
67 ** yy -- second ADDRESS
68 **
69 ** Returns:
70 ** <0 when xx->q_host is less than yy->q_host and both are
71 ** expensive
72 ** >0 when xx->q_host is greater than yy->q_host, or when
73 ** 'yy' is non-expensive
74 ** 0 when equal (by expense and q_host)
75 */
76
77 static int
sortexpensive(xx,yy)78 sortexpensive(xx, yy)
79 ADDRESS *xx;
80 ADDRESS *yy;
81 {
82 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags))
83 return 1; /* xx should go later */
84 #if _FFR_HOST_SORT_REVERSE
85 /* XXX maybe compare hostnames from the end? */
86 return sm_strrevcasecmp(xx->q_host, yy->q_host);
87 #else /* _FFR_HOST_SORT_REVERSE */
88 return sm_strcasecmp(xx->q_host, yy->q_host);
89 #endif /* _FFR_HOST_SORT_REVERSE */
90 }
91
92 /*
93 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS
94 **
95 ** Parameters:
96 ** xx -- first ADDRESS
97 ** yy -- second ADDRESS
98 **
99 ** Returns:
100 ** 0 when the "signature"'s are same
101 ** <0 when xx->q_signature is less than yy->q_signature
102 ** >0 when xx->q_signature is greater than yy->q_signature
103 **
104 ** Side Effect:
105 ** May set ADDRESS pointer for q_signature if not already set.
106 */
107
108 static int
sortbysignature(xx,yy)109 sortbysignature(xx, yy)
110 ADDRESS *xx;
111 ADDRESS *yy;
112 {
113 register int ret;
114
115 /* Let's avoid redoing the signature over and over again */
116 if (xx->q_signature == NULL)
117 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host);
118 if (yy->q_signature == NULL)
119 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host);
120 ret = strcmp(xx->q_signature, yy->q_signature);
121
122 /*
123 ** If the two signatures are the same then we will return a sort
124 ** value based on 'q_user'. But note that we have reversed xx and yy
125 ** on purpose. This additional compare helps reduce the number of
126 ** sameaddr() calls and loops in recipient() for the case when
127 ** the rcpt list has been provided already in-order.
128 */
129
130 if (ret == 0)
131 return strcmp(yy->q_user, xx->q_user);
132 else
133 return ret;
134 }
135
136 /*
137 ** SENDTOLIST -- Designate a send list.
138 **
139 ** The parameter is a comma-separated list of people to send to.
140 ** This routine arranges to send to all of them.
141 **
142 ** Parameters:
143 ** list -- the send list.
144 ** ctladdr -- the address template for the person to
145 ** send to -- effective uid/gid are important.
146 ** This is typically the alias that caused this
147 ** expansion.
148 ** sendq -- a pointer to the head of a queue to put
149 ** these people into.
150 ** aliaslevel -- the current alias nesting depth -- to
151 ** diagnose loops.
152 ** e -- the envelope in which to add these recipients.
153 **
154 ** Returns:
155 ** The number of addresses actually on the list.
156 */
157
158 /* q_flags bits inherited from ctladdr */
159 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)
160
161 int
sendtolist(list,ctladdr,sendq,aliaslevel,e)162 sendtolist(list, ctladdr, sendq, aliaslevel, e)
163 char *list;
164 ADDRESS *ctladdr;
165 ADDRESS **sendq;
166 int aliaslevel;
167 register ENVELOPE *e;
168 {
169 register char *p;
170 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */
171 SM_NONVOLATILE char delimiter; /* the address delimiter */
172 SM_NONVOLATILE int naddrs;
173 SM_NONVOLATILE int i;
174 char *endp;
175 char *oldto = e->e_to;
176 char *SM_NONVOLATILE bufp;
177 char buf[MAXNAME + 1];
178
179 if (list == NULL)
180 {
181 syserr("sendtolist: null list");
182 return 0;
183 }
184
185 if (tTd(25, 1))
186 {
187 sm_dprintf("sendto: %s\n ctladdr=", list);
188 printaddr(sm_debug_file(), ctladdr, false);
189 }
190
191 /* heuristic to determine old versus new style addresses */
192 if (ctladdr == NULL &&
193 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
194 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
195 e->e_flags &= ~EF_OLDSTYLE;
196 delimiter = ' ';
197 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
198 delimiter = ',';
199
200 al = NULL;
201 naddrs = 0;
202
203 /* make sure we have enough space to copy the string */
204 i = strlen(list) + 1;
205 if (i <= sizeof(buf))
206 {
207 bufp = buf;
208 i = sizeof(buf);
209 }
210 else
211 bufp = sm_malloc_x(i);
212 endp = bufp + i;
213
214 SM_TRY
215 {
216 (void) sm_strlcpy(bufp, denlstring(list, false, true), i);
217
218 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r");
219 for (p = bufp; *p != '\0'; )
220 {
221 auto char *delimptr;
222 register ADDRESS *a;
223
224 SM_ASSERT(p < endp);
225
226 /* parse the address */
227 while ((isascii(*p) && isspace(*p)) || *p == ',')
228 p++;
229 SM_ASSERT(p < endp);
230 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter,
231 &delimptr, e, true);
232 p = delimptr;
233 SM_ASSERT(p < endp);
234 if (a == NULL)
235 continue;
236 a->q_next = al;
237 a->q_alias = ctladdr;
238
239 /* arrange to inherit attributes from parent */
240 if (ctladdr != NULL)
241 {
242 ADDRESS *b;
243
244 /* self reference test */
245 if (sameaddr(ctladdr, a))
246 {
247 if (tTd(27, 5))
248 {
249 sm_dprintf("sendtolist: QSELFREF ");
250 printaddr(sm_debug_file(), ctladdr, false);
251 }
252 ctladdr->q_flags |= QSELFREF;
253 }
254
255 /* check for address loops */
256 b = self_reference(a);
257 if (b != NULL)
258 {
259 b->q_flags |= QSELFREF;
260 if (tTd(27, 5))
261 {
262 sm_dprintf("sendtolist: QSELFREF ");
263 printaddr(sm_debug_file(), b, false);
264 }
265 if (a != b)
266 {
267 if (tTd(27, 5))
268 {
269 sm_dprintf("sendtolist: QS_DONTSEND ");
270 printaddr(sm_debug_file(), a, false);
271 }
272 a->q_state = QS_DONTSEND;
273 b->q_flags |= a->q_flags & QNOTREMOTE;
274 continue;
275 }
276 }
277
278 /* full name */
279 if (a->q_fullname == NULL)
280 a->q_fullname = ctladdr->q_fullname;
281
282 /* various flag bits */
283 a->q_flags &= ~QINHERITEDBITS;
284 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
285
286 /* DSN recipient information */
287 a->q_finalrcpt = ctladdr->q_finalrcpt;
288 a->q_orcpt = ctladdr->q_orcpt;
289 }
290
291 al = a;
292 }
293
294 /* arrange to send to everyone on the local send list */
295 while (al != NULL)
296 {
297 register ADDRESS *a = al;
298
299 al = a->q_next;
300 a = recipient(a, sendq, aliaslevel, e);
301 naddrs++;
302 }
303 }
304 SM_FINALLY
305 {
306 e->e_to = oldto;
307 if (bufp != buf)
308 sm_free(bufp);
309 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
310 }
311 SM_END_TRY
312 return naddrs;
313 }
314
315 #if MILTER
316 /*
317 ** REMOVEFROMLIST -- Remove addresses from a send list.
318 **
319 ** The parameter is a comma-separated list of recipients to remove.
320 ** Note that it only deletes matching addresses. If those addresses
321 ** have been expanded already in the sendq, it won't mark the
322 ** expanded recipients as QS_REMOVED.
323 **
324 ** Parameters:
325 ** list -- the list to remove.
326 ** sendq -- a pointer to the head of a queue to remove
327 ** these addresses from.
328 ** e -- the envelope in which to remove these recipients.
329 **
330 ** Returns:
331 ** The number of addresses removed from the list.
332 **
333 */
334
335 int
removefromlist(list,sendq,e)336 removefromlist(list, sendq, e)
337 char *list;
338 ADDRESS **sendq;
339 ENVELOPE *e;
340 {
341 SM_NONVOLATILE char delimiter; /* the address delimiter */
342 SM_NONVOLATILE int naddrs;
343 SM_NONVOLATILE int i;
344 char *p;
345 char *oldto = e->e_to;
346 char *SM_NONVOLATILE bufp;
347 char buf[MAXNAME + 1];
348
349 if (list == NULL)
350 {
351 syserr("removefromlist: null list");
352 return 0;
353 }
354
355 if (tTd(25, 1))
356 sm_dprintf("removefromlist: %s\n", list);
357
358 /* heuristic to determine old versus new style addresses */
359 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
360 strchr(list, '<') != NULL || strchr(list, '(') != NULL)
361 e->e_flags &= ~EF_OLDSTYLE;
362 delimiter = ' ';
363 if (!bitset(EF_OLDSTYLE, e->e_flags))
364 delimiter = ',';
365
366 naddrs = 0;
367
368 /* make sure we have enough space to copy the string */
369 i = strlen(list) + 1;
370 if (i <= sizeof(buf))
371 {
372 bufp = buf;
373 i = sizeof(buf);
374 }
375 else
376 bufp = sm_malloc_x(i);
377
378 SM_TRY
379 {
380 (void) sm_strlcpy(bufp, denlstring(list, false, true), i);
381
382 #if _FFR_ADDR_TYPE_MODES
383 if (AddrTypeModes)
384 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"),
385 "e r d");
386 else
387 #endif /* _FFR_ADDR_TYPE_MODES */
388 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r");
389 for (p = bufp; *p != '\0'; )
390 {
391 ADDRESS a; /* parsed address to be removed */
392 ADDRESS *q;
393 ADDRESS **pq;
394 char *delimptr;
395
396 /* parse the address */
397 while ((isascii(*p) && isspace(*p)) || *p == ',')
398 p++;
399 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR,
400 delimiter, &delimptr, e, true) == NULL)
401 {
402 p = delimptr;
403 continue;
404 }
405 p = delimptr;
406 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
407 {
408 if (!QS_IS_DEAD(q->q_state) &&
409 (sameaddr(q, &a) ||
410 strcmp(q->q_paddr, a.q_paddr) == 0))
411 {
412 if (tTd(25, 5))
413 {
414 sm_dprintf("removefromlist: QS_REMOVED ");
415 printaddr(sm_debug_file(), &a, false);
416 }
417 q->q_state = QS_REMOVED;
418 naddrs++;
419 break;
420 }
421 }
422 }
423 }
424 SM_FINALLY
425 {
426 e->e_to = oldto;
427 if (bufp != buf)
428 sm_free(bufp);
429 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
430 }
431 SM_END_TRY
432 return naddrs;
433 }
434 #endif /* MILTER */
435
436 /*
437 ** RECIPIENT -- Designate a message recipient
438 ** Saves the named person for future mailing (after some checks).
439 **
440 ** Parameters:
441 ** new -- the (preparsed) address header for the recipient.
442 ** sendq -- a pointer to the head of a queue to put the
443 ** recipient in. Duplicate suppression is done
444 ** in this queue.
445 ** aliaslevel -- the current alias nesting depth.
446 ** e -- the current envelope.
447 **
448 ** Returns:
449 ** The actual address in the queue. This will be "a" if
450 ** the address is not a duplicate, else the original address.
451 **
452 */
453
454 ADDRESS *
recipient(new,sendq,aliaslevel,e)455 recipient(new, sendq, aliaslevel, e)
456 register ADDRESS *new;
457 register ADDRESS **sendq;
458 int aliaslevel;
459 register ENVELOPE *e;
460 {
461 register ADDRESS *q;
462 ADDRESS **pq;
463 ADDRESS **prev;
464 register struct mailer *m;
465 register char *p;
466 int i, buflen;
467 bool quoted; /* set if the addr has a quote bit */
468 bool insert;
469 int findusercount;
470 bool initialdontsend;
471 char *buf;
472 char buf0[MAXNAME + 1]; /* unquoted image of the user name */
473 sortfn_t *sortfn;
474
475 p = NULL;
476 quoted = false;
477 insert = false;
478 findusercount = 0;
479 initialdontsend = QS_IS_DEAD(new->q_state);
480 e->e_to = new->q_paddr;
481 m = new->q_mailer;
482 errno = 0;
483 if (aliaslevel == 0)
484 new->q_flags |= QPRIMARY;
485 if (tTd(26, 1))
486 {
487 sm_dprintf("\nrecipient (%d): ", aliaslevel);
488 printaddr(sm_debug_file(), new, false);
489 }
490
491 /* if this is primary, use it as original recipient */
492 if (new->q_alias == NULL)
493 {
494 if (e->e_origrcpt == NULL)
495 e->e_origrcpt = new->q_paddr;
496 else if (e->e_origrcpt != new->q_paddr)
497 e->e_origrcpt = "";
498 }
499
500 /* find parent recipient for finalrcpt and orcpt */
501 for (q = new; q->q_alias != NULL; q = q->q_alias)
502 continue;
503
504 /* find final recipient DSN address */
505 if (new->q_finalrcpt == NULL &&
506 e->e_from.q_mailer != NULL)
507 {
508 char frbuf[MAXLINE];
509
510 p = e->e_from.q_mailer->m_addrtype;
511 if (p == NULL)
512 p = "rfc822";
513 if (sm_strcasecmp(p, "rfc822") != 0)
514 {
515 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
516 q->q_mailer->m_addrtype,
517 q->q_user);
518 }
519 else if (strchr(q->q_user, '@') != NULL)
520 {
521 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
522 p, q->q_user);
523 }
524 else if (strchr(q->q_paddr, '@') != NULL)
525 {
526 char *qp;
527 bool b;
528
529 qp = q->q_paddr;
530
531 /* strip brackets from address */
532 b = false;
533 if (*qp == '<')
534 {
535 b = qp[strlen(qp) - 1] == '>';
536 if (b)
537 qp[strlen(qp) - 1] = '\0';
538 qp++;
539 }
540 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
541 p, qp);
542
543 /* undo damage */
544 if (b)
545 qp[strlen(qp)] = '>';
546 }
547 else
548 {
549 (void) sm_snprintf(frbuf, sizeof(frbuf),
550 "%s; %.700s@%.100s",
551 p, q->q_user, MyHostName);
552 }
553 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf);
554 }
555
556 #if _FFR_GEN_ORCPT
557 /* set ORCPT DSN arg if not already set */
558 if (new->q_orcpt == NULL)
559 {
560 /* check for an existing ORCPT */
561 if (q->q_orcpt != NULL)
562 new->q_orcpt = q->q_orcpt;
563 else
564 {
565 /* make our own */
566 bool b = false;
567 char *qp;
568 char obuf[MAXLINE];
569
570 if (e->e_from.q_mailer != NULL)
571 p = e->e_from.q_mailer->m_addrtype;
572 if (p == NULL)
573 p = "rfc822";
574 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";");
575
576 qp = q->q_paddr;
577
578 /* FFR: Needs to strip comments from stdin addrs */
579
580 /* strip brackets from address */
581 if (*qp == '<')
582 {
583 b = qp[strlen(qp) - 1] == '>';
584 if (b)
585 qp[strlen(qp) - 1] = '\0';
586 qp++;
587 }
588
589 p = xtextify(denlstring(qp, true, false), "=");
590
591 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf))
592 {
593 /* if too big, don't use it */
594 obuf[0] = '\0';
595 }
596
597 /* undo damage */
598 if (b)
599 qp[strlen(qp)] = '>';
600
601 if (obuf[0] != '\0')
602 new->q_orcpt =
603 sm_rpool_strdup_x(e->e_rpool, obuf);
604 }
605 }
606 #endif /* _FFR_GEN_ORCPT */
607
608 /* break aliasing loops */
609 if (aliaslevel > MaxAliasRecursion)
610 {
611 new->q_state = QS_BADADDR;
612 new->q_status = "5.4.6";
613 if (new->q_alias != NULL)
614 {
615 new->q_alias->q_state = QS_BADADDR;
616 new->q_alias->q_status = "5.4.6";
617 }
618 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0)
619 {
620 sm_syslog(LOG_ERR, e->e_id,
621 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)",
622 FileName != NULL ? FileName : "", aliaslevel,
623 MaxAliasRecursion);
624 }
625 usrerrenh(new->q_status,
626 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)",
627 aliaslevel, MaxAliasRecursion);
628 return new;
629 }
630
631 /*
632 ** Finish setting up address structure.
633 */
634
635 /* get unquoted user for file, program or user.name check */
636 i = strlen(new->q_user);
637 if (i >= sizeof(buf0))
638 {
639 buflen = i + 1;
640 buf = xalloc(buflen);
641 }
642 else
643 {
644 buf = buf0;
645 buflen = sizeof(buf0);
646 }
647 (void) sm_strlcpy(buf, new->q_user, buflen);
648 for (p = buf; *p != '\0' && !quoted; p++)
649 {
650 if (*p == '\\')
651 quoted = true;
652 }
653 stripquotes(buf);
654
655 /* check for direct mailing to restricted mailers */
656 if (m == ProgMailer)
657 {
658 if (new->q_alias == NULL || UseMSP ||
659 bitset(EF_UNSAFE, e->e_flags))
660 {
661 new->q_state = QS_BADADDR;
662 new->q_status = "5.7.1";
663 usrerrenh(new->q_status,
664 "550 Cannot mail directly to programs");
665 }
666 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
667 {
668 new->q_state = QS_BADADDR;
669 new->q_status = "5.7.1";
670 if (new->q_alias->q_ruser == NULL)
671 usrerrenh(new->q_status,
672 "550 UID %d is an unknown user: cannot mail to programs",
673 new->q_alias->q_uid);
674 else
675 usrerrenh(new->q_status,
676 "550 User %s@%s doesn't have a valid shell for mailing to programs",
677 new->q_alias->q_ruser, MyHostName);
678 }
679 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
680 {
681 new->q_state = QS_BADADDR;
682 new->q_status = "5.7.1";
683 new->q_rstatus = "550 Unsafe for mailing to programs";
684 usrerrenh(new->q_status,
685 "550 Address %s is unsafe for mailing to programs",
686 new->q_alias->q_paddr);
687 }
688 }
689
690 /*
691 ** Look up this person in the recipient list.
692 ** If they are there already, return, otherwise continue.
693 ** If the list is empty, just add it. Notice the cute
694 ** hack to make from addresses suppress things correctly:
695 ** the QS_DUPLICATE state will be set in the send list.
696 ** [Please note: the emphasis is on "hack."]
697 */
698
699 prev = NULL;
700
701 /*
702 ** If this message is going to the queue or FastSplit is set
703 ** and it is the first try and the envelope hasn't split, then we
704 ** avoid doing an MX RR lookup now because one will be done when the
705 ** message is extracted from the queue later. It can go to the queue
706 ** because all messages are going to the queue or this mailer of
707 ** the current recipient is marked expensive.
708 */
709
710 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) ||
711 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 &&
712 FastSplit > 0))
713 sortfn = sorthost;
714 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags))
715 sortfn = sortexpensive;
716 else
717 sortfn = sortbysignature;
718
719 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
720 {
721 /*
722 ** If address is "less than" it should be inserted now.
723 ** If address is "greater than" current comparison it'll
724 ** insert later in the list; so loop again (if possible).
725 ** If address is "equal" (different equal than sameaddr()
726 ** call) then check if sameaddr() will be true.
727 ** Because this list is now sorted, it'll mean fewer
728 ** comparisons and fewer loops which is important for more
729 ** recipients.
730 */
731
732 i = (*sortfn)(new, q);
733 if (i == 0) /* equal */
734 {
735 /*
736 ** Sortbysignature() has said that the two have
737 ** equal MX RR's and the same user. Calling sameaddr()
738 ** now checks if the two hosts are as identical as the
739 ** MX RR's are (which might not be the case)
740 ** before saying these are the identical addresses.
741 */
742
743 if (sameaddr(q, new) &&
744 (bitset(QRCPTOK, q->q_flags) ||
745 !bitset(QPRIMARY, q->q_flags)))
746 {
747 if (tTd(26, 1))
748 {
749 sm_dprintf("%s in sendq: ",
750 new->q_paddr);
751 printaddr(sm_debug_file(), q, false);
752 }
753 if (!bitset(QPRIMARY, q->q_flags))
754 {
755 if (!QS_IS_DEAD(new->q_state))
756 message("duplicate suppressed");
757 else
758 q->q_state = QS_DUPLICATE;
759 q->q_flags |= new->q_flags;
760 }
761 else if (bitset(QSELFREF, q->q_flags)
762 || q->q_state == QS_REMOVED)
763 {
764 /*
765 ** If an earlier milter removed the
766 ** address, a later one can still add
767 ** it back.
768 */
769
770 q->q_state = new->q_state;
771 q->q_flags |= new->q_flags;
772 }
773 new = q;
774 goto done;
775 }
776 }
777 else if (i < 0) /* less than */
778 {
779 insert = true;
780 break;
781 }
782 prev = pq;
783 }
784
785 /* pq should point to an address, never NULL */
786 SM_ASSERT(pq != NULL);
787
788 /* add address on list */
789 if (insert)
790 {
791 /*
792 ** insert before 'pq'. Only possible when at least 1
793 ** ADDRESS is in the list already.
794 */
795
796 new->q_next = *pq;
797 if (prev == NULL)
798 *sendq = new; /* To be the first ADDRESS */
799 else
800 (*prev)->q_next = new;
801 }
802 else
803 {
804 /*
805 ** Place in list at current 'pq' position. Possible
806 ** when there are 0 or more ADDRESS's in the list.
807 */
808
809 new->q_next = NULL;
810 *pq = new;
811 }
812
813 /* added a new address: clear split flag */
814 e->e_flags &= ~EF_SPLIT;
815
816 /*
817 ** Alias the name and handle special mailer types.
818 */
819
820 trylocaluser:
821 if (tTd(29, 7))
822 {
823 sm_dprintf("at trylocaluser: ");
824 printaddr(sm_debug_file(), new, false);
825 }
826
827 if (!QS_IS_OK(new->q_state))
828 {
829 if (QS_IS_UNDELIVERED(new->q_state))
830 e->e_nrcpts++;
831 goto testselfdestruct;
832 }
833
834 if (m == InclMailer)
835 {
836 new->q_state = QS_INCLUDED;
837 if (new->q_alias == NULL || UseMSP ||
838 bitset(EF_UNSAFE, e->e_flags))
839 {
840 new->q_state = QS_BADADDR;
841 new->q_status = "5.7.1";
842 usrerrenh(new->q_status,
843 "550 Cannot mail directly to :include:s");
844 }
845 else
846 {
847 int ret;
848
849 message("including file %s", new->q_user);
850 ret = include(new->q_user, false, new,
851 sendq, aliaslevel, e);
852 if (transienterror(ret))
853 {
854 if (LogLevel > 2)
855 sm_syslog(LOG_ERR, e->e_id,
856 "include %s: transient error: %s",
857 shortenstring(new->q_user,
858 MAXSHORTSTR),
859 sm_errstring(ret));
860 new->q_state = QS_QUEUEUP;
861 usrerr("451 4.2.4 Cannot open %s: %s",
862 shortenstring(new->q_user,
863 MAXSHORTSTR),
864 sm_errstring(ret));
865 }
866 else if (ret != 0)
867 {
868 new->q_state = QS_BADADDR;
869 new->q_status = "5.2.4";
870 usrerrenh(new->q_status,
871 "550 Cannot open %s: %s",
872 shortenstring(new->q_user,
873 MAXSHORTSTR),
874 sm_errstring(ret));
875 }
876 }
877 }
878 else if (m == FileMailer)
879 {
880 /* check if allowed */
881 if (new->q_alias == NULL || UseMSP ||
882 bitset(EF_UNSAFE, e->e_flags))
883 {
884 new->q_state = QS_BADADDR;
885 new->q_status = "5.7.1";
886 usrerrenh(new->q_status,
887 "550 Cannot mail directly to files");
888 }
889 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
890 {
891 new->q_state = QS_BADADDR;
892 new->q_status = "5.7.1";
893 if (new->q_alias->q_ruser == NULL)
894 usrerrenh(new->q_status,
895 "550 UID %d is an unknown user: cannot mail to files",
896 new->q_alias->q_uid);
897 else
898 usrerrenh(new->q_status,
899 "550 User %s@%s doesn't have a valid shell for mailing to files",
900 new->q_alias->q_ruser, MyHostName);
901 }
902 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
903 {
904 new->q_state = QS_BADADDR;
905 new->q_status = "5.7.1";
906 new->q_rstatus = "550 Unsafe for mailing to files";
907 usrerrenh(new->q_status,
908 "550 Address %s is unsafe for mailing to files",
909 new->q_alias->q_paddr);
910 }
911 }
912
913 /* try aliasing */
914 if (!quoted && QS_IS_OK(new->q_state) &&
915 bitnset(M_ALIASABLE, m->m_flags))
916 alias(new, sendq, aliaslevel, e);
917
918 #if USERDB
919 /* if not aliased, look it up in the user database */
920 if (!bitset(QNOTREMOTE, new->q_flags) &&
921 QS_IS_SENDABLE(new->q_state) &&
922 bitnset(M_CHECKUDB, m->m_flags))
923 {
924 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL)
925 {
926 new->q_state = QS_QUEUEUP;
927 if (e->e_message == NULL)
928 e->e_message = sm_rpool_strdup_x(e->e_rpool,
929 "Deferred: user database error");
930 if (new->q_message == NULL)
931 new->q_message = "Deferred: user database error";
932 if (LogLevel > 8)
933 sm_syslog(LOG_INFO, e->e_id,
934 "deferred: udbexpand: %s",
935 sm_errstring(errno));
936 message("queued (user database error): %s",
937 sm_errstring(errno));
938 e->e_nrcpts++;
939 goto testselfdestruct;
940 }
941 }
942 #endif /* USERDB */
943
944 /*
945 ** If we have a level two config file, then pass the name through
946 ** Ruleset 5 before sending it off. Ruleset 5 has the right
947 ** to rewrite it to another mailer. This gives us a hook
948 ** after local aliasing has been done.
949 */
950
951 if (tTd(29, 5))
952 {
953 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t",
954 ConfigLevel, RewriteRules[5]);
955 printaddr(sm_debug_file(), new, false);
956 }
957 if (ConfigLevel >= 2 && RewriteRules[5] != NULL &&
958 bitnset(M_TRYRULESET5, m->m_flags) &&
959 !bitset(QNOTREMOTE, new->q_flags) &&
960 QS_IS_OK(new->q_state))
961 {
962 maplocaluser(new, sendq, aliaslevel + 1, e);
963 }
964
965 /*
966 ** If it didn't get rewritten to another mailer, go ahead
967 ** and deliver it.
968 */
969
970 if (QS_IS_OK(new->q_state) &&
971 bitnset(M_HASPWENT, m->m_flags))
972 {
973 auto bool fuzzy;
974 SM_MBDB_T user;
975 int status;
976
977 /* warning -- finduser may trash buf */
978 status = finduser(buf, &fuzzy, &user);
979 switch (status)
980 {
981 case EX_TEMPFAIL:
982 new->q_state = QS_QUEUEUP;
983 new->q_status = "4.5.2";
984 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL,
985 new->q_alias, (time_t) 0, e, new);
986 break;
987 default:
988 new->q_state = QS_BADADDR;
989 new->q_status = "5.1.1";
990 new->q_rstatus = "550 5.1.1 User unknown";
991 giveresponse(EX_NOUSER, new->q_status, m, NULL,
992 new->q_alias, (time_t) 0, e, new);
993 break;
994 case EX_OK:
995 if (fuzzy)
996 {
997 /* name was a fuzzy match */
998 new->q_user = sm_rpool_strdup_x(e->e_rpool,
999 user.mbdb_name);
1000 if (findusercount++ > 3)
1001 {
1002 new->q_state = QS_BADADDR;
1003 new->q_status = "5.4.6";
1004 usrerrenh(new->q_status,
1005 "554 aliasing/forwarding loop for %s broken",
1006 user.mbdb_name);
1007 goto done;
1008 }
1009
1010 /* see if it aliases */
1011 (void) sm_strlcpy(buf, user.mbdb_name, buflen);
1012 goto trylocaluser;
1013 }
1014 if (*user.mbdb_homedir == '\0')
1015 new->q_home = NULL;
1016 else if (strcmp(user.mbdb_homedir, "/") == 0)
1017 new->q_home = "";
1018 else
1019 new->q_home = sm_rpool_strdup_x(e->e_rpool,
1020 user.mbdb_homedir);
1021 if (user.mbdb_uid != SM_NO_UID)
1022 {
1023 new->q_uid = user.mbdb_uid;
1024 new->q_gid = user.mbdb_gid;
1025 new->q_flags |= QGOODUID;
1026 }
1027 new->q_ruser = sm_rpool_strdup_x(e->e_rpool,
1028 user.mbdb_name);
1029 if (user.mbdb_fullname[0] != '\0')
1030 new->q_fullname = sm_rpool_strdup_x(e->e_rpool,
1031 user.mbdb_fullname);
1032 if (!usershellok(user.mbdb_name, user.mbdb_shell))
1033 {
1034 new->q_flags |= QBOGUSSHELL;
1035 }
1036 if (bitset(EF_VRFYONLY, e->e_flags))
1037 {
1038 /* don't do any more now */
1039 new->q_state = QS_VERIFIED;
1040 }
1041 else if (!quoted)
1042 forward(new, sendq, aliaslevel, e);
1043 }
1044 }
1045 if (!QS_IS_DEAD(new->q_state))
1046 e->e_nrcpts++;
1047
1048 testselfdestruct:
1049 new->q_flags |= QTHISPASS;
1050 if (tTd(26, 8))
1051 {
1052 sm_dprintf("testselfdestruct: ");
1053 printaddr(sm_debug_file(), new, false);
1054 if (tTd(26, 10))
1055 {
1056 sm_dprintf("SENDQ:\n");
1057 printaddr(sm_debug_file(), *sendq, true);
1058 sm_dprintf("----\n");
1059 }
1060 }
1061 if (new->q_alias == NULL && new != &e->e_from &&
1062 QS_IS_DEAD(new->q_state))
1063 {
1064 for (q = *sendq; q != NULL; q = q->q_next)
1065 {
1066 if (!QS_IS_DEAD(q->q_state))
1067 break;
1068 }
1069 if (q == NULL)
1070 {
1071 new->q_state = QS_BADADDR;
1072 new->q_status = "5.4.6";
1073 usrerrenh(new->q_status,
1074 "554 aliasing/forwarding loop broken");
1075 }
1076 }
1077
1078 done:
1079 new->q_flags |= QTHISPASS;
1080 if (buf != buf0)
1081 sm_free(buf); /* XXX leak if above code raises exception */
1082
1083 /*
1084 ** If we are at the top level, check to see if this has
1085 ** expanded to exactly one address. If so, it can inherit
1086 ** the primaryness of the address.
1087 **
1088 ** While we're at it, clear the QTHISPASS bits.
1089 */
1090
1091 if (aliaslevel == 0)
1092 {
1093 int nrcpts = 0;
1094 ADDRESS *only = NULL;
1095
1096 for (q = *sendq; q != NULL; q = q->q_next)
1097 {
1098 if (bitset(QTHISPASS, q->q_flags) &&
1099 QS_IS_SENDABLE(q->q_state))
1100 {
1101 nrcpts++;
1102 only = q;
1103 }
1104 q->q_flags &= ~QTHISPASS;
1105 }
1106 if (nrcpts == 1)
1107 {
1108 /* check to see if this actually got a new owner */
1109 q = only;
1110 while ((q = q->q_alias) != NULL)
1111 {
1112 if (q->q_owner != NULL)
1113 break;
1114 }
1115 if (q == NULL)
1116 only->q_flags |= QPRIMARY;
1117 }
1118 else if (!initialdontsend && nrcpts > 0)
1119 {
1120 /* arrange for return receipt */
1121 e->e_flags |= EF_SENDRECEIPT;
1122 new->q_flags |= QEXPANDED;
1123 if (e->e_xfp != NULL &&
1124 bitset(QPINGONSUCCESS, new->q_flags))
1125 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
1126 "%s... expanded to multiple addresses\n",
1127 new->q_paddr);
1128 }
1129 }
1130 new->q_flags |= QRCPTOK;
1131 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts);
1132 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0);
1133 return new;
1134 }
1135
1136 /*
1137 ** FINDUSER -- find the password entry for a user.
1138 **
1139 ** This looks a lot like getpwnam, except that it may want to
1140 ** do some fancier pattern matching in /etc/passwd.
1141 **
1142 ** This routine contains most of the time of many sendmail runs.
1143 ** It deserves to be optimized.
1144 **
1145 ** Parameters:
1146 ** name -- the name to match against.
1147 ** fuzzyp -- an outarg that is set to true if this entry
1148 ** was found using the fuzzy matching algorithm;
1149 ** set to false otherwise.
1150 ** user -- structure to fill in if user is found
1151 **
1152 ** Returns:
1153 ** On success, fill in *user, set *fuzzyp and return EX_OK.
1154 ** If the user was not found, return EX_NOUSER.
1155 ** On error, return EX_TEMPFAIL or EX_OSERR.
1156 **
1157 ** Side Effects:
1158 ** may modify name.
1159 */
1160
1161 int
finduser(name,fuzzyp,user)1162 finduser(name, fuzzyp, user)
1163 char *name;
1164 bool *fuzzyp;
1165 SM_MBDB_T *user;
1166 {
1167 #if MATCHGECOS
1168 register struct passwd *pw;
1169 #endif /* MATCHGECOS */
1170 register char *p;
1171 bool tryagain;
1172 int status;
1173
1174 if (tTd(29, 4))
1175 sm_dprintf("finduser(%s): ", name);
1176
1177 *fuzzyp = false;
1178
1179 #if HESIOD
1180 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
1181 for (p = name; *p != '\0'; p++)
1182 if (!isascii(*p) || !isdigit(*p))
1183 break;
1184 if (*p == '\0')
1185 {
1186 if (tTd(29, 4))
1187 sm_dprintf("failed (numeric input)\n");
1188 return EX_NOUSER;
1189 }
1190 #endif /* HESIOD */
1191
1192 /* look up this login name using fast path */
1193 status = sm_mbdb_lookup(name, user);
1194 if (status != EX_NOUSER)
1195 {
1196 if (tTd(29, 4))
1197 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status));
1198 return status;
1199 }
1200
1201 /* try mapping it to lower case */
1202 tryagain = false;
1203 for (p = name; *p != '\0'; p++)
1204 {
1205 if (isascii(*p) && isupper(*p))
1206 {
1207 *p = tolower(*p);
1208 tryagain = true;
1209 }
1210 }
1211 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER)
1212 {
1213 if (tTd(29, 4))
1214 sm_dprintf("%s (lower case)\n", sm_strexit(status));
1215 *fuzzyp = true;
1216 return status;
1217 }
1218
1219 #if MATCHGECOS
1220 /* see if fuzzy matching allowed */
1221 if (!MatchGecos)
1222 {
1223 if (tTd(29, 4))
1224 sm_dprintf("not found (fuzzy disabled)\n");
1225 return EX_NOUSER;
1226 }
1227
1228 /* search for a matching full name instead */
1229 for (p = name; *p != '\0'; p++)
1230 {
1231 if (*p == (SpaceSub & 0177) || *p == '_')
1232 *p = ' ';
1233 }
1234 (void) setpwent();
1235 while ((pw = getpwent()) != NULL)
1236 {
1237 char buf[MAXNAME + 1];
1238
1239 # if 0
1240 if (sm_strcasecmp(pw->pw_name, name) == 0)
1241 {
1242 if (tTd(29, 4))
1243 sm_dprintf("found (case wrapped)\n");
1244 break;
1245 }
1246 # endif /* 0 */
1247
1248 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf));
1249 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0)
1250 {
1251 if (tTd(29, 4))
1252 sm_dprintf("fuzzy matches %s\n", pw->pw_name);
1253 message("sending to login name %s", pw->pw_name);
1254 break;
1255 }
1256 }
1257 if (pw != NULL)
1258 *fuzzyp = true;
1259 else if (tTd(29, 4))
1260 sm_dprintf("no fuzzy match found\n");
1261 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */
1262 endpwent();
1263 # endif /* DEC_OSF_BROKEN_GETPWENT */
1264 if (pw == NULL)
1265 return EX_NOUSER;
1266 sm_mbdb_frompw(user, pw);
1267 return EX_OK;
1268 #else /* MATCHGECOS */
1269 if (tTd(29, 4))
1270 sm_dprintf("not found (fuzzy disabled)\n");
1271 return EX_NOUSER;
1272 #endif /* MATCHGECOS */
1273 }
1274
1275 /*
1276 ** WRITABLE -- predicate returning if the file is writable.
1277 **
1278 ** This routine must duplicate the algorithm in sys/fio.c.
1279 ** Unfortunately, we cannot use the access call since we
1280 ** won't necessarily be the real uid when we try to
1281 ** actually open the file.
1282 **
1283 ** Notice that ANY file with ANY execute bit is automatically
1284 ** not writable. This is also enforced by mailfile.
1285 **
1286 ** Parameters:
1287 ** filename -- the file name to check.
1288 ** ctladdr -- the controlling address for this file.
1289 ** flags -- SFF_* flags to control the function.
1290 **
1291 ** Returns:
1292 ** true -- if we will be able to write this file.
1293 ** false -- if we cannot write this file.
1294 **
1295 ** Side Effects:
1296 ** none.
1297 */
1298
1299 bool
writable(filename,ctladdr,flags)1300 writable(filename, ctladdr, flags)
1301 char *filename;
1302 ADDRESS *ctladdr;
1303 long flags;
1304 {
1305 uid_t euid = 0;
1306 gid_t egid = 0;
1307 char *user = NULL;
1308
1309 if (tTd(44, 5))
1310 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags);
1311
1312 /*
1313 ** File does exist -- check that it is writable.
1314 */
1315
1316 if (geteuid() != 0)
1317 {
1318 euid = geteuid();
1319 egid = getegid();
1320 user = NULL;
1321 }
1322 else if (ctladdr != NULL)
1323 {
1324 euid = ctladdr->q_uid;
1325 egid = ctladdr->q_gid;
1326 user = ctladdr->q_user;
1327 }
1328 else if (bitset(SFF_RUNASREALUID, flags))
1329 {
1330 euid = RealUid;
1331 egid = RealGid;
1332 user = RealUserName;
1333 }
1334 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags))
1335 {
1336 if (FileMailer->m_uid == NO_UID)
1337 {
1338 euid = DefUid;
1339 user = DefUser;
1340 }
1341 else
1342 {
1343 euid = FileMailer->m_uid;
1344 user = NULL;
1345 }
1346 if (FileMailer->m_gid == NO_GID)
1347 egid = DefGid;
1348 else
1349 egid = FileMailer->m_gid;
1350 }
1351 else
1352 {
1353 euid = egid = 0;
1354 user = NULL;
1355 }
1356 if (!bitset(SFF_ROOTOK, flags))
1357 {
1358 if (euid == 0)
1359 {
1360 euid = DefUid;
1361 user = DefUser;
1362 }
1363 if (egid == 0)
1364 egid = DefGid;
1365 }
1366 if (geteuid() == 0 &&
1367 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags)))
1368 flags |= SFF_SETUIDOK;
1369
1370 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail))
1371 flags |= SFF_NOSLINK;
1372 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail))
1373 flags |= SFF_NOHLINK;
1374
1375 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL);
1376 return errno == 0;
1377 }
1378
1379 /*
1380 ** INCLUDE -- handle :include: specification.
1381 **
1382 ** Parameters:
1383 ** fname -- filename to include.
1384 ** forwarding -- if true, we are reading a .forward file.
1385 ** if false, it's a :include: file.
1386 ** ctladdr -- address template to use to fill in these
1387 ** addresses -- effective user/group id are
1388 ** the important things.
1389 ** sendq -- a pointer to the head of the send queue
1390 ** to put these addresses in.
1391 ** aliaslevel -- the alias nesting depth.
1392 ** e -- the current envelope.
1393 **
1394 ** Returns:
1395 ** open error status
1396 **
1397 ** Side Effects:
1398 ** reads the :include: file and sends to everyone
1399 ** listed in that file.
1400 **
1401 ** Security Note:
1402 ** If you have restricted chown (that is, you can't
1403 ** give a file away), it is reasonable to allow programs
1404 ** and files called from this :include: file to be to be
1405 ** run as the owner of the :include: file. This is bogus
1406 ** if there is any chance of someone giving away a file.
1407 ** We assume that pre-POSIX systems can give away files.
1408 **
1409 ** There is an additional restriction that if you
1410 ** forward to a :include: file, it will not take on
1411 ** the ownership of the :include: file. This may not
1412 ** be necessary, but shouldn't hurt.
1413 */
1414
1415 static jmp_buf CtxIncludeTimeout;
1416
1417 int
include(fname,forwarding,ctladdr,sendq,aliaslevel,e)1418 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
1419 char *fname;
1420 bool forwarding;
1421 ADDRESS *ctladdr;
1422 ADDRESS **sendq;
1423 int aliaslevel;
1424 ENVELOPE *e;
1425 {
1426 SM_FILE_T *volatile fp = NULL;
1427 char *oldto = e->e_to;
1428 char *oldfilename = FileName;
1429 int oldlinenumber = LineNumber;
1430 register SM_EVENT *ev = NULL;
1431 int nincludes;
1432 int mode;
1433 volatile bool maxreached = false;
1434 register ADDRESS *ca;
1435 volatile uid_t saveduid;
1436 volatile gid_t savedgid;
1437 volatile uid_t uid;
1438 volatile gid_t gid;
1439 char *volatile user;
1440 int rval = 0;
1441 volatile long sfflags = SFF_REGONLY;
1442 register char *p;
1443 bool safechown = false;
1444 volatile bool safedir = false;
1445 struct stat st;
1446 char buf[MAXLINE];
1447
1448 if (tTd(27, 2))
1449 sm_dprintf("include(%s)\n", fname);
1450 if (tTd(27, 4))
1451 sm_dprintf(" ruid=%d euid=%d\n",
1452 (int) getuid(), (int) geteuid());
1453 if (tTd(27, 14))
1454 {
1455 sm_dprintf("ctladdr ");
1456 printaddr(sm_debug_file(), ctladdr, false);
1457 }
1458
1459 if (tTd(27, 9))
1460 sm_dprintf("include: old uid = %d/%d\n",
1461 (int) getuid(), (int) geteuid());
1462
1463 if (forwarding)
1464 {
1465 sfflags |= SFF_MUSTOWN|SFF_ROOTOK;
1466 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail))
1467 sfflags |= SFF_NOGWFILES;
1468 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail))
1469 sfflags |= SFF_NOWWFILES;
1470 }
1471 else
1472 {
1473 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail))
1474 sfflags |= SFF_NOGWFILES;
1475 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail))
1476 sfflags |= SFF_NOWWFILES;
1477 }
1478
1479 /*
1480 ** If RunAsUser set, won't be able to run programs as user
1481 ** so mark them as unsafe unless the administrator knows better.
1482 */
1483
1484 if ((geteuid() != 0 || RunAsUid != 0) &&
1485 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail))
1486 {
1487 if (tTd(27, 4))
1488 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n",
1489 (int) geteuid(), (int) RunAsUid);
1490 ctladdr->q_flags |= QUNSAFEADDR;
1491 }
1492
1493 ca = getctladdr(ctladdr);
1494 if (ca == NULL ||
1495 (ca->q_uid == DefUid && ca->q_gid == 0))
1496 {
1497 uid = DefUid;
1498 gid = DefGid;
1499 user = DefUser;
1500 }
1501 else
1502 {
1503 uid = ca->q_uid;
1504 gid = ca->q_gid;
1505 user = ca->q_user;
1506 }
1507 #if MAILER_SETUID_METHOD != USE_SETUID
1508 saveduid = geteuid();
1509 savedgid = getegid();
1510 if (saveduid == 0)
1511 {
1512 if (!DontInitGroups)
1513 {
1514 if (initgroups(user, gid) == -1)
1515 {
1516 rval = EAGAIN;
1517 syserr("include: initgroups(%s, %d) failed",
1518 user, gid);
1519 goto resetuid;
1520 }
1521 }
1522 else
1523 {
1524 GIDSET_T gidset[1];
1525
1526 gidset[0] = gid;
1527 if (setgroups(1, gidset) == -1)
1528 {
1529 rval = EAGAIN;
1530 syserr("include: setgroups() failed");
1531 goto resetuid;
1532 }
1533 }
1534
1535 if (gid != 0 && setgid(gid) < -1)
1536 {
1537 rval = EAGAIN;
1538 syserr("setgid(%d) failure", gid);
1539 goto resetuid;
1540 }
1541 if (uid != 0)
1542 {
1543 # if MAILER_SETUID_METHOD == USE_SETEUID
1544 if (seteuid(uid) < 0)
1545 {
1546 rval = EAGAIN;
1547 syserr("seteuid(%d) failure (real=%d, eff=%d)",
1548 uid, (int) getuid(), (int) geteuid());
1549 goto resetuid;
1550 }
1551 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */
1552 # if MAILER_SETUID_METHOD == USE_SETREUID
1553 if (setreuid(0, uid) < 0)
1554 {
1555 rval = EAGAIN;
1556 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
1557 uid, (int) getuid(), (int) geteuid());
1558 goto resetuid;
1559 }
1560 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */
1561 }
1562 }
1563 #endif /* MAILER_SETUID_METHOD != USE_SETUID */
1564
1565 if (tTd(27, 9))
1566 sm_dprintf("include: new uid = %d/%d\n",
1567 (int) getuid(), (int) geteuid());
1568
1569 /*
1570 ** If home directory is remote mounted but server is down,
1571 ** this can hang or give errors; use a timeout to avoid this
1572 */
1573
1574 if (setjmp(CtxIncludeTimeout) != 0)
1575 {
1576 ctladdr->q_state = QS_QUEUEUP;
1577 errno = 0;
1578
1579 /* return pseudo-error code */
1580 rval = E_SM_OPENTIMEOUT;
1581 goto resetuid;
1582 }
1583 if (TimeOuts.to_fileopen > 0)
1584 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0);
1585 else
1586 ev = NULL;
1587
1588
1589 /* check for writable parent directory */
1590 p = strrchr(fname, '/');
1591 if (p != NULL)
1592 {
1593 int ret;
1594
1595 *p = '\0';
1596 ret = safedirpath(fname, uid, gid, user,
1597 sfflags|SFF_SAFEDIRPATH, 0, 0);
1598 if (ret == 0)
1599 {
1600 /* in safe directory: relax chown & link rules */
1601 safedir = true;
1602 sfflags |= SFF_NOPATHCHECK;
1603 }
1604 else
1605 {
1606 if (bitnset((forwarding ?
1607 DBS_FORWARDFILEINUNSAFEDIRPATH :
1608 DBS_INCLUDEFILEINUNSAFEDIRPATH),
1609 DontBlameSendmail))
1610 sfflags |= SFF_NOPATHCHECK;
1611 else if (bitnset((forwarding ?
1612 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH :
1613 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH),
1614 DontBlameSendmail) &&
1615 ret == E_SM_GWDIR)
1616 {
1617 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
1618 DontBlameSendmail);
1619 ret = safedirpath(fname, uid, gid, user,
1620 sfflags|SFF_SAFEDIRPATH,
1621 0, 0);
1622 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
1623 DontBlameSendmail);
1624 if (ret == 0)
1625 sfflags |= SFF_NOPATHCHECK;
1626 else
1627 sfflags |= SFF_SAFEDIRPATH;
1628 }
1629 else
1630 sfflags |= SFF_SAFEDIRPATH;
1631 if (ret > E_PSEUDOBASE &&
1632 !bitnset((forwarding ?
1633 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE :
1634 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE),
1635 DontBlameSendmail))
1636 {
1637 if (LogLevel > 11)
1638 sm_syslog(LOG_INFO, e->e_id,
1639 "%s: unsafe directory path, marked unsafe",
1640 shortenstring(fname, MAXSHORTSTR));
1641 ctladdr->q_flags |= QUNSAFEADDR;
1642 }
1643 }
1644 *p = '/';
1645 }
1646
1647 /* allow links only in unwritable directories */
1648 if (!safedir &&
1649 !bitnset((forwarding ?
1650 DBS_LINKEDFORWARDFILEINWRITABLEDIR :
1651 DBS_LINKEDINCLUDEFILEINWRITABLEDIR),
1652 DontBlameSendmail))
1653 sfflags |= SFF_NOLINK;
1654
1655 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st);
1656 if (rval != 0)
1657 {
1658 /* don't use this :include: file */
1659 if (tTd(27, 4))
1660 sm_dprintf("include: not safe (uid=%d): %s\n",
1661 (int) uid, sm_errstring(rval));
1662 }
1663 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname,
1664 SM_IO_RDONLY, NULL)) == NULL)
1665 {
1666 rval = errno;
1667 if (tTd(27, 4))
1668 sm_dprintf("include: open: %s\n", sm_errstring(rval));
1669 }
1670 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st))
1671 {
1672 rval = E_SM_FILECHANGE;
1673 if (tTd(27, 4))
1674 sm_dprintf("include: file changed after open\n");
1675 }
1676 if (ev != NULL)
1677 sm_clrevent(ev);
1678
1679 resetuid:
1680
1681 #if HASSETREUID || USESETEUID
1682 if (saveduid == 0)
1683 {
1684 if (uid != 0)
1685 {
1686 # if USESETEUID
1687 if (seteuid(0) < 0)
1688 syserr("!seteuid(0) failure (real=%d, eff=%d)",
1689 (int) getuid(), (int) geteuid());
1690 # else /* USESETEUID */
1691 if (setreuid(-1, 0) < 0)
1692 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)",
1693 (int) getuid(), (int) geteuid());
1694 if (setreuid(RealUid, 0) < 0)
1695 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)",
1696 (int) RealUid, (int) getuid(),
1697 (int) geteuid());
1698 # endif /* USESETEUID */
1699 }
1700 if (setgid(savedgid) < 0)
1701 syserr("!setgid(%d) failure (real=%d eff=%d)",
1702 (int) savedgid, (int) getgid(),
1703 (int) getegid());
1704 }
1705 #endif /* HASSETREUID || USESETEUID */
1706
1707 if (tTd(27, 9))
1708 sm_dprintf("include: reset uid = %d/%d\n",
1709 (int) getuid(), (int) geteuid());
1710
1711 if (rval == E_SM_OPENTIMEOUT)
1712 usrerr("451 4.4.1 open timeout on %s", fname);
1713
1714 if (fp == NULL)
1715 return rval;
1716
1717 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0)
1718 {
1719 rval = errno;
1720 syserr("Cannot fstat %s!", fname);
1721 (void) sm_io_close(fp, SM_TIME_DEFAULT);
1722 return rval;
1723 }
1724
1725 /* if path was writable, check to avoid file giveaway tricks */
1726 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir);
1727 if (tTd(27, 6))
1728 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n",
1729 fname, safedir ? "safe" : "dangerous",
1730 safechown ? "" : "un");
1731
1732 /* if no controlling user or coming from an alias delivery */
1733 if (safechown &&
1734 (ca == NULL ||
1735 (ca->q_uid == DefUid && ca->q_gid == 0)))
1736 {
1737 ctladdr->q_uid = st.st_uid;
1738 ctladdr->q_gid = st.st_gid;
1739 ctladdr->q_flags |= QGOODUID;
1740 }
1741 if (ca != NULL && ca->q_uid == st.st_uid)
1742 {
1743 /* optimization -- avoid getpwuid if we already have info */
1744 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
1745 ctladdr->q_ruser = ca->q_ruser;
1746 }
1747 else if (!forwarding)
1748 {
1749 register struct passwd *pw;
1750
1751 pw = sm_getpwuid(st.st_uid);
1752 if (pw == NULL)
1753 {
1754 ctladdr->q_uid = st.st_uid;
1755 ctladdr->q_flags |= QBOGUSSHELL;
1756 }
1757 else
1758 {
1759 char *sh;
1760
1761 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool,
1762 pw->pw_name);
1763 if (safechown)
1764 sh = pw->pw_shell;
1765 else
1766 sh = "/SENDMAIL/ANY/SHELL/";
1767 if (!usershellok(pw->pw_name, sh))
1768 {
1769 if (LogLevel > 11)
1770 sm_syslog(LOG_INFO, e->e_id,
1771 "%s: user %s has bad shell %s, marked %s",
1772 shortenstring(fname,
1773 MAXSHORTSTR),
1774 pw->pw_name, sh,
1775 safechown ? "bogus" : "unsafe");
1776 if (safechown)
1777 ctladdr->q_flags |= QBOGUSSHELL;
1778 else
1779 ctladdr->q_flags |= QUNSAFEADDR;
1780 }
1781 }
1782 }
1783
1784 if (bitset(EF_VRFYONLY, e->e_flags))
1785 {
1786 /* don't do any more now */
1787 ctladdr->q_state = QS_VERIFIED;
1788 e->e_nrcpts++;
1789 (void) sm_io_close(fp, SM_TIME_DEFAULT);
1790 return rval;
1791 }
1792
1793 /*
1794 ** Check to see if some bad guy can write this file
1795 **
1796 ** Group write checking could be more clever, e.g.,
1797 ** guessing as to which groups are actually safe ("sys"
1798 ** may be; "user" probably is not).
1799 */
1800
1801 mode = S_IWOTH;
1802 if (!bitnset((forwarding ?
1803 DBS_GROUPWRITABLEFORWARDFILESAFE :
1804 DBS_GROUPWRITABLEINCLUDEFILESAFE),
1805 DontBlameSendmail))
1806 mode |= S_IWGRP;
1807
1808 if (bitset(mode, st.st_mode))
1809 {
1810 if (tTd(27, 6))
1811 sm_dprintf("include: %s is %s writable, marked unsafe\n",
1812 shortenstring(fname, MAXSHORTSTR),
1813 bitset(S_IWOTH, st.st_mode) ? "world"
1814 : "group");
1815 if (LogLevel > 11)
1816 sm_syslog(LOG_INFO, e->e_id,
1817 "%s: %s writable %s file, marked unsafe",
1818 shortenstring(fname, MAXSHORTSTR),
1819 bitset(S_IWOTH, st.st_mode) ? "world" : "group",
1820 forwarding ? "forward" : ":include:");
1821 ctladdr->q_flags |= QUNSAFEADDR;
1822 }
1823
1824 /* read the file -- each line is a comma-separated list. */
1825 FileName = fname;
1826 LineNumber = 0;
1827 ctladdr->q_flags &= ~QSELFREF;
1828 nincludes = 0;
1829 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL &&
1830 !maxreached)
1831 {
1832 fixcrlf(buf, true);
1833 LineNumber++;
1834 if (buf[0] == '#' || buf[0] == '\0')
1835 continue;
1836
1837 /* <sp>#@# introduces a comment anywhere */
1838 /* for Japanese character sets */
1839 for (p = buf; (p = strchr(++p, '#')) != NULL; )
1840 {
1841 if (p[1] == '@' && p[2] == '#' &&
1842 isascii(p[-1]) && isspace(p[-1]) &&
1843 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3]))))
1844 {
1845 --p;
1846 while (p > buf && isascii(p[-1]) &&
1847 isspace(p[-1]))
1848 --p;
1849 p[0] = '\0';
1850 break;
1851 }
1852 }
1853 if (buf[0] == '\0')
1854 continue;
1855
1856 e->e_to = NULL;
1857 message("%s to %s",
1858 forwarding ? "forwarding" : "sending", buf);
1859 if (forwarding && LogLevel > 10)
1860 sm_syslog(LOG_INFO, e->e_id,
1861 "forward %.200s => %s",
1862 oldto, shortenstring(buf, MAXSHORTSTR));
1863
1864 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1865
1866 if (forwarding &&
1867 MaxForwardEntries > 0 &&
1868 nincludes >= MaxForwardEntries)
1869 {
1870 /* just stop reading and processing further entries */
1871 #if 0
1872 /* additional: (?) */
1873 ctladdr->q_state = QS_DONTSEND;
1874 #endif /* 0 */
1875
1876 syserr("Attempt to forward to more than %d addresses (in %s)!",
1877 MaxForwardEntries, fname);
1878 maxreached = true;
1879 }
1880 }
1881
1882 if (sm_io_error(fp) && tTd(27, 3))
1883 sm_dprintf("include: read error: %s\n", sm_errstring(errno));
1884 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1885 {
1886 if (aliaslevel <= MaxAliasRecursion ||
1887 ctladdr->q_state != QS_BADADDR)
1888 {
1889 ctladdr->q_state = QS_DONTSEND;
1890 if (tTd(27, 5))
1891 {
1892 sm_dprintf("include: QS_DONTSEND ");
1893 printaddr(sm_debug_file(), ctladdr, false);
1894 }
1895 }
1896 }
1897
1898 (void) sm_io_close(fp, SM_TIME_DEFAULT);
1899 FileName = oldfilename;
1900 LineNumber = oldlinenumber;
1901 e->e_to = oldto;
1902 return rval;
1903 }
1904
1905 static void
includetimeout(ignore)1906 includetimeout(ignore)
1907 int ignore;
1908 {
1909 /*
1910 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD
1911 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
1912 ** DOING.
1913 */
1914
1915 errno = ETIMEDOUT;
1916 longjmp(CtxIncludeTimeout, 1);
1917 }
1918
1919 /*
1920 ** SENDTOARGV -- send to an argument vector.
1921 **
1922 ** Parameters:
1923 ** argv -- argument vector to send to.
1924 ** e -- the current envelope.
1925 **
1926 ** Returns:
1927 ** none.
1928 **
1929 ** Side Effects:
1930 ** puts all addresses on the argument vector onto the
1931 ** send queue.
1932 */
1933
1934 void
sendtoargv(argv,e)1935 sendtoargv(argv, e)
1936 register char **argv;
1937 register ENVELOPE *e;
1938 {
1939 register char *p;
1940
1941 while ((p = *argv++) != NULL)
1942 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1943 }
1944
1945 /*
1946 ** GETCTLADDR -- get controlling address from an address header.
1947 **
1948 ** If none, get one corresponding to the effective userid.
1949 **
1950 ** Parameters:
1951 ** a -- the address to find the controller of.
1952 **
1953 ** Returns:
1954 ** the controlling address.
1955 */
1956
1957 ADDRESS *
getctladdr(a)1958 getctladdr(a)
1959 register ADDRESS *a;
1960 {
1961 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1962 a = a->q_alias;
1963 return a;
1964 }
1965
1966 /*
1967 ** SELF_REFERENCE -- check to see if an address references itself
1968 **
1969 ** The check is done through a chain of aliases. If it is part of
1970 ** a loop, break the loop at the "best" address, that is, the one
1971 ** that exists as a real user.
1972 **
1973 ** This is to handle the case of:
1974 ** awc: Andrew.Chang
1975 ** Andrew.Chang: awc@mail.server
1976 ** which is a problem only on mail.server.
1977 **
1978 ** Parameters:
1979 ** a -- the address to check.
1980 **
1981 ** Returns:
1982 ** The address that should be retained.
1983 */
1984
1985 static ADDRESS *
self_reference(a)1986 self_reference(a)
1987 ADDRESS *a;
1988 {
1989 ADDRESS *b; /* top entry in self ref loop */
1990 ADDRESS *c; /* entry that point to a real mail box */
1991
1992 if (tTd(27, 1))
1993 sm_dprintf("self_reference(%s)\n", a->q_paddr);
1994
1995 for (b = a->q_alias; b != NULL; b = b->q_alias)
1996 {
1997 if (sameaddr(a, b))
1998 break;
1999 }
2000
2001 if (b == NULL)
2002 {
2003 if (tTd(27, 1))
2004 sm_dprintf("\t... no self ref\n");
2005 return NULL;
2006 }
2007
2008 /*
2009 ** Pick the first address that resolved to a real mail box
2010 ** i.e has a mbdb entry. The returned value will be marked
2011 ** QSELFREF in recipient(), which in turn will disable alias()
2012 ** from marking it as QS_IS_DEAD(), which mean it will be used
2013 ** as a deliverable address.
2014 **
2015 ** The 2 key thing to note here are:
2016 ** 1) we are in a recursive call sequence:
2017 ** alias->sendtolist->recipient->alias
2018 ** 2) normally, when we return back to alias(), the address
2019 ** will be marked QS_EXPANDED, since alias() assumes the
2020 ** expanded form will be used instead of the current address.
2021 ** This behaviour is turned off if the address is marked
2022 ** QSELFREF. We set QSELFREF when we return to recipient().
2023 */
2024
2025 c = a;
2026 while (c != NULL)
2027 {
2028 if (tTd(27, 10))
2029 sm_dprintf(" %s", c->q_user);
2030 if (bitnset(M_HASPWENT, c->q_mailer->m_flags))
2031 {
2032 SM_MBDB_T user;
2033
2034 if (tTd(27, 2))
2035 sm_dprintf("\t... getpwnam(%s)... ", c->q_user);
2036 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK)
2037 {
2038 if (tTd(27, 2))
2039 sm_dprintf("found\n");
2040
2041 /* ought to cache results here */
2042 if (sameaddr(b, c))
2043 return b;
2044 else
2045 return c;
2046 }
2047 if (tTd(27, 2))
2048 sm_dprintf("failed\n");
2049 }
2050 else
2051 {
2052 /* if local delivery, compare usernames */
2053 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) &&
2054 b->q_mailer == c->q_mailer)
2055 {
2056 if (tTd(27, 2))
2057 sm_dprintf("\t... local match (%s)\n",
2058 c->q_user);
2059 if (sameaddr(b, c))
2060 return b;
2061 else
2062 return c;
2063 }
2064 }
2065 if (tTd(27, 10))
2066 sm_dprintf("\n");
2067 c = c->q_alias;
2068 }
2069
2070 if (tTd(27, 1))
2071 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr);
2072
2073 return NULL;
2074 }
2075