xref: /freebsd/contrib/sendmail/libsm/mpeix.c (revision 2da066ef6d85d3f7cd8aaec14369d66254836536)
1 /*
2  * Copyright (c) 2001-2002 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  *
5  * By using this file, you agree to the terms and conditions set
6  * forth in the LICENSE file which can be found at the top level of
7  * the sendmail distribution.
8  *
9  */
10 
11 #include <sm/gen.h>
12 SM_RCSID("@(#)$Id: mpeix.c,v 1.8 2013-11-22 20:51:43 ca Exp $")
13 
14 #ifdef MPE
15 /*
16 **	MPE lacks many common functions required across all sendmail programs
17 **	so we define implementations for these functions here.
18 */
19 
20 # include <errno.h>
21 # include <fcntl.h>
22 # include <limits.h>
23 # include <mpe.h>
24 # include <netinet/in.h>
25 # include <pwd.h>
26 # include <sys/socket.h>
27 # include <sys/stat.h>
28 # include <unistd.h>
29 # include <sm/conf.h>
30 
31 /*
32 **  CHROOT -- dummy chroot() function
33 **
34 **	The MPE documentation for sendmail says that chroot-based
35 **	functionality is not implemented because MPE lacks chroot.  But
36 **	rather than mucking around with all the sendmail calls to chroot,
37 **	we define this dummy function to return an ENOSYS failure just in
38 **	case a sendmail user attempts to enable chroot-based functionality.
39 **
40 **	Parameters:
41 **		path -- pathname of new root (ignored).
42 **
43 **	Returns:
44 **		-1 and errno == ENOSYS (function not implemented)
45 */
46 
47 int
48 chroot(path)
49 	char *path;
50 {
51 	errno = ENOSYS;
52 	return -1;
53 }
54 
55 /*
56 **  ENDPWENT -- dummy endpwent() function
57 **
58 **	Parameters:
59 **		none
60 **
61 **	Returns:
62 **		none
63 */
64 
65 void
66 endpwent()
67 {
68 	return;
69 }
70 
71 /*
72 **  In addition to missing functions, certain existing MPE functions have
73 **  slightly different semantics (or bugs) compared to normal Unix OSes.
74 **
75 **  Here we define wrappers for these functions to make them behave in the
76 **  manner expected by sendmail.
77 */
78 
79 /*
80 **  SENDMAIL_MPE_BIND -- shadow function for the standard socket bind()
81 **
82 **	MPE requires GETPRIVMODE() for AF_INET sockets less than port 1024.
83 **
84 **	Parameters:
85 **		sd -- socket descriptor.
86 **		addr -- socket address.
87 **		addrlen -- length of socket address.
88 **
89 **	Results:
90 **		0 -- success
91 **		!= 0 -- failure
92 */
93 
94 #undef bind
95 int
96 sendmail_mpe_bind(sd, addr, addrlen)
97 	int sd;
98 	void *addr;
99 	int addrlen;
100 {
101 	bool priv = false;
102 	int result;
103 	extern void GETPRIVMODE __P((void));
104 	extern void GETUSERMODE __P((void));
105 
106 	if (addrlen == sizeof(struct sockaddr_in) &&
107 	    ((struct sockaddr_in *)addr)->sin_family == AF_INET)
108 	{
109 		/* AF_INET */
110 		if (((struct sockaddr_in *)addr)->sin_port > 0 &&
111 		    ((struct sockaddr_in *)addr)->sin_port < 1024)
112 		{
113 			priv = true;
114 			GETPRIVMODE();
115 		}
116 		((struct sockaddr_in *)addr)->sin_addr.s_addr = 0;
117 		result = bind(sd, addr, addrlen);
118 		if (priv)
119 			GETUSERMODE();
120 		return result;
121 	}
122 
123 	/* AF_UNIX */
124 	return bind(sd, addr, addrlen);
125 }
126 
127 /*
128 **  SENDMAIL_MPE__EXIT -- wait for children to terminate, then _exit()
129 **
130 **	Child processes cannot survive the death of their parent on MPE, so
131 **	we must call wait() before _exit() in order to prevent this
132 **	infanticide.
133 **
134 **	Parameters:
135 **		status -- _exit status value.
136 **
137 **	Returns:
138 **		none.
139 */
140 
141 #undef _exit
142 void
143 sendmail_mpe__exit(status)
144 	int status;
145 {
146 	int result;
147 
148 	/* Wait for all children to terminate. */
149 	do
150 	{
151 		result = wait(NULL);
152 	} while (result > 0 || errno == EINTR);
153 	_exit(status);
154 }
155 
156 /*
157 **  SENDMAIL_MPE_EXIT -- wait for children to terminate, then exit()
158 **
159 **	Child processes cannot survive the death of their parent on MPE, so
160 **	we must call wait() before exit() in order to prevent this
161 **	infanticide.
162 **
163 **	Parameters:
164 **		status -- exit status value.
165 **
166 **	Returns:
167 **		none.
168 */
169 
170 #undef exit
171 void
172 sendmail_mpe_exit(status)
173 	int status;
174 {
175 	int result;
176 
177 	/* Wait for all children to terminate. */
178 	do
179 	{
180 		result = wait(NULL);
181 	} while (result > 0 || errno == EINTR);
182 	exit(status);
183 }
184 
185 /*
186 **  SENDMAIL_MPE_FCNTL -- shadow function for fcntl()
187 **
188 **	MPE requires sfcntl() for sockets, and fcntl() for everything
189 **	else.  This shadow routine determines the descriptor type and
190 **	makes the appropriate call.
191 **
192 **	Parameters:
193 **		same as fcntl().
194 **
195 **	Returns:
196 **		same as fcntl().
197 */
198 
199 #undef fcntl
200 int
201 sendmail_mpe_fcntl(int fildes, int cmd, ...)
202 {
203 	int len, result;
204 	struct sockaddr sa;
205 
206 	void *arg;
207 	va_list ap;
208 
209 	va_start(ap, cmd);
210 	arg = va_arg(ap, void *);
211 	va_end(ap);
212 
213 	len = sizeof sa;
214 	if (getsockname(fildes, &sa, &len) == -1)
215 	{
216 		if (errno == EAFNOSUPPORT)
217 		{
218 			/* AF_UNIX socket */
219 			return sfcntl(fildes, cmd, arg);
220 		}
221 		else if (errno == ENOTSOCK)
222 		{
223 			/* file or pipe */
224 			return fcntl(fildes, cmd, arg);
225 		}
226 
227 		/* unknown getsockname() failure */
228 		return (-1);
229 	}
230 	else
231 	{
232 		/* AF_INET socket */
233 		if ((result = sfcntl(fildes, cmd, arg)) != -1 &&
234 		    cmd == F_GETFL)
235 			result |= O_RDWR;  /* fill in some missing flags */
236 		return result;
237 	}
238 }
239 
240 /*
241 **  SENDMAIL_MPE_GETPWNAM - shadow function for getpwnam()
242 **
243 **	Several issues apply here:
244 **
245 **	- MPE user names MUST have one '.' separator character
246 **	- MPE user names MUST be in upper case
247 **	- MPE does not initialize all fields in the passwd struct
248 **
249 **	Parameters:
250 **		name -- username string.
251 **
252 **	Returns:
253 **		pointer to struct passwd if found else NULL
254 */
255 
256 static char *sendmail_mpe_nullstr = "";
257 
258 #undef getpwnam
259 extern struct passwd *getpwnam(const char *);
260 
261 struct passwd *
262 sendmail_mpe_getpwnam(name)
263 	const char *name;
264 {
265 	int dots = 0;
266 	int err;
267 	int i = strlen(name);
268 	char *upper;
269 	struct passwd *result = NULL;
270 
271 	if (i <= 0)
272 	{
273 		errno = EINVAL;
274 		return result;
275 	}
276 
277 	if ((upper = (char *)malloc(i + 1)) != NULL)
278 	{
279 		/* upshift the username parameter and count the dots */
280 		while (i >= 0)
281 		{
282 			if (name[i] == '.')
283 			{
284 				dots++;
285 				upper[i] = '.';
286 			}
287 			else
288 				upper[i] = toupper(name[i]);
289 			i--;
290 		}
291 
292 		if (dots != 1)
293 		{
294 			/* prevent bug when dots == 0 */
295 			err = EINVAL;
296 		}
297 		else if ((result = getpwnam(upper)) != NULL)
298 		{
299 			/* init the uninitialized fields */
300 			result->pw_gecos = sendmail_mpe_nullstr;
301 			result->pw_passwd = sendmail_mpe_nullstr;
302 			result->pw_age = sendmail_mpe_nullstr;
303 			result->pw_comment = sendmail_mpe_nullstr;
304 			result->pw_audid = 0;
305 			result->pw_audflg = 0;
306 		}
307 		err = errno;
308 		free(upper);
309 	}
310 	errno = err;
311 	return result;
312 }
313 
314 /*
315 **  SENDMAIL_MPE_GETPWUID -- shadow function for getpwuid()
316 **
317 **	Initializes the uninitialized fields in the passwd struct.
318 **
319 **	Parameters:
320 **		uid -- uid to obtain passwd data for
321 **
322 **	Returns:
323 **		pointer to struct passwd or NULL if not found
324 */
325 
326 #undef getpwuid
327 extern struct passwd *getpwuid __P((uid_t));
328 
329 struct passwd *
330 sendmail_mpe_getpwuid(uid)
331 	uid_t uid;
332 {
333 	struct passwd *result;
334 
335 	if ((result = getpwuid(uid)) != NULL)
336 	{
337 		/* initialize the uninitialized fields */
338 		result->pw_gecos = sendmail_mpe_nullstr;
339 		result->pw_passwd = sendmail_mpe_nullstr;
340 		result->pw_age = sendmail_mpe_nullstr;
341 		result->pw_comment = sendmail_mpe_nullstr;
342 		result->pw_audid = 0;
343 		result->pw_audflg = 0;
344 	}
345 	return result;
346 }
347 
348 /*
349 **  OK boys and girls, time for some serious voodoo!
350 **
351 **  MPE does not have a complete implementation of POSIX users and groups:
352 **
353 **  - there is no uid 0 superuser
354 **  - setuid/setgid file permission bits exist but have no-op functionality
355 **  - setgid() exists, but only supports new gid == current gid (boring!)
356 **  - setuid() forces a gid change to the new uid's primary (and only) gid
357 **
358 **  ...all of which thoroughly annoys sendmail.
359 **
360 **  So what to do?  We can't go on an #ifdef MPE rampage throughout
361 **  sendmail, because there are only about a zillion references to uid 0
362 **  and so success (and security) would probably be rather dubious by the
363 **  time we finished.
364 **
365 **  Instead we take the approach of defining wrapper functions for the
366 **  gid/uid management functions getegid(), geteuid(), setgid(), and
367 **  setuid() in order to implement the following model:
368 **
369 **  - the sendmail program thinks it is a setuid-root (uid 0) program
370 **  - uid 0 is recognized as being valid, but does not grant extra powers
371 **	- MPE priv mode allows sendmail to call setuid(), not uid 0
372 **	- file access is still controlled by the real non-zero uid
373 **  - the other programs (vacation, etc) have standard MPE POSIX behavior
374 **
375 **  This emulation model is activated by use of the program file setgid and
376 **  setuid mode bits which exist but are unused by MPE.  If the setgid mode
377 **  bit is on, then gid emulation will be enabled.  If the setuid mode bit is
378 **  on, then uid emulation will be enabled.  So for the mail daemon, we need
379 **  to do chmod u+s,g+s /SENDMAIL/CURRENT/SENDMAIL.
380 **
381 **  The following flags determine the current emulation state:
382 **
383 **  true == emulation enabled
384 **  false == emulation disabled, use unmodified MPE semantics
385 */
386 
387 static bool sendmail_mpe_flaginit = false;
388 static bool sendmail_mpe_gidflag = false;
389 static bool sendmail_mpe_uidflag = false;
390 
391 /*
392 **  SENDMAIL_MPE_GETMODE -- return the mode bits for the current process
393 **
394 **	Parameters:
395 **		none.
396 **
397 **	Returns:
398 **		file mode bits for the current process program file.
399 */
400 
401 mode_t
402 sendmail_mpe_getmode()
403 {
404 	int status = 666;
405 	int myprogram_length;
406 	int myprogram_syntax = 2;
407 	char formaldesig[28];
408 	char myprogram[PATH_MAX + 2];
409 	char path[PATH_MAX + 1];
410 	struct stat st;
411 	extern HPMYPROGRAM __P((int parms, char *formaldesig, int *status,
412 				int *length, char *myprogram,
413 				int *myprogram_length, int *myprogram_syntax));
414 
415 	myprogram_length = sizeof(myprogram);
416 	HPMYPROGRAM(6, formaldesig, &status, NULL, myprogram,
417 		    &myprogram_length, &myprogram_syntax);
418 
419 	/* should not occur, do not attempt emulation */
420 	if (status != 0)
421 		return 0;
422 
423 	memcpy(&path, &myprogram[1], myprogram_length - 2);
424 	path[myprogram_length - 2] = '\0';
425 
426 	/* should not occur, do not attempt emulation */
427 	if (stat(path, &st) < 0)
428 		return 0;
429 
430 	return st.st_mode;
431 }
432 
433 /*
434 **  SENDMAIL_MPE_EMULGID -- should we perform gid emulation?
435 **
436 **	If !sendmail_mpe_flaginit then obtain the mode bits to determine
437 **	if the setgid bit is on, we want gid emulation and so set
438 **	sendmail_mpe_gidflag to true.  Otherwise we do not want gid emulation
439 **	and so set sendmail_mpe_gidflag to false.
440 **
441 **	Parameters:
442 **		none.
443 **
444 **	Returns:
445 **		true -- perform gid emulation
446 **		false -- do not perform gid emulation
447 */
448 
449 bool
450 sendmail_mpe_emulgid()
451 {
452 	if (!sendmail_mpe_flaginit)
453 	{
454 		mode_t mode;
455 
456 		mode = sendmail_mpe_getmode();
457 		sendmail_mpe_gidflag = ((mode & S_ISGID) == S_ISGID);
458 		sendmail_mpe_uidflag = ((mode & S_ISUID) == S_ISUID);
459 		sendmail_mpe_flaginit = true;
460 	}
461 	return sendmail_mpe_gidflag;
462 }
463 
464 /*
465 **  SENDMAIL_MPE_EMULUID -- should we perform uid emulation?
466 **
467 **	If sendmail_mpe_uidflag == -1 then obtain the mode bits to determine
468 **	if the setuid bit is on, we want uid emulation and so set
469 **	sendmail_mpe_uidflag to true.  Otherwise we do not want uid emulation
470 **	and so set sendmail_mpe_uidflag to false.
471 **
472 **	Parameters:
473 **		none.
474 **
475 **	Returns:
476 **		true -- perform uid emulation
477 **		false -- do not perform uid emulation
478 */
479 
480 bool
481 sendmail_mpe_emuluid()
482 {
483 	if (!sendmail_mpe_flaginit)
484 	{
485 		mode_t mode;
486 
487 		mode = sendmail_mpe_getmode();
488 		sendmail_mpe_gidflag = ((mode & S_ISGID) == S_ISGID);
489 		sendmail_mpe_uidflag = ((mode & S_ISUID) == S_ISUID);
490 		sendmail_mpe_flaginit = true;
491 	}
492 	return sendmail_mpe_uidflag;
493 }
494 
495 /*
496 **  SENDMAIL_MPE_GETEGID -- shadow function for getegid()
497 **
498 **	If emulation mode is in effect and the saved egid has been
499 **	initialized, return the saved egid; otherwise return the value of the
500 **	real getegid() function.
501 **
502 **	Parameters:
503 **		none.
504 **
505 **	Returns:
506 **		emulated egid if present, else true egid.
507 */
508 
509 static gid_t sendmail_mpe_egid = -1;
510 
511 #undef getegid
512 gid_t
513 sendmail_mpe_getegid()
514 {
515 	if (sendmail_mpe_emulgid() && sendmail_mpe_egid != -1)
516 		return sendmail_mpe_egid;
517 	return getegid();
518 }
519 
520 /*
521 **  SENDMAIL_MPE_GETEUID -- shadow function for geteuid()
522 **
523 **	If emulation mode is in effect, return the saved euid; otherwise
524 **	return the value of the real geteuid() function.
525 **
526 **	Note that the initial value of the saved euid is zero, to simulate
527 **	a setuid-root program.
528 **
529 **	Parameters:
530 **		none
531 **
532 **	Returns:
533 **		emulated euid if in emulation mode, else true euid.
534 */
535 
536 static uid_t sendmail_mpe_euid = 0;
537 
538 #undef geteuid
539 uid_t
540 sendmail_mpe_geteuid()
541 {
542 	if (sendmail_mpe_emuluid())
543 		return sendmail_mpe_euid;
544 	return geteuid();
545 }
546 
547 /*
548 **  SENDMAIL_MPE_SETGID -- shadow function for setgid()
549 **
550 **	Simulate a call to setgid() without actually calling the real
551 **	function.  Implement the expected uid 0 semantics.
552 **
553 **	Note that sendmail will also be calling setuid() which will force an
554 **	implicit real setgid() to the proper primary gid.  So it doesn't matter
555 **	that we don't actually alter the real gid in this shadow function.
556 **
557 **	Parameters:
558 **		gid -- desired gid.
559 **
560 **	Returns:
561 **		0 -- emulated success
562 **		-1 -- emulated failure
563 */
564 
565 #undef setgid
566 int
567 sendmail_mpe_setgid(gid)
568 	gid_t gid;
569 {
570 	if (sendmail_mpe_emulgid())
571 	{
572 		if (gid == getgid() || sendmail_mpe_euid == 0)
573 		{
574 			sendmail_mpe_egid = gid;
575 			return 0;
576 		}
577 		errno = EINVAL;
578 		return -1;
579 	}
580 	return setgid(gid);
581 }
582 
583 /*
584 **  SENDMAIL_MPE_SETUID -- shadow function for setuid()
585 **
586 **	setuid() is broken as of MPE 7.0 in that it changes the current
587 **	working directory to be the home directory of the new uid.  Thus
588 **	we must obtain the cwd and restore it after the setuid().
589 **
590 **	Note that expected uid 0 semantics have been added, as well as
591 **	remembering the new uid for later use by the other shadow functions.
592 **
593 **	Parameters:
594 **		uid -- desired uid.
595 **
596 **	Returns:
597 **		0 -- success
598 **		-1 -- failure
599 **
600 **	Globals:
601 **		sendmail_mpe_euid
602 */
603 
604 #undef setuid
605 int
606 sendmail_mpe_setuid(uid)
607 	uid_t uid;
608 {
609 	char *cwd;
610 	char cwd_buf[PATH_MAX + 1];
611 	int result;
612 	extern void GETPRIVMODE __P((void));
613 	extern void GETUSERMODE __P((void));
614 
615 	if (sendmail_mpe_emuluid())
616 	{
617 		if (uid == 0)
618 		{
619 			if (sendmail_mpe_euid != 0)
620 			{
621 				errno = EINVAL;
622 				return -1;
623 			}
624 			sendmail_mpe_euid = 0;
625 			return 0;
626 		}
627 
628 		/* Preserve the current working directory */
629 		if ((cwd = getcwd(cwd_buf, PATH_MAX + 1)) == NULL)
630 			return -1;
631 
632 		GETPRIVMODE();
633 		result = setuid(uid);
634 		GETUSERMODE();
635 
636 		/* Restore the current working directory */
637 		chdir(cwd_buf);
638 
639 		if (result == 0)
640 			sendmail_mpe_euid = uid;
641 
642 		return result;
643 	}
644 	return setuid(uid);
645 }
646 #endif /* MPE */
647