1 /* 2 * Copyright (c) 1998-2003, 2006 Proofpoint, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #include <sendmail.h> 15 16 SM_RCSID("@(#)$Id: recipient.c,v 8.351 2013-11-22 20:51:56 ca Exp $") 17 18 static void includetimeout __P((int)); 19 static ADDRESS *self_reference __P((ADDRESS *)); 20 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 21 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 22 static int sorthost __P((ADDRESS *, ADDRESS *)); 23 24 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 25 26 /* 27 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 28 ** 29 ** Parameters: 30 ** xx -- first ADDRESS 31 ** yy -- second ADDRESS 32 ** 33 ** Returns: 34 ** <0 when xx->q_host is less than yy->q_host 35 ** >0 when xx->q_host is greater than yy->q_host 36 ** 0 when equal 37 */ 38 39 static int 40 sorthost(xx, yy) 41 register ADDRESS *xx; 42 register ADDRESS *yy; 43 { 44 #if _FFR_HOST_SORT_REVERSE 45 /* XXX maybe compare hostnames from the end? */ 46 return sm_strrevcasecmp(xx->q_host, yy->q_host); 47 #else /* _FFR_HOST_SORT_REVERSE */ 48 return sm_strcasecmp(xx->q_host, yy->q_host); 49 #endif /* _FFR_HOST_SORT_REVERSE */ 50 } 51 52 /* 53 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 54 ** 55 ** The mailer has been noted already as "expensive" for 'xx'. This 56 ** will give a result relative to 'yy'. Expensive mailers get rated 57 ** "greater than" non-expensive mailers because during the delivery phase 58 ** it will get queued -- no use it getting in the way of less expensive 59 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 60 ** expensive since an MX RR lookup happens when extracted from the queue 61 ** later. 62 ** 63 ** Parameters: 64 ** xx -- first ADDRESS 65 ** yy -- second ADDRESS 66 ** 67 ** Returns: 68 ** <0 when xx->q_host is less than yy->q_host and both are 69 ** expensive 70 ** >0 when xx->q_host is greater than yy->q_host, or when 71 ** 'yy' is non-expensive 72 ** 0 when equal (by expense and q_host) 73 */ 74 75 static int 76 sortexpensive(xx, yy) 77 ADDRESS *xx; 78 ADDRESS *yy; 79 { 80 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 81 return 1; /* xx should go later */ 82 #if _FFR_HOST_SORT_REVERSE 83 /* XXX maybe compare hostnames from the end? */ 84 return sm_strrevcasecmp(xx->q_host, yy->q_host); 85 #else /* _FFR_HOST_SORT_REVERSE */ 86 return sm_strcasecmp(xx->q_host, yy->q_host); 87 #endif /* _FFR_HOST_SORT_REVERSE */ 88 } 89 90 /* 91 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 92 ** 93 ** Parameters: 94 ** xx -- first ADDRESS 95 ** yy -- second ADDRESS 96 ** 97 ** Returns: 98 ** 0 when the "signature"'s are same 99 ** <0 when xx->q_signature is less than yy->q_signature 100 ** >0 when xx->q_signature is greater than yy->q_signature 101 ** 102 ** Side Effect: 103 ** May set ADDRESS pointer for q_signature if not already set. 104 */ 105 106 static int 107 sortbysignature(xx, yy) 108 ADDRESS *xx; 109 ADDRESS *yy; 110 { 111 register int ret; 112 113 /* Let's avoid redoing the signature over and over again */ 114 if (xx->q_signature == NULL) 115 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 116 if (yy->q_signature == NULL) 117 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 118 ret = strcmp(xx->q_signature, yy->q_signature); 119 120 /* 121 ** If the two signatures are the same then we will return a sort 122 ** value based on 'q_user'. But note that we have reversed xx and yy 123 ** on purpose. This additional compare helps reduce the number of 124 ** sameaddr() calls and loops in recipient() for the case when 125 ** the rcpt list has been provided already in-order. 126 */ 127 128 if (ret == 0) 129 return strcmp(yy->q_user, xx->q_user); 130 else 131 return ret; 132 } 133 134 /* 135 ** SENDTOLIST -- Designate a send list. 136 ** 137 ** The parameter is a comma-separated list of people to send to. 138 ** This routine arranges to send to all of them. 139 ** 140 ** Parameters: 141 ** list -- the send list. 142 ** ctladdr -- the address template for the person to 143 ** send to -- effective uid/gid are important. 144 ** This is typically the alias that caused this 145 ** expansion. 146 ** sendq -- a pointer to the head of a queue to put 147 ** these people into. 148 ** aliaslevel -- the current alias nesting depth -- to 149 ** diagnose loops. 150 ** e -- the envelope in which to add these recipients. 151 ** 152 ** Returns: 153 ** The number of addresses actually on the list. 154 */ 155 156 /* q_flags bits inherited from ctladdr */ 157 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 158 159 int 160 sendtolist(list, ctladdr, sendq, aliaslevel, e) 161 char *list; 162 ADDRESS *ctladdr; 163 ADDRESS **sendq; 164 int aliaslevel; 165 register ENVELOPE *e; 166 { 167 register char *p; 168 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 169 SM_NONVOLATILE char delimiter; /* the address delimiter */ 170 SM_NONVOLATILE int naddrs; 171 SM_NONVOLATILE int i; 172 char *endp; 173 char *oldto = e->e_to; 174 char *SM_NONVOLATILE bufp; 175 char buf[MAXNAME + 1]; 176 177 if (list == NULL) 178 { 179 syserr("sendtolist: null list"); 180 return 0; 181 } 182 183 if (tTd(25, 1)) 184 { 185 sm_dprintf("sendto: %s\n ctladdr=", list); 186 printaddr(sm_debug_file(), ctladdr, false); 187 } 188 189 /* heuristic to determine old versus new style addresses */ 190 if (ctladdr == NULL && 191 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 192 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 193 e->e_flags &= ~EF_OLDSTYLE; 194 delimiter = ' '; 195 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 196 delimiter = ','; 197 198 al = NULL; 199 naddrs = 0; 200 201 /* make sure we have enough space to copy the string */ 202 i = strlen(list) + 1; 203 if (i <= sizeof(buf)) 204 { 205 bufp = buf; 206 i = sizeof(buf); 207 } 208 else 209 bufp = sm_malloc_x(i); 210 endp = bufp + i; 211 212 SM_TRY 213 { 214 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 215 216 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 217 for (p = bufp; *p != '\0'; ) 218 { 219 auto char *delimptr; 220 register ADDRESS *a; 221 222 SM_ASSERT(p < endp); 223 224 /* parse the address */ 225 while ((isascii(*p) && isspace(*p)) || *p == ',') 226 p++; 227 SM_ASSERT(p < endp); 228 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 229 &delimptr, e, true); 230 p = delimptr; 231 SM_ASSERT(p < endp); 232 if (a == NULL) 233 continue; 234 a->q_next = al; 235 a->q_alias = ctladdr; 236 237 /* arrange to inherit attributes from parent */ 238 if (ctladdr != NULL) 239 { 240 ADDRESS *b; 241 242 /* self reference test */ 243 if (sameaddr(ctladdr, a)) 244 { 245 if (tTd(27, 5)) 246 { 247 sm_dprintf("sendtolist: QSELFREF "); 248 printaddr(sm_debug_file(), ctladdr, false); 249 } 250 ctladdr->q_flags |= QSELFREF; 251 } 252 253 /* check for address loops */ 254 b = self_reference(a); 255 if (b != NULL) 256 { 257 b->q_flags |= QSELFREF; 258 if (tTd(27, 5)) 259 { 260 sm_dprintf("sendtolist: QSELFREF "); 261 printaddr(sm_debug_file(), b, false); 262 } 263 if (a != b) 264 { 265 if (tTd(27, 5)) 266 { 267 sm_dprintf("sendtolist: QS_DONTSEND "); 268 printaddr(sm_debug_file(), a, false); 269 } 270 a->q_state = QS_DONTSEND; 271 b->q_flags |= a->q_flags & QNOTREMOTE; 272 continue; 273 } 274 } 275 276 /* full name */ 277 if (a->q_fullname == NULL) 278 a->q_fullname = ctladdr->q_fullname; 279 280 /* various flag bits */ 281 a->q_flags &= ~QINHERITEDBITS; 282 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 283 284 /* DSN recipient information */ 285 a->q_finalrcpt = ctladdr->q_finalrcpt; 286 a->q_orcpt = ctladdr->q_orcpt; 287 } 288 289 al = a; 290 } 291 292 /* arrange to send to everyone on the local send list */ 293 while (al != NULL) 294 { 295 register ADDRESS *a = al; 296 297 al = a->q_next; 298 a = recipient(a, sendq, aliaslevel, e); 299 naddrs++; 300 } 301 } 302 SM_FINALLY 303 { 304 e->e_to = oldto; 305 if (bufp != buf) 306 sm_free(bufp); 307 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 308 } 309 SM_END_TRY 310 return naddrs; 311 } 312 313 #if MILTER 314 /* 315 ** REMOVEFROMLIST -- Remove addresses from a send list. 316 ** 317 ** The parameter is a comma-separated list of recipients to remove. 318 ** Note that it only deletes matching addresses. If those addresses 319 ** have been expanded already in the sendq, it won't mark the 320 ** expanded recipients as QS_REMOVED. 321 ** 322 ** Parameters: 323 ** list -- the list to remove. 324 ** sendq -- a pointer to the head of a queue to remove 325 ** these addresses from. 326 ** e -- the envelope in which to remove these recipients. 327 ** 328 ** Returns: 329 ** The number of addresses removed from the list. 330 ** 331 */ 332 333 int 334 removefromlist(list, sendq, e) 335 char *list; 336 ADDRESS **sendq; 337 ENVELOPE *e; 338 { 339 SM_NONVOLATILE char delimiter; /* the address delimiter */ 340 SM_NONVOLATILE int naddrs; 341 SM_NONVOLATILE int i; 342 char *p; 343 char *oldto = e->e_to; 344 char *SM_NONVOLATILE bufp; 345 char buf[MAXNAME + 1]; 346 347 if (list == NULL) 348 { 349 syserr("removefromlist: null list"); 350 return 0; 351 } 352 353 if (tTd(25, 1)) 354 sm_dprintf("removefromlist: %s\n", list); 355 356 /* heuristic to determine old versus new style addresses */ 357 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 358 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 359 e->e_flags &= ~EF_OLDSTYLE; 360 delimiter = ' '; 361 if (!bitset(EF_OLDSTYLE, e->e_flags)) 362 delimiter = ','; 363 364 naddrs = 0; 365 366 /* make sure we have enough space to copy the string */ 367 i = strlen(list) + 1; 368 if (i <= sizeof(buf)) 369 { 370 bufp = buf; 371 i = sizeof(buf); 372 } 373 else 374 bufp = sm_malloc_x(i); 375 376 SM_TRY 377 { 378 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 379 380 #if _FFR_ADDR_TYPE_MODES 381 if (AddrTypeModes) 382 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), 383 "e r d"); 384 else 385 #endif /* _FFR_ADDR_TYPE_MODES */ 386 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 387 for (p = bufp; *p != '\0'; ) 388 { 389 ADDRESS a; /* parsed address to be removed */ 390 ADDRESS *q; 391 ADDRESS **pq; 392 char *delimptr; 393 394 /* parse the address */ 395 while ((isascii(*p) && isspace(*p)) || *p == ',') 396 p++; 397 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 398 delimiter, &delimptr, e, true) == NULL) 399 { 400 p = delimptr; 401 continue; 402 } 403 p = delimptr; 404 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 405 { 406 if (!QS_IS_DEAD(q->q_state) && 407 (sameaddr(q, &a) || 408 strcmp(q->q_paddr, a.q_paddr) == 0)) 409 { 410 if (tTd(25, 5)) 411 { 412 sm_dprintf("removefromlist: QS_REMOVED "); 413 printaddr(sm_debug_file(), &a, false); 414 } 415 q->q_state = QS_REMOVED; 416 naddrs++; 417 break; 418 } 419 } 420 } 421 } 422 SM_FINALLY 423 { 424 e->e_to = oldto; 425 if (bufp != buf) 426 sm_free(bufp); 427 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 428 } 429 SM_END_TRY 430 return naddrs; 431 } 432 #endif /* MILTER */ 433 434 /* 435 ** RECIPIENT -- Designate a message recipient 436 ** Saves the named person for future mailing (after some checks). 437 ** 438 ** Parameters: 439 ** new -- the (preparsed) address header for the recipient. 440 ** sendq -- a pointer to the head of a queue to put the 441 ** recipient in. Duplicate suppression is done 442 ** in this queue. 443 ** aliaslevel -- the current alias nesting depth. 444 ** e -- the current envelope. 445 ** 446 ** Returns: 447 ** The actual address in the queue. This will be "a" if 448 ** the address is not a duplicate, else the original address. 449 ** 450 */ 451 452 ADDRESS * 453 recipient(new, sendq, aliaslevel, e) 454 register ADDRESS *new; 455 register ADDRESS **sendq; 456 int aliaslevel; 457 register ENVELOPE *e; 458 { 459 register ADDRESS *q; 460 ADDRESS **pq; 461 ADDRESS **prev; 462 register struct mailer *m; 463 register char *p; 464 int i, buflen; 465 bool quoted; /* set if the addr has a quote bit */ 466 bool insert; 467 int findusercount; 468 bool initialdontsend; 469 char *buf; 470 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 471 sortfn_t *sortfn; 472 473 p = NULL; 474 quoted = false; 475 insert = false; 476 findusercount = 0; 477 initialdontsend = QS_IS_DEAD(new->q_state); 478 e->e_to = new->q_paddr; 479 m = new->q_mailer; 480 errno = 0; 481 if (aliaslevel == 0) 482 new->q_flags |= QPRIMARY; 483 if (tTd(26, 1)) 484 { 485 sm_dprintf("\nrecipient (%d): ", aliaslevel); 486 printaddr(sm_debug_file(), new, false); 487 } 488 489 /* if this is primary, use it as original recipient */ 490 if (new->q_alias == NULL) 491 { 492 if (e->e_origrcpt == NULL) 493 e->e_origrcpt = new->q_paddr; 494 else if (e->e_origrcpt != new->q_paddr) 495 e->e_origrcpt = ""; 496 } 497 498 /* find parent recipient for finalrcpt and orcpt */ 499 for (q = new; q->q_alias != NULL; q = q->q_alias) 500 continue; 501 502 /* find final recipient DSN address */ 503 if (new->q_finalrcpt == NULL && 504 e->e_from.q_mailer != NULL) 505 { 506 char frbuf[MAXLINE]; 507 508 p = e->e_from.q_mailer->m_addrtype; 509 if (p == NULL) 510 p = "rfc822"; 511 if (sm_strcasecmp(p, "rfc822") != 0) 512 { 513 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 514 q->q_mailer->m_addrtype, 515 q->q_user); 516 } 517 else if (strchr(q->q_user, '@') != NULL) 518 { 519 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 520 p, q->q_user); 521 } 522 else if (strchr(q->q_paddr, '@') != NULL) 523 { 524 char *qp; 525 bool b; 526 527 qp = q->q_paddr; 528 529 /* strip brackets from address */ 530 b = false; 531 if (*qp == '<') 532 { 533 b = qp[strlen(qp) - 1] == '>'; 534 if (b) 535 qp[strlen(qp) - 1] = '\0'; 536 qp++; 537 } 538 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 539 p, qp); 540 541 /* undo damage */ 542 if (b) 543 qp[strlen(qp)] = '>'; 544 } 545 else 546 { 547 (void) sm_snprintf(frbuf, sizeof(frbuf), 548 "%s; %.700s@%.100s", 549 p, q->q_user, MyHostName); 550 } 551 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 552 } 553 554 #if _FFR_GEN_ORCPT 555 /* set ORCPT DSN arg if not already set */ 556 if (new->q_orcpt == NULL) 557 { 558 /* check for an existing ORCPT */ 559 if (q->q_orcpt != NULL) 560 new->q_orcpt = q->q_orcpt; 561 else 562 { 563 /* make our own */ 564 bool b = false; 565 char *qp; 566 char obuf[MAXLINE]; 567 568 if (e->e_from.q_mailer != NULL) 569 p = e->e_from.q_mailer->m_addrtype; 570 if (p == NULL) 571 p = "rfc822"; 572 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 573 574 qp = q->q_paddr; 575 576 /* FFR: Needs to strip comments from stdin addrs */ 577 578 /* strip brackets from address */ 579 if (*qp == '<') 580 { 581 b = qp[strlen(qp) - 1] == '>'; 582 if (b) 583 qp[strlen(qp) - 1] = '\0'; 584 qp++; 585 } 586 587 p = xtextify(denlstring(qp, true, false), "="); 588 589 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 590 { 591 /* if too big, don't use it */ 592 obuf[0] = '\0'; 593 } 594 595 /* undo damage */ 596 if (b) 597 qp[strlen(qp)] = '>'; 598 599 if (obuf[0] != '\0') 600 new->q_orcpt = 601 sm_rpool_strdup_x(e->e_rpool, obuf); 602 } 603 } 604 #endif /* _FFR_GEN_ORCPT */ 605 606 /* break aliasing loops */ 607 if (aliaslevel > MaxAliasRecursion) 608 { 609 new->q_state = QS_BADADDR; 610 new->q_status = "5.4.6"; 611 if (new->q_alias != NULL) 612 { 613 new->q_alias->q_state = QS_BADADDR; 614 new->q_alias->q_status = "5.4.6"; 615 } 616 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 617 { 618 sm_syslog(LOG_ERR, e->e_id, 619 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 620 FileName != NULL ? FileName : "", aliaslevel, 621 MaxAliasRecursion); 622 } 623 usrerrenh(new->q_status, 624 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 625 aliaslevel, MaxAliasRecursion); 626 return new; 627 } 628 629 /* 630 ** Finish setting up address structure. 631 */ 632 633 /* get unquoted user for file, program or user.name check */ 634 i = strlen(new->q_user); 635 if (i >= sizeof(buf0)) 636 { 637 buflen = i + 1; 638 buf = xalloc(buflen); 639 } 640 else 641 { 642 buf = buf0; 643 buflen = sizeof(buf0); 644 } 645 (void) sm_strlcpy(buf, new->q_user, buflen); 646 for (p = buf; *p != '\0' && !quoted; p++) 647 { 648 if (*p == '\\') 649 quoted = true; 650 } 651 stripquotes(buf); 652 653 /* check for direct mailing to restricted mailers */ 654 if (m == ProgMailer) 655 { 656 if (new->q_alias == NULL || UseMSP || 657 bitset(EF_UNSAFE, e->e_flags)) 658 { 659 new->q_state = QS_BADADDR; 660 new->q_status = "5.7.1"; 661 usrerrenh(new->q_status, 662 "550 Cannot mail directly to programs"); 663 } 664 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 665 { 666 new->q_state = QS_BADADDR; 667 new->q_status = "5.7.1"; 668 if (new->q_alias->q_ruser == NULL) 669 usrerrenh(new->q_status, 670 "550 UID %ld is an unknown user: cannot mail to programs", 671 (long) new->q_alias->q_uid); 672 else 673 usrerrenh(new->q_status, 674 "550 User %s@%s doesn't have a valid shell for mailing to programs", 675 new->q_alias->q_ruser, MyHostName); 676 } 677 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 678 { 679 new->q_state = QS_BADADDR; 680 new->q_status = "5.7.1"; 681 new->q_rstatus = "550 Unsafe for mailing to programs"; 682 usrerrenh(new->q_status, 683 "550 Address %s is unsafe for mailing to programs", 684 new->q_alias->q_paddr); 685 } 686 } 687 688 /* 689 ** Look up this person in the recipient list. 690 ** If they are there already, return, otherwise continue. 691 ** If the list is empty, just add it. Notice the cute 692 ** hack to make from addresses suppress things correctly: 693 ** the QS_DUPLICATE state will be set in the send list. 694 ** [Please note: the emphasis is on "hack."] 695 */ 696 697 prev = NULL; 698 699 /* 700 ** If this message is going to the queue or FastSplit is set 701 ** and it is the first try and the envelope hasn't split, then we 702 ** avoid doing an MX RR lookup now because one will be done when the 703 ** message is extracted from the queue later. It can go to the queue 704 ** because all messages are going to the queue or this mailer of 705 ** the current recipient is marked expensive. 706 */ 707 708 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 709 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 710 FastSplit > 0)) 711 sortfn = sorthost; 712 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 713 sortfn = sortexpensive; 714 else 715 sortfn = sortbysignature; 716 717 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 718 { 719 /* 720 ** If address is "less than" it should be inserted now. 721 ** If address is "greater than" current comparison it'll 722 ** insert later in the list; so loop again (if possible). 723 ** If address is "equal" (different equal than sameaddr() 724 ** call) then check if sameaddr() will be true. 725 ** Because this list is now sorted, it'll mean fewer 726 ** comparisons and fewer loops which is important for more 727 ** recipients. 728 */ 729 730 i = (*sortfn)(new, q); 731 if (i == 0) /* equal */ 732 { 733 /* 734 ** Sortbysignature() has said that the two have 735 ** equal MX RR's and the same user. Calling sameaddr() 736 ** now checks if the two hosts are as identical as the 737 ** MX RR's are (which might not be the case) 738 ** before saying these are the identical addresses. 739 */ 740 741 if (sameaddr(q, new) && 742 (bitset(QRCPTOK, q->q_flags) || 743 !bitset(QPRIMARY, q->q_flags))) 744 { 745 if (tTd(26, 1)) 746 { 747 sm_dprintf("%s in sendq: ", 748 new->q_paddr); 749 printaddr(sm_debug_file(), q, false); 750 } 751 if (!bitset(QPRIMARY, q->q_flags)) 752 { 753 if (!QS_IS_DEAD(new->q_state)) 754 message("duplicate suppressed"); 755 else 756 q->q_state = QS_DUPLICATE; 757 q->q_flags |= new->q_flags; 758 } 759 else if (bitset(QSELFREF, q->q_flags) 760 || q->q_state == QS_REMOVED) 761 { 762 /* 763 ** If an earlier milter removed the 764 ** address, a later one can still add 765 ** it back. 766 */ 767 768 q->q_state = new->q_state; 769 q->q_flags |= new->q_flags; 770 } 771 new = q; 772 goto done; 773 } 774 } 775 else if (i < 0) /* less than */ 776 { 777 insert = true; 778 break; 779 } 780 prev = pq; 781 } 782 783 /* pq should point to an address, never NULL */ 784 SM_ASSERT(pq != NULL); 785 786 /* add address on list */ 787 if (insert) 788 { 789 /* 790 ** insert before 'pq'. Only possible when at least 1 791 ** ADDRESS is in the list already. 792 */ 793 794 new->q_next = *pq; 795 if (prev == NULL) 796 *sendq = new; /* To be the first ADDRESS */ 797 else 798 (*prev)->q_next = new; 799 } 800 else 801 { 802 /* 803 ** Place in list at current 'pq' position. Possible 804 ** when there are 0 or more ADDRESS's in the list. 805 */ 806 807 new->q_next = NULL; 808 *pq = new; 809 } 810 811 /* added a new address: clear split flag */ 812 e->e_flags &= ~EF_SPLIT; 813 814 /* 815 ** Alias the name and handle special mailer types. 816 */ 817 818 trylocaluser: 819 if (tTd(29, 7)) 820 { 821 sm_dprintf("at trylocaluser: "); 822 printaddr(sm_debug_file(), new, false); 823 } 824 825 if (!QS_IS_OK(new->q_state)) 826 { 827 if (QS_IS_UNDELIVERED(new->q_state)) 828 e->e_nrcpts++; 829 goto testselfdestruct; 830 } 831 832 if (m == InclMailer) 833 { 834 new->q_state = QS_INCLUDED; 835 if (new->q_alias == NULL || UseMSP || 836 bitset(EF_UNSAFE, e->e_flags)) 837 { 838 new->q_state = QS_BADADDR; 839 new->q_status = "5.7.1"; 840 usrerrenh(new->q_status, 841 "550 Cannot mail directly to :include:s"); 842 } 843 else 844 { 845 int ret; 846 847 message("including file %s", new->q_user); 848 ret = include(new->q_user, false, new, 849 sendq, aliaslevel, e); 850 if (transienterror(ret)) 851 { 852 if (LogLevel > 2) 853 sm_syslog(LOG_ERR, e->e_id, 854 "include %s: transient error: %s", 855 shortenstring(new->q_user, 856 MAXSHORTSTR), 857 sm_errstring(ret)); 858 new->q_state = QS_QUEUEUP; 859 usrerr("451 4.2.4 Cannot open %s: %s", 860 shortenstring(new->q_user, 861 MAXSHORTSTR), 862 sm_errstring(ret)); 863 } 864 else if (ret != 0) 865 { 866 new->q_state = QS_BADADDR; 867 new->q_status = "5.2.4"; 868 usrerrenh(new->q_status, 869 "550 Cannot open %s: %s", 870 shortenstring(new->q_user, 871 MAXSHORTSTR), 872 sm_errstring(ret)); 873 } 874 } 875 } 876 else if (m == FileMailer) 877 { 878 /* check if allowed */ 879 if (new->q_alias == NULL || UseMSP || 880 bitset(EF_UNSAFE, e->e_flags)) 881 { 882 new->q_state = QS_BADADDR; 883 new->q_status = "5.7.1"; 884 usrerrenh(new->q_status, 885 "550 Cannot mail directly to files"); 886 } 887 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 888 { 889 new->q_state = QS_BADADDR; 890 new->q_status = "5.7.1"; 891 if (new->q_alias->q_ruser == NULL) 892 usrerrenh(new->q_status, 893 "550 UID %ld is an unknown user: cannot mail to files", 894 (long) new->q_alias->q_uid); 895 else 896 usrerrenh(new->q_status, 897 "550 User %s@%s doesn't have a valid shell for mailing to files", 898 new->q_alias->q_ruser, MyHostName); 899 } 900 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 901 { 902 new->q_state = QS_BADADDR; 903 new->q_status = "5.7.1"; 904 new->q_rstatus = "550 Unsafe for mailing to files"; 905 usrerrenh(new->q_status, 906 "550 Address %s is unsafe for mailing to files", 907 new->q_alias->q_paddr); 908 } 909 } 910 911 /* try aliasing */ 912 if (!quoted && QS_IS_OK(new->q_state) && 913 bitnset(M_ALIASABLE, m->m_flags)) 914 alias(new, sendq, aliaslevel, e); 915 916 #if USERDB 917 /* if not aliased, look it up in the user database */ 918 if (!bitset(QNOTREMOTE, new->q_flags) && 919 QS_IS_SENDABLE(new->q_state) && 920 bitnset(M_CHECKUDB, m->m_flags)) 921 { 922 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 923 { 924 new->q_state = QS_QUEUEUP; 925 if (e->e_message == NULL) 926 e->e_message = sm_rpool_strdup_x(e->e_rpool, 927 "Deferred: user database error"); 928 if (new->q_message == NULL) 929 new->q_message = "Deferred: user database error"; 930 if (LogLevel > 8) 931 sm_syslog(LOG_INFO, e->e_id, 932 "deferred: udbexpand: %s", 933 sm_errstring(errno)); 934 message("queued (user database error): %s", 935 sm_errstring(errno)); 936 e->e_nrcpts++; 937 goto testselfdestruct; 938 } 939 } 940 #endif /* USERDB */ 941 942 /* 943 ** If we have a level two config file, then pass the name through 944 ** Ruleset 5 before sending it off. Ruleset 5 has the right 945 ** to rewrite it to another mailer. This gives us a hook 946 ** after local aliasing has been done. 947 */ 948 949 if (tTd(29, 5)) 950 { 951 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 952 ConfigLevel, RewriteRules[5]); 953 printaddr(sm_debug_file(), new, false); 954 } 955 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 956 bitnset(M_TRYRULESET5, m->m_flags) && 957 !bitset(QNOTREMOTE, new->q_flags) && 958 QS_IS_OK(new->q_state)) 959 { 960 maplocaluser(new, sendq, aliaslevel + 1, e); 961 } 962 963 /* 964 ** If it didn't get rewritten to another mailer, go ahead 965 ** and deliver it. 966 */ 967 968 if (QS_IS_OK(new->q_state) && 969 bitnset(M_HASPWENT, m->m_flags)) 970 { 971 auto bool fuzzy; 972 SM_MBDB_T user; 973 int status; 974 975 /* warning -- finduser may trash buf */ 976 status = finduser(buf, &fuzzy, &user); 977 switch (status) 978 { 979 case EX_TEMPFAIL: 980 new->q_state = QS_QUEUEUP; 981 new->q_status = "4.5.2"; 982 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 983 new->q_alias, (time_t) 0, e, new); 984 break; 985 default: 986 new->q_state = QS_BADADDR; 987 new->q_status = "5.1.1"; 988 new->q_rstatus = "550 5.1.1 User unknown"; 989 giveresponse(EX_NOUSER, new->q_status, m, NULL, 990 new->q_alias, (time_t) 0, e, new); 991 break; 992 case EX_OK: 993 if (fuzzy) 994 { 995 /* name was a fuzzy match */ 996 new->q_user = sm_rpool_strdup_x(e->e_rpool, 997 user.mbdb_name); 998 if (findusercount++ > 3) 999 { 1000 new->q_state = QS_BADADDR; 1001 new->q_status = "5.4.6"; 1002 usrerrenh(new->q_status, 1003 "554 aliasing/forwarding loop for %s broken", 1004 user.mbdb_name); 1005 goto done; 1006 } 1007 1008 /* see if it aliases */ 1009 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1010 goto trylocaluser; 1011 } 1012 if (*user.mbdb_homedir == '\0') 1013 new->q_home = NULL; 1014 else if (strcmp(user.mbdb_homedir, "/") == 0) 1015 new->q_home = ""; 1016 else 1017 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1018 user.mbdb_homedir); 1019 if (user.mbdb_uid != SM_NO_UID) 1020 { 1021 new->q_uid = user.mbdb_uid; 1022 new->q_gid = user.mbdb_gid; 1023 new->q_flags |= QGOODUID; 1024 } 1025 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1026 user.mbdb_name); 1027 if (user.mbdb_fullname[0] != '\0') 1028 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1029 user.mbdb_fullname); 1030 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1031 { 1032 new->q_flags |= QBOGUSSHELL; 1033 } 1034 if (bitset(EF_VRFYONLY, e->e_flags)) 1035 { 1036 /* don't do any more now */ 1037 new->q_state = QS_VERIFIED; 1038 } 1039 else if (!quoted) 1040 forward(new, sendq, aliaslevel, e); 1041 } 1042 } 1043 if (!QS_IS_DEAD(new->q_state)) 1044 e->e_nrcpts++; 1045 1046 testselfdestruct: 1047 new->q_flags |= QTHISPASS; 1048 if (tTd(26, 8)) 1049 { 1050 sm_dprintf("testselfdestruct: "); 1051 printaddr(sm_debug_file(), new, false); 1052 if (tTd(26, 10)) 1053 { 1054 sm_dprintf("SENDQ:\n"); 1055 printaddr(sm_debug_file(), *sendq, true); 1056 sm_dprintf("----\n"); 1057 } 1058 } 1059 if (new->q_alias == NULL && new != &e->e_from && 1060 QS_IS_DEAD(new->q_state)) 1061 { 1062 for (q = *sendq; q != NULL; q = q->q_next) 1063 { 1064 if (!QS_IS_DEAD(q->q_state)) 1065 break; 1066 } 1067 if (q == NULL) 1068 { 1069 new->q_state = QS_BADADDR; 1070 new->q_status = "5.4.6"; 1071 usrerrenh(new->q_status, 1072 "554 aliasing/forwarding loop broken"); 1073 } 1074 } 1075 1076 done: 1077 new->q_flags |= QTHISPASS; 1078 if (buf != buf0) 1079 sm_free(buf); /* XXX leak if above code raises exception */ 1080 1081 /* 1082 ** If we are at the top level, check to see if this has 1083 ** expanded to exactly one address. If so, it can inherit 1084 ** the primaryness of the address. 1085 ** 1086 ** While we're at it, clear the QTHISPASS bits. 1087 */ 1088 1089 if (aliaslevel == 0) 1090 { 1091 int nrcpts = 0; 1092 ADDRESS *only = NULL; 1093 1094 for (q = *sendq; q != NULL; q = q->q_next) 1095 { 1096 if (bitset(QTHISPASS, q->q_flags) && 1097 QS_IS_SENDABLE(q->q_state)) 1098 { 1099 nrcpts++; 1100 only = q; 1101 } 1102 q->q_flags &= ~QTHISPASS; 1103 } 1104 if (nrcpts == 1) 1105 { 1106 /* check to see if this actually got a new owner */ 1107 q = only; 1108 while ((q = q->q_alias) != NULL) 1109 { 1110 if (q->q_owner != NULL) 1111 break; 1112 } 1113 if (q == NULL) 1114 only->q_flags |= QPRIMARY; 1115 } 1116 else if (!initialdontsend && nrcpts > 0) 1117 { 1118 /* arrange for return receipt */ 1119 e->e_flags |= EF_SENDRECEIPT; 1120 new->q_flags |= QEXPANDED; 1121 if (e->e_xfp != NULL && 1122 bitset(QPINGONSUCCESS, new->q_flags)) 1123 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1124 "%s... expanded to multiple addresses\n", 1125 new->q_paddr); 1126 } 1127 } 1128 new->q_flags |= QRCPTOK; 1129 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1130 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1131 return new; 1132 } 1133 1134 /* 1135 ** FINDUSER -- find the password entry for a user. 1136 ** 1137 ** This looks a lot like getpwnam, except that it may want to 1138 ** do some fancier pattern matching in /etc/passwd. 1139 ** 1140 ** This routine contains most of the time of many sendmail runs. 1141 ** It deserves to be optimized. 1142 ** 1143 ** Parameters: 1144 ** name -- the name to match against. 1145 ** fuzzyp -- an outarg that is set to true if this entry 1146 ** was found using the fuzzy matching algorithm; 1147 ** set to false otherwise. 1148 ** user -- structure to fill in if user is found 1149 ** 1150 ** Returns: 1151 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1152 ** If the user was not found, return EX_NOUSER. 1153 ** On error, return EX_TEMPFAIL or EX_OSERR. 1154 ** 1155 ** Side Effects: 1156 ** may modify name. 1157 */ 1158 1159 int 1160 finduser(name, fuzzyp, user) 1161 char *name; 1162 bool *fuzzyp; 1163 SM_MBDB_T *user; 1164 { 1165 #if MATCHGECOS 1166 register struct passwd *pw; 1167 #endif /* MATCHGECOS */ 1168 register char *p; 1169 bool tryagain; 1170 int status; 1171 1172 if (tTd(29, 4)) 1173 sm_dprintf("finduser(%s): ", name); 1174 1175 *fuzzyp = false; 1176 1177 #if HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN 1178 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1179 for (p = name; *p != '\0'; p++) 1180 if (!isascii(*p) || !isdigit(*p)) 1181 break; 1182 if (*p == '\0') 1183 { 1184 if (tTd(29, 4)) 1185 sm_dprintf("failed (numeric input)\n"); 1186 return EX_NOUSER; 1187 } 1188 #endif /* HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN */ 1189 1190 /* look up this login name using fast path */ 1191 status = sm_mbdb_lookup(name, user); 1192 if (status != EX_NOUSER) 1193 { 1194 if (tTd(29, 4)) 1195 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1196 return status; 1197 } 1198 1199 /* try mapping it to lower case */ 1200 tryagain = false; 1201 for (p = name; *p != '\0'; p++) 1202 { 1203 if (isascii(*p) && isupper(*p)) 1204 { 1205 *p = tolower(*p); 1206 tryagain = true; 1207 } 1208 } 1209 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1210 { 1211 if (tTd(29, 4)) 1212 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1213 *fuzzyp = true; 1214 return status; 1215 } 1216 1217 #if MATCHGECOS 1218 /* see if fuzzy matching allowed */ 1219 if (!MatchGecos) 1220 { 1221 if (tTd(29, 4)) 1222 sm_dprintf("not found (fuzzy disabled)\n"); 1223 return EX_NOUSER; 1224 } 1225 1226 /* search for a matching full name instead */ 1227 for (p = name; *p != '\0'; p++) 1228 { 1229 if (*p == (SpaceSub & 0177) || *p == '_') 1230 *p = ' '; 1231 } 1232 (void) setpwent(); 1233 while ((pw = getpwent()) != NULL) 1234 { 1235 char buf[MAXNAME + 1]; 1236 1237 # if 0 1238 if (sm_strcasecmp(pw->pw_name, name) == 0) 1239 { 1240 if (tTd(29, 4)) 1241 sm_dprintf("found (case wrapped)\n"); 1242 break; 1243 } 1244 # endif /* 0 */ 1245 1246 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1247 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1248 { 1249 if (tTd(29, 4)) 1250 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1251 message("sending to login name %s", pw->pw_name); 1252 break; 1253 } 1254 } 1255 if (pw != NULL) 1256 *fuzzyp = true; 1257 else if (tTd(29, 4)) 1258 sm_dprintf("no fuzzy match found\n"); 1259 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1260 endpwent(); 1261 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1262 if (pw == NULL) 1263 return EX_NOUSER; 1264 sm_mbdb_frompw(user, pw); 1265 return EX_OK; 1266 #else /* MATCHGECOS */ 1267 if (tTd(29, 4)) 1268 sm_dprintf("not found (fuzzy disabled)\n"); 1269 return EX_NOUSER; 1270 #endif /* MATCHGECOS */ 1271 } 1272 1273 /* 1274 ** WRITABLE -- predicate returning if the file is writable. 1275 ** 1276 ** This routine must duplicate the algorithm in sys/fio.c. 1277 ** Unfortunately, we cannot use the access call since we 1278 ** won't necessarily be the real uid when we try to 1279 ** actually open the file. 1280 ** 1281 ** Notice that ANY file with ANY execute bit is automatically 1282 ** not writable. This is also enforced by mailfile. 1283 ** 1284 ** Parameters: 1285 ** filename -- the file name to check. 1286 ** ctladdr -- the controlling address for this file. 1287 ** flags -- SFF_* flags to control the function. 1288 ** 1289 ** Returns: 1290 ** true -- if we will be able to write this file. 1291 ** false -- if we cannot write this file. 1292 ** 1293 ** Side Effects: 1294 ** none. 1295 */ 1296 1297 bool 1298 writable(filename, ctladdr, flags) 1299 char *filename; 1300 ADDRESS *ctladdr; 1301 long flags; 1302 { 1303 uid_t euid = 0; 1304 gid_t egid = 0; 1305 char *user = NULL; 1306 1307 if (tTd(44, 5)) 1308 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1309 1310 /* 1311 ** File does exist -- check that it is writable. 1312 */ 1313 1314 if (geteuid() != 0) 1315 { 1316 euid = geteuid(); 1317 egid = getegid(); 1318 user = NULL; 1319 } 1320 else if (ctladdr != NULL) 1321 { 1322 euid = ctladdr->q_uid; 1323 egid = ctladdr->q_gid; 1324 user = ctladdr->q_user; 1325 } 1326 else if (bitset(SFF_RUNASREALUID, flags)) 1327 { 1328 euid = RealUid; 1329 egid = RealGid; 1330 user = RealUserName; 1331 } 1332 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1333 { 1334 if (FileMailer->m_uid == NO_UID) 1335 { 1336 euid = DefUid; 1337 user = DefUser; 1338 } 1339 else 1340 { 1341 euid = FileMailer->m_uid; 1342 user = NULL; 1343 } 1344 if (FileMailer->m_gid == NO_GID) 1345 egid = DefGid; 1346 else 1347 egid = FileMailer->m_gid; 1348 } 1349 else 1350 { 1351 euid = egid = 0; 1352 user = NULL; 1353 } 1354 if (!bitset(SFF_ROOTOK, flags)) 1355 { 1356 if (euid == 0) 1357 { 1358 euid = DefUid; 1359 user = DefUser; 1360 } 1361 if (egid == 0) 1362 egid = DefGid; 1363 } 1364 if (geteuid() == 0 && 1365 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1366 flags |= SFF_SETUIDOK; 1367 1368 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1369 flags |= SFF_NOSLINK; 1370 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1371 flags |= SFF_NOHLINK; 1372 1373 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1374 return errno == 0; 1375 } 1376 1377 /* 1378 ** INCLUDE -- handle :include: specification. 1379 ** 1380 ** Parameters: 1381 ** fname -- filename to include. 1382 ** forwarding -- if true, we are reading a .forward file. 1383 ** if false, it's a :include: file. 1384 ** ctladdr -- address template to use to fill in these 1385 ** addresses -- effective user/group id are 1386 ** the important things. 1387 ** sendq -- a pointer to the head of the send queue 1388 ** to put these addresses in. 1389 ** aliaslevel -- the alias nesting depth. 1390 ** e -- the current envelope. 1391 ** 1392 ** Returns: 1393 ** open error status 1394 ** 1395 ** Side Effects: 1396 ** reads the :include: file and sends to everyone 1397 ** listed in that file. 1398 ** 1399 ** Security Note: 1400 ** If you have restricted chown (that is, you can't 1401 ** give a file away), it is reasonable to allow programs 1402 ** and files called from this :include: file to be to be 1403 ** run as the owner of the :include: file. This is bogus 1404 ** if there is any chance of someone giving away a file. 1405 ** We assume that pre-POSIX systems can give away files. 1406 ** 1407 ** There is an additional restriction that if you 1408 ** forward to a :include: file, it will not take on 1409 ** the ownership of the :include: file. This may not 1410 ** be necessary, but shouldn't hurt. 1411 */ 1412 1413 static jmp_buf CtxIncludeTimeout; 1414 1415 int 1416 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1417 char *fname; 1418 bool forwarding; 1419 ADDRESS *ctladdr; 1420 ADDRESS **sendq; 1421 int aliaslevel; 1422 ENVELOPE *e; 1423 { 1424 SM_FILE_T *volatile fp = NULL; 1425 char *oldto = e->e_to; 1426 char *oldfilename = FileName; 1427 int oldlinenumber = LineNumber; 1428 register SM_EVENT *ev = NULL; 1429 int nincludes; 1430 int mode; 1431 volatile bool maxreached = false; 1432 register ADDRESS *ca; 1433 volatile uid_t saveduid; 1434 volatile gid_t savedgid; 1435 volatile uid_t uid; 1436 volatile gid_t gid; 1437 char *volatile user; 1438 int rval = 0; 1439 volatile long sfflags = SFF_REGONLY; 1440 register char *p; 1441 bool safechown = false; 1442 volatile bool safedir = false; 1443 struct stat st; 1444 char buf[MAXLINE]; 1445 1446 if (tTd(27, 2)) 1447 sm_dprintf("include(%s)\n", fname); 1448 if (tTd(27, 4)) 1449 sm_dprintf(" ruid=%ld euid=%ld\n", 1450 (long) getuid(), (long) geteuid()); 1451 if (tTd(27, 14)) 1452 { 1453 sm_dprintf("ctladdr "); 1454 printaddr(sm_debug_file(), ctladdr, false); 1455 } 1456 1457 if (tTd(27, 9)) 1458 sm_dprintf("include: old uid = %ld/%ld\n", 1459 (long) getuid(), (long) geteuid()); 1460 1461 if (forwarding) 1462 { 1463 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1464 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1465 sfflags |= SFF_NOGWFILES; 1466 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1467 sfflags |= SFF_NOWWFILES; 1468 } 1469 else 1470 { 1471 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1472 sfflags |= SFF_NOGWFILES; 1473 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1474 sfflags |= SFF_NOWWFILES; 1475 } 1476 1477 /* 1478 ** If RunAsUser set, won't be able to run programs as user 1479 ** so mark them as unsafe unless the administrator knows better. 1480 */ 1481 1482 if ((geteuid() != 0 || RunAsUid != 0) && 1483 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1484 { 1485 if (tTd(27, 4)) 1486 sm_dprintf("include: not safe (euid=%ld, RunAsUid=%ld)\n", 1487 (long) geteuid(), (long) RunAsUid); 1488 ctladdr->q_flags |= QUNSAFEADDR; 1489 } 1490 1491 ca = getctladdr(ctladdr); 1492 if (ca == NULL || 1493 (ca->q_uid == DefUid && ca->q_gid == 0)) 1494 { 1495 uid = DefUid; 1496 gid = DefGid; 1497 user = DefUser; 1498 } 1499 else 1500 { 1501 uid = ca->q_uid; 1502 gid = ca->q_gid; 1503 user = ca->q_user; 1504 } 1505 #if MAILER_SETUID_METHOD != USE_SETUID 1506 saveduid = geteuid(); 1507 savedgid = getegid(); 1508 if (saveduid == 0) 1509 { 1510 if (!DontInitGroups) 1511 { 1512 if (initgroups(user, gid) == -1) 1513 { 1514 rval = EAGAIN; 1515 syserr("include: initgroups(%s, %ld) failed", 1516 user, (long) gid); 1517 goto resetuid; 1518 } 1519 } 1520 else 1521 { 1522 GIDSET_T gidset[1]; 1523 1524 gidset[0] = gid; 1525 if (setgroups(1, gidset) == -1) 1526 { 1527 rval = EAGAIN; 1528 syserr("include: setgroups() failed"); 1529 goto resetuid; 1530 } 1531 } 1532 1533 if (gid != 0 && setgid(gid) < -1) 1534 { 1535 rval = EAGAIN; 1536 syserr("setgid(%ld) failure", (long) gid); 1537 goto resetuid; 1538 } 1539 if (uid != 0) 1540 { 1541 # if MAILER_SETUID_METHOD == USE_SETEUID 1542 if (seteuid(uid) < 0) 1543 { 1544 rval = EAGAIN; 1545 syserr("seteuid(%ld) failure (real=%ld, eff=%ld)", 1546 (long) uid, (long) getuid(), (long) geteuid()); 1547 goto resetuid; 1548 } 1549 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1550 # if MAILER_SETUID_METHOD == USE_SETREUID 1551 if (setreuid(0, uid) < 0) 1552 { 1553 rval = EAGAIN; 1554 syserr("setreuid(0, %ld) failure (real=%ld, eff=%ld)", 1555 (long) uid, (long) getuid(), (long) geteuid()); 1556 goto resetuid; 1557 } 1558 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1559 } 1560 } 1561 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1562 1563 if (tTd(27, 9)) 1564 sm_dprintf("include: new uid = %ld/%ld\n", 1565 (long) getuid(), (long) geteuid()); 1566 1567 /* 1568 ** If home directory is remote mounted but server is down, 1569 ** this can hang or give errors; use a timeout to avoid this 1570 */ 1571 1572 if (setjmp(CtxIncludeTimeout) != 0) 1573 { 1574 ctladdr->q_state = QS_QUEUEUP; 1575 errno = 0; 1576 1577 /* return pseudo-error code */ 1578 rval = E_SM_OPENTIMEOUT; 1579 goto resetuid; 1580 } 1581 if (TimeOuts.to_fileopen > 0) 1582 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1583 else 1584 ev = NULL; 1585 1586 1587 /* check for writable parent directory */ 1588 p = strrchr(fname, '/'); 1589 if (p != NULL) 1590 { 1591 int ret; 1592 1593 *p = '\0'; 1594 ret = safedirpath(fname, uid, gid, user, 1595 sfflags|SFF_SAFEDIRPATH, 0, 0); 1596 if (ret == 0) 1597 { 1598 /* in safe directory: relax chown & link rules */ 1599 safedir = true; 1600 sfflags |= SFF_NOPATHCHECK; 1601 } 1602 else 1603 { 1604 if (bitnset((forwarding ? 1605 DBS_FORWARDFILEINUNSAFEDIRPATH : 1606 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1607 DontBlameSendmail)) 1608 sfflags |= SFF_NOPATHCHECK; 1609 else if (bitnset((forwarding ? 1610 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1611 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1612 DontBlameSendmail) && 1613 ret == E_SM_GWDIR) 1614 { 1615 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1616 DontBlameSendmail); 1617 ret = safedirpath(fname, uid, gid, user, 1618 sfflags|SFF_SAFEDIRPATH, 1619 0, 0); 1620 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1621 DontBlameSendmail); 1622 if (ret == 0) 1623 sfflags |= SFF_NOPATHCHECK; 1624 else 1625 sfflags |= SFF_SAFEDIRPATH; 1626 } 1627 else 1628 sfflags |= SFF_SAFEDIRPATH; 1629 if (ret > E_PSEUDOBASE && 1630 !bitnset((forwarding ? 1631 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1632 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1633 DontBlameSendmail)) 1634 { 1635 if (LogLevel > 11) 1636 sm_syslog(LOG_INFO, e->e_id, 1637 "%s: unsafe directory path, marked unsafe", 1638 shortenstring(fname, MAXSHORTSTR)); 1639 ctladdr->q_flags |= QUNSAFEADDR; 1640 } 1641 } 1642 *p = '/'; 1643 } 1644 1645 /* allow links only in unwritable directories */ 1646 if (!safedir && 1647 !bitnset((forwarding ? 1648 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1649 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1650 DontBlameSendmail)) 1651 sfflags |= SFF_NOLINK; 1652 1653 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1654 if (rval != 0) 1655 { 1656 /* don't use this :include: file */ 1657 if (tTd(27, 4)) 1658 sm_dprintf("include: not safe (uid=%ld): %s\n", 1659 (long) uid, sm_errstring(rval)); 1660 } 1661 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1662 SM_IO_RDONLY, NULL)) == NULL) 1663 { 1664 rval = errno; 1665 if (tTd(27, 4)) 1666 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1667 } 1668 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1669 { 1670 rval = E_SM_FILECHANGE; 1671 if (tTd(27, 4)) 1672 sm_dprintf("include: file changed after open\n"); 1673 } 1674 if (ev != NULL) 1675 sm_clrevent(ev); 1676 1677 resetuid: 1678 1679 #if HASSETREUID || USESETEUID 1680 if (saveduid == 0) 1681 { 1682 if (uid != 0) 1683 { 1684 # if USESETEUID 1685 if (seteuid(0) < 0) 1686 syserr("!seteuid(0) failure (real=%ld, eff=%ld)", 1687 (long) getuid(), (long) geteuid()); 1688 # else /* USESETEUID */ 1689 if (setreuid(-1, 0) < 0) 1690 syserr("!setreuid(-1, 0) failure (real=%ld, eff=%ld)", 1691 (long) getuid(), (long) geteuid()); 1692 if (setreuid(RealUid, 0) < 0) 1693 syserr("!setreuid(%ld, 0) failure (real=%ld, eff=%ld)", 1694 (long) RealUid, (long) getuid(), 1695 (long) geteuid()); 1696 # endif /* USESETEUID */ 1697 } 1698 if (setgid(savedgid) < 0) 1699 syserr("!setgid(%ld) failure (real=%ld eff=%ld)", 1700 (long) savedgid, (long) getgid(), 1701 (long) getegid()); 1702 } 1703 #endif /* HASSETREUID || USESETEUID */ 1704 1705 if (tTd(27, 9)) 1706 sm_dprintf("include: reset uid = %ld/%ld\n", 1707 (long) getuid(), (long) geteuid()); 1708 1709 if (rval == E_SM_OPENTIMEOUT) 1710 usrerr("451 4.4.1 open timeout on %s", fname); 1711 1712 if (fp == NULL) 1713 return rval; 1714 1715 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1716 { 1717 rval = errno; 1718 syserr("Cannot fstat %s!", fname); 1719 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1720 return rval; 1721 } 1722 1723 /* if path was writable, check to avoid file giveaway tricks */ 1724 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1725 if (tTd(27, 6)) 1726 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1727 fname, safedir ? "safe" : "dangerous", 1728 safechown ? "" : "un"); 1729 1730 /* if no controlling user or coming from an alias delivery */ 1731 if (safechown && 1732 (ca == NULL || 1733 (ca->q_uid == DefUid && ca->q_gid == 0))) 1734 { 1735 ctladdr->q_uid = st.st_uid; 1736 ctladdr->q_gid = st.st_gid; 1737 ctladdr->q_flags |= QGOODUID; 1738 } 1739 if (ca != NULL && ca->q_uid == st.st_uid) 1740 { 1741 /* optimization -- avoid getpwuid if we already have info */ 1742 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1743 ctladdr->q_ruser = ca->q_ruser; 1744 } 1745 else if (!forwarding) 1746 { 1747 register struct passwd *pw; 1748 1749 pw = sm_getpwuid(st.st_uid); 1750 if (pw == NULL) 1751 { 1752 ctladdr->q_uid = st.st_uid; 1753 ctladdr->q_flags |= QBOGUSSHELL; 1754 } 1755 else 1756 { 1757 char *sh; 1758 1759 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1760 pw->pw_name); 1761 if (safechown) 1762 sh = pw->pw_shell; 1763 else 1764 sh = "/SENDMAIL/ANY/SHELL/"; 1765 if (!usershellok(pw->pw_name, sh)) 1766 { 1767 if (LogLevel > 11) 1768 sm_syslog(LOG_INFO, e->e_id, 1769 "%s: user %s has bad shell %s, marked %s", 1770 shortenstring(fname, 1771 MAXSHORTSTR), 1772 pw->pw_name, sh, 1773 safechown ? "bogus" : "unsafe"); 1774 if (safechown) 1775 ctladdr->q_flags |= QBOGUSSHELL; 1776 else 1777 ctladdr->q_flags |= QUNSAFEADDR; 1778 } 1779 } 1780 } 1781 1782 if (bitset(EF_VRFYONLY, e->e_flags)) 1783 { 1784 /* don't do any more now */ 1785 ctladdr->q_state = QS_VERIFIED; 1786 e->e_nrcpts++; 1787 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1788 return rval; 1789 } 1790 1791 /* 1792 ** Check to see if some bad guy can write this file 1793 ** 1794 ** Group write checking could be more clever, e.g., 1795 ** guessing as to which groups are actually safe ("sys" 1796 ** may be; "user" probably is not). 1797 */ 1798 1799 mode = S_IWOTH; 1800 if (!bitnset((forwarding ? 1801 DBS_GROUPWRITABLEFORWARDFILESAFE : 1802 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1803 DontBlameSendmail)) 1804 mode |= S_IWGRP; 1805 1806 if (bitset(mode, st.st_mode)) 1807 { 1808 if (tTd(27, 6)) 1809 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1810 shortenstring(fname, MAXSHORTSTR), 1811 bitset(S_IWOTH, st.st_mode) ? "world" 1812 : "group"); 1813 if (LogLevel > 11) 1814 sm_syslog(LOG_INFO, e->e_id, 1815 "%s: %s writable %s file, marked unsafe", 1816 shortenstring(fname, MAXSHORTSTR), 1817 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1818 forwarding ? "forward" : ":include:"); 1819 ctladdr->q_flags |= QUNSAFEADDR; 1820 } 1821 1822 /* read the file -- each line is a comma-separated list. */ 1823 FileName = fname; 1824 LineNumber = 0; 1825 ctladdr->q_flags &= ~QSELFREF; 1826 nincludes = 0; 1827 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0 && 1828 !maxreached) 1829 { 1830 fixcrlf(buf, true); 1831 LineNumber++; 1832 if (buf[0] == '#' || buf[0] == '\0') 1833 continue; 1834 1835 /* <sp>#@# introduces a comment anywhere */ 1836 /* for Japanese character sets */ 1837 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1838 { 1839 if (p[1] == '@' && p[2] == '#' && 1840 isascii(p[-1]) && isspace(p[-1]) && 1841 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1842 { 1843 --p; 1844 while (p > buf && isascii(p[-1]) && 1845 isspace(p[-1])) 1846 --p; 1847 p[0] = '\0'; 1848 break; 1849 } 1850 } 1851 if (buf[0] == '\0') 1852 continue; 1853 1854 e->e_to = NULL; 1855 message("%s to %s", 1856 forwarding ? "forwarding" : "sending", buf); 1857 if (forwarding && LogLevel > 10) 1858 sm_syslog(LOG_INFO, e->e_id, 1859 "forward %.200s => %s", 1860 oldto, shortenstring(buf, MAXSHORTSTR)); 1861 1862 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1863 1864 if (forwarding && 1865 MaxForwardEntries > 0 && 1866 nincludes >= MaxForwardEntries) 1867 { 1868 /* just stop reading and processing further entries */ 1869 #if 0 1870 /* additional: (?) */ 1871 ctladdr->q_state = QS_DONTSEND; 1872 #endif /* 0 */ 1873 1874 syserr("Attempt to forward to more than %d addresses (in %s)!", 1875 MaxForwardEntries, fname); 1876 maxreached = true; 1877 } 1878 } 1879 1880 if (sm_io_error(fp) && tTd(27, 3)) 1881 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1882 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1883 { 1884 if (aliaslevel <= MaxAliasRecursion || 1885 ctladdr->q_state != QS_BADADDR) 1886 { 1887 ctladdr->q_state = QS_DONTSEND; 1888 if (tTd(27, 5)) 1889 { 1890 sm_dprintf("include: QS_DONTSEND "); 1891 printaddr(sm_debug_file(), ctladdr, false); 1892 } 1893 } 1894 } 1895 1896 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1897 FileName = oldfilename; 1898 LineNumber = oldlinenumber; 1899 e->e_to = oldto; 1900 return rval; 1901 } 1902 1903 static void 1904 includetimeout(ignore) 1905 int ignore; 1906 { 1907 /* 1908 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1909 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1910 ** DOING. 1911 */ 1912 1913 errno = ETIMEDOUT; 1914 longjmp(CtxIncludeTimeout, 1); 1915 } 1916 1917 /* 1918 ** SENDTOARGV -- send to an argument vector. 1919 ** 1920 ** Parameters: 1921 ** argv -- argument vector to send to. 1922 ** e -- the current envelope. 1923 ** 1924 ** Returns: 1925 ** none. 1926 ** 1927 ** Side Effects: 1928 ** puts all addresses on the argument vector onto the 1929 ** send queue. 1930 */ 1931 1932 void 1933 sendtoargv(argv, e) 1934 register char **argv; 1935 register ENVELOPE *e; 1936 { 1937 register char *p; 1938 1939 while ((p = *argv++) != NULL) 1940 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1941 } 1942 1943 /* 1944 ** GETCTLADDR -- get controlling address from an address header. 1945 ** 1946 ** If none, get one corresponding to the effective userid. 1947 ** 1948 ** Parameters: 1949 ** a -- the address to find the controller of. 1950 ** 1951 ** Returns: 1952 ** the controlling address. 1953 */ 1954 1955 ADDRESS * 1956 getctladdr(a) 1957 register ADDRESS *a; 1958 { 1959 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1960 a = a->q_alias; 1961 return a; 1962 } 1963 1964 /* 1965 ** SELF_REFERENCE -- check to see if an address references itself 1966 ** 1967 ** The check is done through a chain of aliases. If it is part of 1968 ** a loop, break the loop at the "best" address, that is, the one 1969 ** that exists as a real user. 1970 ** 1971 ** This is to handle the case of: 1972 ** awc: Andrew.Chang 1973 ** Andrew.Chang: awc@mail.server 1974 ** which is a problem only on mail.server. 1975 ** 1976 ** Parameters: 1977 ** a -- the address to check. 1978 ** 1979 ** Returns: 1980 ** The address that should be retained. 1981 */ 1982 1983 static ADDRESS * 1984 self_reference(a) 1985 ADDRESS *a; 1986 { 1987 ADDRESS *b; /* top entry in self ref loop */ 1988 ADDRESS *c; /* entry that point to a real mail box */ 1989 1990 if (tTd(27, 1)) 1991 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1992 1993 for (b = a->q_alias; b != NULL; b = b->q_alias) 1994 { 1995 if (sameaddr(a, b)) 1996 break; 1997 } 1998 1999 if (b == NULL) 2000 { 2001 if (tTd(27, 1)) 2002 sm_dprintf("\t... no self ref\n"); 2003 return NULL; 2004 } 2005 2006 /* 2007 ** Pick the first address that resolved to a real mail box 2008 ** i.e has a mbdb entry. The returned value will be marked 2009 ** QSELFREF in recipient(), which in turn will disable alias() 2010 ** from marking it as QS_IS_DEAD(), which mean it will be used 2011 ** as a deliverable address. 2012 ** 2013 ** The 2 key thing to note here are: 2014 ** 1) we are in a recursive call sequence: 2015 ** alias->sendtolist->recipient->alias 2016 ** 2) normally, when we return back to alias(), the address 2017 ** will be marked QS_EXPANDED, since alias() assumes the 2018 ** expanded form will be used instead of the current address. 2019 ** This behaviour is turned off if the address is marked 2020 ** QSELFREF. We set QSELFREF when we return to recipient(). 2021 */ 2022 2023 c = a; 2024 while (c != NULL) 2025 { 2026 if (tTd(27, 10)) 2027 sm_dprintf(" %s", c->q_user); 2028 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2029 { 2030 SM_MBDB_T user; 2031 2032 if (tTd(27, 2)) 2033 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2034 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2035 { 2036 if (tTd(27, 2)) 2037 sm_dprintf("found\n"); 2038 2039 /* ought to cache results here */ 2040 if (sameaddr(b, c)) 2041 return b; 2042 else 2043 return c; 2044 } 2045 if (tTd(27, 2)) 2046 sm_dprintf("failed\n"); 2047 } 2048 else 2049 { 2050 /* if local delivery, compare usernames */ 2051 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2052 b->q_mailer == c->q_mailer) 2053 { 2054 if (tTd(27, 2)) 2055 sm_dprintf("\t... local match (%s)\n", 2056 c->q_user); 2057 if (sameaddr(b, c)) 2058 return b; 2059 else 2060 return c; 2061 } 2062 } 2063 if (tTd(27, 10)) 2064 sm_dprintf("\n"); 2065 c = c->q_alias; 2066 } 2067 2068 if (tTd(27, 1)) 2069 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2070 2071 return NULL; 2072 } 2073