1 /* 2 * Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #include <sendmail.h> 15 16 SM_RCSID("@(#)$Id: recipient.c,v 8.336 2004/07/23 20:45:02 gshapiro Exp $") 17 18 static void includetimeout __P((void)); 19 static ADDRESS *self_reference __P((ADDRESS *)); 20 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 21 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 22 static int sorthost __P((ADDRESS *, ADDRESS *)); 23 24 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 25 26 /* 27 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 28 ** 29 ** Parameters: 30 ** xx -- first ADDRESS 31 ** yy -- second ADDRESS 32 ** 33 ** Returns: 34 ** <0 when xx->q_host is less than yy->q_host 35 ** >0 when xx->q_host is greater than yy->q_host 36 ** 0 when equal 37 */ 38 39 static int 40 sorthost(xx, yy) 41 register ADDRESS *xx; 42 register ADDRESS *yy; 43 { 44 #if _FFR_HOST_SORT_REVERSE 45 /* XXX maybe compare hostnames from the end? */ 46 return sm_strrevcasecmp(xx->q_host, yy->q_host); 47 #else /* _FFR_HOST_SORT_REVERSE */ 48 return sm_strcasecmp(xx->q_host, yy->q_host); 49 #endif /* _FFR_HOST_SORT_REVERSE */ 50 } 51 52 /* 53 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 54 ** 55 ** The mailer has been noted already as "expensive" for 'xx'. This 56 ** will give a result relative to 'yy'. Expensive mailers get rated 57 ** "greater than" non-expensive mailers because during the delivery phase 58 ** it will get queued -- no use it getting in the way of less expensive 59 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 60 ** expensive since an MX RR lookup happens when extracted from the queue 61 ** later. 62 ** 63 ** Parameters: 64 ** xx -- first ADDRESS 65 ** yy -- second ADDRESS 66 ** 67 ** Returns: 68 ** <0 when xx->q_host is less than yy->q_host and both are 69 ** expensive 70 ** >0 when xx->q_host is greater than yy->q_host, or when 71 ** 'yy' is non-expensive 72 ** 0 when equal (by expense and q_host) 73 */ 74 75 static int 76 sortexpensive(xx, yy) 77 ADDRESS *xx; 78 ADDRESS *yy; 79 { 80 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 81 return 1; /* xx should go later */ 82 #if _FFR_HOST_SORT_REVERSE 83 /* XXX maybe compare hostnames from the end? */ 84 return sm_strrevcasecmp(xx->q_host, yy->q_host); 85 #else /* _FFR_HOST_SORT_REVERSE */ 86 return sm_strcasecmp(xx->q_host, yy->q_host); 87 #endif /* _FFR_HOST_SORT_REVERSE */ 88 } 89 90 /* 91 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 92 ** 93 ** Parameters: 94 ** xx -- first ADDRESS 95 ** yy -- second ADDRESS 96 ** 97 ** Returns: 98 ** 0 when the "signature"'s are same 99 ** <0 when xx->q_signature is less than yy->q_signature 100 ** >0 when xx->q_signature is greater than yy->q_signature 101 ** 102 ** Side Effect: 103 ** May set ADDRESS pointer for q_signature if not already set. 104 */ 105 106 static int 107 sortbysignature(xx, yy) 108 ADDRESS *xx; 109 ADDRESS *yy; 110 { 111 register int ret; 112 113 /* Let's avoid redoing the signature over and over again */ 114 if (xx->q_signature == NULL) 115 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 116 if (yy->q_signature == NULL) 117 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 118 ret = strcmp(xx->q_signature, yy->q_signature); 119 120 /* 121 ** If the two signatures are the same then we will return a sort 122 ** value based on 'q_user'. But note that we have reversed xx and yy 123 ** on purpose. This additional compare helps reduce the number of 124 ** sameaddr() calls and loops in recipient() for the case when 125 ** the rcpt list has been provided already in-order. 126 */ 127 128 if (ret == 0) 129 return strcmp(yy->q_user, xx->q_user); 130 else 131 return ret; 132 } 133 134 /* 135 ** SENDTOLIST -- Designate a send list. 136 ** 137 ** The parameter is a comma-separated list of people to send to. 138 ** This routine arranges to send to all of them. 139 ** 140 ** Parameters: 141 ** list -- the send list. 142 ** ctladdr -- the address template for the person to 143 ** send to -- effective uid/gid are important. 144 ** This is typically the alias that caused this 145 ** expansion. 146 ** sendq -- a pointer to the head of a queue to put 147 ** these people into. 148 ** aliaslevel -- the current alias nesting depth -- to 149 ** diagnose loops. 150 ** e -- the envelope in which to add these recipients. 151 ** 152 ** Returns: 153 ** The number of addresses actually on the list. 154 */ 155 156 /* q_flags bits inherited from ctladdr */ 157 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 158 159 int 160 sendtolist(list, ctladdr, sendq, aliaslevel, e) 161 char *list; 162 ADDRESS *ctladdr; 163 ADDRESS **sendq; 164 int aliaslevel; 165 register ENVELOPE *e; 166 { 167 register char *p; 168 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 169 SM_NONVOLATILE char delimiter; /* the address delimiter */ 170 SM_NONVOLATILE int naddrs; 171 SM_NONVOLATILE int i; 172 char *endp; 173 char *oldto = e->e_to; 174 char *SM_NONVOLATILE bufp; 175 char buf[MAXNAME + 1]; 176 177 if (list == NULL) 178 { 179 syserr("sendtolist: null list"); 180 return 0; 181 } 182 183 if (tTd(25, 1)) 184 { 185 sm_dprintf("sendto: %s\n ctladdr=", list); 186 printaddr(sm_debug_file(), ctladdr, false); 187 } 188 189 /* heuristic to determine old versus new style addresses */ 190 if (ctladdr == NULL && 191 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 192 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 193 e->e_flags &= ~EF_OLDSTYLE; 194 delimiter = ' '; 195 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 196 delimiter = ','; 197 198 al = NULL; 199 naddrs = 0; 200 201 /* make sure we have enough space to copy the string */ 202 i = strlen(list) + 1; 203 if (i <= sizeof buf) 204 { 205 bufp = buf; 206 i = sizeof buf; 207 } 208 else 209 bufp = sm_malloc_x(i); 210 endp = bufp + i; 211 212 SM_TRY 213 { 214 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 215 216 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 217 for (p = bufp; *p != '\0'; ) 218 { 219 auto char *delimptr; 220 register ADDRESS *a; 221 222 SM_ASSERT(p < endp); 223 224 /* parse the address */ 225 while ((isascii(*p) && isspace(*p)) || *p == ',') 226 p++; 227 SM_ASSERT(p < endp); 228 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 229 &delimptr, e, true); 230 p = delimptr; 231 SM_ASSERT(p < endp); 232 if (a == NULL) 233 continue; 234 a->q_next = al; 235 a->q_alias = ctladdr; 236 237 /* arrange to inherit attributes from parent */ 238 if (ctladdr != NULL) 239 { 240 ADDRESS *b; 241 242 /* self reference test */ 243 if (sameaddr(ctladdr, a)) 244 { 245 if (tTd(27, 5)) 246 { 247 sm_dprintf("sendtolist: QSELFREF "); 248 printaddr(sm_debug_file(), ctladdr, false); 249 } 250 ctladdr->q_flags |= QSELFREF; 251 } 252 253 /* check for address loops */ 254 b = self_reference(a); 255 if (b != NULL) 256 { 257 b->q_flags |= QSELFREF; 258 if (tTd(27, 5)) 259 { 260 sm_dprintf("sendtolist: QSELFREF "); 261 printaddr(sm_debug_file(), b, false); 262 } 263 if (a != b) 264 { 265 if (tTd(27, 5)) 266 { 267 sm_dprintf("sendtolist: QS_DONTSEND "); 268 printaddr(sm_debug_file(), a, false); 269 } 270 a->q_state = QS_DONTSEND; 271 b->q_flags |= a->q_flags & QNOTREMOTE; 272 continue; 273 } 274 } 275 276 /* full name */ 277 if (a->q_fullname == NULL) 278 a->q_fullname = ctladdr->q_fullname; 279 280 /* various flag bits */ 281 a->q_flags &= ~QINHERITEDBITS; 282 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 283 284 /* DSN recipient information */ 285 a->q_finalrcpt = ctladdr->q_finalrcpt; 286 a->q_orcpt = ctladdr->q_orcpt; 287 } 288 289 al = a; 290 } 291 292 /* arrange to send to everyone on the local send list */ 293 while (al != NULL) 294 { 295 register ADDRESS *a = al; 296 297 al = a->q_next; 298 a = recipient(a, sendq, aliaslevel, e); 299 naddrs++; 300 } 301 } 302 SM_FINALLY 303 { 304 e->e_to = oldto; 305 if (bufp != buf) 306 sm_free(bufp); 307 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 308 } 309 SM_END_TRY 310 return naddrs; 311 } 312 #if MILTER 313 /* 314 ** REMOVEFROMLIST -- Remove addresses from a send list. 315 ** 316 ** The parameter is a comma-separated list of recipients to remove. 317 ** Note that it only deletes matching addresses. If those addresses 318 ** have been expanded already in the sendq, it won't mark the 319 ** expanded recipients as QS_REMOVED. 320 ** 321 ** Parameters: 322 ** list -- the list to remove. 323 ** sendq -- a pointer to the head of a queue to remove 324 ** these addresses from. 325 ** e -- the envelope in which to remove these recipients. 326 ** 327 ** Returns: 328 ** The number of addresses removed from the list. 329 ** 330 */ 331 332 int 333 removefromlist(list, sendq, e) 334 char *list; 335 ADDRESS **sendq; 336 ENVELOPE *e; 337 { 338 SM_NONVOLATILE char delimiter; /* the address delimiter */ 339 SM_NONVOLATILE int naddrs; 340 SM_NONVOLATILE int i; 341 char *p; 342 char *oldto = e->e_to; 343 char *SM_NONVOLATILE bufp; 344 char buf[MAXNAME + 1]; 345 346 if (list == NULL) 347 { 348 syserr("removefromlist: null list"); 349 return 0; 350 } 351 352 if (tTd(25, 1)) 353 sm_dprintf("removefromlist: %s\n", list); 354 355 /* heuristic to determine old versus new style addresses */ 356 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 357 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 358 e->e_flags &= ~EF_OLDSTYLE; 359 delimiter = ' '; 360 if (!bitset(EF_OLDSTYLE, e->e_flags)) 361 delimiter = ','; 362 363 naddrs = 0; 364 365 /* make sure we have enough space to copy the string */ 366 i = strlen(list) + 1; 367 if (i <= sizeof buf) 368 { 369 bufp = buf; 370 i = sizeof buf; 371 } 372 else 373 bufp = sm_malloc_x(i); 374 375 SM_TRY 376 { 377 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 378 379 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 380 for (p = bufp; *p != '\0'; ) 381 { 382 ADDRESS a; /* parsed address to be removed */ 383 ADDRESS *q; 384 ADDRESS **pq; 385 char *delimptr; 386 387 /* parse the address */ 388 while ((isascii(*p) && isspace(*p)) || *p == ',') 389 p++; 390 if (parseaddr(p, &a, RF_COPYALL, 391 delimiter, &delimptr, e, true) == NULL) 392 { 393 p = delimptr; 394 continue; 395 } 396 p = delimptr; 397 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 398 { 399 if (!QS_IS_DEAD(q->q_state) && 400 (sameaddr(q, &a) || 401 strcmp(q->q_paddr, a.q_paddr) == 0)) 402 { 403 if (tTd(25, 5)) 404 { 405 sm_dprintf("removefromlist: QS_REMOVED "); 406 printaddr(sm_debug_file(), &a, false); 407 } 408 q->q_state = QS_REMOVED; 409 naddrs++; 410 break; 411 } 412 } 413 } 414 } 415 SM_FINALLY 416 { 417 e->e_to = oldto; 418 if (bufp != buf) 419 sm_free(bufp); 420 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 421 } 422 SM_END_TRY 423 return naddrs; 424 } 425 #endif /* MILTER */ 426 /* 427 ** RECIPIENT -- Designate a message recipient 428 ** 429 ** Saves the named person for future mailing. 430 ** 431 ** Parameters: 432 ** new -- the (preparsed) address header for the recipient. 433 ** sendq -- a pointer to the head of a queue to put the 434 ** recipient in. Duplicate suppression is done 435 ** in this queue. 436 ** aliaslevel -- the current alias nesting depth. 437 ** e -- the current envelope. 438 ** 439 ** Returns: 440 ** The actual address in the queue. This will be "a" if 441 ** the address is not a duplicate, else the original address. 442 ** 443 */ 444 445 ADDRESS * 446 recipient(new, sendq, aliaslevel, e) 447 register ADDRESS *new; 448 register ADDRESS **sendq; 449 int aliaslevel; 450 register ENVELOPE *e; 451 { 452 register ADDRESS *q; 453 ADDRESS **pq; 454 ADDRESS **prev; 455 register struct mailer *m; 456 register char *p; 457 int i, buflen; 458 bool quoted; /* set if the addr has a quote bit */ 459 bool insert; 460 int findusercount; 461 bool initialdontsend; 462 char *buf; 463 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 464 sortfn_t *sortfn; 465 466 p = NULL; 467 quoted = false; 468 insert = false; 469 findusercount = 0; 470 initialdontsend = QS_IS_DEAD(new->q_state); 471 e->e_to = new->q_paddr; 472 m = new->q_mailer; 473 errno = 0; 474 if (aliaslevel == 0) 475 new->q_flags |= QPRIMARY; 476 if (tTd(26, 1)) 477 { 478 sm_dprintf("\nrecipient (%d): ", aliaslevel); 479 printaddr(sm_debug_file(), new, false); 480 } 481 482 /* if this is primary, use it as original recipient */ 483 if (new->q_alias == NULL) 484 { 485 if (e->e_origrcpt == NULL) 486 e->e_origrcpt = new->q_paddr; 487 else if (e->e_origrcpt != new->q_paddr) 488 e->e_origrcpt = ""; 489 } 490 491 /* find parent recipient for finalrcpt and orcpt */ 492 for (q = new; q->q_alias != NULL; q = q->q_alias) 493 continue; 494 495 /* find final recipient DSN address */ 496 if (new->q_finalrcpt == NULL && 497 e->e_from.q_mailer != NULL) 498 { 499 char frbuf[MAXLINE]; 500 501 p = e->e_from.q_mailer->m_addrtype; 502 if (p == NULL) 503 p = "rfc822"; 504 if (sm_strcasecmp(p, "rfc822") != 0) 505 { 506 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 507 q->q_mailer->m_addrtype, 508 q->q_user); 509 } 510 else if (strchr(q->q_user, '@') != NULL) 511 { 512 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 513 p, q->q_user); 514 } 515 else if (strchr(q->q_paddr, '@') != NULL) 516 { 517 char *qp; 518 bool b; 519 520 qp = q->q_paddr; 521 522 /* strip brackets from address */ 523 b = false; 524 if (*qp == '<') 525 { 526 b = qp[strlen(qp) - 1] == '>'; 527 if (b) 528 qp[strlen(qp) - 1] = '\0'; 529 qp++; 530 } 531 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 532 p, qp); 533 534 /* undo damage */ 535 if (b) 536 qp[strlen(qp)] = '>'; 537 } 538 else 539 { 540 (void) sm_snprintf(frbuf, sizeof frbuf, 541 "%s; %.700s@%.100s", 542 p, q->q_user, MyHostName); 543 } 544 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 545 } 546 547 #if _FFR_GEN_ORCPT 548 /* set ORCPT DSN arg if not already set */ 549 if (new->q_orcpt == NULL) 550 { 551 /* check for an existing ORCPT */ 552 if (q->q_orcpt != NULL) 553 new->q_orcpt = q->q_orcpt; 554 else 555 { 556 /* make our own */ 557 bool b = false; 558 char *qp; 559 char obuf[MAXLINE]; 560 561 if (e->e_from.q_mailer != NULL) 562 p = e->e_from.q_mailer->m_addrtype; 563 if (p == NULL) 564 p = "rfc822"; 565 (void) sm_strlcpyn(obuf, sizeof obuf, 2, p, ";"); 566 567 qp = q->q_paddr; 568 569 /* FFR: Needs to strip comments from stdin addrs */ 570 571 /* strip brackets from address */ 572 if (*qp == '<') 573 { 574 b = qp[strlen(qp) - 1] == '>'; 575 if (b) 576 qp[strlen(qp) - 1] = '\0'; 577 qp++; 578 } 579 580 p = xtextify(denlstring(qp, true, false), NULL); 581 582 if (sm_strlcat(obuf, p, sizeof obuf) >= sizeof obuf) 583 { 584 /* if too big, don't use it */ 585 obuf[0] = '\0'; 586 } 587 588 /* undo damage */ 589 if (b) 590 qp[strlen(qp)] = '>'; 591 592 if (obuf[0] != '\0') 593 new->q_orcpt = 594 sm_rpool_strdup_x(e->e_rpool, obuf); 595 } 596 } 597 #endif /* _FFR_GEN_ORCPT */ 598 599 /* break aliasing loops */ 600 if (aliaslevel > MaxAliasRecursion) 601 { 602 new->q_state = QS_BADADDR; 603 new->q_status = "5.4.6"; 604 usrerrenh(new->q_status, 605 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 606 aliaslevel, MaxAliasRecursion); 607 return new; 608 } 609 610 /* 611 ** Finish setting up address structure. 612 */ 613 614 /* get unquoted user for file, program or user.name check */ 615 i = strlen(new->q_user); 616 if (i >= sizeof buf0) 617 { 618 buflen = i + 1; 619 buf = xalloc(buflen); 620 } 621 else 622 { 623 buf = buf0; 624 buflen = sizeof buf0; 625 } 626 (void) sm_strlcpy(buf, new->q_user, buflen); 627 for (p = buf; *p != '\0' && !quoted; p++) 628 { 629 if (*p == '\\') 630 quoted = true; 631 } 632 stripquotes(buf); 633 634 /* check for direct mailing to restricted mailers */ 635 if (m == ProgMailer) 636 { 637 if (new->q_alias == NULL || UseMSP || 638 bitset(EF_UNSAFE, e->e_flags)) 639 { 640 new->q_state = QS_BADADDR; 641 new->q_status = "5.7.1"; 642 usrerrenh(new->q_status, 643 "550 Cannot mail directly to programs"); 644 } 645 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 646 { 647 new->q_state = QS_BADADDR; 648 new->q_status = "5.7.1"; 649 if (new->q_alias->q_ruser == NULL) 650 usrerrenh(new->q_status, 651 "550 UID %d is an unknown user: cannot mail to programs", 652 new->q_alias->q_uid); 653 else 654 usrerrenh(new->q_status, 655 "550 User %s@%s doesn't have a valid shell for mailing to programs", 656 new->q_alias->q_ruser, MyHostName); 657 } 658 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 659 { 660 new->q_state = QS_BADADDR; 661 new->q_status = "5.7.1"; 662 new->q_rstatus = "550 Unsafe for mailing to programs"; 663 usrerrenh(new->q_status, 664 "550 Address %s is unsafe for mailing to programs", 665 new->q_alias->q_paddr); 666 } 667 } 668 669 /* 670 ** Look up this person in the recipient list. 671 ** If they are there already, return, otherwise continue. 672 ** If the list is empty, just add it. Notice the cute 673 ** hack to make from addresses suppress things correctly: 674 ** the QS_DUPLICATE state will be set in the send list. 675 ** [Please note: the emphasis is on "hack."] 676 */ 677 678 prev = NULL; 679 680 /* 681 ** If this message is going to the queue or FastSplit is set 682 ** and it is the first try and the envelope hasn't split, then we 683 ** avoid doing an MX RR lookup now because one will be done when the 684 ** message is extracted from the queue later. It can go to the queue 685 ** because all messages are going to the queue or this mailer of 686 ** the current recipient is marked expensive. 687 */ 688 689 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 690 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 691 FastSplit > 0)) 692 sortfn = sorthost; 693 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 694 sortfn = sortexpensive; 695 else 696 sortfn = sortbysignature; 697 698 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 699 { 700 /* 701 ** If address is "less than" it should be inserted now. 702 ** If address is "greater than" current comparison it'll 703 ** insert later in the list; so loop again (if possible). 704 ** If address is "equal" (different equal than sameaddr() 705 ** call) then check if sameaddr() will be true. 706 ** Because this list is now sorted, it'll mean fewer 707 ** comparisons and fewer loops which is important for more 708 ** recipients. 709 */ 710 711 i = (*sortfn)(new, q); 712 if (i == 0) /* equal */ 713 { 714 /* 715 ** Sortbysignature() has said that the two have 716 ** equal MX RR's and the same user. Calling sameaddr() 717 ** now checks if the two hosts are as identical as the 718 ** MX RR's are (which might not be the case) 719 ** before saying these are the identical addresses. 720 */ 721 722 if (sameaddr(q, new) && 723 (bitset(QRCPTOK, q->q_flags) || 724 !bitset(QPRIMARY, q->q_flags))) 725 { 726 if (tTd(26, 1)) 727 { 728 sm_dprintf("%s in sendq: ", 729 new->q_paddr); 730 printaddr(sm_debug_file(), q, false); 731 } 732 if (!bitset(QPRIMARY, q->q_flags)) 733 { 734 if (!QS_IS_DEAD(new->q_state)) 735 message("duplicate suppressed"); 736 else 737 q->q_state = QS_DUPLICATE; 738 q->q_flags |= new->q_flags; 739 } 740 else if (bitset(QSELFREF, q->q_flags) 741 || q->q_state == QS_REMOVED) 742 { 743 /* 744 ** If an earlier milter removed the 745 ** address, a later one can still add 746 ** it back. 747 */ 748 749 q->q_state = new->q_state; 750 q->q_flags |= new->q_flags; 751 } 752 new = q; 753 goto done; 754 } 755 } 756 else if (i < 0) /* less than */ 757 { 758 insert = true; 759 break; 760 } 761 prev = pq; 762 } 763 764 /* pq should point to an address, never NULL */ 765 SM_ASSERT(pq != NULL); 766 767 /* add address on list */ 768 if (insert) 769 { 770 /* 771 ** insert before 'pq'. Only possible when at least 1 772 ** ADDRESS is in the list already. 773 */ 774 775 new->q_next = *pq; 776 if (prev == NULL) 777 *sendq = new; /* To be the first ADDRESS */ 778 else 779 (*prev)->q_next = new; 780 } 781 else 782 { 783 /* 784 ** Place in list at current 'pq' position. Possible 785 ** when there are 0 or more ADDRESS's in the list. 786 */ 787 788 new->q_next = NULL; 789 *pq = new; 790 } 791 792 /* added a new address: clear split flag */ 793 e->e_flags &= ~EF_SPLIT; 794 795 /* 796 ** Alias the name and handle special mailer types. 797 */ 798 799 trylocaluser: 800 if (tTd(29, 7)) 801 { 802 sm_dprintf("at trylocaluser: "); 803 printaddr(sm_debug_file(), new, false); 804 } 805 806 if (!QS_IS_OK(new->q_state)) 807 { 808 if (QS_IS_UNDELIVERED(new->q_state)) 809 e->e_nrcpts++; 810 goto testselfdestruct; 811 } 812 813 if (m == InclMailer) 814 { 815 new->q_state = QS_INCLUDED; 816 if (new->q_alias == NULL || UseMSP || 817 bitset(EF_UNSAFE, e->e_flags)) 818 { 819 new->q_state = QS_BADADDR; 820 new->q_status = "5.7.1"; 821 usrerrenh(new->q_status, 822 "550 Cannot mail directly to :include:s"); 823 } 824 else 825 { 826 int ret; 827 828 message("including file %s", new->q_user); 829 ret = include(new->q_user, false, new, 830 sendq, aliaslevel, e); 831 if (transienterror(ret)) 832 { 833 if (LogLevel > 2) 834 sm_syslog(LOG_ERR, e->e_id, 835 "include %s: transient error: %s", 836 shortenstring(new->q_user, 837 MAXSHORTSTR), 838 sm_errstring(ret)); 839 new->q_state = QS_QUEUEUP; 840 usrerr("451 4.2.4 Cannot open %s: %s", 841 shortenstring(new->q_user, 842 MAXSHORTSTR), 843 sm_errstring(ret)); 844 } 845 else if (ret != 0) 846 { 847 new->q_state = QS_BADADDR; 848 new->q_status = "5.2.4"; 849 usrerrenh(new->q_status, 850 "550 Cannot open %s: %s", 851 shortenstring(new->q_user, 852 MAXSHORTSTR), 853 sm_errstring(ret)); 854 } 855 } 856 } 857 else if (m == FileMailer) 858 { 859 /* check if allowed */ 860 if (new->q_alias == NULL || UseMSP || 861 bitset(EF_UNSAFE, e->e_flags)) 862 { 863 new->q_state = QS_BADADDR; 864 new->q_status = "5.7.1"; 865 usrerrenh(new->q_status, 866 "550 Cannot mail directly to files"); 867 } 868 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 869 { 870 new->q_state = QS_BADADDR; 871 new->q_status = "5.7.1"; 872 if (new->q_alias->q_ruser == NULL) 873 usrerrenh(new->q_status, 874 "550 UID %d is an unknown user: cannot mail to files", 875 new->q_alias->q_uid); 876 else 877 usrerrenh(new->q_status, 878 "550 User %s@%s doesn't have a valid shell for mailing to files", 879 new->q_alias->q_ruser, MyHostName); 880 } 881 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 882 { 883 new->q_state = QS_BADADDR; 884 new->q_status = "5.7.1"; 885 new->q_rstatus = "550 Unsafe for mailing to files"; 886 usrerrenh(new->q_status, 887 "550 Address %s is unsafe for mailing to files", 888 new->q_alias->q_paddr); 889 } 890 } 891 892 /* try aliasing */ 893 if (!quoted && QS_IS_OK(new->q_state) && 894 bitnset(M_ALIASABLE, m->m_flags)) 895 alias(new, sendq, aliaslevel, e); 896 897 #if USERDB 898 /* if not aliased, look it up in the user database */ 899 if (!bitset(QNOTREMOTE, new->q_flags) && 900 QS_IS_SENDABLE(new->q_state) && 901 bitnset(M_CHECKUDB, m->m_flags)) 902 { 903 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 904 { 905 new->q_state = QS_QUEUEUP; 906 if (e->e_message == NULL) 907 e->e_message = "Deferred: user database error"; 908 if (new->q_message == NULL) 909 new->q_message = "Deferred: user database error"; 910 if (LogLevel > 8) 911 sm_syslog(LOG_INFO, e->e_id, 912 "deferred: udbexpand: %s", 913 sm_errstring(errno)); 914 message("queued (user database error): %s", 915 sm_errstring(errno)); 916 e->e_nrcpts++; 917 goto testselfdestruct; 918 } 919 } 920 #endif /* USERDB */ 921 922 /* 923 ** If we have a level two config file, then pass the name through 924 ** Ruleset 5 before sending it off. Ruleset 5 has the right 925 ** to rewrite it to another mailer. This gives us a hook 926 ** after local aliasing has been done. 927 */ 928 929 if (tTd(29, 5)) 930 { 931 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 932 ConfigLevel, RewriteRules[5]); 933 printaddr(sm_debug_file(), new, false); 934 } 935 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 936 bitnset(M_TRYRULESET5, m->m_flags) && 937 !bitset(QNOTREMOTE, new->q_flags) && 938 QS_IS_OK(new->q_state)) 939 { 940 maplocaluser(new, sendq, aliaslevel + 1, e); 941 } 942 943 /* 944 ** If it didn't get rewritten to another mailer, go ahead 945 ** and deliver it. 946 */ 947 948 if (QS_IS_OK(new->q_state) && 949 bitnset(M_HASPWENT, m->m_flags)) 950 { 951 auto bool fuzzy; 952 SM_MBDB_T user; 953 int status; 954 955 /* warning -- finduser may trash buf */ 956 status = finduser(buf, &fuzzy, &user); 957 switch (status) 958 { 959 case EX_TEMPFAIL: 960 new->q_state = QS_QUEUEUP; 961 new->q_status = "4.5.2"; 962 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 963 new->q_alias, (time_t) 0, e, new); 964 break; 965 default: 966 new->q_state = QS_BADADDR; 967 new->q_status = "5.1.1"; 968 new->q_rstatus = "550 5.1.1 User unknown"; 969 giveresponse(EX_NOUSER, new->q_status, m, NULL, 970 new->q_alias, (time_t) 0, e, new); 971 break; 972 case EX_OK: 973 if (fuzzy) 974 { 975 /* name was a fuzzy match */ 976 new->q_user = sm_rpool_strdup_x(e->e_rpool, 977 user.mbdb_name); 978 if (findusercount++ > 3) 979 { 980 new->q_state = QS_BADADDR; 981 new->q_status = "5.4.6"; 982 usrerrenh(new->q_status, 983 "554 aliasing/forwarding loop for %s broken", 984 user.mbdb_name); 985 goto done; 986 } 987 988 /* see if it aliases */ 989 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 990 goto trylocaluser; 991 } 992 if (*user.mbdb_homedir == '\0') 993 new->q_home = NULL; 994 else if (strcmp(user.mbdb_homedir, "/") == 0) 995 new->q_home = ""; 996 else 997 new->q_home = sm_rpool_strdup_x(e->e_rpool, 998 user.mbdb_homedir); 999 if (user.mbdb_uid != SM_NO_UID) 1000 { 1001 new->q_uid = user.mbdb_uid; 1002 new->q_gid = user.mbdb_gid; 1003 new->q_flags |= QGOODUID; 1004 } 1005 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1006 user.mbdb_name); 1007 if (user.mbdb_fullname[0] != '\0') 1008 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1009 user.mbdb_fullname); 1010 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1011 { 1012 new->q_flags |= QBOGUSSHELL; 1013 } 1014 if (bitset(EF_VRFYONLY, e->e_flags)) 1015 { 1016 /* don't do any more now */ 1017 new->q_state = QS_VERIFIED; 1018 } 1019 else if (!quoted) 1020 forward(new, sendq, aliaslevel, e); 1021 } 1022 } 1023 if (!QS_IS_DEAD(new->q_state)) 1024 e->e_nrcpts++; 1025 1026 testselfdestruct: 1027 new->q_flags |= QTHISPASS; 1028 if (tTd(26, 8)) 1029 { 1030 sm_dprintf("testselfdestruct: "); 1031 printaddr(sm_debug_file(), new, false); 1032 if (tTd(26, 10)) 1033 { 1034 sm_dprintf("SENDQ:\n"); 1035 printaddr(sm_debug_file(), *sendq, true); 1036 sm_dprintf("----\n"); 1037 } 1038 } 1039 if (new->q_alias == NULL && new != &e->e_from && 1040 QS_IS_DEAD(new->q_state)) 1041 { 1042 for (q = *sendq; q != NULL; q = q->q_next) 1043 { 1044 if (!QS_IS_DEAD(q->q_state)) 1045 break; 1046 } 1047 if (q == NULL) 1048 { 1049 new->q_state = QS_BADADDR; 1050 new->q_status = "5.4.6"; 1051 usrerrenh(new->q_status, 1052 "554 aliasing/forwarding loop broken"); 1053 } 1054 } 1055 1056 done: 1057 new->q_flags |= QTHISPASS; 1058 if (buf != buf0) 1059 sm_free(buf); /* XXX leak if above code raises exception */ 1060 1061 /* 1062 ** If we are at the top level, check to see if this has 1063 ** expanded to exactly one address. If so, it can inherit 1064 ** the primaryness of the address. 1065 ** 1066 ** While we're at it, clear the QTHISPASS bits. 1067 */ 1068 1069 if (aliaslevel == 0) 1070 { 1071 int nrcpts = 0; 1072 ADDRESS *only = NULL; 1073 1074 for (q = *sendq; q != NULL; q = q->q_next) 1075 { 1076 if (bitset(QTHISPASS, q->q_flags) && 1077 QS_IS_SENDABLE(q->q_state)) 1078 { 1079 nrcpts++; 1080 only = q; 1081 } 1082 q->q_flags &= ~QTHISPASS; 1083 } 1084 if (nrcpts == 1) 1085 { 1086 /* check to see if this actually got a new owner */ 1087 q = only; 1088 while ((q = q->q_alias) != NULL) 1089 { 1090 if (q->q_owner != NULL) 1091 break; 1092 } 1093 if (q == NULL) 1094 only->q_flags |= QPRIMARY; 1095 } 1096 else if (!initialdontsend && nrcpts > 0) 1097 { 1098 /* arrange for return receipt */ 1099 e->e_flags |= EF_SENDRECEIPT; 1100 new->q_flags |= QEXPANDED; 1101 if (e->e_xfp != NULL && 1102 bitset(QPINGONSUCCESS, new->q_flags)) 1103 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1104 "%s... expanded to multiple addresses\n", 1105 new->q_paddr); 1106 } 1107 } 1108 new->q_flags |= QRCPTOK; 1109 (void) sm_snprintf(buf0, sizeof buf0, "%d", e->e_nrcpts); 1110 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1111 return new; 1112 } 1113 /* 1114 ** FINDUSER -- find the password entry for a user. 1115 ** 1116 ** This looks a lot like getpwnam, except that it may want to 1117 ** do some fancier pattern matching in /etc/passwd. 1118 ** 1119 ** This routine contains most of the time of many sendmail runs. 1120 ** It deserves to be optimized. 1121 ** 1122 ** Parameters: 1123 ** name -- the name to match against. 1124 ** fuzzyp -- an outarg that is set to true if this entry 1125 ** was found using the fuzzy matching algorithm; 1126 ** set to false otherwise. 1127 ** user -- structure to fill in if user is found 1128 ** 1129 ** Returns: 1130 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1131 ** If the user was not found, return EX_NOUSER. 1132 ** On error, return EX_TEMPFAIL or EX_OSERR. 1133 ** 1134 ** Side Effects: 1135 ** may modify name. 1136 */ 1137 1138 int 1139 finduser(name, fuzzyp, user) 1140 char *name; 1141 bool *fuzzyp; 1142 SM_MBDB_T *user; 1143 { 1144 #if MATCHGECOS 1145 register struct passwd *pw; 1146 #endif /* MATCHGECOS */ 1147 register char *p; 1148 bool tryagain; 1149 int status; 1150 1151 if (tTd(29, 4)) 1152 sm_dprintf("finduser(%s): ", name); 1153 1154 *fuzzyp = false; 1155 1156 #if HESIOD 1157 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1158 for (p = name; *p != '\0'; p++) 1159 if (!isascii(*p) || !isdigit(*p)) 1160 break; 1161 if (*p == '\0') 1162 { 1163 if (tTd(29, 4)) 1164 sm_dprintf("failed (numeric input)\n"); 1165 return EX_NOUSER; 1166 } 1167 #endif /* HESIOD */ 1168 1169 /* look up this login name using fast path */ 1170 status = sm_mbdb_lookup(name, user); 1171 if (status != EX_NOUSER) 1172 { 1173 if (tTd(29, 4)) 1174 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1175 return status; 1176 } 1177 1178 /* try mapping it to lower case */ 1179 tryagain = false; 1180 for (p = name; *p != '\0'; p++) 1181 { 1182 if (isascii(*p) && isupper(*p)) 1183 { 1184 *p = tolower(*p); 1185 tryagain = true; 1186 } 1187 } 1188 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1189 { 1190 if (tTd(29, 4)) 1191 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1192 *fuzzyp = true; 1193 return status; 1194 } 1195 1196 #if MATCHGECOS 1197 /* see if fuzzy matching allowed */ 1198 if (!MatchGecos) 1199 { 1200 if (tTd(29, 4)) 1201 sm_dprintf("not found (fuzzy disabled)\n"); 1202 return EX_NOUSER; 1203 } 1204 1205 /* search for a matching full name instead */ 1206 for (p = name; *p != '\0'; p++) 1207 { 1208 if (*p == (SpaceSub & 0177) || *p == '_') 1209 *p = ' '; 1210 } 1211 (void) setpwent(); 1212 while ((pw = getpwent()) != NULL) 1213 { 1214 char buf[MAXNAME + 1]; 1215 1216 # if 0 1217 if (sm_strcasecmp(pw->pw_name, name) == 0) 1218 { 1219 if (tTd(29, 4)) 1220 sm_dprintf("found (case wrapped)\n"); 1221 break; 1222 } 1223 # endif /* 0 */ 1224 1225 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof buf); 1226 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1227 { 1228 if (tTd(29, 4)) 1229 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1230 message("sending to login name %s", pw->pw_name); 1231 break; 1232 } 1233 } 1234 if (pw != NULL) 1235 *fuzzyp = true; 1236 else if (tTd(29, 4)) 1237 sm_dprintf("no fuzzy match found\n"); 1238 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1239 endpwent(); 1240 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1241 if (pw == NULL) 1242 return EX_NOUSER; 1243 sm_mbdb_frompw(user, pw); 1244 return EX_OK; 1245 #else /* MATCHGECOS */ 1246 if (tTd(29, 4)) 1247 sm_dprintf("not found (fuzzy disabled)\n"); 1248 return EX_NOUSER; 1249 #endif /* MATCHGECOS */ 1250 } 1251 /* 1252 ** WRITABLE -- predicate returning if the file is writable. 1253 ** 1254 ** This routine must duplicate the algorithm in sys/fio.c. 1255 ** Unfortunately, we cannot use the access call since we 1256 ** won't necessarily be the real uid when we try to 1257 ** actually open the file. 1258 ** 1259 ** Notice that ANY file with ANY execute bit is automatically 1260 ** not writable. This is also enforced by mailfile. 1261 ** 1262 ** Parameters: 1263 ** filename -- the file name to check. 1264 ** ctladdr -- the controlling address for this file. 1265 ** flags -- SFF_* flags to control the function. 1266 ** 1267 ** Returns: 1268 ** true -- if we will be able to write this file. 1269 ** false -- if we cannot write this file. 1270 ** 1271 ** Side Effects: 1272 ** none. 1273 */ 1274 1275 bool 1276 writable(filename, ctladdr, flags) 1277 char *filename; 1278 ADDRESS *ctladdr; 1279 long flags; 1280 { 1281 uid_t euid = 0; 1282 gid_t egid = 0; 1283 char *user = NULL; 1284 1285 if (tTd(44, 5)) 1286 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1287 1288 /* 1289 ** File does exist -- check that it is writable. 1290 */ 1291 1292 if (geteuid() != 0) 1293 { 1294 euid = geteuid(); 1295 egid = getegid(); 1296 user = NULL; 1297 } 1298 else if (ctladdr != NULL) 1299 { 1300 euid = ctladdr->q_uid; 1301 egid = ctladdr->q_gid; 1302 user = ctladdr->q_user; 1303 } 1304 else if (bitset(SFF_RUNASREALUID, flags)) 1305 { 1306 euid = RealUid; 1307 egid = RealGid; 1308 user = RealUserName; 1309 } 1310 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1311 { 1312 if (FileMailer->m_uid == NO_UID) 1313 { 1314 euid = DefUid; 1315 user = DefUser; 1316 } 1317 else 1318 { 1319 euid = FileMailer->m_uid; 1320 user = NULL; 1321 } 1322 if (FileMailer->m_gid == NO_GID) 1323 egid = DefGid; 1324 else 1325 egid = FileMailer->m_gid; 1326 } 1327 else 1328 { 1329 euid = egid = 0; 1330 user = NULL; 1331 } 1332 if (!bitset(SFF_ROOTOK, flags)) 1333 { 1334 if (euid == 0) 1335 { 1336 euid = DefUid; 1337 user = DefUser; 1338 } 1339 if (egid == 0) 1340 egid = DefGid; 1341 } 1342 if (geteuid() == 0 && 1343 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1344 flags |= SFF_SETUIDOK; 1345 1346 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1347 flags |= SFF_NOSLINK; 1348 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1349 flags |= SFF_NOHLINK; 1350 1351 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1352 return errno == 0; 1353 } 1354 /* 1355 ** INCLUDE -- handle :include: specification. 1356 ** 1357 ** Parameters: 1358 ** fname -- filename to include. 1359 ** forwarding -- if true, we are reading a .forward file. 1360 ** if false, it's a :include: file. 1361 ** ctladdr -- address template to use to fill in these 1362 ** addresses -- effective user/group id are 1363 ** the important things. 1364 ** sendq -- a pointer to the head of the send queue 1365 ** to put these addresses in. 1366 ** aliaslevel -- the alias nesting depth. 1367 ** e -- the current envelope. 1368 ** 1369 ** Returns: 1370 ** open error status 1371 ** 1372 ** Side Effects: 1373 ** reads the :include: file and sends to everyone 1374 ** listed in that file. 1375 ** 1376 ** Security Note: 1377 ** If you have restricted chown (that is, you can't 1378 ** give a file away), it is reasonable to allow programs 1379 ** and files called from this :include: file to be to be 1380 ** run as the owner of the :include: file. This is bogus 1381 ** if there is any chance of someone giving away a file. 1382 ** We assume that pre-POSIX systems can give away files. 1383 ** 1384 ** There is an additional restriction that if you 1385 ** forward to a :include: file, it will not take on 1386 ** the ownership of the :include: file. This may not 1387 ** be necessary, but shouldn't hurt. 1388 */ 1389 1390 static jmp_buf CtxIncludeTimeout; 1391 1392 int 1393 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1394 char *fname; 1395 bool forwarding; 1396 ADDRESS *ctladdr; 1397 ADDRESS **sendq; 1398 int aliaslevel; 1399 ENVELOPE *e; 1400 { 1401 SM_FILE_T *volatile fp = NULL; 1402 char *oldto = e->e_to; 1403 char *oldfilename = FileName; 1404 int oldlinenumber = LineNumber; 1405 register SM_EVENT *ev = NULL; 1406 int nincludes; 1407 int mode; 1408 volatile bool maxreached = false; 1409 register ADDRESS *ca; 1410 volatile uid_t saveduid; 1411 volatile gid_t savedgid; 1412 volatile uid_t uid; 1413 volatile gid_t gid; 1414 char *volatile user; 1415 int rval = 0; 1416 volatile long sfflags = SFF_REGONLY; 1417 register char *p; 1418 bool safechown = false; 1419 volatile bool safedir = false; 1420 struct stat st; 1421 char buf[MAXLINE]; 1422 1423 if (tTd(27, 2)) 1424 sm_dprintf("include(%s)\n", fname); 1425 if (tTd(27, 4)) 1426 sm_dprintf(" ruid=%d euid=%d\n", 1427 (int) getuid(), (int) geteuid()); 1428 if (tTd(27, 14)) 1429 { 1430 sm_dprintf("ctladdr "); 1431 printaddr(sm_debug_file(), ctladdr, false); 1432 } 1433 1434 if (tTd(27, 9)) 1435 sm_dprintf("include: old uid = %d/%d\n", 1436 (int) getuid(), (int) geteuid()); 1437 1438 if (forwarding) 1439 { 1440 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1441 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1442 sfflags |= SFF_NOGWFILES; 1443 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1444 sfflags |= SFF_NOWWFILES; 1445 } 1446 else 1447 { 1448 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1449 sfflags |= SFF_NOGWFILES; 1450 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1451 sfflags |= SFF_NOWWFILES; 1452 } 1453 1454 /* 1455 ** If RunAsUser set, won't be able to run programs as user 1456 ** so mark them as unsafe unless the administrator knows better. 1457 */ 1458 1459 if ((geteuid() != 0 || RunAsUid != 0) && 1460 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1461 { 1462 if (tTd(27, 4)) 1463 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1464 (int) geteuid(), (int) RunAsUid); 1465 ctladdr->q_flags |= QUNSAFEADDR; 1466 } 1467 1468 ca = getctladdr(ctladdr); 1469 if (ca == NULL || 1470 (ca->q_uid == DefUid && ca->q_gid == 0)) 1471 { 1472 uid = DefUid; 1473 gid = DefGid; 1474 user = DefUser; 1475 } 1476 else 1477 { 1478 uid = ca->q_uid; 1479 gid = ca->q_gid; 1480 user = ca->q_user; 1481 } 1482 #if MAILER_SETUID_METHOD != USE_SETUID 1483 saveduid = geteuid(); 1484 savedgid = getegid(); 1485 if (saveduid == 0) 1486 { 1487 if (!DontInitGroups) 1488 { 1489 if (initgroups(user, gid) == -1) 1490 { 1491 rval = EAGAIN; 1492 syserr("include: initgroups(%s, %d) failed", 1493 user, gid); 1494 goto resetuid; 1495 } 1496 } 1497 else 1498 { 1499 GIDSET_T gidset[1]; 1500 1501 gidset[0] = gid; 1502 if (setgroups(1, gidset) == -1) 1503 { 1504 rval = EAGAIN; 1505 syserr("include: setgroups() failed"); 1506 goto resetuid; 1507 } 1508 } 1509 1510 if (gid != 0 && setgid(gid) < -1) 1511 { 1512 rval = EAGAIN; 1513 syserr("setgid(%d) failure", gid); 1514 goto resetuid; 1515 } 1516 if (uid != 0) 1517 { 1518 # if MAILER_SETUID_METHOD == USE_SETEUID 1519 if (seteuid(uid) < 0) 1520 { 1521 rval = EAGAIN; 1522 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1523 uid, (int) getuid(), (int) geteuid()); 1524 goto resetuid; 1525 } 1526 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1527 # if MAILER_SETUID_METHOD == USE_SETREUID 1528 if (setreuid(0, uid) < 0) 1529 { 1530 rval = EAGAIN; 1531 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1532 uid, (int) getuid(), (int) geteuid()); 1533 goto resetuid; 1534 } 1535 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1536 } 1537 } 1538 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1539 1540 if (tTd(27, 9)) 1541 sm_dprintf("include: new uid = %d/%d\n", 1542 (int) getuid(), (int) geteuid()); 1543 1544 /* 1545 ** If home directory is remote mounted but server is down, 1546 ** this can hang or give errors; use a timeout to avoid this 1547 */ 1548 1549 if (setjmp(CtxIncludeTimeout) != 0) 1550 { 1551 ctladdr->q_state = QS_QUEUEUP; 1552 errno = 0; 1553 1554 /* return pseudo-error code */ 1555 rval = E_SM_OPENTIMEOUT; 1556 goto resetuid; 1557 } 1558 if (TimeOuts.to_fileopen > 0) 1559 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1560 else 1561 ev = NULL; 1562 1563 1564 /* check for writable parent directory */ 1565 p = strrchr(fname, '/'); 1566 if (p != NULL) 1567 { 1568 int ret; 1569 1570 *p = '\0'; 1571 ret = safedirpath(fname, uid, gid, user, 1572 sfflags|SFF_SAFEDIRPATH, 0, 0); 1573 if (ret == 0) 1574 { 1575 /* in safe directory: relax chown & link rules */ 1576 safedir = true; 1577 sfflags |= SFF_NOPATHCHECK; 1578 } 1579 else 1580 { 1581 if (bitnset((forwarding ? 1582 DBS_FORWARDFILEINUNSAFEDIRPATH : 1583 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1584 DontBlameSendmail)) 1585 sfflags |= SFF_NOPATHCHECK; 1586 else if (bitnset((forwarding ? 1587 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1588 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1589 DontBlameSendmail) && 1590 ret == E_SM_GWDIR) 1591 { 1592 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1593 DontBlameSendmail); 1594 ret = safedirpath(fname, uid, gid, user, 1595 sfflags|SFF_SAFEDIRPATH, 1596 0, 0); 1597 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1598 DontBlameSendmail); 1599 if (ret == 0) 1600 sfflags |= SFF_NOPATHCHECK; 1601 else 1602 sfflags |= SFF_SAFEDIRPATH; 1603 } 1604 else 1605 sfflags |= SFF_SAFEDIRPATH; 1606 if (ret > E_PSEUDOBASE && 1607 !bitnset((forwarding ? 1608 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1609 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1610 DontBlameSendmail)) 1611 { 1612 if (LogLevel > 11) 1613 sm_syslog(LOG_INFO, e->e_id, 1614 "%s: unsafe directory path, marked unsafe", 1615 shortenstring(fname, MAXSHORTSTR)); 1616 ctladdr->q_flags |= QUNSAFEADDR; 1617 } 1618 } 1619 *p = '/'; 1620 } 1621 1622 /* allow links only in unwritable directories */ 1623 if (!safedir && 1624 !bitnset((forwarding ? 1625 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1626 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1627 DontBlameSendmail)) 1628 sfflags |= SFF_NOLINK; 1629 1630 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1631 if (rval != 0) 1632 { 1633 /* don't use this :include: file */ 1634 if (tTd(27, 4)) 1635 sm_dprintf("include: not safe (uid=%d): %s\n", 1636 (int) uid, sm_errstring(rval)); 1637 } 1638 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1639 SM_IO_RDONLY, NULL)) == NULL) 1640 { 1641 rval = errno; 1642 if (tTd(27, 4)) 1643 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1644 } 1645 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1646 { 1647 rval = E_SM_FILECHANGE; 1648 if (tTd(27, 4)) 1649 sm_dprintf("include: file changed after open\n"); 1650 } 1651 if (ev != NULL) 1652 sm_clrevent(ev); 1653 1654 resetuid: 1655 1656 #if HASSETREUID || USESETEUID 1657 if (saveduid == 0) 1658 { 1659 if (uid != 0) 1660 { 1661 # if USESETEUID 1662 if (seteuid(0) < 0) 1663 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1664 (int) getuid(), (int) geteuid()); 1665 # else /* USESETEUID */ 1666 if (setreuid(-1, 0) < 0) 1667 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1668 (int) getuid(), (int) geteuid()); 1669 if (setreuid(RealUid, 0) < 0) 1670 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1671 (int) RealUid, (int) getuid(), 1672 (int) geteuid()); 1673 # endif /* USESETEUID */ 1674 } 1675 if (setgid(savedgid) < 0) 1676 syserr("!setgid(%d) failure (real=%d eff=%d)", 1677 (int) savedgid, (int) getgid(), 1678 (int) getegid()); 1679 } 1680 #endif /* HASSETREUID || USESETEUID */ 1681 1682 if (tTd(27, 9)) 1683 sm_dprintf("include: reset uid = %d/%d\n", 1684 (int) getuid(), (int) geteuid()); 1685 1686 if (rval == E_SM_OPENTIMEOUT) 1687 usrerr("451 4.4.1 open timeout on %s", fname); 1688 1689 if (fp == NULL) 1690 return rval; 1691 1692 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1693 { 1694 rval = errno; 1695 syserr("Cannot fstat %s!", fname); 1696 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1697 return rval; 1698 } 1699 1700 /* if path was writable, check to avoid file giveaway tricks */ 1701 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1702 if (tTd(27, 6)) 1703 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1704 fname, safedir ? "safe" : "dangerous", 1705 safechown ? "" : "un"); 1706 1707 /* if no controlling user or coming from an alias delivery */ 1708 if (safechown && 1709 (ca == NULL || 1710 (ca->q_uid == DefUid && ca->q_gid == 0))) 1711 { 1712 ctladdr->q_uid = st.st_uid; 1713 ctladdr->q_gid = st.st_gid; 1714 ctladdr->q_flags |= QGOODUID; 1715 } 1716 if (ca != NULL && ca->q_uid == st.st_uid) 1717 { 1718 /* optimization -- avoid getpwuid if we already have info */ 1719 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1720 ctladdr->q_ruser = ca->q_ruser; 1721 } 1722 else if (!forwarding) 1723 { 1724 register struct passwd *pw; 1725 1726 pw = sm_getpwuid(st.st_uid); 1727 if (pw == NULL) 1728 { 1729 ctladdr->q_uid = st.st_uid; 1730 ctladdr->q_flags |= QBOGUSSHELL; 1731 } 1732 else 1733 { 1734 char *sh; 1735 1736 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1737 pw->pw_name); 1738 if (safechown) 1739 sh = pw->pw_shell; 1740 else 1741 sh = "/SENDMAIL/ANY/SHELL/"; 1742 if (!usershellok(pw->pw_name, sh)) 1743 { 1744 if (LogLevel > 11) 1745 sm_syslog(LOG_INFO, e->e_id, 1746 "%s: user %s has bad shell %s, marked %s", 1747 shortenstring(fname, 1748 MAXSHORTSTR), 1749 pw->pw_name, sh, 1750 safechown ? "bogus" : "unsafe"); 1751 if (safechown) 1752 ctladdr->q_flags |= QBOGUSSHELL; 1753 else 1754 ctladdr->q_flags |= QUNSAFEADDR; 1755 } 1756 } 1757 } 1758 1759 if (bitset(EF_VRFYONLY, e->e_flags)) 1760 { 1761 /* don't do any more now */ 1762 ctladdr->q_state = QS_VERIFIED; 1763 e->e_nrcpts++; 1764 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1765 return rval; 1766 } 1767 1768 /* 1769 ** Check to see if some bad guy can write this file 1770 ** 1771 ** Group write checking could be more clever, e.g., 1772 ** guessing as to which groups are actually safe ("sys" 1773 ** may be; "user" probably is not). 1774 */ 1775 1776 mode = S_IWOTH; 1777 if (!bitnset((forwarding ? 1778 DBS_GROUPWRITABLEFORWARDFILESAFE : 1779 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1780 DontBlameSendmail)) 1781 mode |= S_IWGRP; 1782 1783 if (bitset(mode, st.st_mode)) 1784 { 1785 if (tTd(27, 6)) 1786 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1787 shortenstring(fname, MAXSHORTSTR), 1788 bitset(S_IWOTH, st.st_mode) ? "world" 1789 : "group"); 1790 if (LogLevel > 11) 1791 sm_syslog(LOG_INFO, e->e_id, 1792 "%s: %s writable %s file, marked unsafe", 1793 shortenstring(fname, MAXSHORTSTR), 1794 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1795 forwarding ? "forward" : ":include:"); 1796 ctladdr->q_flags |= QUNSAFEADDR; 1797 } 1798 1799 /* read the file -- each line is a comma-separated list. */ 1800 FileName = fname; 1801 LineNumber = 0; 1802 ctladdr->q_flags &= ~QSELFREF; 1803 nincludes = 0; 1804 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof buf) != NULL && 1805 !maxreached) 1806 { 1807 fixcrlf(buf, true); 1808 LineNumber++; 1809 if (buf[0] == '#' || buf[0] == '\0') 1810 continue; 1811 1812 /* <sp>#@# introduces a comment anywhere */ 1813 /* for Japanese character sets */ 1814 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1815 { 1816 if (p[1] == '@' && p[2] == '#' && 1817 isascii(p[-1]) && isspace(p[-1]) && 1818 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1819 { 1820 --p; 1821 while (p > buf && isascii(p[-1]) && 1822 isspace(p[-1])) 1823 --p; 1824 p[0] = '\0'; 1825 break; 1826 } 1827 } 1828 if (buf[0] == '\0') 1829 continue; 1830 1831 e->e_to = NULL; 1832 message("%s to %s", 1833 forwarding ? "forwarding" : "sending", buf); 1834 if (forwarding && LogLevel > 10) 1835 sm_syslog(LOG_INFO, e->e_id, 1836 "forward %.200s => %s", 1837 oldto, shortenstring(buf, MAXSHORTSTR)); 1838 1839 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1840 1841 if (forwarding && 1842 MaxForwardEntries > 0 && 1843 nincludes >= MaxForwardEntries) 1844 { 1845 /* just stop reading and processing further entries */ 1846 #if 0 1847 /* additional: (?) */ 1848 ctladdr->q_state = QS_DONTSEND; 1849 #endif /* 0 */ 1850 1851 syserr("Attempt to forward to more than %d addresses (in %s)!", 1852 MaxForwardEntries, fname); 1853 maxreached = true; 1854 } 1855 } 1856 1857 if (sm_io_error(fp) && tTd(27, 3)) 1858 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1859 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1860 { 1861 if (tTd(27, 5)) 1862 { 1863 sm_dprintf("include: QS_DONTSEND "); 1864 printaddr(sm_debug_file(), ctladdr, false); 1865 } 1866 ctladdr->q_state = QS_DONTSEND; 1867 } 1868 1869 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1870 FileName = oldfilename; 1871 LineNumber = oldlinenumber; 1872 e->e_to = oldto; 1873 return rval; 1874 } 1875 1876 static void 1877 includetimeout() 1878 { 1879 /* 1880 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1881 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1882 ** DOING. 1883 */ 1884 1885 errno = ETIMEDOUT; 1886 longjmp(CtxIncludeTimeout, 1); 1887 } 1888 /* 1889 ** SENDTOARGV -- send to an argument vector. 1890 ** 1891 ** Parameters: 1892 ** argv -- argument vector to send to. 1893 ** e -- the current envelope. 1894 ** 1895 ** Returns: 1896 ** none. 1897 ** 1898 ** Side Effects: 1899 ** puts all addresses on the argument vector onto the 1900 ** send queue. 1901 */ 1902 1903 void 1904 sendtoargv(argv, e) 1905 register char **argv; 1906 register ENVELOPE *e; 1907 { 1908 register char *p; 1909 1910 while ((p = *argv++) != NULL) 1911 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1912 } 1913 /* 1914 ** GETCTLADDR -- get controlling address from an address header. 1915 ** 1916 ** If none, get one corresponding to the effective userid. 1917 ** 1918 ** Parameters: 1919 ** a -- the address to find the controller of. 1920 ** 1921 ** Returns: 1922 ** the controlling address. 1923 */ 1924 1925 ADDRESS * 1926 getctladdr(a) 1927 register ADDRESS *a; 1928 { 1929 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1930 a = a->q_alias; 1931 return a; 1932 } 1933 /* 1934 ** SELF_REFERENCE -- check to see if an address references itself 1935 ** 1936 ** The check is done through a chain of aliases. If it is part of 1937 ** a loop, break the loop at the "best" address, that is, the one 1938 ** that exists as a real user. 1939 ** 1940 ** This is to handle the case of: 1941 ** awc: Andrew.Chang 1942 ** Andrew.Chang: awc@mail.server 1943 ** which is a problem only on mail.server. 1944 ** 1945 ** Parameters: 1946 ** a -- the address to check. 1947 ** 1948 ** Returns: 1949 ** The address that should be retained. 1950 */ 1951 1952 static ADDRESS * 1953 self_reference(a) 1954 ADDRESS *a; 1955 { 1956 ADDRESS *b; /* top entry in self ref loop */ 1957 ADDRESS *c; /* entry that point to a real mail box */ 1958 1959 if (tTd(27, 1)) 1960 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1961 1962 for (b = a->q_alias; b != NULL; b = b->q_alias) 1963 { 1964 if (sameaddr(a, b)) 1965 break; 1966 } 1967 1968 if (b == NULL) 1969 { 1970 if (tTd(27, 1)) 1971 sm_dprintf("\t... no self ref\n"); 1972 return NULL; 1973 } 1974 1975 /* 1976 ** Pick the first address that resolved to a real mail box 1977 ** i.e has a mbdb entry. The returned value will be marked 1978 ** QSELFREF in recipient(), which in turn will disable alias() 1979 ** from marking it as QS_IS_DEAD(), which mean it will be used 1980 ** as a deliverable address. 1981 ** 1982 ** The 2 key thing to note here are: 1983 ** 1) we are in a recursive call sequence: 1984 ** alias->sendtolist->recipient->alias 1985 ** 2) normally, when we return back to alias(), the address 1986 ** will be marked QS_EXPANDED, since alias() assumes the 1987 ** expanded form will be used instead of the current address. 1988 ** This behaviour is turned off if the address is marked 1989 ** QSELFREF. We set QSELFREF when we return to recipient(). 1990 */ 1991 1992 c = a; 1993 while (c != NULL) 1994 { 1995 if (tTd(27, 10)) 1996 sm_dprintf(" %s", c->q_user); 1997 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 1998 { 1999 SM_MBDB_T user; 2000 2001 if (tTd(27, 2)) 2002 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2003 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2004 { 2005 if (tTd(27, 2)) 2006 sm_dprintf("found\n"); 2007 2008 /* ought to cache results here */ 2009 if (sameaddr(b, c)) 2010 return b; 2011 else 2012 return c; 2013 } 2014 if (tTd(27, 2)) 2015 sm_dprintf("failed\n"); 2016 } 2017 else 2018 { 2019 /* if local delivery, compare usernames */ 2020 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2021 b->q_mailer == c->q_mailer) 2022 { 2023 if (tTd(27, 2)) 2024 sm_dprintf("\t... local match (%s)\n", 2025 c->q_user); 2026 if (sameaddr(b, c)) 2027 return b; 2028 else 2029 return c; 2030 } 2031 } 2032 if (tTd(27, 10)) 2033 sm_dprintf("\n"); 2034 c = c->q_alias; 2035 } 2036 2037 if (tTd(27, 1)) 2038 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2039 2040 return NULL; 2041 } 2042