1 /* 2 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #include <sendmail.h> 15 16 SM_RCSID("@(#)$Id: recipient.c,v 8.348 2007/03/19 21:33:09 ca Exp $") 17 18 static void includetimeout __P((int)); 19 static ADDRESS *self_reference __P((ADDRESS *)); 20 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 21 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 22 static int sorthost __P((ADDRESS *, ADDRESS *)); 23 24 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 25 26 /* 27 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 28 ** 29 ** Parameters: 30 ** xx -- first ADDRESS 31 ** yy -- second ADDRESS 32 ** 33 ** Returns: 34 ** <0 when xx->q_host is less than yy->q_host 35 ** >0 when xx->q_host is greater than yy->q_host 36 ** 0 when equal 37 */ 38 39 static int 40 sorthost(xx, yy) 41 register ADDRESS *xx; 42 register ADDRESS *yy; 43 { 44 #if _FFR_HOST_SORT_REVERSE 45 /* XXX maybe compare hostnames from the end? */ 46 return sm_strrevcasecmp(xx->q_host, yy->q_host); 47 #else /* _FFR_HOST_SORT_REVERSE */ 48 return sm_strcasecmp(xx->q_host, yy->q_host); 49 #endif /* _FFR_HOST_SORT_REVERSE */ 50 } 51 52 /* 53 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 54 ** 55 ** The mailer has been noted already as "expensive" for 'xx'. This 56 ** will give a result relative to 'yy'. Expensive mailers get rated 57 ** "greater than" non-expensive mailers because during the delivery phase 58 ** it will get queued -- no use it getting in the way of less expensive 59 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 60 ** expensive since an MX RR lookup happens when extracted from the queue 61 ** later. 62 ** 63 ** Parameters: 64 ** xx -- first ADDRESS 65 ** yy -- second ADDRESS 66 ** 67 ** Returns: 68 ** <0 when xx->q_host is less than yy->q_host and both are 69 ** expensive 70 ** >0 when xx->q_host is greater than yy->q_host, or when 71 ** 'yy' is non-expensive 72 ** 0 when equal (by expense and q_host) 73 */ 74 75 static int 76 sortexpensive(xx, yy) 77 ADDRESS *xx; 78 ADDRESS *yy; 79 { 80 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 81 return 1; /* xx should go later */ 82 #if _FFR_HOST_SORT_REVERSE 83 /* XXX maybe compare hostnames from the end? */ 84 return sm_strrevcasecmp(xx->q_host, yy->q_host); 85 #else /* _FFR_HOST_SORT_REVERSE */ 86 return sm_strcasecmp(xx->q_host, yy->q_host); 87 #endif /* _FFR_HOST_SORT_REVERSE */ 88 } 89 90 /* 91 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 92 ** 93 ** Parameters: 94 ** xx -- first ADDRESS 95 ** yy -- second ADDRESS 96 ** 97 ** Returns: 98 ** 0 when the "signature"'s are same 99 ** <0 when xx->q_signature is less than yy->q_signature 100 ** >0 when xx->q_signature is greater than yy->q_signature 101 ** 102 ** Side Effect: 103 ** May set ADDRESS pointer for q_signature if not already set. 104 */ 105 106 static int 107 sortbysignature(xx, yy) 108 ADDRESS *xx; 109 ADDRESS *yy; 110 { 111 register int ret; 112 113 /* Let's avoid redoing the signature over and over again */ 114 if (xx->q_signature == NULL) 115 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 116 if (yy->q_signature == NULL) 117 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 118 ret = strcmp(xx->q_signature, yy->q_signature); 119 120 /* 121 ** If the two signatures are the same then we will return a sort 122 ** value based on 'q_user'. But note that we have reversed xx and yy 123 ** on purpose. This additional compare helps reduce the number of 124 ** sameaddr() calls and loops in recipient() for the case when 125 ** the rcpt list has been provided already in-order. 126 */ 127 128 if (ret == 0) 129 return strcmp(yy->q_user, xx->q_user); 130 else 131 return ret; 132 } 133 134 /* 135 ** SENDTOLIST -- Designate a send list. 136 ** 137 ** The parameter is a comma-separated list of people to send to. 138 ** This routine arranges to send to all of them. 139 ** 140 ** Parameters: 141 ** list -- the send list. 142 ** ctladdr -- the address template for the person to 143 ** send to -- effective uid/gid are important. 144 ** This is typically the alias that caused this 145 ** expansion. 146 ** sendq -- a pointer to the head of a queue to put 147 ** these people into. 148 ** aliaslevel -- the current alias nesting depth -- to 149 ** diagnose loops. 150 ** e -- the envelope in which to add these recipients. 151 ** 152 ** Returns: 153 ** The number of addresses actually on the list. 154 */ 155 156 /* q_flags bits inherited from ctladdr */ 157 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 158 159 int 160 sendtolist(list, ctladdr, sendq, aliaslevel, e) 161 char *list; 162 ADDRESS *ctladdr; 163 ADDRESS **sendq; 164 int aliaslevel; 165 register ENVELOPE *e; 166 { 167 register char *p; 168 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 169 SM_NONVOLATILE char delimiter; /* the address delimiter */ 170 SM_NONVOLATILE int naddrs; 171 SM_NONVOLATILE int i; 172 char *endp; 173 char *oldto = e->e_to; 174 char *SM_NONVOLATILE bufp; 175 char buf[MAXNAME + 1]; 176 177 if (list == NULL) 178 { 179 syserr("sendtolist: null list"); 180 return 0; 181 } 182 183 if (tTd(25, 1)) 184 { 185 sm_dprintf("sendto: %s\n ctladdr=", list); 186 printaddr(sm_debug_file(), ctladdr, false); 187 } 188 189 /* heuristic to determine old versus new style addresses */ 190 if (ctladdr == NULL && 191 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 192 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 193 e->e_flags &= ~EF_OLDSTYLE; 194 delimiter = ' '; 195 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 196 delimiter = ','; 197 198 al = NULL; 199 naddrs = 0; 200 201 /* make sure we have enough space to copy the string */ 202 i = strlen(list) + 1; 203 if (i <= sizeof(buf)) 204 { 205 bufp = buf; 206 i = sizeof(buf); 207 } 208 else 209 bufp = sm_malloc_x(i); 210 endp = bufp + i; 211 212 SM_TRY 213 { 214 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 215 216 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 217 for (p = bufp; *p != '\0'; ) 218 { 219 auto char *delimptr; 220 register ADDRESS *a; 221 222 SM_ASSERT(p < endp); 223 224 /* parse the address */ 225 while ((isascii(*p) && isspace(*p)) || *p == ',') 226 p++; 227 SM_ASSERT(p < endp); 228 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 229 &delimptr, e, true); 230 p = delimptr; 231 SM_ASSERT(p < endp); 232 if (a == NULL) 233 continue; 234 a->q_next = al; 235 a->q_alias = ctladdr; 236 237 /* arrange to inherit attributes from parent */ 238 if (ctladdr != NULL) 239 { 240 ADDRESS *b; 241 242 /* self reference test */ 243 if (sameaddr(ctladdr, a)) 244 { 245 if (tTd(27, 5)) 246 { 247 sm_dprintf("sendtolist: QSELFREF "); 248 printaddr(sm_debug_file(), ctladdr, false); 249 } 250 ctladdr->q_flags |= QSELFREF; 251 } 252 253 /* check for address loops */ 254 b = self_reference(a); 255 if (b != NULL) 256 { 257 b->q_flags |= QSELFREF; 258 if (tTd(27, 5)) 259 { 260 sm_dprintf("sendtolist: QSELFREF "); 261 printaddr(sm_debug_file(), b, false); 262 } 263 if (a != b) 264 { 265 if (tTd(27, 5)) 266 { 267 sm_dprintf("sendtolist: QS_DONTSEND "); 268 printaddr(sm_debug_file(), a, false); 269 } 270 a->q_state = QS_DONTSEND; 271 b->q_flags |= a->q_flags & QNOTREMOTE; 272 continue; 273 } 274 } 275 276 /* full name */ 277 if (a->q_fullname == NULL) 278 a->q_fullname = ctladdr->q_fullname; 279 280 /* various flag bits */ 281 a->q_flags &= ~QINHERITEDBITS; 282 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 283 284 /* DSN recipient information */ 285 a->q_finalrcpt = ctladdr->q_finalrcpt; 286 a->q_orcpt = ctladdr->q_orcpt; 287 } 288 289 al = a; 290 } 291 292 /* arrange to send to everyone on the local send list */ 293 while (al != NULL) 294 { 295 register ADDRESS *a = al; 296 297 al = a->q_next; 298 a = recipient(a, sendq, aliaslevel, e); 299 naddrs++; 300 } 301 } 302 SM_FINALLY 303 { 304 e->e_to = oldto; 305 if (bufp != buf) 306 sm_free(bufp); 307 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 308 } 309 SM_END_TRY 310 return naddrs; 311 } 312 313 #if MILTER 314 /* 315 ** REMOVEFROMLIST -- Remove addresses from a send list. 316 ** 317 ** The parameter is a comma-separated list of recipients to remove. 318 ** Note that it only deletes matching addresses. If those addresses 319 ** have been expanded already in the sendq, it won't mark the 320 ** expanded recipients as QS_REMOVED. 321 ** 322 ** Parameters: 323 ** list -- the list to remove. 324 ** sendq -- a pointer to the head of a queue to remove 325 ** these addresses from. 326 ** e -- the envelope in which to remove these recipients. 327 ** 328 ** Returns: 329 ** The number of addresses removed from the list. 330 ** 331 */ 332 333 int 334 removefromlist(list, sendq, e) 335 char *list; 336 ADDRESS **sendq; 337 ENVELOPE *e; 338 { 339 SM_NONVOLATILE char delimiter; /* the address delimiter */ 340 SM_NONVOLATILE int naddrs; 341 SM_NONVOLATILE int i; 342 char *p; 343 char *oldto = e->e_to; 344 char *SM_NONVOLATILE bufp; 345 char buf[MAXNAME + 1]; 346 347 if (list == NULL) 348 { 349 syserr("removefromlist: null list"); 350 return 0; 351 } 352 353 if (tTd(25, 1)) 354 sm_dprintf("removefromlist: %s\n", list); 355 356 /* heuristic to determine old versus new style addresses */ 357 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 358 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 359 e->e_flags &= ~EF_OLDSTYLE; 360 delimiter = ' '; 361 if (!bitset(EF_OLDSTYLE, e->e_flags)) 362 delimiter = ','; 363 364 naddrs = 0; 365 366 /* make sure we have enough space to copy the string */ 367 i = strlen(list) + 1; 368 if (i <= sizeof(buf)) 369 { 370 bufp = buf; 371 i = sizeof(buf); 372 } 373 else 374 bufp = sm_malloc_x(i); 375 376 SM_TRY 377 { 378 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 379 380 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 381 for (p = bufp; *p != '\0'; ) 382 { 383 ADDRESS a; /* parsed address to be removed */ 384 ADDRESS *q; 385 ADDRESS **pq; 386 char *delimptr; 387 388 /* parse the address */ 389 while ((isascii(*p) && isspace(*p)) || *p == ',') 390 p++; 391 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 392 delimiter, &delimptr, e, true) == NULL) 393 { 394 p = delimptr; 395 continue; 396 } 397 p = delimptr; 398 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 399 { 400 if (!QS_IS_DEAD(q->q_state) && 401 (sameaddr(q, &a) || 402 strcmp(q->q_paddr, a.q_paddr) == 0)) 403 { 404 if (tTd(25, 5)) 405 { 406 sm_dprintf("removefromlist: QS_REMOVED "); 407 printaddr(sm_debug_file(), &a, false); 408 } 409 q->q_state = QS_REMOVED; 410 naddrs++; 411 break; 412 } 413 } 414 } 415 } 416 SM_FINALLY 417 { 418 e->e_to = oldto; 419 if (bufp != buf) 420 sm_free(bufp); 421 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 422 } 423 SM_END_TRY 424 return naddrs; 425 } 426 #endif /* MILTER */ 427 428 /* 429 ** RECIPIENT -- Designate a message recipient 430 ** Saves the named person for future mailing (after some checks). 431 ** 432 ** Parameters: 433 ** new -- the (preparsed) address header for the recipient. 434 ** sendq -- a pointer to the head of a queue to put the 435 ** recipient in. Duplicate suppression is done 436 ** in this queue. 437 ** aliaslevel -- the current alias nesting depth. 438 ** e -- the current envelope. 439 ** 440 ** Returns: 441 ** The actual address in the queue. This will be "a" if 442 ** the address is not a duplicate, else the original address. 443 ** 444 */ 445 446 ADDRESS * 447 recipient(new, sendq, aliaslevel, e) 448 register ADDRESS *new; 449 register ADDRESS **sendq; 450 int aliaslevel; 451 register ENVELOPE *e; 452 { 453 register ADDRESS *q; 454 ADDRESS **pq; 455 ADDRESS **prev; 456 register struct mailer *m; 457 register char *p; 458 int i, buflen; 459 bool quoted; /* set if the addr has a quote bit */ 460 bool insert; 461 int findusercount; 462 bool initialdontsend; 463 char *buf; 464 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 465 sortfn_t *sortfn; 466 467 p = NULL; 468 quoted = false; 469 insert = false; 470 findusercount = 0; 471 initialdontsend = QS_IS_DEAD(new->q_state); 472 e->e_to = new->q_paddr; 473 m = new->q_mailer; 474 errno = 0; 475 if (aliaslevel == 0) 476 new->q_flags |= QPRIMARY; 477 if (tTd(26, 1)) 478 { 479 sm_dprintf("\nrecipient (%d): ", aliaslevel); 480 printaddr(sm_debug_file(), new, false); 481 } 482 483 /* if this is primary, use it as original recipient */ 484 if (new->q_alias == NULL) 485 { 486 if (e->e_origrcpt == NULL) 487 e->e_origrcpt = new->q_paddr; 488 else if (e->e_origrcpt != new->q_paddr) 489 e->e_origrcpt = ""; 490 } 491 492 /* find parent recipient for finalrcpt and orcpt */ 493 for (q = new; q->q_alias != NULL; q = q->q_alias) 494 continue; 495 496 /* find final recipient DSN address */ 497 if (new->q_finalrcpt == NULL && 498 e->e_from.q_mailer != NULL) 499 { 500 char frbuf[MAXLINE]; 501 502 p = e->e_from.q_mailer->m_addrtype; 503 if (p == NULL) 504 p = "rfc822"; 505 if (sm_strcasecmp(p, "rfc822") != 0) 506 { 507 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 508 q->q_mailer->m_addrtype, 509 q->q_user); 510 } 511 else if (strchr(q->q_user, '@') != NULL) 512 { 513 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 514 p, q->q_user); 515 } 516 else if (strchr(q->q_paddr, '@') != NULL) 517 { 518 char *qp; 519 bool b; 520 521 qp = q->q_paddr; 522 523 /* strip brackets from address */ 524 b = false; 525 if (*qp == '<') 526 { 527 b = qp[strlen(qp) - 1] == '>'; 528 if (b) 529 qp[strlen(qp) - 1] = '\0'; 530 qp++; 531 } 532 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 533 p, qp); 534 535 /* undo damage */ 536 if (b) 537 qp[strlen(qp)] = '>'; 538 } 539 else 540 { 541 (void) sm_snprintf(frbuf, sizeof(frbuf), 542 "%s; %.700s@%.100s", 543 p, q->q_user, MyHostName); 544 } 545 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 546 } 547 548 #if _FFR_GEN_ORCPT 549 /* set ORCPT DSN arg if not already set */ 550 if (new->q_orcpt == NULL) 551 { 552 /* check for an existing ORCPT */ 553 if (q->q_orcpt != NULL) 554 new->q_orcpt = q->q_orcpt; 555 else 556 { 557 /* make our own */ 558 bool b = false; 559 char *qp; 560 char obuf[MAXLINE]; 561 562 if (e->e_from.q_mailer != NULL) 563 p = e->e_from.q_mailer->m_addrtype; 564 if (p == NULL) 565 p = "rfc822"; 566 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 567 568 qp = q->q_paddr; 569 570 /* FFR: Needs to strip comments from stdin addrs */ 571 572 /* strip brackets from address */ 573 if (*qp == '<') 574 { 575 b = qp[strlen(qp) - 1] == '>'; 576 if (b) 577 qp[strlen(qp) - 1] = '\0'; 578 qp++; 579 } 580 581 p = xtextify(denlstring(qp, true, false), "="); 582 583 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 584 { 585 /* if too big, don't use it */ 586 obuf[0] = '\0'; 587 } 588 589 /* undo damage */ 590 if (b) 591 qp[strlen(qp)] = '>'; 592 593 if (obuf[0] != '\0') 594 new->q_orcpt = 595 sm_rpool_strdup_x(e->e_rpool, obuf); 596 } 597 } 598 #endif /* _FFR_GEN_ORCPT */ 599 600 /* break aliasing loops */ 601 if (aliaslevel > MaxAliasRecursion) 602 { 603 new->q_state = QS_BADADDR; 604 new->q_status = "5.4.6"; 605 if (new->q_alias != NULL) 606 { 607 new->q_alias->q_state = QS_BADADDR; 608 new->q_alias->q_status = "5.4.6"; 609 } 610 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 611 { 612 sm_syslog(LOG_ERR, e->e_id, 613 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 614 FileName != NULL ? FileName : "", aliaslevel, 615 MaxAliasRecursion); 616 } 617 usrerrenh(new->q_status, 618 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 619 aliaslevel, MaxAliasRecursion); 620 return new; 621 } 622 623 /* 624 ** Finish setting up address structure. 625 */ 626 627 /* get unquoted user for file, program or user.name check */ 628 i = strlen(new->q_user); 629 if (i >= sizeof(buf0)) 630 { 631 buflen = i + 1; 632 buf = xalloc(buflen); 633 } 634 else 635 { 636 buf = buf0; 637 buflen = sizeof(buf0); 638 } 639 (void) sm_strlcpy(buf, new->q_user, buflen); 640 for (p = buf; *p != '\0' && !quoted; p++) 641 { 642 if (*p == '\\') 643 quoted = true; 644 } 645 stripquotes(buf); 646 647 /* check for direct mailing to restricted mailers */ 648 if (m == ProgMailer) 649 { 650 if (new->q_alias == NULL || UseMSP || 651 bitset(EF_UNSAFE, e->e_flags)) 652 { 653 new->q_state = QS_BADADDR; 654 new->q_status = "5.7.1"; 655 usrerrenh(new->q_status, 656 "550 Cannot mail directly to programs"); 657 } 658 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 659 { 660 new->q_state = QS_BADADDR; 661 new->q_status = "5.7.1"; 662 if (new->q_alias->q_ruser == NULL) 663 usrerrenh(new->q_status, 664 "550 UID %d is an unknown user: cannot mail to programs", 665 new->q_alias->q_uid); 666 else 667 usrerrenh(new->q_status, 668 "550 User %s@%s doesn't have a valid shell for mailing to programs", 669 new->q_alias->q_ruser, MyHostName); 670 } 671 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 672 { 673 new->q_state = QS_BADADDR; 674 new->q_status = "5.7.1"; 675 new->q_rstatus = "550 Unsafe for mailing to programs"; 676 usrerrenh(new->q_status, 677 "550 Address %s is unsafe for mailing to programs", 678 new->q_alias->q_paddr); 679 } 680 } 681 682 /* 683 ** Look up this person in the recipient list. 684 ** If they are there already, return, otherwise continue. 685 ** If the list is empty, just add it. Notice the cute 686 ** hack to make from addresses suppress things correctly: 687 ** the QS_DUPLICATE state will be set in the send list. 688 ** [Please note: the emphasis is on "hack."] 689 */ 690 691 prev = NULL; 692 693 /* 694 ** If this message is going to the queue or FastSplit is set 695 ** and it is the first try and the envelope hasn't split, then we 696 ** avoid doing an MX RR lookup now because one will be done when the 697 ** message is extracted from the queue later. It can go to the queue 698 ** because all messages are going to the queue or this mailer of 699 ** the current recipient is marked expensive. 700 */ 701 702 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 703 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 704 FastSplit > 0)) 705 sortfn = sorthost; 706 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 707 sortfn = sortexpensive; 708 else 709 sortfn = sortbysignature; 710 711 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 712 { 713 /* 714 ** If address is "less than" it should be inserted now. 715 ** If address is "greater than" current comparison it'll 716 ** insert later in the list; so loop again (if possible). 717 ** If address is "equal" (different equal than sameaddr() 718 ** call) then check if sameaddr() will be true. 719 ** Because this list is now sorted, it'll mean fewer 720 ** comparisons and fewer loops which is important for more 721 ** recipients. 722 */ 723 724 i = (*sortfn)(new, q); 725 if (i == 0) /* equal */ 726 { 727 /* 728 ** Sortbysignature() has said that the two have 729 ** equal MX RR's and the same user. Calling sameaddr() 730 ** now checks if the two hosts are as identical as the 731 ** MX RR's are (which might not be the case) 732 ** before saying these are the identical addresses. 733 */ 734 735 if (sameaddr(q, new) && 736 (bitset(QRCPTOK, q->q_flags) || 737 !bitset(QPRIMARY, q->q_flags))) 738 { 739 if (tTd(26, 1)) 740 { 741 sm_dprintf("%s in sendq: ", 742 new->q_paddr); 743 printaddr(sm_debug_file(), q, false); 744 } 745 if (!bitset(QPRIMARY, q->q_flags)) 746 { 747 if (!QS_IS_DEAD(new->q_state)) 748 message("duplicate suppressed"); 749 else 750 q->q_state = QS_DUPLICATE; 751 q->q_flags |= new->q_flags; 752 } 753 else if (bitset(QSELFREF, q->q_flags) 754 || q->q_state == QS_REMOVED) 755 { 756 /* 757 ** If an earlier milter removed the 758 ** address, a later one can still add 759 ** it back. 760 */ 761 762 q->q_state = new->q_state; 763 q->q_flags |= new->q_flags; 764 } 765 new = q; 766 goto done; 767 } 768 } 769 else if (i < 0) /* less than */ 770 { 771 insert = true; 772 break; 773 } 774 prev = pq; 775 } 776 777 /* pq should point to an address, never NULL */ 778 SM_ASSERT(pq != NULL); 779 780 /* add address on list */ 781 if (insert) 782 { 783 /* 784 ** insert before 'pq'. Only possible when at least 1 785 ** ADDRESS is in the list already. 786 */ 787 788 new->q_next = *pq; 789 if (prev == NULL) 790 *sendq = new; /* To be the first ADDRESS */ 791 else 792 (*prev)->q_next = new; 793 } 794 else 795 { 796 /* 797 ** Place in list at current 'pq' position. Possible 798 ** when there are 0 or more ADDRESS's in the list. 799 */ 800 801 new->q_next = NULL; 802 *pq = new; 803 } 804 805 /* added a new address: clear split flag */ 806 e->e_flags &= ~EF_SPLIT; 807 808 /* 809 ** Alias the name and handle special mailer types. 810 */ 811 812 trylocaluser: 813 if (tTd(29, 7)) 814 { 815 sm_dprintf("at trylocaluser: "); 816 printaddr(sm_debug_file(), new, false); 817 } 818 819 if (!QS_IS_OK(new->q_state)) 820 { 821 if (QS_IS_UNDELIVERED(new->q_state)) 822 e->e_nrcpts++; 823 goto testselfdestruct; 824 } 825 826 if (m == InclMailer) 827 { 828 new->q_state = QS_INCLUDED; 829 if (new->q_alias == NULL || UseMSP || 830 bitset(EF_UNSAFE, e->e_flags)) 831 { 832 new->q_state = QS_BADADDR; 833 new->q_status = "5.7.1"; 834 usrerrenh(new->q_status, 835 "550 Cannot mail directly to :include:s"); 836 } 837 else 838 { 839 int ret; 840 841 message("including file %s", new->q_user); 842 ret = include(new->q_user, false, new, 843 sendq, aliaslevel, e); 844 if (transienterror(ret)) 845 { 846 if (LogLevel > 2) 847 sm_syslog(LOG_ERR, e->e_id, 848 "include %s: transient error: %s", 849 shortenstring(new->q_user, 850 MAXSHORTSTR), 851 sm_errstring(ret)); 852 new->q_state = QS_QUEUEUP; 853 usrerr("451 4.2.4 Cannot open %s: %s", 854 shortenstring(new->q_user, 855 MAXSHORTSTR), 856 sm_errstring(ret)); 857 } 858 else if (ret != 0) 859 { 860 new->q_state = QS_BADADDR; 861 new->q_status = "5.2.4"; 862 usrerrenh(new->q_status, 863 "550 Cannot open %s: %s", 864 shortenstring(new->q_user, 865 MAXSHORTSTR), 866 sm_errstring(ret)); 867 } 868 } 869 } 870 else if (m == FileMailer) 871 { 872 /* check if allowed */ 873 if (new->q_alias == NULL || UseMSP || 874 bitset(EF_UNSAFE, e->e_flags)) 875 { 876 new->q_state = QS_BADADDR; 877 new->q_status = "5.7.1"; 878 usrerrenh(new->q_status, 879 "550 Cannot mail directly to files"); 880 } 881 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 882 { 883 new->q_state = QS_BADADDR; 884 new->q_status = "5.7.1"; 885 if (new->q_alias->q_ruser == NULL) 886 usrerrenh(new->q_status, 887 "550 UID %d is an unknown user: cannot mail to files", 888 new->q_alias->q_uid); 889 else 890 usrerrenh(new->q_status, 891 "550 User %s@%s doesn't have a valid shell for mailing to files", 892 new->q_alias->q_ruser, MyHostName); 893 } 894 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 895 { 896 new->q_state = QS_BADADDR; 897 new->q_status = "5.7.1"; 898 new->q_rstatus = "550 Unsafe for mailing to files"; 899 usrerrenh(new->q_status, 900 "550 Address %s is unsafe for mailing to files", 901 new->q_alias->q_paddr); 902 } 903 } 904 905 /* try aliasing */ 906 if (!quoted && QS_IS_OK(new->q_state) && 907 bitnset(M_ALIASABLE, m->m_flags)) 908 alias(new, sendq, aliaslevel, e); 909 910 #if USERDB 911 /* if not aliased, look it up in the user database */ 912 if (!bitset(QNOTREMOTE, new->q_flags) && 913 QS_IS_SENDABLE(new->q_state) && 914 bitnset(M_CHECKUDB, m->m_flags)) 915 { 916 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 917 { 918 new->q_state = QS_QUEUEUP; 919 if (e->e_message == NULL) 920 e->e_message = sm_rpool_strdup_x(e->e_rpool, 921 "Deferred: user database error"); 922 if (new->q_message == NULL) 923 new->q_message = "Deferred: user database error"; 924 if (LogLevel > 8) 925 sm_syslog(LOG_INFO, e->e_id, 926 "deferred: udbexpand: %s", 927 sm_errstring(errno)); 928 message("queued (user database error): %s", 929 sm_errstring(errno)); 930 e->e_nrcpts++; 931 goto testselfdestruct; 932 } 933 } 934 #endif /* USERDB */ 935 936 /* 937 ** If we have a level two config file, then pass the name through 938 ** Ruleset 5 before sending it off. Ruleset 5 has the right 939 ** to rewrite it to another mailer. This gives us a hook 940 ** after local aliasing has been done. 941 */ 942 943 if (tTd(29, 5)) 944 { 945 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 946 ConfigLevel, RewriteRules[5]); 947 printaddr(sm_debug_file(), new, false); 948 } 949 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 950 bitnset(M_TRYRULESET5, m->m_flags) && 951 !bitset(QNOTREMOTE, new->q_flags) && 952 QS_IS_OK(new->q_state)) 953 { 954 maplocaluser(new, sendq, aliaslevel + 1, e); 955 } 956 957 /* 958 ** If it didn't get rewritten to another mailer, go ahead 959 ** and deliver it. 960 */ 961 962 if (QS_IS_OK(new->q_state) && 963 bitnset(M_HASPWENT, m->m_flags)) 964 { 965 auto bool fuzzy; 966 SM_MBDB_T user; 967 int status; 968 969 /* warning -- finduser may trash buf */ 970 status = finduser(buf, &fuzzy, &user); 971 switch (status) 972 { 973 case EX_TEMPFAIL: 974 new->q_state = QS_QUEUEUP; 975 new->q_status = "4.5.2"; 976 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 977 new->q_alias, (time_t) 0, e, new); 978 break; 979 default: 980 new->q_state = QS_BADADDR; 981 new->q_status = "5.1.1"; 982 new->q_rstatus = "550 5.1.1 User unknown"; 983 giveresponse(EX_NOUSER, new->q_status, m, NULL, 984 new->q_alias, (time_t) 0, e, new); 985 break; 986 case EX_OK: 987 if (fuzzy) 988 { 989 /* name was a fuzzy match */ 990 new->q_user = sm_rpool_strdup_x(e->e_rpool, 991 user.mbdb_name); 992 if (findusercount++ > 3) 993 { 994 new->q_state = QS_BADADDR; 995 new->q_status = "5.4.6"; 996 usrerrenh(new->q_status, 997 "554 aliasing/forwarding loop for %s broken", 998 user.mbdb_name); 999 goto done; 1000 } 1001 1002 /* see if it aliases */ 1003 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1004 goto trylocaluser; 1005 } 1006 if (*user.mbdb_homedir == '\0') 1007 new->q_home = NULL; 1008 else if (strcmp(user.mbdb_homedir, "/") == 0) 1009 new->q_home = ""; 1010 else 1011 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1012 user.mbdb_homedir); 1013 if (user.mbdb_uid != SM_NO_UID) 1014 { 1015 new->q_uid = user.mbdb_uid; 1016 new->q_gid = user.mbdb_gid; 1017 new->q_flags |= QGOODUID; 1018 } 1019 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1020 user.mbdb_name); 1021 if (user.mbdb_fullname[0] != '\0') 1022 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1023 user.mbdb_fullname); 1024 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1025 { 1026 new->q_flags |= QBOGUSSHELL; 1027 } 1028 if (bitset(EF_VRFYONLY, e->e_flags)) 1029 { 1030 /* don't do any more now */ 1031 new->q_state = QS_VERIFIED; 1032 } 1033 else if (!quoted) 1034 forward(new, sendq, aliaslevel, e); 1035 } 1036 } 1037 if (!QS_IS_DEAD(new->q_state)) 1038 e->e_nrcpts++; 1039 1040 testselfdestruct: 1041 new->q_flags |= QTHISPASS; 1042 if (tTd(26, 8)) 1043 { 1044 sm_dprintf("testselfdestruct: "); 1045 printaddr(sm_debug_file(), new, false); 1046 if (tTd(26, 10)) 1047 { 1048 sm_dprintf("SENDQ:\n"); 1049 printaddr(sm_debug_file(), *sendq, true); 1050 sm_dprintf("----\n"); 1051 } 1052 } 1053 if (new->q_alias == NULL && new != &e->e_from && 1054 QS_IS_DEAD(new->q_state)) 1055 { 1056 for (q = *sendq; q != NULL; q = q->q_next) 1057 { 1058 if (!QS_IS_DEAD(q->q_state)) 1059 break; 1060 } 1061 if (q == NULL) 1062 { 1063 new->q_state = QS_BADADDR; 1064 new->q_status = "5.4.6"; 1065 usrerrenh(new->q_status, 1066 "554 aliasing/forwarding loop broken"); 1067 } 1068 } 1069 1070 done: 1071 new->q_flags |= QTHISPASS; 1072 if (buf != buf0) 1073 sm_free(buf); /* XXX leak if above code raises exception */ 1074 1075 /* 1076 ** If we are at the top level, check to see if this has 1077 ** expanded to exactly one address. If so, it can inherit 1078 ** the primaryness of the address. 1079 ** 1080 ** While we're at it, clear the QTHISPASS bits. 1081 */ 1082 1083 if (aliaslevel == 0) 1084 { 1085 int nrcpts = 0; 1086 ADDRESS *only = NULL; 1087 1088 for (q = *sendq; q != NULL; q = q->q_next) 1089 { 1090 if (bitset(QTHISPASS, q->q_flags) && 1091 QS_IS_SENDABLE(q->q_state)) 1092 { 1093 nrcpts++; 1094 only = q; 1095 } 1096 q->q_flags &= ~QTHISPASS; 1097 } 1098 if (nrcpts == 1) 1099 { 1100 /* check to see if this actually got a new owner */ 1101 q = only; 1102 while ((q = q->q_alias) != NULL) 1103 { 1104 if (q->q_owner != NULL) 1105 break; 1106 } 1107 if (q == NULL) 1108 only->q_flags |= QPRIMARY; 1109 } 1110 else if (!initialdontsend && nrcpts > 0) 1111 { 1112 /* arrange for return receipt */ 1113 e->e_flags |= EF_SENDRECEIPT; 1114 new->q_flags |= QEXPANDED; 1115 if (e->e_xfp != NULL && 1116 bitset(QPINGONSUCCESS, new->q_flags)) 1117 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1118 "%s... expanded to multiple addresses\n", 1119 new->q_paddr); 1120 } 1121 } 1122 new->q_flags |= QRCPTOK; 1123 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1124 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1125 return new; 1126 } 1127 1128 /* 1129 ** FINDUSER -- find the password entry for a user. 1130 ** 1131 ** This looks a lot like getpwnam, except that it may want to 1132 ** do some fancier pattern matching in /etc/passwd. 1133 ** 1134 ** This routine contains most of the time of many sendmail runs. 1135 ** It deserves to be optimized. 1136 ** 1137 ** Parameters: 1138 ** name -- the name to match against. 1139 ** fuzzyp -- an outarg that is set to true if this entry 1140 ** was found using the fuzzy matching algorithm; 1141 ** set to false otherwise. 1142 ** user -- structure to fill in if user is found 1143 ** 1144 ** Returns: 1145 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1146 ** If the user was not found, return EX_NOUSER. 1147 ** On error, return EX_TEMPFAIL or EX_OSERR. 1148 ** 1149 ** Side Effects: 1150 ** may modify name. 1151 */ 1152 1153 int 1154 finduser(name, fuzzyp, user) 1155 char *name; 1156 bool *fuzzyp; 1157 SM_MBDB_T *user; 1158 { 1159 #if MATCHGECOS 1160 register struct passwd *pw; 1161 #endif /* MATCHGECOS */ 1162 register char *p; 1163 bool tryagain; 1164 int status; 1165 1166 if (tTd(29, 4)) 1167 sm_dprintf("finduser(%s): ", name); 1168 1169 *fuzzyp = false; 1170 1171 #if HESIOD 1172 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1173 for (p = name; *p != '\0'; p++) 1174 if (!isascii(*p) || !isdigit(*p)) 1175 break; 1176 if (*p == '\0') 1177 { 1178 if (tTd(29, 4)) 1179 sm_dprintf("failed (numeric input)\n"); 1180 return EX_NOUSER; 1181 } 1182 #endif /* HESIOD */ 1183 1184 /* look up this login name using fast path */ 1185 status = sm_mbdb_lookup(name, user); 1186 if (status != EX_NOUSER) 1187 { 1188 if (tTd(29, 4)) 1189 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1190 return status; 1191 } 1192 1193 /* try mapping it to lower case */ 1194 tryagain = false; 1195 for (p = name; *p != '\0'; p++) 1196 { 1197 if (isascii(*p) && isupper(*p)) 1198 { 1199 *p = tolower(*p); 1200 tryagain = true; 1201 } 1202 } 1203 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1204 { 1205 if (tTd(29, 4)) 1206 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1207 *fuzzyp = true; 1208 return status; 1209 } 1210 1211 #if MATCHGECOS 1212 /* see if fuzzy matching allowed */ 1213 if (!MatchGecos) 1214 { 1215 if (tTd(29, 4)) 1216 sm_dprintf("not found (fuzzy disabled)\n"); 1217 return EX_NOUSER; 1218 } 1219 1220 /* search for a matching full name instead */ 1221 for (p = name; *p != '\0'; p++) 1222 { 1223 if (*p == (SpaceSub & 0177) || *p == '_') 1224 *p = ' '; 1225 } 1226 (void) setpwent(); 1227 while ((pw = getpwent()) != NULL) 1228 { 1229 char buf[MAXNAME + 1]; 1230 1231 # if 0 1232 if (sm_strcasecmp(pw->pw_name, name) == 0) 1233 { 1234 if (tTd(29, 4)) 1235 sm_dprintf("found (case wrapped)\n"); 1236 break; 1237 } 1238 # endif /* 0 */ 1239 1240 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1241 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1242 { 1243 if (tTd(29, 4)) 1244 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1245 message("sending to login name %s", pw->pw_name); 1246 break; 1247 } 1248 } 1249 if (pw != NULL) 1250 *fuzzyp = true; 1251 else if (tTd(29, 4)) 1252 sm_dprintf("no fuzzy match found\n"); 1253 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1254 endpwent(); 1255 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1256 if (pw == NULL) 1257 return EX_NOUSER; 1258 sm_mbdb_frompw(user, pw); 1259 return EX_OK; 1260 #else /* MATCHGECOS */ 1261 if (tTd(29, 4)) 1262 sm_dprintf("not found (fuzzy disabled)\n"); 1263 return EX_NOUSER; 1264 #endif /* MATCHGECOS */ 1265 } 1266 1267 /* 1268 ** WRITABLE -- predicate returning if the file is writable. 1269 ** 1270 ** This routine must duplicate the algorithm in sys/fio.c. 1271 ** Unfortunately, we cannot use the access call since we 1272 ** won't necessarily be the real uid when we try to 1273 ** actually open the file. 1274 ** 1275 ** Notice that ANY file with ANY execute bit is automatically 1276 ** not writable. This is also enforced by mailfile. 1277 ** 1278 ** Parameters: 1279 ** filename -- the file name to check. 1280 ** ctladdr -- the controlling address for this file. 1281 ** flags -- SFF_* flags to control the function. 1282 ** 1283 ** Returns: 1284 ** true -- if we will be able to write this file. 1285 ** false -- if we cannot write this file. 1286 ** 1287 ** Side Effects: 1288 ** none. 1289 */ 1290 1291 bool 1292 writable(filename, ctladdr, flags) 1293 char *filename; 1294 ADDRESS *ctladdr; 1295 long flags; 1296 { 1297 uid_t euid = 0; 1298 gid_t egid = 0; 1299 char *user = NULL; 1300 1301 if (tTd(44, 5)) 1302 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1303 1304 /* 1305 ** File does exist -- check that it is writable. 1306 */ 1307 1308 if (geteuid() != 0) 1309 { 1310 euid = geteuid(); 1311 egid = getegid(); 1312 user = NULL; 1313 } 1314 else if (ctladdr != NULL) 1315 { 1316 euid = ctladdr->q_uid; 1317 egid = ctladdr->q_gid; 1318 user = ctladdr->q_user; 1319 } 1320 else if (bitset(SFF_RUNASREALUID, flags)) 1321 { 1322 euid = RealUid; 1323 egid = RealGid; 1324 user = RealUserName; 1325 } 1326 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1327 { 1328 if (FileMailer->m_uid == NO_UID) 1329 { 1330 euid = DefUid; 1331 user = DefUser; 1332 } 1333 else 1334 { 1335 euid = FileMailer->m_uid; 1336 user = NULL; 1337 } 1338 if (FileMailer->m_gid == NO_GID) 1339 egid = DefGid; 1340 else 1341 egid = FileMailer->m_gid; 1342 } 1343 else 1344 { 1345 euid = egid = 0; 1346 user = NULL; 1347 } 1348 if (!bitset(SFF_ROOTOK, flags)) 1349 { 1350 if (euid == 0) 1351 { 1352 euid = DefUid; 1353 user = DefUser; 1354 } 1355 if (egid == 0) 1356 egid = DefGid; 1357 } 1358 if (geteuid() == 0 && 1359 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1360 flags |= SFF_SETUIDOK; 1361 1362 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1363 flags |= SFF_NOSLINK; 1364 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1365 flags |= SFF_NOHLINK; 1366 1367 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1368 return errno == 0; 1369 } 1370 1371 /* 1372 ** INCLUDE -- handle :include: specification. 1373 ** 1374 ** Parameters: 1375 ** fname -- filename to include. 1376 ** forwarding -- if true, we are reading a .forward file. 1377 ** if false, it's a :include: file. 1378 ** ctladdr -- address template to use to fill in these 1379 ** addresses -- effective user/group id are 1380 ** the important things. 1381 ** sendq -- a pointer to the head of the send queue 1382 ** to put these addresses in. 1383 ** aliaslevel -- the alias nesting depth. 1384 ** e -- the current envelope. 1385 ** 1386 ** Returns: 1387 ** open error status 1388 ** 1389 ** Side Effects: 1390 ** reads the :include: file and sends to everyone 1391 ** listed in that file. 1392 ** 1393 ** Security Note: 1394 ** If you have restricted chown (that is, you can't 1395 ** give a file away), it is reasonable to allow programs 1396 ** and files called from this :include: file to be to be 1397 ** run as the owner of the :include: file. This is bogus 1398 ** if there is any chance of someone giving away a file. 1399 ** We assume that pre-POSIX systems can give away files. 1400 ** 1401 ** There is an additional restriction that if you 1402 ** forward to a :include: file, it will not take on 1403 ** the ownership of the :include: file. This may not 1404 ** be necessary, but shouldn't hurt. 1405 */ 1406 1407 static jmp_buf CtxIncludeTimeout; 1408 1409 int 1410 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1411 char *fname; 1412 bool forwarding; 1413 ADDRESS *ctladdr; 1414 ADDRESS **sendq; 1415 int aliaslevel; 1416 ENVELOPE *e; 1417 { 1418 SM_FILE_T *volatile fp = NULL; 1419 char *oldto = e->e_to; 1420 char *oldfilename = FileName; 1421 int oldlinenumber = LineNumber; 1422 register SM_EVENT *ev = NULL; 1423 int nincludes; 1424 int mode; 1425 volatile bool maxreached = false; 1426 register ADDRESS *ca; 1427 volatile uid_t saveduid; 1428 volatile gid_t savedgid; 1429 volatile uid_t uid; 1430 volatile gid_t gid; 1431 char *volatile user; 1432 int rval = 0; 1433 volatile long sfflags = SFF_REGONLY; 1434 register char *p; 1435 bool safechown = false; 1436 volatile bool safedir = false; 1437 struct stat st; 1438 char buf[MAXLINE]; 1439 1440 if (tTd(27, 2)) 1441 sm_dprintf("include(%s)\n", fname); 1442 if (tTd(27, 4)) 1443 sm_dprintf(" ruid=%d euid=%d\n", 1444 (int) getuid(), (int) geteuid()); 1445 if (tTd(27, 14)) 1446 { 1447 sm_dprintf("ctladdr "); 1448 printaddr(sm_debug_file(), ctladdr, false); 1449 } 1450 1451 if (tTd(27, 9)) 1452 sm_dprintf("include: old uid = %d/%d\n", 1453 (int) getuid(), (int) geteuid()); 1454 1455 if (forwarding) 1456 { 1457 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1458 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1459 sfflags |= SFF_NOGWFILES; 1460 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1461 sfflags |= SFF_NOWWFILES; 1462 } 1463 else 1464 { 1465 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1466 sfflags |= SFF_NOGWFILES; 1467 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1468 sfflags |= SFF_NOWWFILES; 1469 } 1470 1471 /* 1472 ** If RunAsUser set, won't be able to run programs as user 1473 ** so mark them as unsafe unless the administrator knows better. 1474 */ 1475 1476 if ((geteuid() != 0 || RunAsUid != 0) && 1477 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1478 { 1479 if (tTd(27, 4)) 1480 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1481 (int) geteuid(), (int) RunAsUid); 1482 ctladdr->q_flags |= QUNSAFEADDR; 1483 } 1484 1485 ca = getctladdr(ctladdr); 1486 if (ca == NULL || 1487 (ca->q_uid == DefUid && ca->q_gid == 0)) 1488 { 1489 uid = DefUid; 1490 gid = DefGid; 1491 user = DefUser; 1492 } 1493 else 1494 { 1495 uid = ca->q_uid; 1496 gid = ca->q_gid; 1497 user = ca->q_user; 1498 } 1499 #if MAILER_SETUID_METHOD != USE_SETUID 1500 saveduid = geteuid(); 1501 savedgid = getegid(); 1502 if (saveduid == 0) 1503 { 1504 if (!DontInitGroups) 1505 { 1506 if (initgroups(user, gid) == -1) 1507 { 1508 rval = EAGAIN; 1509 syserr("include: initgroups(%s, %d) failed", 1510 user, gid); 1511 goto resetuid; 1512 } 1513 } 1514 else 1515 { 1516 GIDSET_T gidset[1]; 1517 1518 gidset[0] = gid; 1519 if (setgroups(1, gidset) == -1) 1520 { 1521 rval = EAGAIN; 1522 syserr("include: setgroups() failed"); 1523 goto resetuid; 1524 } 1525 } 1526 1527 if (gid != 0 && setgid(gid) < -1) 1528 { 1529 rval = EAGAIN; 1530 syserr("setgid(%d) failure", gid); 1531 goto resetuid; 1532 } 1533 if (uid != 0) 1534 { 1535 # if MAILER_SETUID_METHOD == USE_SETEUID 1536 if (seteuid(uid) < 0) 1537 { 1538 rval = EAGAIN; 1539 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1540 uid, (int) getuid(), (int) geteuid()); 1541 goto resetuid; 1542 } 1543 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1544 # if MAILER_SETUID_METHOD == USE_SETREUID 1545 if (setreuid(0, uid) < 0) 1546 { 1547 rval = EAGAIN; 1548 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1549 uid, (int) getuid(), (int) geteuid()); 1550 goto resetuid; 1551 } 1552 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1553 } 1554 } 1555 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1556 1557 if (tTd(27, 9)) 1558 sm_dprintf("include: new uid = %d/%d\n", 1559 (int) getuid(), (int) geteuid()); 1560 1561 /* 1562 ** If home directory is remote mounted but server is down, 1563 ** this can hang or give errors; use a timeout to avoid this 1564 */ 1565 1566 if (setjmp(CtxIncludeTimeout) != 0) 1567 { 1568 ctladdr->q_state = QS_QUEUEUP; 1569 errno = 0; 1570 1571 /* return pseudo-error code */ 1572 rval = E_SM_OPENTIMEOUT; 1573 goto resetuid; 1574 } 1575 if (TimeOuts.to_fileopen > 0) 1576 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1577 else 1578 ev = NULL; 1579 1580 1581 /* check for writable parent directory */ 1582 p = strrchr(fname, '/'); 1583 if (p != NULL) 1584 { 1585 int ret; 1586 1587 *p = '\0'; 1588 ret = safedirpath(fname, uid, gid, user, 1589 sfflags|SFF_SAFEDIRPATH, 0, 0); 1590 if (ret == 0) 1591 { 1592 /* in safe directory: relax chown & link rules */ 1593 safedir = true; 1594 sfflags |= SFF_NOPATHCHECK; 1595 } 1596 else 1597 { 1598 if (bitnset((forwarding ? 1599 DBS_FORWARDFILEINUNSAFEDIRPATH : 1600 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1601 DontBlameSendmail)) 1602 sfflags |= SFF_NOPATHCHECK; 1603 else if (bitnset((forwarding ? 1604 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1605 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1606 DontBlameSendmail) && 1607 ret == E_SM_GWDIR) 1608 { 1609 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1610 DontBlameSendmail); 1611 ret = safedirpath(fname, uid, gid, user, 1612 sfflags|SFF_SAFEDIRPATH, 1613 0, 0); 1614 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1615 DontBlameSendmail); 1616 if (ret == 0) 1617 sfflags |= SFF_NOPATHCHECK; 1618 else 1619 sfflags |= SFF_SAFEDIRPATH; 1620 } 1621 else 1622 sfflags |= SFF_SAFEDIRPATH; 1623 if (ret > E_PSEUDOBASE && 1624 !bitnset((forwarding ? 1625 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1626 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1627 DontBlameSendmail)) 1628 { 1629 if (LogLevel > 11) 1630 sm_syslog(LOG_INFO, e->e_id, 1631 "%s: unsafe directory path, marked unsafe", 1632 shortenstring(fname, MAXSHORTSTR)); 1633 ctladdr->q_flags |= QUNSAFEADDR; 1634 } 1635 } 1636 *p = '/'; 1637 } 1638 1639 /* allow links only in unwritable directories */ 1640 if (!safedir && 1641 !bitnset((forwarding ? 1642 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1643 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1644 DontBlameSendmail)) 1645 sfflags |= SFF_NOLINK; 1646 1647 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1648 if (rval != 0) 1649 { 1650 /* don't use this :include: file */ 1651 if (tTd(27, 4)) 1652 sm_dprintf("include: not safe (uid=%d): %s\n", 1653 (int) uid, sm_errstring(rval)); 1654 } 1655 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1656 SM_IO_RDONLY, NULL)) == NULL) 1657 { 1658 rval = errno; 1659 if (tTd(27, 4)) 1660 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1661 } 1662 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1663 { 1664 rval = E_SM_FILECHANGE; 1665 if (tTd(27, 4)) 1666 sm_dprintf("include: file changed after open\n"); 1667 } 1668 if (ev != NULL) 1669 sm_clrevent(ev); 1670 1671 resetuid: 1672 1673 #if HASSETREUID || USESETEUID 1674 if (saveduid == 0) 1675 { 1676 if (uid != 0) 1677 { 1678 # if USESETEUID 1679 if (seteuid(0) < 0) 1680 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1681 (int) getuid(), (int) geteuid()); 1682 # else /* USESETEUID */ 1683 if (setreuid(-1, 0) < 0) 1684 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1685 (int) getuid(), (int) geteuid()); 1686 if (setreuid(RealUid, 0) < 0) 1687 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1688 (int) RealUid, (int) getuid(), 1689 (int) geteuid()); 1690 # endif /* USESETEUID */ 1691 } 1692 if (setgid(savedgid) < 0) 1693 syserr("!setgid(%d) failure (real=%d eff=%d)", 1694 (int) savedgid, (int) getgid(), 1695 (int) getegid()); 1696 } 1697 #endif /* HASSETREUID || USESETEUID */ 1698 1699 if (tTd(27, 9)) 1700 sm_dprintf("include: reset uid = %d/%d\n", 1701 (int) getuid(), (int) geteuid()); 1702 1703 if (rval == E_SM_OPENTIMEOUT) 1704 usrerr("451 4.4.1 open timeout on %s", fname); 1705 1706 if (fp == NULL) 1707 return rval; 1708 1709 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1710 { 1711 rval = errno; 1712 syserr("Cannot fstat %s!", fname); 1713 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1714 return rval; 1715 } 1716 1717 /* if path was writable, check to avoid file giveaway tricks */ 1718 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1719 if (tTd(27, 6)) 1720 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1721 fname, safedir ? "safe" : "dangerous", 1722 safechown ? "" : "un"); 1723 1724 /* if no controlling user or coming from an alias delivery */ 1725 if (safechown && 1726 (ca == NULL || 1727 (ca->q_uid == DefUid && ca->q_gid == 0))) 1728 { 1729 ctladdr->q_uid = st.st_uid; 1730 ctladdr->q_gid = st.st_gid; 1731 ctladdr->q_flags |= QGOODUID; 1732 } 1733 if (ca != NULL && ca->q_uid == st.st_uid) 1734 { 1735 /* optimization -- avoid getpwuid if we already have info */ 1736 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1737 ctladdr->q_ruser = ca->q_ruser; 1738 } 1739 else if (!forwarding) 1740 { 1741 register struct passwd *pw; 1742 1743 pw = sm_getpwuid(st.st_uid); 1744 if (pw == NULL) 1745 { 1746 ctladdr->q_uid = st.st_uid; 1747 ctladdr->q_flags |= QBOGUSSHELL; 1748 } 1749 else 1750 { 1751 char *sh; 1752 1753 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1754 pw->pw_name); 1755 if (safechown) 1756 sh = pw->pw_shell; 1757 else 1758 sh = "/SENDMAIL/ANY/SHELL/"; 1759 if (!usershellok(pw->pw_name, sh)) 1760 { 1761 if (LogLevel > 11) 1762 sm_syslog(LOG_INFO, e->e_id, 1763 "%s: user %s has bad shell %s, marked %s", 1764 shortenstring(fname, 1765 MAXSHORTSTR), 1766 pw->pw_name, sh, 1767 safechown ? "bogus" : "unsafe"); 1768 if (safechown) 1769 ctladdr->q_flags |= QBOGUSSHELL; 1770 else 1771 ctladdr->q_flags |= QUNSAFEADDR; 1772 } 1773 } 1774 } 1775 1776 if (bitset(EF_VRFYONLY, e->e_flags)) 1777 { 1778 /* don't do any more now */ 1779 ctladdr->q_state = QS_VERIFIED; 1780 e->e_nrcpts++; 1781 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1782 return rval; 1783 } 1784 1785 /* 1786 ** Check to see if some bad guy can write this file 1787 ** 1788 ** Group write checking could be more clever, e.g., 1789 ** guessing as to which groups are actually safe ("sys" 1790 ** may be; "user" probably is not). 1791 */ 1792 1793 mode = S_IWOTH; 1794 if (!bitnset((forwarding ? 1795 DBS_GROUPWRITABLEFORWARDFILESAFE : 1796 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1797 DontBlameSendmail)) 1798 mode |= S_IWGRP; 1799 1800 if (bitset(mode, st.st_mode)) 1801 { 1802 if (tTd(27, 6)) 1803 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1804 shortenstring(fname, MAXSHORTSTR), 1805 bitset(S_IWOTH, st.st_mode) ? "world" 1806 : "group"); 1807 if (LogLevel > 11) 1808 sm_syslog(LOG_INFO, e->e_id, 1809 "%s: %s writable %s file, marked unsafe", 1810 shortenstring(fname, MAXSHORTSTR), 1811 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1812 forwarding ? "forward" : ":include:"); 1813 ctladdr->q_flags |= QUNSAFEADDR; 1814 } 1815 1816 /* read the file -- each line is a comma-separated list. */ 1817 FileName = fname; 1818 LineNumber = 0; 1819 ctladdr->q_flags &= ~QSELFREF; 1820 nincludes = 0; 1821 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL && 1822 !maxreached) 1823 { 1824 fixcrlf(buf, true); 1825 LineNumber++; 1826 if (buf[0] == '#' || buf[0] == '\0') 1827 continue; 1828 1829 /* <sp>#@# introduces a comment anywhere */ 1830 /* for Japanese character sets */ 1831 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1832 { 1833 if (p[1] == '@' && p[2] == '#' && 1834 isascii(p[-1]) && isspace(p[-1]) && 1835 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1836 { 1837 --p; 1838 while (p > buf && isascii(p[-1]) && 1839 isspace(p[-1])) 1840 --p; 1841 p[0] = '\0'; 1842 break; 1843 } 1844 } 1845 if (buf[0] == '\0') 1846 continue; 1847 1848 e->e_to = NULL; 1849 message("%s to %s", 1850 forwarding ? "forwarding" : "sending", buf); 1851 if (forwarding && LogLevel > 10) 1852 sm_syslog(LOG_INFO, e->e_id, 1853 "forward %.200s => %s", 1854 oldto, shortenstring(buf, MAXSHORTSTR)); 1855 1856 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1857 1858 if (forwarding && 1859 MaxForwardEntries > 0 && 1860 nincludes >= MaxForwardEntries) 1861 { 1862 /* just stop reading and processing further entries */ 1863 #if 0 1864 /* additional: (?) */ 1865 ctladdr->q_state = QS_DONTSEND; 1866 #endif /* 0 */ 1867 1868 syserr("Attempt to forward to more than %d addresses (in %s)!", 1869 MaxForwardEntries, fname); 1870 maxreached = true; 1871 } 1872 } 1873 1874 if (sm_io_error(fp) && tTd(27, 3)) 1875 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1876 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1877 { 1878 if (aliaslevel <= MaxAliasRecursion || 1879 ctladdr->q_state != QS_BADADDR) 1880 { 1881 ctladdr->q_state = QS_DONTSEND; 1882 if (tTd(27, 5)) 1883 { 1884 sm_dprintf("include: QS_DONTSEND "); 1885 printaddr(sm_debug_file(), ctladdr, false); 1886 } 1887 } 1888 } 1889 1890 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1891 FileName = oldfilename; 1892 LineNumber = oldlinenumber; 1893 e->e_to = oldto; 1894 return rval; 1895 } 1896 1897 static void 1898 includetimeout(ignore) 1899 int ignore; 1900 { 1901 /* 1902 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1903 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1904 ** DOING. 1905 */ 1906 1907 errno = ETIMEDOUT; 1908 longjmp(CtxIncludeTimeout, 1); 1909 } 1910 1911 /* 1912 ** SENDTOARGV -- send to an argument vector. 1913 ** 1914 ** Parameters: 1915 ** argv -- argument vector to send to. 1916 ** e -- the current envelope. 1917 ** 1918 ** Returns: 1919 ** none. 1920 ** 1921 ** Side Effects: 1922 ** puts all addresses on the argument vector onto the 1923 ** send queue. 1924 */ 1925 1926 void 1927 sendtoargv(argv, e) 1928 register char **argv; 1929 register ENVELOPE *e; 1930 { 1931 register char *p; 1932 1933 while ((p = *argv++) != NULL) 1934 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1935 } 1936 1937 /* 1938 ** GETCTLADDR -- get controlling address from an address header. 1939 ** 1940 ** If none, get one corresponding to the effective userid. 1941 ** 1942 ** Parameters: 1943 ** a -- the address to find the controller of. 1944 ** 1945 ** Returns: 1946 ** the controlling address. 1947 */ 1948 1949 ADDRESS * 1950 getctladdr(a) 1951 register ADDRESS *a; 1952 { 1953 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1954 a = a->q_alias; 1955 return a; 1956 } 1957 1958 /* 1959 ** SELF_REFERENCE -- check to see if an address references itself 1960 ** 1961 ** The check is done through a chain of aliases. If it is part of 1962 ** a loop, break the loop at the "best" address, that is, the one 1963 ** that exists as a real user. 1964 ** 1965 ** This is to handle the case of: 1966 ** awc: Andrew.Chang 1967 ** Andrew.Chang: awc@mail.server 1968 ** which is a problem only on mail.server. 1969 ** 1970 ** Parameters: 1971 ** a -- the address to check. 1972 ** 1973 ** Returns: 1974 ** The address that should be retained. 1975 */ 1976 1977 static ADDRESS * 1978 self_reference(a) 1979 ADDRESS *a; 1980 { 1981 ADDRESS *b; /* top entry in self ref loop */ 1982 ADDRESS *c; /* entry that point to a real mail box */ 1983 1984 if (tTd(27, 1)) 1985 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1986 1987 for (b = a->q_alias; b != NULL; b = b->q_alias) 1988 { 1989 if (sameaddr(a, b)) 1990 break; 1991 } 1992 1993 if (b == NULL) 1994 { 1995 if (tTd(27, 1)) 1996 sm_dprintf("\t... no self ref\n"); 1997 return NULL; 1998 } 1999 2000 /* 2001 ** Pick the first address that resolved to a real mail box 2002 ** i.e has a mbdb entry. The returned value will be marked 2003 ** QSELFREF in recipient(), which in turn will disable alias() 2004 ** from marking it as QS_IS_DEAD(), which mean it will be used 2005 ** as a deliverable address. 2006 ** 2007 ** The 2 key thing to note here are: 2008 ** 1) we are in a recursive call sequence: 2009 ** alias->sendtolist->recipient->alias 2010 ** 2) normally, when we return back to alias(), the address 2011 ** will be marked QS_EXPANDED, since alias() assumes the 2012 ** expanded form will be used instead of the current address. 2013 ** This behaviour is turned off if the address is marked 2014 ** QSELFREF. We set QSELFREF when we return to recipient(). 2015 */ 2016 2017 c = a; 2018 while (c != NULL) 2019 { 2020 if (tTd(27, 10)) 2021 sm_dprintf(" %s", c->q_user); 2022 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2023 { 2024 SM_MBDB_T user; 2025 2026 if (tTd(27, 2)) 2027 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2028 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2029 { 2030 if (tTd(27, 2)) 2031 sm_dprintf("found\n"); 2032 2033 /* ought to cache results here */ 2034 if (sameaddr(b, c)) 2035 return b; 2036 else 2037 return c; 2038 } 2039 if (tTd(27, 2)) 2040 sm_dprintf("failed\n"); 2041 } 2042 else 2043 { 2044 /* if local delivery, compare usernames */ 2045 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2046 b->q_mailer == c->q_mailer) 2047 { 2048 if (tTd(27, 2)) 2049 sm_dprintf("\t... local match (%s)\n", 2050 c->q_user); 2051 if (sameaddr(b, c)) 2052 return b; 2053 else 2054 return c; 2055 } 2056 } 2057 if (tTd(27, 10)) 2058 sm_dprintf("\n"); 2059 c = c->q_alias; 2060 } 2061 2062 if (tTd(27, 1)) 2063 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2064 2065 return NULL; 2066 } 2067