1 /* 2 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #pragma ident "%Z%%M% %I% %E% SMI" 15 16 #include <sendmail.h> 17 18 SM_RCSID("@(#)$Id: recipient.c,v 8.344 2007/02/01 05:12:14 ca Exp $") 19 20 static void includetimeout __P((int)); 21 static ADDRESS *self_reference __P((ADDRESS *)); 22 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 23 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 24 static int sorthost __P((ADDRESS *, ADDRESS *)); 25 26 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 27 28 /* 29 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 30 ** 31 ** Parameters: 32 ** xx -- first ADDRESS 33 ** yy -- second ADDRESS 34 ** 35 ** Returns: 36 ** <0 when xx->q_host is less than yy->q_host 37 ** >0 when xx->q_host is greater than yy->q_host 38 ** 0 when equal 39 */ 40 41 static int 42 sorthost(xx, yy) 43 register ADDRESS *xx; 44 register ADDRESS *yy; 45 { 46 #if _FFR_HOST_SORT_REVERSE 47 /* XXX maybe compare hostnames from the end? */ 48 return sm_strrevcasecmp(xx->q_host, yy->q_host); 49 #else /* _FFR_HOST_SORT_REVERSE */ 50 return sm_strcasecmp(xx->q_host, yy->q_host); 51 #endif /* _FFR_HOST_SORT_REVERSE */ 52 } 53 54 /* 55 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 56 ** 57 ** The mailer has been noted already as "expensive" for 'xx'. This 58 ** will give a result relative to 'yy'. Expensive mailers get rated 59 ** "greater than" non-expensive mailers because during the delivery phase 60 ** it will get queued -- no use it getting in the way of less expensive 61 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 62 ** expensive since an MX RR lookup happens when extracted from the queue 63 ** later. 64 ** 65 ** Parameters: 66 ** xx -- first ADDRESS 67 ** yy -- second ADDRESS 68 ** 69 ** Returns: 70 ** <0 when xx->q_host is less than yy->q_host and both are 71 ** expensive 72 ** >0 when xx->q_host is greater than yy->q_host, or when 73 ** 'yy' is non-expensive 74 ** 0 when equal (by expense and q_host) 75 */ 76 77 static int 78 sortexpensive(xx, yy) 79 ADDRESS *xx; 80 ADDRESS *yy; 81 { 82 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 83 return 1; /* xx should go later */ 84 #if _FFR_HOST_SORT_REVERSE 85 /* XXX maybe compare hostnames from the end? */ 86 return sm_strrevcasecmp(xx->q_host, yy->q_host); 87 #else /* _FFR_HOST_SORT_REVERSE */ 88 return sm_strcasecmp(xx->q_host, yy->q_host); 89 #endif /* _FFR_HOST_SORT_REVERSE */ 90 } 91 92 /* 93 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 94 ** 95 ** Parameters: 96 ** xx -- first ADDRESS 97 ** yy -- second ADDRESS 98 ** 99 ** Returns: 100 ** 0 when the "signature"'s are same 101 ** <0 when xx->q_signature is less than yy->q_signature 102 ** >0 when xx->q_signature is greater than yy->q_signature 103 ** 104 ** Side Effect: 105 ** May set ADDRESS pointer for q_signature if not already set. 106 */ 107 108 static int 109 sortbysignature(xx, yy) 110 ADDRESS *xx; 111 ADDRESS *yy; 112 { 113 register int ret; 114 115 /* Let's avoid redoing the signature over and over again */ 116 if (xx->q_signature == NULL) 117 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 118 if (yy->q_signature == NULL) 119 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 120 ret = strcmp(xx->q_signature, yy->q_signature); 121 122 /* 123 ** If the two signatures are the same then we will return a sort 124 ** value based on 'q_user'. But note that we have reversed xx and yy 125 ** on purpose. This additional compare helps reduce the number of 126 ** sameaddr() calls and loops in recipient() for the case when 127 ** the rcpt list has been provided already in-order. 128 */ 129 130 if (ret == 0) 131 return strcmp(yy->q_user, xx->q_user); 132 else 133 return ret; 134 } 135 136 /* 137 ** SENDTOLIST -- Designate a send list. 138 ** 139 ** The parameter is a comma-separated list of people to send to. 140 ** This routine arranges to send to all of them. 141 ** 142 ** Parameters: 143 ** list -- the send list. 144 ** ctladdr -- the address template for the person to 145 ** send to -- effective uid/gid are important. 146 ** This is typically the alias that caused this 147 ** expansion. 148 ** sendq -- a pointer to the head of a queue to put 149 ** these people into. 150 ** aliaslevel -- the current alias nesting depth -- to 151 ** diagnose loops. 152 ** e -- the envelope in which to add these recipients. 153 ** 154 ** Returns: 155 ** The number of addresses actually on the list. 156 */ 157 158 /* q_flags bits inherited from ctladdr */ 159 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 160 161 int 162 sendtolist(list, ctladdr, sendq, aliaslevel, e) 163 char *list; 164 ADDRESS *ctladdr; 165 ADDRESS **sendq; 166 int aliaslevel; 167 register ENVELOPE *e; 168 { 169 register char *p; 170 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 171 SM_NONVOLATILE char delimiter; /* the address delimiter */ 172 SM_NONVOLATILE int naddrs; 173 SM_NONVOLATILE int i; 174 char *endp; 175 char *oldto = e->e_to; 176 char *SM_NONVOLATILE bufp; 177 char buf[MAXNAME + 1]; 178 179 if (list == NULL) 180 { 181 syserr("sendtolist: null list"); 182 return 0; 183 } 184 185 if (tTd(25, 1)) 186 { 187 sm_dprintf("sendto: %s\n ctladdr=", list); 188 printaddr(sm_debug_file(), ctladdr, false); 189 } 190 191 /* heuristic to determine old versus new style addresses */ 192 if (ctladdr == NULL && 193 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 194 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 195 e->e_flags &= ~EF_OLDSTYLE; 196 delimiter = ' '; 197 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 198 delimiter = ','; 199 200 al = NULL; 201 naddrs = 0; 202 203 /* make sure we have enough space to copy the string */ 204 i = strlen(list) + 1; 205 if (i <= sizeof(buf)) 206 { 207 bufp = buf; 208 i = sizeof(buf); 209 } 210 else 211 bufp = sm_malloc_x(i); 212 endp = bufp + i; 213 214 SM_TRY 215 { 216 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 217 218 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 219 for (p = bufp; *p != '\0'; ) 220 { 221 auto char *delimptr; 222 register ADDRESS *a; 223 224 SM_ASSERT(p < endp); 225 226 /* parse the address */ 227 while ((isascii(*p) && isspace(*p)) || *p == ',') 228 p++; 229 SM_ASSERT(p < endp); 230 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 231 &delimptr, e, true); 232 p = delimptr; 233 SM_ASSERT(p < endp); 234 if (a == NULL) 235 continue; 236 a->q_next = al; 237 a->q_alias = ctladdr; 238 239 /* arrange to inherit attributes from parent */ 240 if (ctladdr != NULL) 241 { 242 ADDRESS *b; 243 244 /* self reference test */ 245 if (sameaddr(ctladdr, a)) 246 { 247 if (tTd(27, 5)) 248 { 249 sm_dprintf("sendtolist: QSELFREF "); 250 printaddr(sm_debug_file(), ctladdr, false); 251 } 252 ctladdr->q_flags |= QSELFREF; 253 } 254 255 /* check for address loops */ 256 b = self_reference(a); 257 if (b != NULL) 258 { 259 b->q_flags |= QSELFREF; 260 if (tTd(27, 5)) 261 { 262 sm_dprintf("sendtolist: QSELFREF "); 263 printaddr(sm_debug_file(), b, false); 264 } 265 if (a != b) 266 { 267 if (tTd(27, 5)) 268 { 269 sm_dprintf("sendtolist: QS_DONTSEND "); 270 printaddr(sm_debug_file(), a, false); 271 } 272 a->q_state = QS_DONTSEND; 273 b->q_flags |= a->q_flags & QNOTREMOTE; 274 continue; 275 } 276 } 277 278 /* full name */ 279 if (a->q_fullname == NULL) 280 a->q_fullname = ctladdr->q_fullname; 281 282 /* various flag bits */ 283 a->q_flags &= ~QINHERITEDBITS; 284 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 285 286 /* DSN recipient information */ 287 a->q_finalrcpt = ctladdr->q_finalrcpt; 288 a->q_orcpt = ctladdr->q_orcpt; 289 } 290 291 al = a; 292 } 293 294 /* arrange to send to everyone on the local send list */ 295 while (al != NULL) 296 { 297 register ADDRESS *a = al; 298 299 al = a->q_next; 300 a = recipient(a, sendq, aliaslevel, e); 301 naddrs++; 302 } 303 } 304 SM_FINALLY 305 { 306 e->e_to = oldto; 307 if (bufp != buf) 308 sm_free(bufp); 309 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 310 } 311 SM_END_TRY 312 return naddrs; 313 } 314 315 #if MILTER 316 /* 317 ** REMOVEFROMLIST -- Remove addresses from a send list. 318 ** 319 ** The parameter is a comma-separated list of recipients to remove. 320 ** Note that it only deletes matching addresses. If those addresses 321 ** have been expanded already in the sendq, it won't mark the 322 ** expanded recipients as QS_REMOVED. 323 ** 324 ** Parameters: 325 ** list -- the list to remove. 326 ** sendq -- a pointer to the head of a queue to remove 327 ** these addresses from. 328 ** e -- the envelope in which to remove these recipients. 329 ** 330 ** Returns: 331 ** The number of addresses removed from the list. 332 ** 333 */ 334 335 int 336 removefromlist(list, sendq, e) 337 char *list; 338 ADDRESS **sendq; 339 ENVELOPE *e; 340 { 341 SM_NONVOLATILE char delimiter; /* the address delimiter */ 342 SM_NONVOLATILE int naddrs; 343 SM_NONVOLATILE int i; 344 char *p; 345 char *oldto = e->e_to; 346 char *SM_NONVOLATILE bufp; 347 char buf[MAXNAME + 1]; 348 349 if (list == NULL) 350 { 351 syserr("removefromlist: null list"); 352 return 0; 353 } 354 355 if (tTd(25, 1)) 356 sm_dprintf("removefromlist: %s\n", list); 357 358 /* heuristic to determine old versus new style addresses */ 359 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 360 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 361 e->e_flags &= ~EF_OLDSTYLE; 362 delimiter = ' '; 363 if (!bitset(EF_OLDSTYLE, e->e_flags)) 364 delimiter = ','; 365 366 naddrs = 0; 367 368 /* make sure we have enough space to copy the string */ 369 i = strlen(list) + 1; 370 if (i <= sizeof(buf)) 371 { 372 bufp = buf; 373 i = sizeof(buf); 374 } 375 else 376 bufp = sm_malloc_x(i); 377 378 SM_TRY 379 { 380 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 381 382 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 383 for (p = bufp; *p != '\0'; ) 384 { 385 ADDRESS a; /* parsed address to be removed */ 386 ADDRESS *q; 387 ADDRESS **pq; 388 char *delimptr; 389 390 /* parse the address */ 391 while ((isascii(*p) && isspace(*p)) || *p == ',') 392 p++; 393 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 394 delimiter, &delimptr, e, true) == NULL) 395 { 396 p = delimptr; 397 continue; 398 } 399 p = delimptr; 400 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 401 { 402 if (!QS_IS_DEAD(q->q_state) && 403 (sameaddr(q, &a) || 404 strcmp(q->q_paddr, a.q_paddr) == 0)) 405 { 406 if (tTd(25, 5)) 407 { 408 sm_dprintf("removefromlist: QS_REMOVED "); 409 printaddr(sm_debug_file(), &a, false); 410 } 411 q->q_state = QS_REMOVED; 412 naddrs++; 413 break; 414 } 415 } 416 } 417 } 418 SM_FINALLY 419 { 420 e->e_to = oldto; 421 if (bufp != buf) 422 sm_free(bufp); 423 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 424 } 425 SM_END_TRY 426 return naddrs; 427 } 428 #endif /* MILTER */ 429 430 /* 431 ** RECIPIENT -- Designate a message recipient 432 ** 433 ** Saves the named person for future mailing. 434 ** 435 ** Parameters: 436 ** new -- the (preparsed) address header for the recipient. 437 ** sendq -- a pointer to the head of a queue to put the 438 ** recipient in. Duplicate suppression is done 439 ** in this queue. 440 ** aliaslevel -- the current alias nesting depth. 441 ** e -- the current envelope. 442 ** 443 ** Returns: 444 ** The actual address in the queue. This will be "a" if 445 ** the address is not a duplicate, else the original address. 446 ** 447 */ 448 449 ADDRESS * 450 recipient(new, sendq, aliaslevel, e) 451 register ADDRESS *new; 452 register ADDRESS **sendq; 453 int aliaslevel; 454 register ENVELOPE *e; 455 { 456 register ADDRESS *q; 457 ADDRESS **pq; 458 ADDRESS **prev; 459 register struct mailer *m; 460 register char *p; 461 int i, buflen; 462 bool quoted; /* set if the addr has a quote bit */ 463 bool insert; 464 int findusercount; 465 bool initialdontsend; 466 char *buf; 467 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 468 sortfn_t *sortfn; 469 470 p = NULL; 471 quoted = false; 472 insert = false; 473 findusercount = 0; 474 initialdontsend = QS_IS_DEAD(new->q_state); 475 e->e_to = new->q_paddr; 476 m = new->q_mailer; 477 errno = 0; 478 if (aliaslevel == 0) 479 new->q_flags |= QPRIMARY; 480 if (tTd(26, 1)) 481 { 482 sm_dprintf("\nrecipient (%d): ", aliaslevel); 483 printaddr(sm_debug_file(), new, false); 484 } 485 486 /* if this is primary, use it as original recipient */ 487 if (new->q_alias == NULL) 488 { 489 if (e->e_origrcpt == NULL) 490 e->e_origrcpt = new->q_paddr; 491 else if (e->e_origrcpt != new->q_paddr) 492 e->e_origrcpt = ""; 493 } 494 495 /* find parent recipient for finalrcpt and orcpt */ 496 for (q = new; q->q_alias != NULL; q = q->q_alias) 497 continue; 498 499 /* find final recipient DSN address */ 500 if (new->q_finalrcpt == NULL && 501 e->e_from.q_mailer != NULL) 502 { 503 char frbuf[MAXLINE]; 504 505 p = e->e_from.q_mailer->m_addrtype; 506 if (p == NULL) 507 p = "rfc822"; 508 if (sm_strcasecmp(p, "rfc822") != 0) 509 { 510 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 511 q->q_mailer->m_addrtype, 512 q->q_user); 513 } 514 else if (strchr(q->q_user, '@') != NULL) 515 { 516 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 517 p, q->q_user); 518 } 519 else if (strchr(q->q_paddr, '@') != NULL) 520 { 521 char *qp; 522 bool b; 523 524 qp = q->q_paddr; 525 526 /* strip brackets from address */ 527 b = false; 528 if (*qp == '<') 529 { 530 b = qp[strlen(qp) - 1] == '>'; 531 if (b) 532 qp[strlen(qp) - 1] = '\0'; 533 qp++; 534 } 535 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 536 p, qp); 537 538 /* undo damage */ 539 if (b) 540 qp[strlen(qp)] = '>'; 541 } 542 else 543 { 544 (void) sm_snprintf(frbuf, sizeof(frbuf), 545 "%s; %.700s@%.100s", 546 p, q->q_user, MyHostName); 547 } 548 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 549 } 550 551 #if _FFR_GEN_ORCPT 552 /* set ORCPT DSN arg if not already set */ 553 if (new->q_orcpt == NULL) 554 { 555 /* check for an existing ORCPT */ 556 if (q->q_orcpt != NULL) 557 new->q_orcpt = q->q_orcpt; 558 else 559 { 560 /* make our own */ 561 bool b = false; 562 char *qp; 563 char obuf[MAXLINE]; 564 565 if (e->e_from.q_mailer != NULL) 566 p = e->e_from.q_mailer->m_addrtype; 567 if (p == NULL) 568 p = "rfc822"; 569 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 570 571 qp = q->q_paddr; 572 573 /* FFR: Needs to strip comments from stdin addrs */ 574 575 /* strip brackets from address */ 576 if (*qp == '<') 577 { 578 b = qp[strlen(qp) - 1] == '>'; 579 if (b) 580 qp[strlen(qp) - 1] = '\0'; 581 qp++; 582 } 583 584 p = xtextify(denlstring(qp, true, false), "="); 585 586 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 587 { 588 /* if too big, don't use it */ 589 obuf[0] = '\0'; 590 } 591 592 /* undo damage */ 593 if (b) 594 qp[strlen(qp)] = '>'; 595 596 if (obuf[0] != '\0') 597 new->q_orcpt = 598 sm_rpool_strdup_x(e->e_rpool, obuf); 599 } 600 } 601 #endif /* _FFR_GEN_ORCPT */ 602 603 /* break aliasing loops */ 604 if (aliaslevel > MaxAliasRecursion) 605 { 606 new->q_state = QS_BADADDR; 607 new->q_status = "5.4.6"; 608 if (new->q_alias != NULL) 609 { 610 new->q_alias->q_state = QS_BADADDR; 611 new->q_alias->q_status = "5.4.6"; 612 } 613 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 614 { 615 sm_syslog(LOG_ERR, e->e_id, 616 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 617 FileName != NULL ? FileName : "", aliaslevel, 618 MaxAliasRecursion); 619 } 620 usrerrenh(new->q_status, 621 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 622 aliaslevel, MaxAliasRecursion); 623 return new; 624 } 625 626 /* 627 ** Finish setting up address structure. 628 */ 629 630 /* get unquoted user for file, program or user.name check */ 631 i = strlen(new->q_user); 632 if (i >= sizeof(buf0)) 633 { 634 buflen = i + 1; 635 buf = xalloc(buflen); 636 } 637 else 638 { 639 buf = buf0; 640 buflen = sizeof(buf0); 641 } 642 (void) sm_strlcpy(buf, new->q_user, buflen); 643 for (p = buf; *p != '\0' && !quoted; p++) 644 { 645 if (*p == '\\') 646 quoted = true; 647 } 648 stripquotes(buf); 649 650 /* check for direct mailing to restricted mailers */ 651 if (m == ProgMailer) 652 { 653 if (new->q_alias == NULL || UseMSP || 654 bitset(EF_UNSAFE, e->e_flags)) 655 { 656 new->q_state = QS_BADADDR; 657 new->q_status = "5.7.1"; 658 usrerrenh(new->q_status, 659 "550 Cannot mail directly to programs"); 660 } 661 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 662 { 663 new->q_state = QS_BADADDR; 664 new->q_status = "5.7.1"; 665 if (new->q_alias->q_ruser == NULL) 666 usrerrenh(new->q_status, 667 "550 UID %d is an unknown user: cannot mail to programs", 668 new->q_alias->q_uid); 669 else 670 usrerrenh(new->q_status, 671 "550 User %s@%s doesn't have a valid shell for mailing to programs", 672 new->q_alias->q_ruser, MyHostName); 673 } 674 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 675 { 676 new->q_state = QS_BADADDR; 677 new->q_status = "5.7.1"; 678 new->q_rstatus = "550 Unsafe for mailing to programs"; 679 usrerrenh(new->q_status, 680 "550 Address %s is unsafe for mailing to programs", 681 new->q_alias->q_paddr); 682 } 683 } 684 685 /* 686 ** Look up this person in the recipient list. 687 ** If they are there already, return, otherwise continue. 688 ** If the list is empty, just add it. Notice the cute 689 ** hack to make from addresses suppress things correctly: 690 ** the QS_DUPLICATE state will be set in the send list. 691 ** [Please note: the emphasis is on "hack."] 692 */ 693 694 prev = NULL; 695 696 /* 697 ** If this message is going to the queue or FastSplit is set 698 ** and it is the first try and the envelope hasn't split, then we 699 ** avoid doing an MX RR lookup now because one will be done when the 700 ** message is extracted from the queue later. It can go to the queue 701 ** because all messages are going to the queue or this mailer of 702 ** the current recipient is marked expensive. 703 */ 704 705 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 706 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 707 FastSplit > 0)) 708 sortfn = sorthost; 709 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 710 sortfn = sortexpensive; 711 else 712 sortfn = sortbysignature; 713 714 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 715 { 716 /* 717 ** If address is "less than" it should be inserted now. 718 ** If address is "greater than" current comparison it'll 719 ** insert later in the list; so loop again (if possible). 720 ** If address is "equal" (different equal than sameaddr() 721 ** call) then check if sameaddr() will be true. 722 ** Because this list is now sorted, it'll mean fewer 723 ** comparisons and fewer loops which is important for more 724 ** recipients. 725 */ 726 727 i = (*sortfn)(new, q); 728 if (i == 0) /* equal */ 729 { 730 /* 731 ** Sortbysignature() has said that the two have 732 ** equal MX RR's and the same user. Calling sameaddr() 733 ** now checks if the two hosts are as identical as the 734 ** MX RR's are (which might not be the case) 735 ** before saying these are the identical addresses. 736 */ 737 738 if (sameaddr(q, new) && 739 (bitset(QRCPTOK, q->q_flags) || 740 !bitset(QPRIMARY, q->q_flags))) 741 { 742 if (tTd(26, 1)) 743 { 744 sm_dprintf("%s in sendq: ", 745 new->q_paddr); 746 printaddr(sm_debug_file(), q, false); 747 } 748 if (!bitset(QPRIMARY, q->q_flags)) 749 { 750 if (!QS_IS_DEAD(new->q_state)) 751 message("duplicate suppressed"); 752 else 753 q->q_state = QS_DUPLICATE; 754 q->q_flags |= new->q_flags; 755 } 756 else if (bitset(QSELFREF, q->q_flags) 757 || q->q_state == QS_REMOVED) 758 { 759 /* 760 ** If an earlier milter removed the 761 ** address, a later one can still add 762 ** it back. 763 */ 764 765 q->q_state = new->q_state; 766 q->q_flags |= new->q_flags; 767 } 768 new = q; 769 goto done; 770 } 771 } 772 else if (i < 0) /* less than */ 773 { 774 insert = true; 775 break; 776 } 777 prev = pq; 778 } 779 780 /* pq should point to an address, never NULL */ 781 SM_ASSERT(pq != NULL); 782 783 /* add address on list */ 784 if (insert) 785 { 786 /* 787 ** insert before 'pq'. Only possible when at least 1 788 ** ADDRESS is in the list already. 789 */ 790 791 new->q_next = *pq; 792 if (prev == NULL) 793 *sendq = new; /* To be the first ADDRESS */ 794 else 795 (*prev)->q_next = new; 796 } 797 else 798 { 799 /* 800 ** Place in list at current 'pq' position. Possible 801 ** when there are 0 or more ADDRESS's in the list. 802 */ 803 804 new->q_next = NULL; 805 *pq = new; 806 } 807 808 /* added a new address: clear split flag */ 809 e->e_flags &= ~EF_SPLIT; 810 811 /* 812 ** Alias the name and handle special mailer types. 813 */ 814 815 trylocaluser: 816 if (tTd(29, 7)) 817 { 818 sm_dprintf("at trylocaluser: "); 819 printaddr(sm_debug_file(), new, false); 820 } 821 822 if (!QS_IS_OK(new->q_state)) 823 { 824 if (QS_IS_UNDELIVERED(new->q_state)) 825 e->e_nrcpts++; 826 goto testselfdestruct; 827 } 828 829 if (m == InclMailer) 830 { 831 new->q_state = QS_INCLUDED; 832 if (new->q_alias == NULL || UseMSP || 833 bitset(EF_UNSAFE, e->e_flags)) 834 { 835 new->q_state = QS_BADADDR; 836 new->q_status = "5.7.1"; 837 usrerrenh(new->q_status, 838 "550 Cannot mail directly to :include:s"); 839 } 840 else 841 { 842 int ret; 843 844 message("including file %s", new->q_user); 845 ret = include(new->q_user, false, new, 846 sendq, aliaslevel, e); 847 if (transienterror(ret)) 848 { 849 if (LogLevel > 2) 850 sm_syslog(LOG_ERR, e->e_id, 851 "include %s: transient error: %s", 852 shortenstring(new->q_user, 853 MAXSHORTSTR), 854 sm_errstring(ret)); 855 new->q_state = QS_QUEUEUP; 856 usrerr("451 4.2.4 Cannot open %s: %s", 857 shortenstring(new->q_user, 858 MAXSHORTSTR), 859 sm_errstring(ret)); 860 } 861 else if (ret != 0) 862 { 863 new->q_state = QS_BADADDR; 864 new->q_status = "5.2.4"; 865 usrerrenh(new->q_status, 866 "550 Cannot open %s: %s", 867 shortenstring(new->q_user, 868 MAXSHORTSTR), 869 sm_errstring(ret)); 870 } 871 } 872 } 873 else if (m == FileMailer) 874 { 875 /* check if allowed */ 876 if (new->q_alias == NULL || UseMSP || 877 bitset(EF_UNSAFE, e->e_flags)) 878 { 879 new->q_state = QS_BADADDR; 880 new->q_status = "5.7.1"; 881 usrerrenh(new->q_status, 882 "550 Cannot mail directly to files"); 883 } 884 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 885 { 886 new->q_state = QS_BADADDR; 887 new->q_status = "5.7.1"; 888 if (new->q_alias->q_ruser == NULL) 889 usrerrenh(new->q_status, 890 "550 UID %d is an unknown user: cannot mail to files", 891 new->q_alias->q_uid); 892 else 893 usrerrenh(new->q_status, 894 "550 User %s@%s doesn't have a valid shell for mailing to files", 895 new->q_alias->q_ruser, MyHostName); 896 } 897 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 898 { 899 new->q_state = QS_BADADDR; 900 new->q_status = "5.7.1"; 901 new->q_rstatus = "550 Unsafe for mailing to files"; 902 usrerrenh(new->q_status, 903 "550 Address %s is unsafe for mailing to files", 904 new->q_alias->q_paddr); 905 } 906 } 907 908 /* try aliasing */ 909 if (!quoted && QS_IS_OK(new->q_state) && 910 bitnset(M_ALIASABLE, m->m_flags)) 911 alias(new, sendq, aliaslevel, e); 912 913 #if USERDB 914 /* if not aliased, look it up in the user database */ 915 if (!bitset(QNOTREMOTE, new->q_flags) && 916 QS_IS_SENDABLE(new->q_state) && 917 bitnset(M_CHECKUDB, m->m_flags)) 918 { 919 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 920 { 921 new->q_state = QS_QUEUEUP; 922 if (e->e_message == NULL) 923 e->e_message = sm_rpool_strdup_x(e->e_rpool, 924 "Deferred: user database error"); 925 if (new->q_message == NULL) 926 new->q_message = "Deferred: user database error"; 927 if (LogLevel > 8) 928 sm_syslog(LOG_INFO, e->e_id, 929 "deferred: udbexpand: %s", 930 sm_errstring(errno)); 931 message("queued (user database error): %s", 932 sm_errstring(errno)); 933 e->e_nrcpts++; 934 goto testselfdestruct; 935 } 936 } 937 #endif /* USERDB */ 938 939 /* 940 ** If we have a level two config file, then pass the name through 941 ** Ruleset 5 before sending it off. Ruleset 5 has the right 942 ** to rewrite it to another mailer. This gives us a hook 943 ** after local aliasing has been done. 944 */ 945 946 if (tTd(29, 5)) 947 { 948 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 949 ConfigLevel, RewriteRules[5]); 950 printaddr(sm_debug_file(), new, false); 951 } 952 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 953 bitnset(M_TRYRULESET5, m->m_flags) && 954 !bitset(QNOTREMOTE, new->q_flags) && 955 QS_IS_OK(new->q_state)) 956 { 957 maplocaluser(new, sendq, aliaslevel + 1, e); 958 } 959 960 /* 961 ** If it didn't get rewritten to another mailer, go ahead 962 ** and deliver it. 963 */ 964 965 if (QS_IS_OK(new->q_state) && 966 bitnset(M_HASPWENT, m->m_flags)) 967 { 968 auto bool fuzzy; 969 SM_MBDB_T user; 970 int status; 971 972 /* warning -- finduser may trash buf */ 973 status = finduser(buf, &fuzzy, &user); 974 switch (status) 975 { 976 case EX_TEMPFAIL: 977 new->q_state = QS_QUEUEUP; 978 new->q_status = "4.5.2"; 979 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 980 new->q_alias, (time_t) 0, e, new); 981 break; 982 default: 983 new->q_state = QS_BADADDR; 984 new->q_status = "5.1.1"; 985 new->q_rstatus = "550 5.1.1 User unknown"; 986 giveresponse(EX_NOUSER, new->q_status, m, NULL, 987 new->q_alias, (time_t) 0, e, new); 988 break; 989 case EX_OK: 990 if (fuzzy) 991 { 992 /* name was a fuzzy match */ 993 new->q_user = sm_rpool_strdup_x(e->e_rpool, 994 user.mbdb_name); 995 if (findusercount++ > 3) 996 { 997 new->q_state = QS_BADADDR; 998 new->q_status = "5.4.6"; 999 usrerrenh(new->q_status, 1000 "554 aliasing/forwarding loop for %s broken", 1001 user.mbdb_name); 1002 goto done; 1003 } 1004 1005 /* see if it aliases */ 1006 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1007 goto trylocaluser; 1008 } 1009 if (*user.mbdb_homedir == '\0') 1010 new->q_home = NULL; 1011 else if (strcmp(user.mbdb_homedir, "/") == 0) 1012 new->q_home = ""; 1013 else 1014 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1015 user.mbdb_homedir); 1016 if (user.mbdb_uid != SM_NO_UID) 1017 { 1018 new->q_uid = user.mbdb_uid; 1019 new->q_gid = user.mbdb_gid; 1020 new->q_flags |= QGOODUID; 1021 } 1022 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1023 user.mbdb_name); 1024 if (user.mbdb_fullname[0] != '\0') 1025 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1026 user.mbdb_fullname); 1027 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1028 { 1029 new->q_flags |= QBOGUSSHELL; 1030 } 1031 if (bitset(EF_VRFYONLY, e->e_flags)) 1032 { 1033 /* don't do any more now */ 1034 new->q_state = QS_VERIFIED; 1035 } 1036 else if (!quoted) 1037 forward(new, sendq, aliaslevel, e); 1038 } 1039 } 1040 if (!QS_IS_DEAD(new->q_state)) 1041 e->e_nrcpts++; 1042 1043 testselfdestruct: 1044 new->q_flags |= QTHISPASS; 1045 if (tTd(26, 8)) 1046 { 1047 sm_dprintf("testselfdestruct: "); 1048 printaddr(sm_debug_file(), new, false); 1049 if (tTd(26, 10)) 1050 { 1051 sm_dprintf("SENDQ:\n"); 1052 printaddr(sm_debug_file(), *sendq, true); 1053 sm_dprintf("----\n"); 1054 } 1055 } 1056 if (new->q_alias == NULL && new != &e->e_from && 1057 QS_IS_DEAD(new->q_state)) 1058 { 1059 for (q = *sendq; q != NULL; q = q->q_next) 1060 { 1061 if (!QS_IS_DEAD(q->q_state)) 1062 break; 1063 } 1064 if (q == NULL) 1065 { 1066 new->q_state = QS_BADADDR; 1067 new->q_status = "5.4.6"; 1068 usrerrenh(new->q_status, 1069 "554 aliasing/forwarding loop broken"); 1070 } 1071 } 1072 1073 done: 1074 new->q_flags |= QTHISPASS; 1075 if (buf != buf0) 1076 sm_free(buf); /* XXX leak if above code raises exception */ 1077 1078 /* 1079 ** If we are at the top level, check to see if this has 1080 ** expanded to exactly one address. If so, it can inherit 1081 ** the primaryness of the address. 1082 ** 1083 ** While we're at it, clear the QTHISPASS bits. 1084 */ 1085 1086 if (aliaslevel == 0) 1087 { 1088 int nrcpts = 0; 1089 ADDRESS *only = NULL; 1090 1091 for (q = *sendq; q != NULL; q = q->q_next) 1092 { 1093 if (bitset(QTHISPASS, q->q_flags) && 1094 QS_IS_SENDABLE(q->q_state)) 1095 { 1096 nrcpts++; 1097 only = q; 1098 } 1099 q->q_flags &= ~QTHISPASS; 1100 } 1101 if (nrcpts == 1) 1102 { 1103 /* check to see if this actually got a new owner */ 1104 q = only; 1105 while ((q = q->q_alias) != NULL) 1106 { 1107 if (q->q_owner != NULL) 1108 break; 1109 } 1110 if (q == NULL) 1111 only->q_flags |= QPRIMARY; 1112 } 1113 else if (!initialdontsend && nrcpts > 0) 1114 { 1115 /* arrange for return receipt */ 1116 e->e_flags |= EF_SENDRECEIPT; 1117 new->q_flags |= QEXPANDED; 1118 if (e->e_xfp != NULL && 1119 bitset(QPINGONSUCCESS, new->q_flags)) 1120 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1121 "%s... expanded to multiple addresses\n", 1122 new->q_paddr); 1123 } 1124 } 1125 new->q_flags |= QRCPTOK; 1126 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1127 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1128 return new; 1129 } 1130 1131 /* 1132 ** FINDUSER -- find the password entry for a user. 1133 ** 1134 ** This looks a lot like getpwnam, except that it may want to 1135 ** do some fancier pattern matching in /etc/passwd. 1136 ** 1137 ** This routine contains most of the time of many sendmail runs. 1138 ** It deserves to be optimized. 1139 ** 1140 ** Parameters: 1141 ** name -- the name to match against. 1142 ** fuzzyp -- an outarg that is set to true if this entry 1143 ** was found using the fuzzy matching algorithm; 1144 ** set to false otherwise. 1145 ** user -- structure to fill in if user is found 1146 ** 1147 ** Returns: 1148 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1149 ** If the user was not found, return EX_NOUSER. 1150 ** On error, return EX_TEMPFAIL or EX_OSERR. 1151 ** 1152 ** Side Effects: 1153 ** may modify name. 1154 */ 1155 1156 int 1157 finduser(name, fuzzyp, user) 1158 char *name; 1159 bool *fuzzyp; 1160 SM_MBDB_T *user; 1161 { 1162 #if MATCHGECOS 1163 register struct passwd *pw; 1164 #endif /* MATCHGECOS */ 1165 register char *p; 1166 bool tryagain; 1167 int status; 1168 1169 if (tTd(29, 4)) 1170 sm_dprintf("finduser(%s): ", name); 1171 1172 *fuzzyp = false; 1173 1174 #if HESIOD 1175 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1176 for (p = name; *p != '\0'; p++) 1177 if (!isascii(*p) || !isdigit(*p)) 1178 break; 1179 if (*p == '\0') 1180 { 1181 if (tTd(29, 4)) 1182 sm_dprintf("failed (numeric input)\n"); 1183 return EX_NOUSER; 1184 } 1185 #endif /* HESIOD */ 1186 1187 /* look up this login name using fast path */ 1188 status = sm_mbdb_lookup(name, user); 1189 if (status != EX_NOUSER) 1190 { 1191 if (tTd(29, 4)) 1192 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1193 return status; 1194 } 1195 1196 /* try mapping it to lower case */ 1197 tryagain = false; 1198 for (p = name; *p != '\0'; p++) 1199 { 1200 if (isascii(*p) && isupper(*p)) 1201 { 1202 *p = tolower(*p); 1203 tryagain = true; 1204 } 1205 } 1206 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1207 { 1208 if (tTd(29, 4)) 1209 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1210 *fuzzyp = true; 1211 return status; 1212 } 1213 1214 #if MATCHGECOS 1215 /* see if fuzzy matching allowed */ 1216 if (!MatchGecos) 1217 { 1218 if (tTd(29, 4)) 1219 sm_dprintf("not found (fuzzy disabled)\n"); 1220 return EX_NOUSER; 1221 } 1222 1223 /* search for a matching full name instead */ 1224 for (p = name; *p != '\0'; p++) 1225 { 1226 if (*p == (SpaceSub & 0177) || *p == '_') 1227 *p = ' '; 1228 } 1229 (void) setpwent(); 1230 while ((pw = getpwent()) != NULL) 1231 { 1232 char buf[MAXNAME + 1]; 1233 1234 # if 0 1235 if (sm_strcasecmp(pw->pw_name, name) == 0) 1236 { 1237 if (tTd(29, 4)) 1238 sm_dprintf("found (case wrapped)\n"); 1239 break; 1240 } 1241 # endif /* 0 */ 1242 1243 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1244 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1245 { 1246 if (tTd(29, 4)) 1247 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1248 message("sending to login name %s", pw->pw_name); 1249 break; 1250 } 1251 } 1252 if (pw != NULL) 1253 *fuzzyp = true; 1254 else if (tTd(29, 4)) 1255 sm_dprintf("no fuzzy match found\n"); 1256 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1257 endpwent(); 1258 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1259 if (pw == NULL) 1260 return EX_NOUSER; 1261 sm_mbdb_frompw(user, pw); 1262 return EX_OK; 1263 #else /* MATCHGECOS */ 1264 if (tTd(29, 4)) 1265 sm_dprintf("not found (fuzzy disabled)\n"); 1266 return EX_NOUSER; 1267 #endif /* MATCHGECOS */ 1268 } 1269 1270 /* 1271 ** WRITABLE -- predicate returning if the file is writable. 1272 ** 1273 ** This routine must duplicate the algorithm in sys/fio.c. 1274 ** Unfortunately, we cannot use the access call since we 1275 ** won't necessarily be the real uid when we try to 1276 ** actually open the file. 1277 ** 1278 ** Notice that ANY file with ANY execute bit is automatically 1279 ** not writable. This is also enforced by mailfile. 1280 ** 1281 ** Parameters: 1282 ** filename -- the file name to check. 1283 ** ctladdr -- the controlling address for this file. 1284 ** flags -- SFF_* flags to control the function. 1285 ** 1286 ** Returns: 1287 ** true -- if we will be able to write this file. 1288 ** false -- if we cannot write this file. 1289 ** 1290 ** Side Effects: 1291 ** none. 1292 */ 1293 1294 bool 1295 writable(filename, ctladdr, flags) 1296 char *filename; 1297 ADDRESS *ctladdr; 1298 long flags; 1299 { 1300 uid_t euid = 0; 1301 gid_t egid = 0; 1302 char *user = NULL; 1303 1304 if (tTd(44, 5)) 1305 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1306 1307 /* 1308 ** File does exist -- check that it is writable. 1309 */ 1310 1311 if (geteuid() != 0) 1312 { 1313 euid = geteuid(); 1314 egid = getegid(); 1315 user = NULL; 1316 } 1317 else if (ctladdr != NULL) 1318 { 1319 euid = ctladdr->q_uid; 1320 egid = ctladdr->q_gid; 1321 user = ctladdr->q_user; 1322 } 1323 else if (bitset(SFF_RUNASREALUID, flags)) 1324 { 1325 euid = RealUid; 1326 egid = RealGid; 1327 user = RealUserName; 1328 } 1329 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1330 { 1331 if (FileMailer->m_uid == NO_UID) 1332 { 1333 euid = DefUid; 1334 user = DefUser; 1335 } 1336 else 1337 { 1338 euid = FileMailer->m_uid; 1339 user = NULL; 1340 } 1341 if (FileMailer->m_gid == NO_GID) 1342 egid = DefGid; 1343 else 1344 egid = FileMailer->m_gid; 1345 } 1346 else 1347 { 1348 euid = egid = 0; 1349 user = NULL; 1350 } 1351 if (!bitset(SFF_ROOTOK, flags)) 1352 { 1353 if (euid == 0) 1354 { 1355 euid = DefUid; 1356 user = DefUser; 1357 } 1358 if (egid == 0) 1359 egid = DefGid; 1360 } 1361 if (geteuid() == 0 && 1362 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1363 flags |= SFF_SETUIDOK; 1364 1365 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1366 flags |= SFF_NOSLINK; 1367 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1368 flags |= SFF_NOHLINK; 1369 1370 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1371 return errno == 0; 1372 } 1373 1374 /* 1375 ** INCLUDE -- handle :include: specification. 1376 ** 1377 ** Parameters: 1378 ** fname -- filename to include. 1379 ** forwarding -- if true, we are reading a .forward file. 1380 ** if false, it's a :include: file. 1381 ** ctladdr -- address template to use to fill in these 1382 ** addresses -- effective user/group id are 1383 ** the important things. 1384 ** sendq -- a pointer to the head of the send queue 1385 ** to put these addresses in. 1386 ** aliaslevel -- the alias nesting depth. 1387 ** e -- the current envelope. 1388 ** 1389 ** Returns: 1390 ** open error status 1391 ** 1392 ** Side Effects: 1393 ** reads the :include: file and sends to everyone 1394 ** listed in that file. 1395 ** 1396 ** Security Note: 1397 ** If you have restricted chown (that is, you can't 1398 ** give a file away), it is reasonable to allow programs 1399 ** and files called from this :include: file to be to be 1400 ** run as the owner of the :include: file. This is bogus 1401 ** if there is any chance of someone giving away a file. 1402 ** We assume that pre-POSIX systems can give away files. 1403 ** 1404 ** There is an additional restriction that if you 1405 ** forward to a :include: file, it will not take on 1406 ** the ownership of the :include: file. This may not 1407 ** be necessary, but shouldn't hurt. 1408 */ 1409 1410 static jmp_buf CtxIncludeTimeout; 1411 1412 int 1413 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1414 char *fname; 1415 bool forwarding; 1416 ADDRESS *ctladdr; 1417 ADDRESS **sendq; 1418 int aliaslevel; 1419 ENVELOPE *e; 1420 { 1421 SM_FILE_T *volatile fp = NULL; 1422 char *oldto = e->e_to; 1423 char *oldfilename = FileName; 1424 int oldlinenumber = LineNumber; 1425 register SM_EVENT *ev = NULL; 1426 int nincludes; 1427 int mode; 1428 volatile bool maxreached = false; 1429 register ADDRESS *ca; 1430 volatile uid_t saveduid; 1431 volatile gid_t savedgid; 1432 volatile uid_t uid; 1433 volatile gid_t gid; 1434 char *volatile user; 1435 int rval = 0; 1436 volatile long sfflags = SFF_REGONLY; 1437 register char *p; 1438 bool safechown = false; 1439 volatile bool safedir = false; 1440 struct stat st; 1441 char buf[MAXLINE]; 1442 1443 if (tTd(27, 2)) 1444 sm_dprintf("include(%s)\n", fname); 1445 if (tTd(27, 4)) 1446 sm_dprintf(" ruid=%d euid=%d\n", 1447 (int) getuid(), (int) geteuid()); 1448 if (tTd(27, 14)) 1449 { 1450 sm_dprintf("ctladdr "); 1451 printaddr(sm_debug_file(), ctladdr, false); 1452 } 1453 1454 if (tTd(27, 9)) 1455 sm_dprintf("include: old uid = %d/%d\n", 1456 (int) getuid(), (int) geteuid()); 1457 1458 if (forwarding) 1459 { 1460 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1461 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1462 sfflags |= SFF_NOGWFILES; 1463 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1464 sfflags |= SFF_NOWWFILES; 1465 } 1466 else 1467 { 1468 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1469 sfflags |= SFF_NOGWFILES; 1470 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1471 sfflags |= SFF_NOWWFILES; 1472 } 1473 1474 /* 1475 ** If RunAsUser set, won't be able to run programs as user 1476 ** so mark them as unsafe unless the administrator knows better. 1477 */ 1478 1479 if ((geteuid() != 0 || RunAsUid != 0) && 1480 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1481 { 1482 if (tTd(27, 4)) 1483 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1484 (int) geteuid(), (int) RunAsUid); 1485 ctladdr->q_flags |= QUNSAFEADDR; 1486 } 1487 1488 ca = getctladdr(ctladdr); 1489 if (ca == NULL || 1490 (ca->q_uid == DefUid && ca->q_gid == 0)) 1491 { 1492 uid = DefUid; 1493 gid = DefGid; 1494 user = DefUser; 1495 } 1496 else 1497 { 1498 uid = ca->q_uid; 1499 gid = ca->q_gid; 1500 user = ca->q_user; 1501 } 1502 #if MAILER_SETUID_METHOD != USE_SETUID 1503 saveduid = geteuid(); 1504 savedgid = getegid(); 1505 if (saveduid == 0) 1506 { 1507 if (!DontInitGroups) 1508 { 1509 if (initgroups(user, gid) == -1) 1510 { 1511 rval = EAGAIN; 1512 syserr("include: initgroups(%s, %d) failed", 1513 user, gid); 1514 goto resetuid; 1515 } 1516 } 1517 else 1518 { 1519 GIDSET_T gidset[1]; 1520 1521 gidset[0] = gid; 1522 if (setgroups(1, gidset) == -1) 1523 { 1524 rval = EAGAIN; 1525 syserr("include: setgroups() failed"); 1526 goto resetuid; 1527 } 1528 } 1529 1530 if (gid != 0 && setgid(gid) < -1) 1531 { 1532 rval = EAGAIN; 1533 syserr("setgid(%d) failure", gid); 1534 goto resetuid; 1535 } 1536 if (uid != 0) 1537 { 1538 # if MAILER_SETUID_METHOD == USE_SETEUID 1539 if (seteuid(uid) < 0) 1540 { 1541 rval = EAGAIN; 1542 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1543 uid, (int) getuid(), (int) geteuid()); 1544 goto resetuid; 1545 } 1546 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1547 # if MAILER_SETUID_METHOD == USE_SETREUID 1548 if (setreuid(0, uid) < 0) 1549 { 1550 rval = EAGAIN; 1551 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1552 uid, (int) getuid(), (int) geteuid()); 1553 goto resetuid; 1554 } 1555 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1556 } 1557 } 1558 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1559 1560 if (tTd(27, 9)) 1561 sm_dprintf("include: new uid = %d/%d\n", 1562 (int) getuid(), (int) geteuid()); 1563 1564 /* 1565 ** If home directory is remote mounted but server is down, 1566 ** this can hang or give errors; use a timeout to avoid this 1567 */ 1568 1569 if (setjmp(CtxIncludeTimeout) != 0) 1570 { 1571 ctladdr->q_state = QS_QUEUEUP; 1572 errno = 0; 1573 1574 /* return pseudo-error code */ 1575 rval = E_SM_OPENTIMEOUT; 1576 goto resetuid; 1577 } 1578 if (TimeOuts.to_fileopen > 0) 1579 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1580 else 1581 ev = NULL; 1582 1583 1584 /* check for writable parent directory */ 1585 p = strrchr(fname, '/'); 1586 if (p != NULL) 1587 { 1588 int ret; 1589 1590 *p = '\0'; 1591 ret = safedirpath(fname, uid, gid, user, 1592 sfflags|SFF_SAFEDIRPATH, 0, 0); 1593 if (ret == 0) 1594 { 1595 /* in safe directory: relax chown & link rules */ 1596 safedir = true; 1597 sfflags |= SFF_NOPATHCHECK; 1598 } 1599 else 1600 { 1601 if (bitnset((forwarding ? 1602 DBS_FORWARDFILEINUNSAFEDIRPATH : 1603 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1604 DontBlameSendmail)) 1605 sfflags |= SFF_NOPATHCHECK; 1606 else if (bitnset((forwarding ? 1607 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1608 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1609 DontBlameSendmail) && 1610 ret == E_SM_GWDIR) 1611 { 1612 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1613 DontBlameSendmail); 1614 ret = safedirpath(fname, uid, gid, user, 1615 sfflags|SFF_SAFEDIRPATH, 1616 0, 0); 1617 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1618 DontBlameSendmail); 1619 if (ret == 0) 1620 sfflags |= SFF_NOPATHCHECK; 1621 else 1622 sfflags |= SFF_SAFEDIRPATH; 1623 } 1624 else 1625 sfflags |= SFF_SAFEDIRPATH; 1626 if (ret > E_PSEUDOBASE && 1627 !bitnset((forwarding ? 1628 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1629 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1630 DontBlameSendmail)) 1631 { 1632 if (LogLevel > 11) 1633 sm_syslog(LOG_INFO, e->e_id, 1634 "%s: unsafe directory path, marked unsafe", 1635 shortenstring(fname, MAXSHORTSTR)); 1636 ctladdr->q_flags |= QUNSAFEADDR; 1637 } 1638 } 1639 *p = '/'; 1640 } 1641 1642 /* allow links only in unwritable directories */ 1643 if (!safedir && 1644 !bitnset((forwarding ? 1645 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1646 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1647 DontBlameSendmail)) 1648 sfflags |= SFF_NOLINK; 1649 1650 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1651 if (rval != 0) 1652 { 1653 /* don't use this :include: file */ 1654 if (tTd(27, 4)) 1655 sm_dprintf("include: not safe (uid=%d): %s\n", 1656 (int) uid, sm_errstring(rval)); 1657 } 1658 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1659 SM_IO_RDONLY, NULL)) == NULL) 1660 { 1661 rval = errno; 1662 if (tTd(27, 4)) 1663 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1664 } 1665 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1666 { 1667 rval = E_SM_FILECHANGE; 1668 if (tTd(27, 4)) 1669 sm_dprintf("include: file changed after open\n"); 1670 } 1671 if (ev != NULL) 1672 sm_clrevent(ev); 1673 1674 resetuid: 1675 1676 #if HASSETREUID || USESETEUID 1677 if (saveduid == 0) 1678 { 1679 if (uid != 0) 1680 { 1681 # if USESETEUID 1682 if (seteuid(0) < 0) 1683 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1684 (int) getuid(), (int) geteuid()); 1685 # else /* USESETEUID */ 1686 if (setreuid(-1, 0) < 0) 1687 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1688 (int) getuid(), (int) geteuid()); 1689 if (setreuid(RealUid, 0) < 0) 1690 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1691 (int) RealUid, (int) getuid(), 1692 (int) geteuid()); 1693 # endif /* USESETEUID */ 1694 } 1695 if (setgid(savedgid) < 0) 1696 syserr("!setgid(%d) failure (real=%d eff=%d)", 1697 (int) savedgid, (int) getgid(), 1698 (int) getegid()); 1699 } 1700 #endif /* HASSETREUID || USESETEUID */ 1701 1702 if (tTd(27, 9)) 1703 sm_dprintf("include: reset uid = %d/%d\n", 1704 (int) getuid(), (int) geteuid()); 1705 1706 if (rval == E_SM_OPENTIMEOUT) 1707 usrerr("451 4.4.1 open timeout on %s", fname); 1708 1709 if (fp == NULL) 1710 return rval; 1711 1712 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1713 { 1714 rval = errno; 1715 syserr("Cannot fstat %s!", fname); 1716 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1717 return rval; 1718 } 1719 1720 /* if path was writable, check to avoid file giveaway tricks */ 1721 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1722 if (tTd(27, 6)) 1723 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1724 fname, safedir ? "safe" : "dangerous", 1725 safechown ? "" : "un"); 1726 1727 /* if no controlling user or coming from an alias delivery */ 1728 if (safechown && 1729 (ca == NULL || 1730 (ca->q_uid == DefUid && ca->q_gid == 0))) 1731 { 1732 ctladdr->q_uid = st.st_uid; 1733 ctladdr->q_gid = st.st_gid; 1734 ctladdr->q_flags |= QGOODUID; 1735 } 1736 if (ca != NULL && ca->q_uid == st.st_uid) 1737 { 1738 /* optimization -- avoid getpwuid if we already have info */ 1739 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1740 ctladdr->q_ruser = ca->q_ruser; 1741 } 1742 else if (!forwarding) 1743 { 1744 register struct passwd *pw; 1745 1746 pw = sm_getpwuid(st.st_uid); 1747 if (pw == NULL) 1748 { 1749 ctladdr->q_uid = st.st_uid; 1750 ctladdr->q_flags |= QBOGUSSHELL; 1751 } 1752 else 1753 { 1754 char *sh; 1755 1756 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1757 pw->pw_name); 1758 if (safechown) 1759 sh = pw->pw_shell; 1760 else 1761 sh = "/SENDMAIL/ANY/SHELL/"; 1762 if (!usershellok(pw->pw_name, sh)) 1763 { 1764 if (LogLevel > 11) 1765 sm_syslog(LOG_INFO, e->e_id, 1766 "%s: user %s has bad shell %s, marked %s", 1767 shortenstring(fname, 1768 MAXSHORTSTR), 1769 pw->pw_name, sh, 1770 safechown ? "bogus" : "unsafe"); 1771 if (safechown) 1772 ctladdr->q_flags |= QBOGUSSHELL; 1773 else 1774 ctladdr->q_flags |= QUNSAFEADDR; 1775 } 1776 } 1777 } 1778 1779 if (bitset(EF_VRFYONLY, e->e_flags)) 1780 { 1781 /* don't do any more now */ 1782 ctladdr->q_state = QS_VERIFIED; 1783 e->e_nrcpts++; 1784 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1785 return rval; 1786 } 1787 1788 /* 1789 ** Check to see if some bad guy can write this file 1790 ** 1791 ** Group write checking could be more clever, e.g., 1792 ** guessing as to which groups are actually safe ("sys" 1793 ** may be; "user" probably is not). 1794 */ 1795 1796 mode = S_IWOTH; 1797 if (!bitnset((forwarding ? 1798 DBS_GROUPWRITABLEFORWARDFILESAFE : 1799 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1800 DontBlameSendmail)) 1801 mode |= S_IWGRP; 1802 1803 if (bitset(mode, st.st_mode)) 1804 { 1805 if (tTd(27, 6)) 1806 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1807 shortenstring(fname, MAXSHORTSTR), 1808 bitset(S_IWOTH, st.st_mode) ? "world" 1809 : "group"); 1810 if (LogLevel > 11) 1811 sm_syslog(LOG_INFO, e->e_id, 1812 "%s: %s writable %s file, marked unsafe", 1813 shortenstring(fname, MAXSHORTSTR), 1814 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1815 forwarding ? "forward" : ":include:"); 1816 ctladdr->q_flags |= QUNSAFEADDR; 1817 } 1818 1819 /* read the file -- each line is a comma-separated list. */ 1820 FileName = fname; 1821 LineNumber = 0; 1822 ctladdr->q_flags &= ~QSELFREF; 1823 nincludes = 0; 1824 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL && 1825 !maxreached) 1826 { 1827 fixcrlf(buf, true); 1828 LineNumber++; 1829 if (buf[0] == '#' || buf[0] == '\0') 1830 continue; 1831 1832 /* <sp>#@# introduces a comment anywhere */ 1833 /* for Japanese character sets */ 1834 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1835 { 1836 if (p[1] == '@' && p[2] == '#' && 1837 isascii(p[-1]) && isspace(p[-1]) && 1838 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1839 { 1840 --p; 1841 while (p > buf && isascii(p[-1]) && 1842 isspace(p[-1])) 1843 --p; 1844 p[0] = '\0'; 1845 break; 1846 } 1847 } 1848 if (buf[0] == '\0') 1849 continue; 1850 1851 e->e_to = NULL; 1852 message("%s to %s", 1853 forwarding ? "forwarding" : "sending", buf); 1854 if (forwarding && LogLevel > 10) 1855 sm_syslog(LOG_INFO, e->e_id, 1856 "forward %.200s => %s", 1857 oldto, shortenstring(buf, MAXSHORTSTR)); 1858 1859 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1860 1861 if (forwarding && 1862 MaxForwardEntries > 0 && 1863 nincludes >= MaxForwardEntries) 1864 { 1865 /* just stop reading and processing further entries */ 1866 #if 0 1867 /* additional: (?) */ 1868 ctladdr->q_state = QS_DONTSEND; 1869 #endif /* 0 */ 1870 1871 syserr("Attempt to forward to more than %d addresses (in %s)!", 1872 MaxForwardEntries, fname); 1873 maxreached = true; 1874 } 1875 } 1876 1877 if (sm_io_error(fp) && tTd(27, 3)) 1878 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1879 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1880 { 1881 if (tTd(27, 5)) 1882 { 1883 sm_dprintf("include: QS_DONTSEND "); 1884 printaddr(sm_debug_file(), ctladdr, false); 1885 } 1886 ctladdr->q_state = QS_DONTSEND; 1887 } 1888 1889 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1890 FileName = oldfilename; 1891 LineNumber = oldlinenumber; 1892 e->e_to = oldto; 1893 return rval; 1894 } 1895 1896 static void 1897 includetimeout(ignore) 1898 int ignore; 1899 { 1900 /* 1901 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1902 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1903 ** DOING. 1904 */ 1905 1906 errno = ETIMEDOUT; 1907 longjmp(CtxIncludeTimeout, 1); 1908 } 1909 1910 /* 1911 ** SENDTOARGV -- send to an argument vector. 1912 ** 1913 ** Parameters: 1914 ** argv -- argument vector to send to. 1915 ** e -- the current envelope. 1916 ** 1917 ** Returns: 1918 ** none. 1919 ** 1920 ** Side Effects: 1921 ** puts all addresses on the argument vector onto the 1922 ** send queue. 1923 */ 1924 1925 void 1926 sendtoargv(argv, e) 1927 register char **argv; 1928 register ENVELOPE *e; 1929 { 1930 register char *p; 1931 1932 while ((p = *argv++) != NULL) 1933 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1934 } 1935 1936 /* 1937 ** GETCTLADDR -- get controlling address from an address header. 1938 ** 1939 ** If none, get one corresponding to the effective userid. 1940 ** 1941 ** Parameters: 1942 ** a -- the address to find the controller of. 1943 ** 1944 ** Returns: 1945 ** the controlling address. 1946 */ 1947 1948 ADDRESS * 1949 getctladdr(a) 1950 register ADDRESS *a; 1951 { 1952 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1953 a = a->q_alias; 1954 return a; 1955 } 1956 1957 /* 1958 ** SELF_REFERENCE -- check to see if an address references itself 1959 ** 1960 ** The check is done through a chain of aliases. If it is part of 1961 ** a loop, break the loop at the "best" address, that is, the one 1962 ** that exists as a real user. 1963 ** 1964 ** This is to handle the case of: 1965 ** awc: Andrew.Chang 1966 ** Andrew.Chang: awc@mail.server 1967 ** which is a problem only on mail.server. 1968 ** 1969 ** Parameters: 1970 ** a -- the address to check. 1971 ** 1972 ** Returns: 1973 ** The address that should be retained. 1974 */ 1975 1976 static ADDRESS * 1977 self_reference(a) 1978 ADDRESS *a; 1979 { 1980 ADDRESS *b; /* top entry in self ref loop */ 1981 ADDRESS *c; /* entry that point to a real mail box */ 1982 1983 if (tTd(27, 1)) 1984 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1985 1986 for (b = a->q_alias; b != NULL; b = b->q_alias) 1987 { 1988 if (sameaddr(a, b)) 1989 break; 1990 } 1991 1992 if (b == NULL) 1993 { 1994 if (tTd(27, 1)) 1995 sm_dprintf("\t... no self ref\n"); 1996 return NULL; 1997 } 1998 1999 /* 2000 ** Pick the first address that resolved to a real mail box 2001 ** i.e has a mbdb entry. The returned value will be marked 2002 ** QSELFREF in recipient(), which in turn will disable alias() 2003 ** from marking it as QS_IS_DEAD(), which mean it will be used 2004 ** as a deliverable address. 2005 ** 2006 ** The 2 key thing to note here are: 2007 ** 1) we are in a recursive call sequence: 2008 ** alias->sendtolist->recipient->alias 2009 ** 2) normally, when we return back to alias(), the address 2010 ** will be marked QS_EXPANDED, since alias() assumes the 2011 ** expanded form will be used instead of the current address. 2012 ** This behaviour is turned off if the address is marked 2013 ** QSELFREF. We set QSELFREF when we return to recipient(). 2014 */ 2015 2016 c = a; 2017 while (c != NULL) 2018 { 2019 if (tTd(27, 10)) 2020 sm_dprintf(" %s", c->q_user); 2021 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2022 { 2023 SM_MBDB_T user; 2024 2025 if (tTd(27, 2)) 2026 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2027 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2028 { 2029 if (tTd(27, 2)) 2030 sm_dprintf("found\n"); 2031 2032 /* ought to cache results here */ 2033 if (sameaddr(b, c)) 2034 return b; 2035 else 2036 return c; 2037 } 2038 if (tTd(27, 2)) 2039 sm_dprintf("failed\n"); 2040 } 2041 else 2042 { 2043 /* if local delivery, compare usernames */ 2044 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2045 b->q_mailer == c->q_mailer) 2046 { 2047 if (tTd(27, 2)) 2048 sm_dprintf("\t... local match (%s)\n", 2049 c->q_user); 2050 if (sameaddr(b, c)) 2051 return b; 2052 else 2053 return c; 2054 } 2055 } 2056 if (tTd(27, 10)) 2057 sm_dprintf("\n"); 2058 c = c->q_alias; 2059 } 2060 2061 if (tTd(27, 1)) 2062 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2063 2064 return NULL; 2065 } 2066