1 /* 2 * Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #pragma ident "%Z%%M% %I% %E% SMI" 15 16 #include <sendmail.h> 17 18 SM_RCSID("@(#)$Id: recipient.c,v 8.337 2004/08/03 19:57:23 ca Exp $") 19 20 static void includetimeout __P((int)); 21 static ADDRESS *self_reference __P((ADDRESS *)); 22 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 23 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 24 static int sorthost __P((ADDRESS *, ADDRESS *)); 25 26 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 27 28 /* 29 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 30 ** 31 ** Parameters: 32 ** xx -- first ADDRESS 33 ** yy -- second ADDRESS 34 ** 35 ** Returns: 36 ** <0 when xx->q_host is less than yy->q_host 37 ** >0 when xx->q_host is greater than yy->q_host 38 ** 0 when equal 39 */ 40 41 static int 42 sorthost(xx, yy) 43 register ADDRESS *xx; 44 register ADDRESS *yy; 45 { 46 #if _FFR_HOST_SORT_REVERSE 47 /* XXX maybe compare hostnames from the end? */ 48 return sm_strrevcasecmp(xx->q_host, yy->q_host); 49 #else /* _FFR_HOST_SORT_REVERSE */ 50 return sm_strcasecmp(xx->q_host, yy->q_host); 51 #endif /* _FFR_HOST_SORT_REVERSE */ 52 } 53 54 /* 55 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 56 ** 57 ** The mailer has been noted already as "expensive" for 'xx'. This 58 ** will give a result relative to 'yy'. Expensive mailers get rated 59 ** "greater than" non-expensive mailers because during the delivery phase 60 ** it will get queued -- no use it getting in the way of less expensive 61 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 62 ** expensive since an MX RR lookup happens when extracted from the queue 63 ** later. 64 ** 65 ** Parameters: 66 ** xx -- first ADDRESS 67 ** yy -- second ADDRESS 68 ** 69 ** Returns: 70 ** <0 when xx->q_host is less than yy->q_host and both are 71 ** expensive 72 ** >0 when xx->q_host is greater than yy->q_host, or when 73 ** 'yy' is non-expensive 74 ** 0 when equal (by expense and q_host) 75 */ 76 77 static int 78 sortexpensive(xx, yy) 79 ADDRESS *xx; 80 ADDRESS *yy; 81 { 82 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 83 return 1; /* xx should go later */ 84 #if _FFR_HOST_SORT_REVERSE 85 /* XXX maybe compare hostnames from the end? */ 86 return sm_strrevcasecmp(xx->q_host, yy->q_host); 87 #else /* _FFR_HOST_SORT_REVERSE */ 88 return sm_strcasecmp(xx->q_host, yy->q_host); 89 #endif /* _FFR_HOST_SORT_REVERSE */ 90 } 91 92 /* 93 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 94 ** 95 ** Parameters: 96 ** xx -- first ADDRESS 97 ** yy -- second ADDRESS 98 ** 99 ** Returns: 100 ** 0 when the "signature"'s are same 101 ** <0 when xx->q_signature is less than yy->q_signature 102 ** >0 when xx->q_signature is greater than yy->q_signature 103 ** 104 ** Side Effect: 105 ** May set ADDRESS pointer for q_signature if not already set. 106 */ 107 108 static int 109 sortbysignature(xx, yy) 110 ADDRESS *xx; 111 ADDRESS *yy; 112 { 113 register int ret; 114 115 /* Let's avoid redoing the signature over and over again */ 116 if (xx->q_signature == NULL) 117 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 118 if (yy->q_signature == NULL) 119 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 120 ret = strcmp(xx->q_signature, yy->q_signature); 121 122 /* 123 ** If the two signatures are the same then we will return a sort 124 ** value based on 'q_user'. But note that we have reversed xx and yy 125 ** on purpose. This additional compare helps reduce the number of 126 ** sameaddr() calls and loops in recipient() for the case when 127 ** the rcpt list has been provided already in-order. 128 */ 129 130 if (ret == 0) 131 return strcmp(yy->q_user, xx->q_user); 132 else 133 return ret; 134 } 135 136 /* 137 ** SENDTOLIST -- Designate a send list. 138 ** 139 ** The parameter is a comma-separated list of people to send to. 140 ** This routine arranges to send to all of them. 141 ** 142 ** Parameters: 143 ** list -- the send list. 144 ** ctladdr -- the address template for the person to 145 ** send to -- effective uid/gid are important. 146 ** This is typically the alias that caused this 147 ** expansion. 148 ** sendq -- a pointer to the head of a queue to put 149 ** these people into. 150 ** aliaslevel -- the current alias nesting depth -- to 151 ** diagnose loops. 152 ** e -- the envelope in which to add these recipients. 153 ** 154 ** Returns: 155 ** The number of addresses actually on the list. 156 */ 157 158 /* q_flags bits inherited from ctladdr */ 159 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 160 161 int 162 sendtolist(list, ctladdr, sendq, aliaslevel, e) 163 char *list; 164 ADDRESS *ctladdr; 165 ADDRESS **sendq; 166 int aliaslevel; 167 register ENVELOPE *e; 168 { 169 register char *p; 170 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 171 SM_NONVOLATILE char delimiter; /* the address delimiter */ 172 SM_NONVOLATILE int naddrs; 173 SM_NONVOLATILE int i; 174 char *endp; 175 char *oldto = e->e_to; 176 char *SM_NONVOLATILE bufp; 177 char buf[MAXNAME + 1]; 178 179 if (list == NULL) 180 { 181 syserr("sendtolist: null list"); 182 return 0; 183 } 184 185 if (tTd(25, 1)) 186 { 187 sm_dprintf("sendto: %s\n ctladdr=", list); 188 printaddr(sm_debug_file(), ctladdr, false); 189 } 190 191 /* heuristic to determine old versus new style addresses */ 192 if (ctladdr == NULL && 193 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 194 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 195 e->e_flags &= ~EF_OLDSTYLE; 196 delimiter = ' '; 197 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 198 delimiter = ','; 199 200 al = NULL; 201 naddrs = 0; 202 203 /* make sure we have enough space to copy the string */ 204 i = strlen(list) + 1; 205 if (i <= sizeof buf) 206 { 207 bufp = buf; 208 i = sizeof buf; 209 } 210 else 211 bufp = sm_malloc_x(i); 212 endp = bufp + i; 213 214 SM_TRY 215 { 216 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 217 218 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 219 for (p = bufp; *p != '\0'; ) 220 { 221 auto char *delimptr; 222 register ADDRESS *a; 223 224 SM_ASSERT(p < endp); 225 226 /* parse the address */ 227 while ((isascii(*p) && isspace(*p)) || *p == ',') 228 p++; 229 SM_ASSERT(p < endp); 230 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 231 &delimptr, e, true); 232 p = delimptr; 233 SM_ASSERT(p < endp); 234 if (a == NULL) 235 continue; 236 a->q_next = al; 237 a->q_alias = ctladdr; 238 239 /* arrange to inherit attributes from parent */ 240 if (ctladdr != NULL) 241 { 242 ADDRESS *b; 243 244 /* self reference test */ 245 if (sameaddr(ctladdr, a)) 246 { 247 if (tTd(27, 5)) 248 { 249 sm_dprintf("sendtolist: QSELFREF "); 250 printaddr(sm_debug_file(), ctladdr, false); 251 } 252 ctladdr->q_flags |= QSELFREF; 253 } 254 255 /* check for address loops */ 256 b = self_reference(a); 257 if (b != NULL) 258 { 259 b->q_flags |= QSELFREF; 260 if (tTd(27, 5)) 261 { 262 sm_dprintf("sendtolist: QSELFREF "); 263 printaddr(sm_debug_file(), b, false); 264 } 265 if (a != b) 266 { 267 if (tTd(27, 5)) 268 { 269 sm_dprintf("sendtolist: QS_DONTSEND "); 270 printaddr(sm_debug_file(), a, false); 271 } 272 a->q_state = QS_DONTSEND; 273 b->q_flags |= a->q_flags & QNOTREMOTE; 274 continue; 275 } 276 } 277 278 /* full name */ 279 if (a->q_fullname == NULL) 280 a->q_fullname = ctladdr->q_fullname; 281 282 /* various flag bits */ 283 a->q_flags &= ~QINHERITEDBITS; 284 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 285 286 /* DSN recipient information */ 287 a->q_finalrcpt = ctladdr->q_finalrcpt; 288 a->q_orcpt = ctladdr->q_orcpt; 289 } 290 291 al = a; 292 } 293 294 /* arrange to send to everyone on the local send list */ 295 while (al != NULL) 296 { 297 register ADDRESS *a = al; 298 299 al = a->q_next; 300 a = recipient(a, sendq, aliaslevel, e); 301 naddrs++; 302 } 303 } 304 SM_FINALLY 305 { 306 e->e_to = oldto; 307 if (bufp != buf) 308 sm_free(bufp); 309 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 310 } 311 SM_END_TRY 312 return naddrs; 313 } 314 #if MILTER 315 /* 316 ** REMOVEFROMLIST -- Remove addresses from a send list. 317 ** 318 ** The parameter is a comma-separated list of recipients to remove. 319 ** Note that it only deletes matching addresses. If those addresses 320 ** have been expanded already in the sendq, it won't mark the 321 ** expanded recipients as QS_REMOVED. 322 ** 323 ** Parameters: 324 ** list -- the list to remove. 325 ** sendq -- a pointer to the head of a queue to remove 326 ** these addresses from. 327 ** e -- the envelope in which to remove these recipients. 328 ** 329 ** Returns: 330 ** The number of addresses removed from the list. 331 ** 332 */ 333 334 int 335 removefromlist(list, sendq, e) 336 char *list; 337 ADDRESS **sendq; 338 ENVELOPE *e; 339 { 340 SM_NONVOLATILE char delimiter; /* the address delimiter */ 341 SM_NONVOLATILE int naddrs; 342 SM_NONVOLATILE int i; 343 char *p; 344 char *oldto = e->e_to; 345 char *SM_NONVOLATILE bufp; 346 char buf[MAXNAME + 1]; 347 348 if (list == NULL) 349 { 350 syserr("removefromlist: null list"); 351 return 0; 352 } 353 354 if (tTd(25, 1)) 355 sm_dprintf("removefromlist: %s\n", list); 356 357 /* heuristic to determine old versus new style addresses */ 358 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 359 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 360 e->e_flags &= ~EF_OLDSTYLE; 361 delimiter = ' '; 362 if (!bitset(EF_OLDSTYLE, e->e_flags)) 363 delimiter = ','; 364 365 naddrs = 0; 366 367 /* make sure we have enough space to copy the string */ 368 i = strlen(list) + 1; 369 if (i <= sizeof buf) 370 { 371 bufp = buf; 372 i = sizeof buf; 373 } 374 else 375 bufp = sm_malloc_x(i); 376 377 SM_TRY 378 { 379 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 380 381 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 382 for (p = bufp; *p != '\0'; ) 383 { 384 ADDRESS a; /* parsed address to be removed */ 385 ADDRESS *q; 386 ADDRESS **pq; 387 char *delimptr; 388 389 /* parse the address */ 390 while ((isascii(*p) && isspace(*p)) || *p == ',') 391 p++; 392 if (parseaddr(p, &a, RF_COPYALL, 393 delimiter, &delimptr, e, true) == NULL) 394 { 395 p = delimptr; 396 continue; 397 } 398 p = delimptr; 399 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 400 { 401 if (!QS_IS_DEAD(q->q_state) && 402 (sameaddr(q, &a) || 403 strcmp(q->q_paddr, a.q_paddr) == 0)) 404 { 405 if (tTd(25, 5)) 406 { 407 sm_dprintf("removefromlist: QS_REMOVED "); 408 printaddr(sm_debug_file(), &a, false); 409 } 410 q->q_state = QS_REMOVED; 411 naddrs++; 412 break; 413 } 414 } 415 } 416 } 417 SM_FINALLY 418 { 419 e->e_to = oldto; 420 if (bufp != buf) 421 sm_free(bufp); 422 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 423 } 424 SM_END_TRY 425 return naddrs; 426 } 427 #endif /* MILTER */ 428 /* 429 ** RECIPIENT -- Designate a message recipient 430 ** 431 ** Saves the named person for future mailing. 432 ** 433 ** Parameters: 434 ** new -- the (preparsed) address header for the recipient. 435 ** sendq -- a pointer to the head of a queue to put the 436 ** recipient in. Duplicate suppression is done 437 ** in this queue. 438 ** aliaslevel -- the current alias nesting depth. 439 ** e -- the current envelope. 440 ** 441 ** Returns: 442 ** The actual address in the queue. This will be "a" if 443 ** the address is not a duplicate, else the original address. 444 ** 445 */ 446 447 ADDRESS * 448 recipient(new, sendq, aliaslevel, e) 449 register ADDRESS *new; 450 register ADDRESS **sendq; 451 int aliaslevel; 452 register ENVELOPE *e; 453 { 454 register ADDRESS *q; 455 ADDRESS **pq; 456 ADDRESS **prev; 457 register struct mailer *m; 458 register char *p; 459 int i, buflen; 460 bool quoted; /* set if the addr has a quote bit */ 461 bool insert; 462 int findusercount; 463 bool initialdontsend; 464 char *buf; 465 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 466 sortfn_t *sortfn; 467 468 p = NULL; 469 quoted = false; 470 insert = false; 471 findusercount = 0; 472 initialdontsend = QS_IS_DEAD(new->q_state); 473 e->e_to = new->q_paddr; 474 m = new->q_mailer; 475 errno = 0; 476 if (aliaslevel == 0) 477 new->q_flags |= QPRIMARY; 478 if (tTd(26, 1)) 479 { 480 sm_dprintf("\nrecipient (%d): ", aliaslevel); 481 printaddr(sm_debug_file(), new, false); 482 } 483 484 /* if this is primary, use it as original recipient */ 485 if (new->q_alias == NULL) 486 { 487 if (e->e_origrcpt == NULL) 488 e->e_origrcpt = new->q_paddr; 489 else if (e->e_origrcpt != new->q_paddr) 490 e->e_origrcpt = ""; 491 } 492 493 /* find parent recipient for finalrcpt and orcpt */ 494 for (q = new; q->q_alias != NULL; q = q->q_alias) 495 continue; 496 497 /* find final recipient DSN address */ 498 if (new->q_finalrcpt == NULL && 499 e->e_from.q_mailer != NULL) 500 { 501 char frbuf[MAXLINE]; 502 503 p = e->e_from.q_mailer->m_addrtype; 504 if (p == NULL) 505 p = "rfc822"; 506 if (sm_strcasecmp(p, "rfc822") != 0) 507 { 508 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 509 q->q_mailer->m_addrtype, 510 q->q_user); 511 } 512 else if (strchr(q->q_user, '@') != NULL) 513 { 514 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 515 p, q->q_user); 516 } 517 else if (strchr(q->q_paddr, '@') != NULL) 518 { 519 char *qp; 520 bool b; 521 522 qp = q->q_paddr; 523 524 /* strip brackets from address */ 525 b = false; 526 if (*qp == '<') 527 { 528 b = qp[strlen(qp) - 1] == '>'; 529 if (b) 530 qp[strlen(qp) - 1] = '\0'; 531 qp++; 532 } 533 (void) sm_snprintf(frbuf, sizeof frbuf, "%s; %.800s", 534 p, qp); 535 536 /* undo damage */ 537 if (b) 538 qp[strlen(qp)] = '>'; 539 } 540 else 541 { 542 (void) sm_snprintf(frbuf, sizeof frbuf, 543 "%s; %.700s@%.100s", 544 p, q->q_user, MyHostName); 545 } 546 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 547 } 548 549 #if _FFR_GEN_ORCPT 550 /* set ORCPT DSN arg if not already set */ 551 if (new->q_orcpt == NULL) 552 { 553 /* check for an existing ORCPT */ 554 if (q->q_orcpt != NULL) 555 new->q_orcpt = q->q_orcpt; 556 else 557 { 558 /* make our own */ 559 bool b = false; 560 char *qp; 561 char obuf[MAXLINE]; 562 563 if (e->e_from.q_mailer != NULL) 564 p = e->e_from.q_mailer->m_addrtype; 565 if (p == NULL) 566 p = "rfc822"; 567 (void) sm_strlcpyn(obuf, sizeof obuf, 2, p, ";"); 568 569 qp = q->q_paddr; 570 571 /* FFR: Needs to strip comments from stdin addrs */ 572 573 /* strip brackets from address */ 574 if (*qp == '<') 575 { 576 b = qp[strlen(qp) - 1] == '>'; 577 if (b) 578 qp[strlen(qp) - 1] = '\0'; 579 qp++; 580 } 581 582 p = xtextify(denlstring(qp, true, false), NULL); 583 584 if (sm_strlcat(obuf, p, sizeof obuf) >= sizeof obuf) 585 { 586 /* if too big, don't use it */ 587 obuf[0] = '\0'; 588 } 589 590 /* undo damage */ 591 if (b) 592 qp[strlen(qp)] = '>'; 593 594 if (obuf[0] != '\0') 595 new->q_orcpt = 596 sm_rpool_strdup_x(e->e_rpool, obuf); 597 } 598 } 599 #endif /* _FFR_GEN_ORCPT */ 600 601 /* break aliasing loops */ 602 if (aliaslevel > MaxAliasRecursion) 603 { 604 new->q_state = QS_BADADDR; 605 new->q_status = "5.4.6"; 606 usrerrenh(new->q_status, 607 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 608 aliaslevel, MaxAliasRecursion); 609 return new; 610 } 611 612 /* 613 ** Finish setting up address structure. 614 */ 615 616 /* get unquoted user for file, program or user.name check */ 617 i = strlen(new->q_user); 618 if (i >= sizeof buf0) 619 { 620 buflen = i + 1; 621 buf = xalloc(buflen); 622 } 623 else 624 { 625 buf = buf0; 626 buflen = sizeof buf0; 627 } 628 (void) sm_strlcpy(buf, new->q_user, buflen); 629 for (p = buf; *p != '\0' && !quoted; p++) 630 { 631 if (*p == '\\') 632 quoted = true; 633 } 634 stripquotes(buf); 635 636 /* check for direct mailing to restricted mailers */ 637 if (m == ProgMailer) 638 { 639 if (new->q_alias == NULL || UseMSP || 640 bitset(EF_UNSAFE, e->e_flags)) 641 { 642 new->q_state = QS_BADADDR; 643 new->q_status = "5.7.1"; 644 usrerrenh(new->q_status, 645 "550 Cannot mail directly to programs"); 646 } 647 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 648 { 649 new->q_state = QS_BADADDR; 650 new->q_status = "5.7.1"; 651 if (new->q_alias->q_ruser == NULL) 652 usrerrenh(new->q_status, 653 "550 UID %d is an unknown user: cannot mail to programs", 654 new->q_alias->q_uid); 655 else 656 usrerrenh(new->q_status, 657 "550 User %s@%s doesn't have a valid shell for mailing to programs", 658 new->q_alias->q_ruser, MyHostName); 659 } 660 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 661 { 662 new->q_state = QS_BADADDR; 663 new->q_status = "5.7.1"; 664 new->q_rstatus = "550 Unsafe for mailing to programs"; 665 usrerrenh(new->q_status, 666 "550 Address %s is unsafe for mailing to programs", 667 new->q_alias->q_paddr); 668 } 669 } 670 671 /* 672 ** Look up this person in the recipient list. 673 ** If they are there already, return, otherwise continue. 674 ** If the list is empty, just add it. Notice the cute 675 ** hack to make from addresses suppress things correctly: 676 ** the QS_DUPLICATE state will be set in the send list. 677 ** [Please note: the emphasis is on "hack."] 678 */ 679 680 prev = NULL; 681 682 /* 683 ** If this message is going to the queue or FastSplit is set 684 ** and it is the first try and the envelope hasn't split, then we 685 ** avoid doing an MX RR lookup now because one will be done when the 686 ** message is extracted from the queue later. It can go to the queue 687 ** because all messages are going to the queue or this mailer of 688 ** the current recipient is marked expensive. 689 */ 690 691 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 692 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 693 FastSplit > 0)) 694 sortfn = sorthost; 695 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 696 sortfn = sortexpensive; 697 else 698 sortfn = sortbysignature; 699 700 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 701 { 702 /* 703 ** If address is "less than" it should be inserted now. 704 ** If address is "greater than" current comparison it'll 705 ** insert later in the list; so loop again (if possible). 706 ** If address is "equal" (different equal than sameaddr() 707 ** call) then check if sameaddr() will be true. 708 ** Because this list is now sorted, it'll mean fewer 709 ** comparisons and fewer loops which is important for more 710 ** recipients. 711 */ 712 713 i = (*sortfn)(new, q); 714 if (i == 0) /* equal */ 715 { 716 /* 717 ** Sortbysignature() has said that the two have 718 ** equal MX RR's and the same user. Calling sameaddr() 719 ** now checks if the two hosts are as identical as the 720 ** MX RR's are (which might not be the case) 721 ** before saying these are the identical addresses. 722 */ 723 724 if (sameaddr(q, new) && 725 (bitset(QRCPTOK, q->q_flags) || 726 !bitset(QPRIMARY, q->q_flags))) 727 { 728 if (tTd(26, 1)) 729 { 730 sm_dprintf("%s in sendq: ", 731 new->q_paddr); 732 printaddr(sm_debug_file(), q, false); 733 } 734 if (!bitset(QPRIMARY, q->q_flags)) 735 { 736 if (!QS_IS_DEAD(new->q_state)) 737 message("duplicate suppressed"); 738 else 739 q->q_state = QS_DUPLICATE; 740 q->q_flags |= new->q_flags; 741 } 742 else if (bitset(QSELFREF, q->q_flags) 743 || q->q_state == QS_REMOVED) 744 { 745 /* 746 ** If an earlier milter removed the 747 ** address, a later one can still add 748 ** it back. 749 */ 750 751 q->q_state = new->q_state; 752 q->q_flags |= new->q_flags; 753 } 754 new = q; 755 goto done; 756 } 757 } 758 else if (i < 0) /* less than */ 759 { 760 insert = true; 761 break; 762 } 763 prev = pq; 764 } 765 766 /* pq should point to an address, never NULL */ 767 SM_ASSERT(pq != NULL); 768 769 /* add address on list */ 770 if (insert) 771 { 772 /* 773 ** insert before 'pq'. Only possible when at least 1 774 ** ADDRESS is in the list already. 775 */ 776 777 new->q_next = *pq; 778 if (prev == NULL) 779 *sendq = new; /* To be the first ADDRESS */ 780 else 781 (*prev)->q_next = new; 782 } 783 else 784 { 785 /* 786 ** Place in list at current 'pq' position. Possible 787 ** when there are 0 or more ADDRESS's in the list. 788 */ 789 790 new->q_next = NULL; 791 *pq = new; 792 } 793 794 /* added a new address: clear split flag */ 795 e->e_flags &= ~EF_SPLIT; 796 797 /* 798 ** Alias the name and handle special mailer types. 799 */ 800 801 trylocaluser: 802 if (tTd(29, 7)) 803 { 804 sm_dprintf("at trylocaluser: "); 805 printaddr(sm_debug_file(), new, false); 806 } 807 808 if (!QS_IS_OK(new->q_state)) 809 { 810 if (QS_IS_UNDELIVERED(new->q_state)) 811 e->e_nrcpts++; 812 goto testselfdestruct; 813 } 814 815 if (m == InclMailer) 816 { 817 new->q_state = QS_INCLUDED; 818 if (new->q_alias == NULL || UseMSP || 819 bitset(EF_UNSAFE, e->e_flags)) 820 { 821 new->q_state = QS_BADADDR; 822 new->q_status = "5.7.1"; 823 usrerrenh(new->q_status, 824 "550 Cannot mail directly to :include:s"); 825 } 826 else 827 { 828 int ret; 829 830 message("including file %s", new->q_user); 831 ret = include(new->q_user, false, new, 832 sendq, aliaslevel, e); 833 if (transienterror(ret)) 834 { 835 if (LogLevel > 2) 836 sm_syslog(LOG_ERR, e->e_id, 837 "include %s: transient error: %s", 838 shortenstring(new->q_user, 839 MAXSHORTSTR), 840 sm_errstring(ret)); 841 new->q_state = QS_QUEUEUP; 842 usrerr("451 4.2.4 Cannot open %s: %s", 843 shortenstring(new->q_user, 844 MAXSHORTSTR), 845 sm_errstring(ret)); 846 } 847 else if (ret != 0) 848 { 849 new->q_state = QS_BADADDR; 850 new->q_status = "5.2.4"; 851 usrerrenh(new->q_status, 852 "550 Cannot open %s: %s", 853 shortenstring(new->q_user, 854 MAXSHORTSTR), 855 sm_errstring(ret)); 856 } 857 } 858 } 859 else if (m == FileMailer) 860 { 861 /* check if allowed */ 862 if (new->q_alias == NULL || UseMSP || 863 bitset(EF_UNSAFE, e->e_flags)) 864 { 865 new->q_state = QS_BADADDR; 866 new->q_status = "5.7.1"; 867 usrerrenh(new->q_status, 868 "550 Cannot mail directly to files"); 869 } 870 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 871 { 872 new->q_state = QS_BADADDR; 873 new->q_status = "5.7.1"; 874 if (new->q_alias->q_ruser == NULL) 875 usrerrenh(new->q_status, 876 "550 UID %d is an unknown user: cannot mail to files", 877 new->q_alias->q_uid); 878 else 879 usrerrenh(new->q_status, 880 "550 User %s@%s doesn't have a valid shell for mailing to files", 881 new->q_alias->q_ruser, MyHostName); 882 } 883 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 884 { 885 new->q_state = QS_BADADDR; 886 new->q_status = "5.7.1"; 887 new->q_rstatus = "550 Unsafe for mailing to files"; 888 usrerrenh(new->q_status, 889 "550 Address %s is unsafe for mailing to files", 890 new->q_alias->q_paddr); 891 } 892 } 893 894 /* try aliasing */ 895 if (!quoted && QS_IS_OK(new->q_state) && 896 bitnset(M_ALIASABLE, m->m_flags)) 897 alias(new, sendq, aliaslevel, e); 898 899 #if USERDB 900 /* if not aliased, look it up in the user database */ 901 if (!bitset(QNOTREMOTE, new->q_flags) && 902 QS_IS_SENDABLE(new->q_state) && 903 bitnset(M_CHECKUDB, m->m_flags)) 904 { 905 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 906 { 907 new->q_state = QS_QUEUEUP; 908 if (e->e_message == NULL) 909 e->e_message = "Deferred: user database error"; 910 if (new->q_message == NULL) 911 new->q_message = "Deferred: user database error"; 912 if (LogLevel > 8) 913 sm_syslog(LOG_INFO, e->e_id, 914 "deferred: udbexpand: %s", 915 sm_errstring(errno)); 916 message("queued (user database error): %s", 917 sm_errstring(errno)); 918 e->e_nrcpts++; 919 goto testselfdestruct; 920 } 921 } 922 #endif /* USERDB */ 923 924 /* 925 ** If we have a level two config file, then pass the name through 926 ** Ruleset 5 before sending it off. Ruleset 5 has the right 927 ** to rewrite it to another mailer. This gives us a hook 928 ** after local aliasing has been done. 929 */ 930 931 if (tTd(29, 5)) 932 { 933 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 934 ConfigLevel, RewriteRules[5]); 935 printaddr(sm_debug_file(), new, false); 936 } 937 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 938 bitnset(M_TRYRULESET5, m->m_flags) && 939 !bitset(QNOTREMOTE, new->q_flags) && 940 QS_IS_OK(new->q_state)) 941 { 942 maplocaluser(new, sendq, aliaslevel + 1, e); 943 } 944 945 /* 946 ** If it didn't get rewritten to another mailer, go ahead 947 ** and deliver it. 948 */ 949 950 if (QS_IS_OK(new->q_state) && 951 bitnset(M_HASPWENT, m->m_flags)) 952 { 953 auto bool fuzzy; 954 SM_MBDB_T user; 955 int status; 956 957 /* warning -- finduser may trash buf */ 958 status = finduser(buf, &fuzzy, &user); 959 switch (status) 960 { 961 case EX_TEMPFAIL: 962 new->q_state = QS_QUEUEUP; 963 new->q_status = "4.5.2"; 964 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 965 new->q_alias, (time_t) 0, e, new); 966 break; 967 default: 968 new->q_state = QS_BADADDR; 969 new->q_status = "5.1.1"; 970 new->q_rstatus = "550 5.1.1 User unknown"; 971 giveresponse(EX_NOUSER, new->q_status, m, NULL, 972 new->q_alias, (time_t) 0, e, new); 973 break; 974 case EX_OK: 975 if (fuzzy) 976 { 977 /* name was a fuzzy match */ 978 new->q_user = sm_rpool_strdup_x(e->e_rpool, 979 user.mbdb_name); 980 if (findusercount++ > 3) 981 { 982 new->q_state = QS_BADADDR; 983 new->q_status = "5.4.6"; 984 usrerrenh(new->q_status, 985 "554 aliasing/forwarding loop for %s broken", 986 user.mbdb_name); 987 goto done; 988 } 989 990 /* see if it aliases */ 991 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 992 goto trylocaluser; 993 } 994 if (*user.mbdb_homedir == '\0') 995 new->q_home = NULL; 996 else if (strcmp(user.mbdb_homedir, "/") == 0) 997 new->q_home = ""; 998 else 999 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1000 user.mbdb_homedir); 1001 if (user.mbdb_uid != SM_NO_UID) 1002 { 1003 new->q_uid = user.mbdb_uid; 1004 new->q_gid = user.mbdb_gid; 1005 new->q_flags |= QGOODUID; 1006 } 1007 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1008 user.mbdb_name); 1009 if (user.mbdb_fullname[0] != '\0') 1010 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1011 user.mbdb_fullname); 1012 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1013 { 1014 new->q_flags |= QBOGUSSHELL; 1015 } 1016 if (bitset(EF_VRFYONLY, e->e_flags)) 1017 { 1018 /* don't do any more now */ 1019 new->q_state = QS_VERIFIED; 1020 } 1021 else if (!quoted) 1022 forward(new, sendq, aliaslevel, e); 1023 } 1024 } 1025 if (!QS_IS_DEAD(new->q_state)) 1026 e->e_nrcpts++; 1027 1028 testselfdestruct: 1029 new->q_flags |= QTHISPASS; 1030 if (tTd(26, 8)) 1031 { 1032 sm_dprintf("testselfdestruct: "); 1033 printaddr(sm_debug_file(), new, false); 1034 if (tTd(26, 10)) 1035 { 1036 sm_dprintf("SENDQ:\n"); 1037 printaddr(sm_debug_file(), *sendq, true); 1038 sm_dprintf("----\n"); 1039 } 1040 } 1041 if (new->q_alias == NULL && new != &e->e_from && 1042 QS_IS_DEAD(new->q_state)) 1043 { 1044 for (q = *sendq; q != NULL; q = q->q_next) 1045 { 1046 if (!QS_IS_DEAD(q->q_state)) 1047 break; 1048 } 1049 if (q == NULL) 1050 { 1051 new->q_state = QS_BADADDR; 1052 new->q_status = "5.4.6"; 1053 usrerrenh(new->q_status, 1054 "554 aliasing/forwarding loop broken"); 1055 } 1056 } 1057 1058 done: 1059 new->q_flags |= QTHISPASS; 1060 if (buf != buf0) 1061 sm_free(buf); /* XXX leak if above code raises exception */ 1062 1063 /* 1064 ** If we are at the top level, check to see if this has 1065 ** expanded to exactly one address. If so, it can inherit 1066 ** the primaryness of the address. 1067 ** 1068 ** While we're at it, clear the QTHISPASS bits. 1069 */ 1070 1071 if (aliaslevel == 0) 1072 { 1073 int nrcpts = 0; 1074 ADDRESS *only = NULL; 1075 1076 for (q = *sendq; q != NULL; q = q->q_next) 1077 { 1078 if (bitset(QTHISPASS, q->q_flags) && 1079 QS_IS_SENDABLE(q->q_state)) 1080 { 1081 nrcpts++; 1082 only = q; 1083 } 1084 q->q_flags &= ~QTHISPASS; 1085 } 1086 if (nrcpts == 1) 1087 { 1088 /* check to see if this actually got a new owner */ 1089 q = only; 1090 while ((q = q->q_alias) != NULL) 1091 { 1092 if (q->q_owner != NULL) 1093 break; 1094 } 1095 if (q == NULL) 1096 only->q_flags |= QPRIMARY; 1097 } 1098 else if (!initialdontsend && nrcpts > 0) 1099 { 1100 /* arrange for return receipt */ 1101 e->e_flags |= EF_SENDRECEIPT; 1102 new->q_flags |= QEXPANDED; 1103 if (e->e_xfp != NULL && 1104 bitset(QPINGONSUCCESS, new->q_flags)) 1105 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1106 "%s... expanded to multiple addresses\n", 1107 new->q_paddr); 1108 } 1109 } 1110 new->q_flags |= QRCPTOK; 1111 (void) sm_snprintf(buf0, sizeof buf0, "%d", e->e_nrcpts); 1112 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1113 return new; 1114 } 1115 /* 1116 ** FINDUSER -- find the password entry for a user. 1117 ** 1118 ** This looks a lot like getpwnam, except that it may want to 1119 ** do some fancier pattern matching in /etc/passwd. 1120 ** 1121 ** This routine contains most of the time of many sendmail runs. 1122 ** It deserves to be optimized. 1123 ** 1124 ** Parameters: 1125 ** name -- the name to match against. 1126 ** fuzzyp -- an outarg that is set to true if this entry 1127 ** was found using the fuzzy matching algorithm; 1128 ** set to false otherwise. 1129 ** user -- structure to fill in if user is found 1130 ** 1131 ** Returns: 1132 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1133 ** If the user was not found, return EX_NOUSER. 1134 ** On error, return EX_TEMPFAIL or EX_OSERR. 1135 ** 1136 ** Side Effects: 1137 ** may modify name. 1138 */ 1139 1140 int 1141 finduser(name, fuzzyp, user) 1142 char *name; 1143 bool *fuzzyp; 1144 SM_MBDB_T *user; 1145 { 1146 #if MATCHGECOS 1147 register struct passwd *pw; 1148 #endif /* MATCHGECOS */ 1149 register char *p; 1150 bool tryagain; 1151 int status; 1152 1153 if (tTd(29, 4)) 1154 sm_dprintf("finduser(%s): ", name); 1155 1156 *fuzzyp = false; 1157 1158 #if HESIOD 1159 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1160 for (p = name; *p != '\0'; p++) 1161 if (!isascii(*p) || !isdigit(*p)) 1162 break; 1163 if (*p == '\0') 1164 { 1165 if (tTd(29, 4)) 1166 sm_dprintf("failed (numeric input)\n"); 1167 return EX_NOUSER; 1168 } 1169 #endif /* HESIOD */ 1170 1171 /* look up this login name using fast path */ 1172 status = sm_mbdb_lookup(name, user); 1173 if (status != EX_NOUSER) 1174 { 1175 if (tTd(29, 4)) 1176 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1177 return status; 1178 } 1179 1180 /* try mapping it to lower case */ 1181 tryagain = false; 1182 for (p = name; *p != '\0'; p++) 1183 { 1184 if (isascii(*p) && isupper(*p)) 1185 { 1186 *p = tolower(*p); 1187 tryagain = true; 1188 } 1189 } 1190 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1191 { 1192 if (tTd(29, 4)) 1193 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1194 *fuzzyp = true; 1195 return status; 1196 } 1197 1198 #if MATCHGECOS 1199 /* see if fuzzy matching allowed */ 1200 if (!MatchGecos) 1201 { 1202 if (tTd(29, 4)) 1203 sm_dprintf("not found (fuzzy disabled)\n"); 1204 return EX_NOUSER; 1205 } 1206 1207 /* search for a matching full name instead */ 1208 for (p = name; *p != '\0'; p++) 1209 { 1210 if (*p == (SpaceSub & 0177) || *p == '_') 1211 *p = ' '; 1212 } 1213 (void) setpwent(); 1214 while ((pw = getpwent()) != NULL) 1215 { 1216 char buf[MAXNAME + 1]; 1217 1218 # if 0 1219 if (sm_strcasecmp(pw->pw_name, name) == 0) 1220 { 1221 if (tTd(29, 4)) 1222 sm_dprintf("found (case wrapped)\n"); 1223 break; 1224 } 1225 # endif /* 0 */ 1226 1227 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof buf); 1228 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1229 { 1230 if (tTd(29, 4)) 1231 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1232 message("sending to login name %s", pw->pw_name); 1233 break; 1234 } 1235 } 1236 if (pw != NULL) 1237 *fuzzyp = true; 1238 else if (tTd(29, 4)) 1239 sm_dprintf("no fuzzy match found\n"); 1240 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1241 endpwent(); 1242 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1243 if (pw == NULL) 1244 return EX_NOUSER; 1245 sm_mbdb_frompw(user, pw); 1246 return EX_OK; 1247 #else /* MATCHGECOS */ 1248 if (tTd(29, 4)) 1249 sm_dprintf("not found (fuzzy disabled)\n"); 1250 return EX_NOUSER; 1251 #endif /* MATCHGECOS */ 1252 } 1253 /* 1254 ** WRITABLE -- predicate returning if the file is writable. 1255 ** 1256 ** This routine must duplicate the algorithm in sys/fio.c. 1257 ** Unfortunately, we cannot use the access call since we 1258 ** won't necessarily be the real uid when we try to 1259 ** actually open the file. 1260 ** 1261 ** Notice that ANY file with ANY execute bit is automatically 1262 ** not writable. This is also enforced by mailfile. 1263 ** 1264 ** Parameters: 1265 ** filename -- the file name to check. 1266 ** ctladdr -- the controlling address for this file. 1267 ** flags -- SFF_* flags to control the function. 1268 ** 1269 ** Returns: 1270 ** true -- if we will be able to write this file. 1271 ** false -- if we cannot write this file. 1272 ** 1273 ** Side Effects: 1274 ** none. 1275 */ 1276 1277 bool 1278 writable(filename, ctladdr, flags) 1279 char *filename; 1280 ADDRESS *ctladdr; 1281 long flags; 1282 { 1283 uid_t euid = 0; 1284 gid_t egid = 0; 1285 char *user = NULL; 1286 1287 if (tTd(44, 5)) 1288 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1289 1290 /* 1291 ** File does exist -- check that it is writable. 1292 */ 1293 1294 if (geteuid() != 0) 1295 { 1296 euid = geteuid(); 1297 egid = getegid(); 1298 user = NULL; 1299 } 1300 else if (ctladdr != NULL) 1301 { 1302 euid = ctladdr->q_uid; 1303 egid = ctladdr->q_gid; 1304 user = ctladdr->q_user; 1305 } 1306 else if (bitset(SFF_RUNASREALUID, flags)) 1307 { 1308 euid = RealUid; 1309 egid = RealGid; 1310 user = RealUserName; 1311 } 1312 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1313 { 1314 if (FileMailer->m_uid == NO_UID) 1315 { 1316 euid = DefUid; 1317 user = DefUser; 1318 } 1319 else 1320 { 1321 euid = FileMailer->m_uid; 1322 user = NULL; 1323 } 1324 if (FileMailer->m_gid == NO_GID) 1325 egid = DefGid; 1326 else 1327 egid = FileMailer->m_gid; 1328 } 1329 else 1330 { 1331 euid = egid = 0; 1332 user = NULL; 1333 } 1334 if (!bitset(SFF_ROOTOK, flags)) 1335 { 1336 if (euid == 0) 1337 { 1338 euid = DefUid; 1339 user = DefUser; 1340 } 1341 if (egid == 0) 1342 egid = DefGid; 1343 } 1344 if (geteuid() == 0 && 1345 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1346 flags |= SFF_SETUIDOK; 1347 1348 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1349 flags |= SFF_NOSLINK; 1350 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1351 flags |= SFF_NOHLINK; 1352 1353 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1354 return errno == 0; 1355 } 1356 /* 1357 ** INCLUDE -- handle :include: specification. 1358 ** 1359 ** Parameters: 1360 ** fname -- filename to include. 1361 ** forwarding -- if true, we are reading a .forward file. 1362 ** if false, it's a :include: file. 1363 ** ctladdr -- address template to use to fill in these 1364 ** addresses -- effective user/group id are 1365 ** the important things. 1366 ** sendq -- a pointer to the head of the send queue 1367 ** to put these addresses in. 1368 ** aliaslevel -- the alias nesting depth. 1369 ** e -- the current envelope. 1370 ** 1371 ** Returns: 1372 ** open error status 1373 ** 1374 ** Side Effects: 1375 ** reads the :include: file and sends to everyone 1376 ** listed in that file. 1377 ** 1378 ** Security Note: 1379 ** If you have restricted chown (that is, you can't 1380 ** give a file away), it is reasonable to allow programs 1381 ** and files called from this :include: file to be to be 1382 ** run as the owner of the :include: file. This is bogus 1383 ** if there is any chance of someone giving away a file. 1384 ** We assume that pre-POSIX systems can give away files. 1385 ** 1386 ** There is an additional restriction that if you 1387 ** forward to a :include: file, it will not take on 1388 ** the ownership of the :include: file. This may not 1389 ** be necessary, but shouldn't hurt. 1390 */ 1391 1392 static jmp_buf CtxIncludeTimeout; 1393 1394 int 1395 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1396 char *fname; 1397 bool forwarding; 1398 ADDRESS *ctladdr; 1399 ADDRESS **sendq; 1400 int aliaslevel; 1401 ENVELOPE *e; 1402 { 1403 SM_FILE_T *volatile fp = NULL; 1404 char *oldto = e->e_to; 1405 char *oldfilename = FileName; 1406 int oldlinenumber = LineNumber; 1407 register SM_EVENT *ev = NULL; 1408 int nincludes; 1409 int mode; 1410 volatile bool maxreached = false; 1411 register ADDRESS *ca; 1412 volatile uid_t saveduid; 1413 volatile gid_t savedgid; 1414 volatile uid_t uid; 1415 volatile gid_t gid; 1416 char *volatile user; 1417 int rval = 0; 1418 volatile long sfflags = SFF_REGONLY; 1419 register char *p; 1420 bool safechown = false; 1421 volatile bool safedir = false; 1422 struct stat st; 1423 char buf[MAXLINE]; 1424 1425 if (tTd(27, 2)) 1426 sm_dprintf("include(%s)\n", fname); 1427 if (tTd(27, 4)) 1428 sm_dprintf(" ruid=%d euid=%d\n", 1429 (int) getuid(), (int) geteuid()); 1430 if (tTd(27, 14)) 1431 { 1432 sm_dprintf("ctladdr "); 1433 printaddr(sm_debug_file(), ctladdr, false); 1434 } 1435 1436 if (tTd(27, 9)) 1437 sm_dprintf("include: old uid = %d/%d\n", 1438 (int) getuid(), (int) geteuid()); 1439 1440 if (forwarding) 1441 { 1442 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1443 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1444 sfflags |= SFF_NOGWFILES; 1445 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1446 sfflags |= SFF_NOWWFILES; 1447 } 1448 else 1449 { 1450 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1451 sfflags |= SFF_NOGWFILES; 1452 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1453 sfflags |= SFF_NOWWFILES; 1454 } 1455 1456 /* 1457 ** If RunAsUser set, won't be able to run programs as user 1458 ** so mark them as unsafe unless the administrator knows better. 1459 */ 1460 1461 if ((geteuid() != 0 || RunAsUid != 0) && 1462 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1463 { 1464 if (tTd(27, 4)) 1465 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1466 (int) geteuid(), (int) RunAsUid); 1467 ctladdr->q_flags |= QUNSAFEADDR; 1468 } 1469 1470 ca = getctladdr(ctladdr); 1471 if (ca == NULL || 1472 (ca->q_uid == DefUid && ca->q_gid == 0)) 1473 { 1474 uid = DefUid; 1475 gid = DefGid; 1476 user = DefUser; 1477 } 1478 else 1479 { 1480 uid = ca->q_uid; 1481 gid = ca->q_gid; 1482 user = ca->q_user; 1483 } 1484 #if MAILER_SETUID_METHOD != USE_SETUID 1485 saveduid = geteuid(); 1486 savedgid = getegid(); 1487 if (saveduid == 0) 1488 { 1489 if (!DontInitGroups) 1490 { 1491 if (initgroups(user, gid) == -1) 1492 { 1493 rval = EAGAIN; 1494 syserr("include: initgroups(%s, %d) failed", 1495 user, gid); 1496 goto resetuid; 1497 } 1498 } 1499 else 1500 { 1501 GIDSET_T gidset[1]; 1502 1503 gidset[0] = gid; 1504 if (setgroups(1, gidset) == -1) 1505 { 1506 rval = EAGAIN; 1507 syserr("include: setgroups() failed"); 1508 goto resetuid; 1509 } 1510 } 1511 1512 if (gid != 0 && setgid(gid) < -1) 1513 { 1514 rval = EAGAIN; 1515 syserr("setgid(%d) failure", gid); 1516 goto resetuid; 1517 } 1518 if (uid != 0) 1519 { 1520 # if MAILER_SETUID_METHOD == USE_SETEUID 1521 if (seteuid(uid) < 0) 1522 { 1523 rval = EAGAIN; 1524 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1525 uid, (int) getuid(), (int) geteuid()); 1526 goto resetuid; 1527 } 1528 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1529 # if MAILER_SETUID_METHOD == USE_SETREUID 1530 if (setreuid(0, uid) < 0) 1531 { 1532 rval = EAGAIN; 1533 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1534 uid, (int) getuid(), (int) geteuid()); 1535 goto resetuid; 1536 } 1537 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1538 } 1539 } 1540 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1541 1542 if (tTd(27, 9)) 1543 sm_dprintf("include: new uid = %d/%d\n", 1544 (int) getuid(), (int) geteuid()); 1545 1546 /* 1547 ** If home directory is remote mounted but server is down, 1548 ** this can hang or give errors; use a timeout to avoid this 1549 */ 1550 1551 if (setjmp(CtxIncludeTimeout) != 0) 1552 { 1553 ctladdr->q_state = QS_QUEUEUP; 1554 errno = 0; 1555 1556 /* return pseudo-error code */ 1557 rval = E_SM_OPENTIMEOUT; 1558 goto resetuid; 1559 } 1560 if (TimeOuts.to_fileopen > 0) 1561 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1562 else 1563 ev = NULL; 1564 1565 1566 /* check for writable parent directory */ 1567 p = strrchr(fname, '/'); 1568 if (p != NULL) 1569 { 1570 int ret; 1571 1572 *p = '\0'; 1573 ret = safedirpath(fname, uid, gid, user, 1574 sfflags|SFF_SAFEDIRPATH, 0, 0); 1575 if (ret == 0) 1576 { 1577 /* in safe directory: relax chown & link rules */ 1578 safedir = true; 1579 sfflags |= SFF_NOPATHCHECK; 1580 } 1581 else 1582 { 1583 if (bitnset((forwarding ? 1584 DBS_FORWARDFILEINUNSAFEDIRPATH : 1585 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1586 DontBlameSendmail)) 1587 sfflags |= SFF_NOPATHCHECK; 1588 else if (bitnset((forwarding ? 1589 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1590 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1591 DontBlameSendmail) && 1592 ret == E_SM_GWDIR) 1593 { 1594 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1595 DontBlameSendmail); 1596 ret = safedirpath(fname, uid, gid, user, 1597 sfflags|SFF_SAFEDIRPATH, 1598 0, 0); 1599 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1600 DontBlameSendmail); 1601 if (ret == 0) 1602 sfflags |= SFF_NOPATHCHECK; 1603 else 1604 sfflags |= SFF_SAFEDIRPATH; 1605 } 1606 else 1607 sfflags |= SFF_SAFEDIRPATH; 1608 if (ret > E_PSEUDOBASE && 1609 !bitnset((forwarding ? 1610 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1611 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1612 DontBlameSendmail)) 1613 { 1614 if (LogLevel > 11) 1615 sm_syslog(LOG_INFO, e->e_id, 1616 "%s: unsafe directory path, marked unsafe", 1617 shortenstring(fname, MAXSHORTSTR)); 1618 ctladdr->q_flags |= QUNSAFEADDR; 1619 } 1620 } 1621 *p = '/'; 1622 } 1623 1624 /* allow links only in unwritable directories */ 1625 if (!safedir && 1626 !bitnset((forwarding ? 1627 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1628 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1629 DontBlameSendmail)) 1630 sfflags |= SFF_NOLINK; 1631 1632 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1633 if (rval != 0) 1634 { 1635 /* don't use this :include: file */ 1636 if (tTd(27, 4)) 1637 sm_dprintf("include: not safe (uid=%d): %s\n", 1638 (int) uid, sm_errstring(rval)); 1639 } 1640 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1641 SM_IO_RDONLY, NULL)) == NULL) 1642 { 1643 rval = errno; 1644 if (tTd(27, 4)) 1645 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1646 } 1647 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1648 { 1649 rval = E_SM_FILECHANGE; 1650 if (tTd(27, 4)) 1651 sm_dprintf("include: file changed after open\n"); 1652 } 1653 if (ev != NULL) 1654 sm_clrevent(ev); 1655 1656 resetuid: 1657 1658 #if HASSETREUID || USESETEUID 1659 if (saveduid == 0) 1660 { 1661 if (uid != 0) 1662 { 1663 # if USESETEUID 1664 if (seteuid(0) < 0) 1665 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1666 (int) getuid(), (int) geteuid()); 1667 # else /* USESETEUID */ 1668 if (setreuid(-1, 0) < 0) 1669 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1670 (int) getuid(), (int) geteuid()); 1671 if (setreuid(RealUid, 0) < 0) 1672 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1673 (int) RealUid, (int) getuid(), 1674 (int) geteuid()); 1675 # endif /* USESETEUID */ 1676 } 1677 if (setgid(savedgid) < 0) 1678 syserr("!setgid(%d) failure (real=%d eff=%d)", 1679 (int) savedgid, (int) getgid(), 1680 (int) getegid()); 1681 } 1682 #endif /* HASSETREUID || USESETEUID */ 1683 1684 if (tTd(27, 9)) 1685 sm_dprintf("include: reset uid = %d/%d\n", 1686 (int) getuid(), (int) geteuid()); 1687 1688 if (rval == E_SM_OPENTIMEOUT) 1689 usrerr("451 4.4.1 open timeout on %s", fname); 1690 1691 if (fp == NULL) 1692 return rval; 1693 1694 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1695 { 1696 rval = errno; 1697 syserr("Cannot fstat %s!", fname); 1698 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1699 return rval; 1700 } 1701 1702 /* if path was writable, check to avoid file giveaway tricks */ 1703 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1704 if (tTd(27, 6)) 1705 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1706 fname, safedir ? "safe" : "dangerous", 1707 safechown ? "" : "un"); 1708 1709 /* if no controlling user or coming from an alias delivery */ 1710 if (safechown && 1711 (ca == NULL || 1712 (ca->q_uid == DefUid && ca->q_gid == 0))) 1713 { 1714 ctladdr->q_uid = st.st_uid; 1715 ctladdr->q_gid = st.st_gid; 1716 ctladdr->q_flags |= QGOODUID; 1717 } 1718 if (ca != NULL && ca->q_uid == st.st_uid) 1719 { 1720 /* optimization -- avoid getpwuid if we already have info */ 1721 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1722 ctladdr->q_ruser = ca->q_ruser; 1723 } 1724 else if (!forwarding) 1725 { 1726 register struct passwd *pw; 1727 1728 pw = sm_getpwuid(st.st_uid); 1729 if (pw == NULL) 1730 { 1731 ctladdr->q_uid = st.st_uid; 1732 ctladdr->q_flags |= QBOGUSSHELL; 1733 } 1734 else 1735 { 1736 char *sh; 1737 1738 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1739 pw->pw_name); 1740 if (safechown) 1741 sh = pw->pw_shell; 1742 else 1743 sh = "/SENDMAIL/ANY/SHELL/"; 1744 if (!usershellok(pw->pw_name, sh)) 1745 { 1746 if (LogLevel > 11) 1747 sm_syslog(LOG_INFO, e->e_id, 1748 "%s: user %s has bad shell %s, marked %s", 1749 shortenstring(fname, 1750 MAXSHORTSTR), 1751 pw->pw_name, sh, 1752 safechown ? "bogus" : "unsafe"); 1753 if (safechown) 1754 ctladdr->q_flags |= QBOGUSSHELL; 1755 else 1756 ctladdr->q_flags |= QUNSAFEADDR; 1757 } 1758 } 1759 } 1760 1761 if (bitset(EF_VRFYONLY, e->e_flags)) 1762 { 1763 /* don't do any more now */ 1764 ctladdr->q_state = QS_VERIFIED; 1765 e->e_nrcpts++; 1766 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1767 return rval; 1768 } 1769 1770 /* 1771 ** Check to see if some bad guy can write this file 1772 ** 1773 ** Group write checking could be more clever, e.g., 1774 ** guessing as to which groups are actually safe ("sys" 1775 ** may be; "user" probably is not). 1776 */ 1777 1778 mode = S_IWOTH; 1779 if (!bitnset((forwarding ? 1780 DBS_GROUPWRITABLEFORWARDFILESAFE : 1781 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1782 DontBlameSendmail)) 1783 mode |= S_IWGRP; 1784 1785 if (bitset(mode, st.st_mode)) 1786 { 1787 if (tTd(27, 6)) 1788 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1789 shortenstring(fname, MAXSHORTSTR), 1790 bitset(S_IWOTH, st.st_mode) ? "world" 1791 : "group"); 1792 if (LogLevel > 11) 1793 sm_syslog(LOG_INFO, e->e_id, 1794 "%s: %s writable %s file, marked unsafe", 1795 shortenstring(fname, MAXSHORTSTR), 1796 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1797 forwarding ? "forward" : ":include:"); 1798 ctladdr->q_flags |= QUNSAFEADDR; 1799 } 1800 1801 /* read the file -- each line is a comma-separated list. */ 1802 FileName = fname; 1803 LineNumber = 0; 1804 ctladdr->q_flags &= ~QSELFREF; 1805 nincludes = 0; 1806 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof buf) != NULL && 1807 !maxreached) 1808 { 1809 fixcrlf(buf, true); 1810 LineNumber++; 1811 if (buf[0] == '#' || buf[0] == '\0') 1812 continue; 1813 1814 /* <sp>#@# introduces a comment anywhere */ 1815 /* for Japanese character sets */ 1816 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1817 { 1818 if (p[1] == '@' && p[2] == '#' && 1819 isascii(p[-1]) && isspace(p[-1]) && 1820 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1821 { 1822 --p; 1823 while (p > buf && isascii(p[-1]) && 1824 isspace(p[-1])) 1825 --p; 1826 p[0] = '\0'; 1827 break; 1828 } 1829 } 1830 if (buf[0] == '\0') 1831 continue; 1832 1833 e->e_to = NULL; 1834 message("%s to %s", 1835 forwarding ? "forwarding" : "sending", buf); 1836 if (forwarding && LogLevel > 10) 1837 sm_syslog(LOG_INFO, e->e_id, 1838 "forward %.200s => %s", 1839 oldto, shortenstring(buf, MAXSHORTSTR)); 1840 1841 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1842 1843 if (forwarding && 1844 MaxForwardEntries > 0 && 1845 nincludes >= MaxForwardEntries) 1846 { 1847 /* just stop reading and processing further entries */ 1848 #if 0 1849 /* additional: (?) */ 1850 ctladdr->q_state = QS_DONTSEND; 1851 #endif /* 0 */ 1852 1853 syserr("Attempt to forward to more than %d addresses (in %s)!", 1854 MaxForwardEntries, fname); 1855 maxreached = true; 1856 } 1857 } 1858 1859 if (sm_io_error(fp) && tTd(27, 3)) 1860 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1861 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1862 { 1863 if (tTd(27, 5)) 1864 { 1865 sm_dprintf("include: QS_DONTSEND "); 1866 printaddr(sm_debug_file(), ctladdr, false); 1867 } 1868 ctladdr->q_state = QS_DONTSEND; 1869 } 1870 1871 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1872 FileName = oldfilename; 1873 LineNumber = oldlinenumber; 1874 e->e_to = oldto; 1875 return rval; 1876 } 1877 1878 static void 1879 includetimeout(ignore) 1880 int ignore; 1881 { 1882 /* 1883 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1884 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1885 ** DOING. 1886 */ 1887 1888 errno = ETIMEDOUT; 1889 longjmp(CtxIncludeTimeout, 1); 1890 } 1891 /* 1892 ** SENDTOARGV -- send to an argument vector. 1893 ** 1894 ** Parameters: 1895 ** argv -- argument vector to send to. 1896 ** e -- the current envelope. 1897 ** 1898 ** Returns: 1899 ** none. 1900 ** 1901 ** Side Effects: 1902 ** puts all addresses on the argument vector onto the 1903 ** send queue. 1904 */ 1905 1906 void 1907 sendtoargv(argv, e) 1908 register char **argv; 1909 register ENVELOPE *e; 1910 { 1911 register char *p; 1912 1913 while ((p = *argv++) != NULL) 1914 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1915 } 1916 /* 1917 ** GETCTLADDR -- get controlling address from an address header. 1918 ** 1919 ** If none, get one corresponding to the effective userid. 1920 ** 1921 ** Parameters: 1922 ** a -- the address to find the controller of. 1923 ** 1924 ** Returns: 1925 ** the controlling address. 1926 */ 1927 1928 ADDRESS * 1929 getctladdr(a) 1930 register ADDRESS *a; 1931 { 1932 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1933 a = a->q_alias; 1934 return a; 1935 } 1936 /* 1937 ** SELF_REFERENCE -- check to see if an address references itself 1938 ** 1939 ** The check is done through a chain of aliases. If it is part of 1940 ** a loop, break the loop at the "best" address, that is, the one 1941 ** that exists as a real user. 1942 ** 1943 ** This is to handle the case of: 1944 ** awc: Andrew.Chang 1945 ** Andrew.Chang: awc@mail.server 1946 ** which is a problem only on mail.server. 1947 ** 1948 ** Parameters: 1949 ** a -- the address to check. 1950 ** 1951 ** Returns: 1952 ** The address that should be retained. 1953 */ 1954 1955 static ADDRESS * 1956 self_reference(a) 1957 ADDRESS *a; 1958 { 1959 ADDRESS *b; /* top entry in self ref loop */ 1960 ADDRESS *c; /* entry that point to a real mail box */ 1961 1962 if (tTd(27, 1)) 1963 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1964 1965 for (b = a->q_alias; b != NULL; b = b->q_alias) 1966 { 1967 if (sameaddr(a, b)) 1968 break; 1969 } 1970 1971 if (b == NULL) 1972 { 1973 if (tTd(27, 1)) 1974 sm_dprintf("\t... no self ref\n"); 1975 return NULL; 1976 } 1977 1978 /* 1979 ** Pick the first address that resolved to a real mail box 1980 ** i.e has a mbdb entry. The returned value will be marked 1981 ** QSELFREF in recipient(), which in turn will disable alias() 1982 ** from marking it as QS_IS_DEAD(), which mean it will be used 1983 ** as a deliverable address. 1984 ** 1985 ** The 2 key thing to note here are: 1986 ** 1) we are in a recursive call sequence: 1987 ** alias->sendtolist->recipient->alias 1988 ** 2) normally, when we return back to alias(), the address 1989 ** will be marked QS_EXPANDED, since alias() assumes the 1990 ** expanded form will be used instead of the current address. 1991 ** This behaviour is turned off if the address is marked 1992 ** QSELFREF. We set QSELFREF when we return to recipient(). 1993 */ 1994 1995 c = a; 1996 while (c != NULL) 1997 { 1998 if (tTd(27, 10)) 1999 sm_dprintf(" %s", c->q_user); 2000 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2001 { 2002 SM_MBDB_T user; 2003 2004 if (tTd(27, 2)) 2005 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2006 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2007 { 2008 if (tTd(27, 2)) 2009 sm_dprintf("found\n"); 2010 2011 /* ought to cache results here */ 2012 if (sameaddr(b, c)) 2013 return b; 2014 else 2015 return c; 2016 } 2017 if (tTd(27, 2)) 2018 sm_dprintf("failed\n"); 2019 } 2020 else 2021 { 2022 /* if local delivery, compare usernames */ 2023 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2024 b->q_mailer == c->q_mailer) 2025 { 2026 if (tTd(27, 2)) 2027 sm_dprintf("\t... local match (%s)\n", 2028 c->q_user); 2029 if (sameaddr(b, c)) 2030 return b; 2031 else 2032 return c; 2033 } 2034 } 2035 if (tTd(27, 10)) 2036 sm_dprintf("\n"); 2037 c = c->q_alias; 2038 } 2039 2040 if (tTd(27, 1)) 2041 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2042 2043 return NULL; 2044 } 2045