1 /* 2 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #pragma ident "%Z%%M% %I% %E% SMI" 15 16 #include <sendmail.h> 17 18 SM_RCSID("@(#)$Id: recipient.c,v 8.348 2007/03/19 21:33:09 ca Exp $") 19 20 static void includetimeout __P((int)); 21 static ADDRESS *self_reference __P((ADDRESS *)); 22 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 23 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 24 static int sorthost __P((ADDRESS *, ADDRESS *)); 25 26 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 27 28 /* 29 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 30 ** 31 ** Parameters: 32 ** xx -- first ADDRESS 33 ** yy -- second ADDRESS 34 ** 35 ** Returns: 36 ** <0 when xx->q_host is less than yy->q_host 37 ** >0 when xx->q_host is greater than yy->q_host 38 ** 0 when equal 39 */ 40 41 static int 42 sorthost(xx, yy) 43 register ADDRESS *xx; 44 register ADDRESS *yy; 45 { 46 #if _FFR_HOST_SORT_REVERSE 47 /* XXX maybe compare hostnames from the end? */ 48 return sm_strrevcasecmp(xx->q_host, yy->q_host); 49 #else /* _FFR_HOST_SORT_REVERSE */ 50 return sm_strcasecmp(xx->q_host, yy->q_host); 51 #endif /* _FFR_HOST_SORT_REVERSE */ 52 } 53 54 /* 55 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 56 ** 57 ** The mailer has been noted already as "expensive" for 'xx'. This 58 ** will give a result relative to 'yy'. Expensive mailers get rated 59 ** "greater than" non-expensive mailers because during the delivery phase 60 ** it will get queued -- no use it getting in the way of less expensive 61 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 62 ** expensive since an MX RR lookup happens when extracted from the queue 63 ** later. 64 ** 65 ** Parameters: 66 ** xx -- first ADDRESS 67 ** yy -- second ADDRESS 68 ** 69 ** Returns: 70 ** <0 when xx->q_host is less than yy->q_host and both are 71 ** expensive 72 ** >0 when xx->q_host is greater than yy->q_host, or when 73 ** 'yy' is non-expensive 74 ** 0 when equal (by expense and q_host) 75 */ 76 77 static int 78 sortexpensive(xx, yy) 79 ADDRESS *xx; 80 ADDRESS *yy; 81 { 82 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 83 return 1; /* xx should go later */ 84 #if _FFR_HOST_SORT_REVERSE 85 /* XXX maybe compare hostnames from the end? */ 86 return sm_strrevcasecmp(xx->q_host, yy->q_host); 87 #else /* _FFR_HOST_SORT_REVERSE */ 88 return sm_strcasecmp(xx->q_host, yy->q_host); 89 #endif /* _FFR_HOST_SORT_REVERSE */ 90 } 91 92 /* 93 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 94 ** 95 ** Parameters: 96 ** xx -- first ADDRESS 97 ** yy -- second ADDRESS 98 ** 99 ** Returns: 100 ** 0 when the "signature"'s are same 101 ** <0 when xx->q_signature is less than yy->q_signature 102 ** >0 when xx->q_signature is greater than yy->q_signature 103 ** 104 ** Side Effect: 105 ** May set ADDRESS pointer for q_signature if not already set. 106 */ 107 108 static int 109 sortbysignature(xx, yy) 110 ADDRESS *xx; 111 ADDRESS *yy; 112 { 113 register int ret; 114 115 /* Let's avoid redoing the signature over and over again */ 116 if (xx->q_signature == NULL) 117 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 118 if (yy->q_signature == NULL) 119 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 120 ret = strcmp(xx->q_signature, yy->q_signature); 121 122 /* 123 ** If the two signatures are the same then we will return a sort 124 ** value based on 'q_user'. But note that we have reversed xx and yy 125 ** on purpose. This additional compare helps reduce the number of 126 ** sameaddr() calls and loops in recipient() for the case when 127 ** the rcpt list has been provided already in-order. 128 */ 129 130 if (ret == 0) 131 return strcmp(yy->q_user, xx->q_user); 132 else 133 return ret; 134 } 135 136 /* 137 ** SENDTOLIST -- Designate a send list. 138 ** 139 ** The parameter is a comma-separated list of people to send to. 140 ** This routine arranges to send to all of them. 141 ** 142 ** Parameters: 143 ** list -- the send list. 144 ** ctladdr -- the address template for the person to 145 ** send to -- effective uid/gid are important. 146 ** This is typically the alias that caused this 147 ** expansion. 148 ** sendq -- a pointer to the head of a queue to put 149 ** these people into. 150 ** aliaslevel -- the current alias nesting depth -- to 151 ** diagnose loops. 152 ** e -- the envelope in which to add these recipients. 153 ** 154 ** Returns: 155 ** The number of addresses actually on the list. 156 */ 157 158 /* q_flags bits inherited from ctladdr */ 159 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 160 161 int 162 sendtolist(list, ctladdr, sendq, aliaslevel, e) 163 char *list; 164 ADDRESS *ctladdr; 165 ADDRESS **sendq; 166 int aliaslevel; 167 register ENVELOPE *e; 168 { 169 register char *p; 170 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 171 SM_NONVOLATILE char delimiter; /* the address delimiter */ 172 SM_NONVOLATILE int naddrs; 173 SM_NONVOLATILE int i; 174 char *endp; 175 char *oldto = e->e_to; 176 char *SM_NONVOLATILE bufp; 177 char buf[MAXNAME + 1]; 178 179 if (list == NULL) 180 { 181 syserr("sendtolist: null list"); 182 return 0; 183 } 184 185 if (tTd(25, 1)) 186 { 187 sm_dprintf("sendto: %s\n ctladdr=", list); 188 printaddr(sm_debug_file(), ctladdr, false); 189 } 190 191 /* heuristic to determine old versus new style addresses */ 192 if (ctladdr == NULL && 193 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 194 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 195 e->e_flags &= ~EF_OLDSTYLE; 196 delimiter = ' '; 197 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 198 delimiter = ','; 199 200 al = NULL; 201 naddrs = 0; 202 203 /* make sure we have enough space to copy the string */ 204 i = strlen(list) + 1; 205 if (i <= sizeof(buf)) 206 { 207 bufp = buf; 208 i = sizeof(buf); 209 } 210 else 211 bufp = sm_malloc_x(i); 212 endp = bufp + i; 213 214 SM_TRY 215 { 216 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 217 218 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 219 for (p = bufp; *p != '\0'; ) 220 { 221 auto char *delimptr; 222 register ADDRESS *a; 223 224 SM_ASSERT(p < endp); 225 226 /* parse the address */ 227 while ((isascii(*p) && isspace(*p)) || *p == ',') 228 p++; 229 SM_ASSERT(p < endp); 230 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 231 &delimptr, e, true); 232 p = delimptr; 233 SM_ASSERT(p < endp); 234 if (a == NULL) 235 continue; 236 a->q_next = al; 237 a->q_alias = ctladdr; 238 239 /* arrange to inherit attributes from parent */ 240 if (ctladdr != NULL) 241 { 242 ADDRESS *b; 243 244 /* self reference test */ 245 if (sameaddr(ctladdr, a)) 246 { 247 if (tTd(27, 5)) 248 { 249 sm_dprintf("sendtolist: QSELFREF "); 250 printaddr(sm_debug_file(), ctladdr, false); 251 } 252 ctladdr->q_flags |= QSELFREF; 253 } 254 255 /* check for address loops */ 256 b = self_reference(a); 257 if (b != NULL) 258 { 259 b->q_flags |= QSELFREF; 260 if (tTd(27, 5)) 261 { 262 sm_dprintf("sendtolist: QSELFREF "); 263 printaddr(sm_debug_file(), b, false); 264 } 265 if (a != b) 266 { 267 if (tTd(27, 5)) 268 { 269 sm_dprintf("sendtolist: QS_DONTSEND "); 270 printaddr(sm_debug_file(), a, false); 271 } 272 a->q_state = QS_DONTSEND; 273 b->q_flags |= a->q_flags & QNOTREMOTE; 274 continue; 275 } 276 } 277 278 /* full name */ 279 if (a->q_fullname == NULL) 280 a->q_fullname = ctladdr->q_fullname; 281 282 /* various flag bits */ 283 a->q_flags &= ~QINHERITEDBITS; 284 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 285 286 /* DSN recipient information */ 287 a->q_finalrcpt = ctladdr->q_finalrcpt; 288 a->q_orcpt = ctladdr->q_orcpt; 289 } 290 291 al = a; 292 } 293 294 /* arrange to send to everyone on the local send list */ 295 while (al != NULL) 296 { 297 register ADDRESS *a = al; 298 299 al = a->q_next; 300 a = recipient(a, sendq, aliaslevel, e); 301 naddrs++; 302 } 303 } 304 SM_FINALLY 305 { 306 e->e_to = oldto; 307 if (bufp != buf) 308 sm_free(bufp); 309 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 310 } 311 SM_END_TRY 312 return naddrs; 313 } 314 315 #if MILTER 316 /* 317 ** REMOVEFROMLIST -- Remove addresses from a send list. 318 ** 319 ** The parameter is a comma-separated list of recipients to remove. 320 ** Note that it only deletes matching addresses. If those addresses 321 ** have been expanded already in the sendq, it won't mark the 322 ** expanded recipients as QS_REMOVED. 323 ** 324 ** Parameters: 325 ** list -- the list to remove. 326 ** sendq -- a pointer to the head of a queue to remove 327 ** these addresses from. 328 ** e -- the envelope in which to remove these recipients. 329 ** 330 ** Returns: 331 ** The number of addresses removed from the list. 332 ** 333 */ 334 335 int 336 removefromlist(list, sendq, e) 337 char *list; 338 ADDRESS **sendq; 339 ENVELOPE *e; 340 { 341 SM_NONVOLATILE char delimiter; /* the address delimiter */ 342 SM_NONVOLATILE int naddrs; 343 SM_NONVOLATILE int i; 344 char *p; 345 char *oldto = e->e_to; 346 char *SM_NONVOLATILE bufp; 347 char buf[MAXNAME + 1]; 348 349 if (list == NULL) 350 { 351 syserr("removefromlist: null list"); 352 return 0; 353 } 354 355 if (tTd(25, 1)) 356 sm_dprintf("removefromlist: %s\n", list); 357 358 /* heuristic to determine old versus new style addresses */ 359 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 360 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 361 e->e_flags &= ~EF_OLDSTYLE; 362 delimiter = ' '; 363 if (!bitset(EF_OLDSTYLE, e->e_flags)) 364 delimiter = ','; 365 366 naddrs = 0; 367 368 /* make sure we have enough space to copy the string */ 369 i = strlen(list) + 1; 370 if (i <= sizeof(buf)) 371 { 372 bufp = buf; 373 i = sizeof(buf); 374 } 375 else 376 bufp = sm_malloc_x(i); 377 378 SM_TRY 379 { 380 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 381 382 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 383 for (p = bufp; *p != '\0'; ) 384 { 385 ADDRESS a; /* parsed address to be removed */ 386 ADDRESS *q; 387 ADDRESS **pq; 388 char *delimptr; 389 390 /* parse the address */ 391 while ((isascii(*p) && isspace(*p)) || *p == ',') 392 p++; 393 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 394 delimiter, &delimptr, e, true) == NULL) 395 { 396 p = delimptr; 397 continue; 398 } 399 p = delimptr; 400 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 401 { 402 if (!QS_IS_DEAD(q->q_state) && 403 (sameaddr(q, &a) || 404 strcmp(q->q_paddr, a.q_paddr) == 0)) 405 { 406 if (tTd(25, 5)) 407 { 408 sm_dprintf("removefromlist: QS_REMOVED "); 409 printaddr(sm_debug_file(), &a, false); 410 } 411 q->q_state = QS_REMOVED; 412 naddrs++; 413 break; 414 } 415 } 416 } 417 } 418 SM_FINALLY 419 { 420 e->e_to = oldto; 421 if (bufp != buf) 422 sm_free(bufp); 423 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 424 } 425 SM_END_TRY 426 return naddrs; 427 } 428 #endif /* MILTER */ 429 430 /* 431 ** RECIPIENT -- Designate a message recipient 432 ** Saves the named person for future mailing (after some checks). 433 ** 434 ** Parameters: 435 ** new -- the (preparsed) address header for the recipient. 436 ** sendq -- a pointer to the head of a queue to put the 437 ** recipient in. Duplicate suppression is done 438 ** in this queue. 439 ** aliaslevel -- the current alias nesting depth. 440 ** e -- the current envelope. 441 ** 442 ** Returns: 443 ** The actual address in the queue. This will be "a" if 444 ** the address is not a duplicate, else the original address. 445 ** 446 */ 447 448 ADDRESS * 449 recipient(new, sendq, aliaslevel, e) 450 register ADDRESS *new; 451 register ADDRESS **sendq; 452 int aliaslevel; 453 register ENVELOPE *e; 454 { 455 register ADDRESS *q; 456 ADDRESS **pq; 457 ADDRESS **prev; 458 register struct mailer *m; 459 register char *p; 460 int i, buflen; 461 bool quoted; /* set if the addr has a quote bit */ 462 bool insert; 463 int findusercount; 464 bool initialdontsend; 465 char *buf; 466 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 467 sortfn_t *sortfn; 468 469 p = NULL; 470 quoted = false; 471 insert = false; 472 findusercount = 0; 473 initialdontsend = QS_IS_DEAD(new->q_state); 474 e->e_to = new->q_paddr; 475 m = new->q_mailer; 476 errno = 0; 477 if (aliaslevel == 0) 478 new->q_flags |= QPRIMARY; 479 if (tTd(26, 1)) 480 { 481 sm_dprintf("\nrecipient (%d): ", aliaslevel); 482 printaddr(sm_debug_file(), new, false); 483 } 484 485 /* if this is primary, use it as original recipient */ 486 if (new->q_alias == NULL) 487 { 488 if (e->e_origrcpt == NULL) 489 e->e_origrcpt = new->q_paddr; 490 else if (e->e_origrcpt != new->q_paddr) 491 e->e_origrcpt = ""; 492 } 493 494 /* find parent recipient for finalrcpt and orcpt */ 495 for (q = new; q->q_alias != NULL; q = q->q_alias) 496 continue; 497 498 /* find final recipient DSN address */ 499 if (new->q_finalrcpt == NULL && 500 e->e_from.q_mailer != NULL) 501 { 502 char frbuf[MAXLINE]; 503 504 p = e->e_from.q_mailer->m_addrtype; 505 if (p == NULL) 506 p = "rfc822"; 507 if (sm_strcasecmp(p, "rfc822") != 0) 508 { 509 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 510 q->q_mailer->m_addrtype, 511 q->q_user); 512 } 513 else if (strchr(q->q_user, '@') != NULL) 514 { 515 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 516 p, q->q_user); 517 } 518 else if (strchr(q->q_paddr, '@') != NULL) 519 { 520 char *qp; 521 bool b; 522 523 qp = q->q_paddr; 524 525 /* strip brackets from address */ 526 b = false; 527 if (*qp == '<') 528 { 529 b = qp[strlen(qp) - 1] == '>'; 530 if (b) 531 qp[strlen(qp) - 1] = '\0'; 532 qp++; 533 } 534 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 535 p, qp); 536 537 /* undo damage */ 538 if (b) 539 qp[strlen(qp)] = '>'; 540 } 541 else 542 { 543 (void) sm_snprintf(frbuf, sizeof(frbuf), 544 "%s; %.700s@%.100s", 545 p, q->q_user, MyHostName); 546 } 547 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 548 } 549 550 #if _FFR_GEN_ORCPT 551 /* set ORCPT DSN arg if not already set */ 552 if (new->q_orcpt == NULL) 553 { 554 /* check for an existing ORCPT */ 555 if (q->q_orcpt != NULL) 556 new->q_orcpt = q->q_orcpt; 557 else 558 { 559 /* make our own */ 560 bool b = false; 561 char *qp; 562 char obuf[MAXLINE]; 563 564 if (e->e_from.q_mailer != NULL) 565 p = e->e_from.q_mailer->m_addrtype; 566 if (p == NULL) 567 p = "rfc822"; 568 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 569 570 qp = q->q_paddr; 571 572 /* FFR: Needs to strip comments from stdin addrs */ 573 574 /* strip brackets from address */ 575 if (*qp == '<') 576 { 577 b = qp[strlen(qp) - 1] == '>'; 578 if (b) 579 qp[strlen(qp) - 1] = '\0'; 580 qp++; 581 } 582 583 p = xtextify(denlstring(qp, true, false), "="); 584 585 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 586 { 587 /* if too big, don't use it */ 588 obuf[0] = '\0'; 589 } 590 591 /* undo damage */ 592 if (b) 593 qp[strlen(qp)] = '>'; 594 595 if (obuf[0] != '\0') 596 new->q_orcpt = 597 sm_rpool_strdup_x(e->e_rpool, obuf); 598 } 599 } 600 #endif /* _FFR_GEN_ORCPT */ 601 602 /* break aliasing loops */ 603 if (aliaslevel > MaxAliasRecursion) 604 { 605 new->q_state = QS_BADADDR; 606 new->q_status = "5.4.6"; 607 if (new->q_alias != NULL) 608 { 609 new->q_alias->q_state = QS_BADADDR; 610 new->q_alias->q_status = "5.4.6"; 611 } 612 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 613 { 614 sm_syslog(LOG_ERR, e->e_id, 615 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 616 FileName != NULL ? FileName : "", aliaslevel, 617 MaxAliasRecursion); 618 } 619 usrerrenh(new->q_status, 620 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 621 aliaslevel, MaxAliasRecursion); 622 return new; 623 } 624 625 /* 626 ** Finish setting up address structure. 627 */ 628 629 /* get unquoted user for file, program or user.name check */ 630 i = strlen(new->q_user); 631 if (i >= sizeof(buf0)) 632 { 633 buflen = i + 1; 634 buf = xalloc(buflen); 635 } 636 else 637 { 638 buf = buf0; 639 buflen = sizeof(buf0); 640 } 641 (void) sm_strlcpy(buf, new->q_user, buflen); 642 for (p = buf; *p != '\0' && !quoted; p++) 643 { 644 if (*p == '\\') 645 quoted = true; 646 } 647 stripquotes(buf); 648 649 /* check for direct mailing to restricted mailers */ 650 if (m == ProgMailer) 651 { 652 if (new->q_alias == NULL || UseMSP || 653 bitset(EF_UNSAFE, e->e_flags)) 654 { 655 new->q_state = QS_BADADDR; 656 new->q_status = "5.7.1"; 657 usrerrenh(new->q_status, 658 "550 Cannot mail directly to programs"); 659 } 660 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 661 { 662 new->q_state = QS_BADADDR; 663 new->q_status = "5.7.1"; 664 if (new->q_alias->q_ruser == NULL) 665 usrerrenh(new->q_status, 666 "550 UID %d is an unknown user: cannot mail to programs", 667 new->q_alias->q_uid); 668 else 669 usrerrenh(new->q_status, 670 "550 User %s@%s doesn't have a valid shell for mailing to programs", 671 new->q_alias->q_ruser, MyHostName); 672 } 673 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 674 { 675 new->q_state = QS_BADADDR; 676 new->q_status = "5.7.1"; 677 new->q_rstatus = "550 Unsafe for mailing to programs"; 678 usrerrenh(new->q_status, 679 "550 Address %s is unsafe for mailing to programs", 680 new->q_alias->q_paddr); 681 } 682 } 683 684 /* 685 ** Look up this person in the recipient list. 686 ** If they are there already, return, otherwise continue. 687 ** If the list is empty, just add it. Notice the cute 688 ** hack to make from addresses suppress things correctly: 689 ** the QS_DUPLICATE state will be set in the send list. 690 ** [Please note: the emphasis is on "hack."] 691 */ 692 693 prev = NULL; 694 695 /* 696 ** If this message is going to the queue or FastSplit is set 697 ** and it is the first try and the envelope hasn't split, then we 698 ** avoid doing an MX RR lookup now because one will be done when the 699 ** message is extracted from the queue later. It can go to the queue 700 ** because all messages are going to the queue or this mailer of 701 ** the current recipient is marked expensive. 702 */ 703 704 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 705 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 706 FastSplit > 0)) 707 sortfn = sorthost; 708 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 709 sortfn = sortexpensive; 710 else 711 sortfn = sortbysignature; 712 713 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 714 { 715 /* 716 ** If address is "less than" it should be inserted now. 717 ** If address is "greater than" current comparison it'll 718 ** insert later in the list; so loop again (if possible). 719 ** If address is "equal" (different equal than sameaddr() 720 ** call) then check if sameaddr() will be true. 721 ** Because this list is now sorted, it'll mean fewer 722 ** comparisons and fewer loops which is important for more 723 ** recipients. 724 */ 725 726 i = (*sortfn)(new, q); 727 if (i == 0) /* equal */ 728 { 729 /* 730 ** Sortbysignature() has said that the two have 731 ** equal MX RR's and the same user. Calling sameaddr() 732 ** now checks if the two hosts are as identical as the 733 ** MX RR's are (which might not be the case) 734 ** before saying these are the identical addresses. 735 */ 736 737 if (sameaddr(q, new) && 738 (bitset(QRCPTOK, q->q_flags) || 739 !bitset(QPRIMARY, q->q_flags))) 740 { 741 if (tTd(26, 1)) 742 { 743 sm_dprintf("%s in sendq: ", 744 new->q_paddr); 745 printaddr(sm_debug_file(), q, false); 746 } 747 if (!bitset(QPRIMARY, q->q_flags)) 748 { 749 if (!QS_IS_DEAD(new->q_state)) 750 message("duplicate suppressed"); 751 else 752 q->q_state = QS_DUPLICATE; 753 q->q_flags |= new->q_flags; 754 } 755 else if (bitset(QSELFREF, q->q_flags) 756 || q->q_state == QS_REMOVED) 757 { 758 /* 759 ** If an earlier milter removed the 760 ** address, a later one can still add 761 ** it back. 762 */ 763 764 q->q_state = new->q_state; 765 q->q_flags |= new->q_flags; 766 } 767 new = q; 768 goto done; 769 } 770 } 771 else if (i < 0) /* less than */ 772 { 773 insert = true; 774 break; 775 } 776 prev = pq; 777 } 778 779 /* pq should point to an address, never NULL */ 780 SM_ASSERT(pq != NULL); 781 782 /* add address on list */ 783 if (insert) 784 { 785 /* 786 ** insert before 'pq'. Only possible when at least 1 787 ** ADDRESS is in the list already. 788 */ 789 790 new->q_next = *pq; 791 if (prev == NULL) 792 *sendq = new; /* To be the first ADDRESS */ 793 else 794 (*prev)->q_next = new; 795 } 796 else 797 { 798 /* 799 ** Place in list at current 'pq' position. Possible 800 ** when there are 0 or more ADDRESS's in the list. 801 */ 802 803 new->q_next = NULL; 804 *pq = new; 805 } 806 807 /* added a new address: clear split flag */ 808 e->e_flags &= ~EF_SPLIT; 809 810 /* 811 ** Alias the name and handle special mailer types. 812 */ 813 814 trylocaluser: 815 if (tTd(29, 7)) 816 { 817 sm_dprintf("at trylocaluser: "); 818 printaddr(sm_debug_file(), new, false); 819 } 820 821 if (!QS_IS_OK(new->q_state)) 822 { 823 if (QS_IS_UNDELIVERED(new->q_state)) 824 e->e_nrcpts++; 825 goto testselfdestruct; 826 } 827 828 if (m == InclMailer) 829 { 830 new->q_state = QS_INCLUDED; 831 if (new->q_alias == NULL || UseMSP || 832 bitset(EF_UNSAFE, e->e_flags)) 833 { 834 new->q_state = QS_BADADDR; 835 new->q_status = "5.7.1"; 836 usrerrenh(new->q_status, 837 "550 Cannot mail directly to :include:s"); 838 } 839 else 840 { 841 int ret; 842 843 message("including file %s", new->q_user); 844 ret = include(new->q_user, false, new, 845 sendq, aliaslevel, e); 846 if (transienterror(ret)) 847 { 848 if (LogLevel > 2) 849 sm_syslog(LOG_ERR, e->e_id, 850 "include %s: transient error: %s", 851 shortenstring(new->q_user, 852 MAXSHORTSTR), 853 sm_errstring(ret)); 854 new->q_state = QS_QUEUEUP; 855 usrerr("451 4.2.4 Cannot open %s: %s", 856 shortenstring(new->q_user, 857 MAXSHORTSTR), 858 sm_errstring(ret)); 859 } 860 else if (ret != 0) 861 { 862 new->q_state = QS_BADADDR; 863 new->q_status = "5.2.4"; 864 usrerrenh(new->q_status, 865 "550 Cannot open %s: %s", 866 shortenstring(new->q_user, 867 MAXSHORTSTR), 868 sm_errstring(ret)); 869 } 870 } 871 } 872 else if (m == FileMailer) 873 { 874 /* check if allowed */ 875 if (new->q_alias == NULL || UseMSP || 876 bitset(EF_UNSAFE, e->e_flags)) 877 { 878 new->q_state = QS_BADADDR; 879 new->q_status = "5.7.1"; 880 usrerrenh(new->q_status, 881 "550 Cannot mail directly to files"); 882 } 883 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 884 { 885 new->q_state = QS_BADADDR; 886 new->q_status = "5.7.1"; 887 if (new->q_alias->q_ruser == NULL) 888 usrerrenh(new->q_status, 889 "550 UID %d is an unknown user: cannot mail to files", 890 new->q_alias->q_uid); 891 else 892 usrerrenh(new->q_status, 893 "550 User %s@%s doesn't have a valid shell for mailing to files", 894 new->q_alias->q_ruser, MyHostName); 895 } 896 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 897 { 898 new->q_state = QS_BADADDR; 899 new->q_status = "5.7.1"; 900 new->q_rstatus = "550 Unsafe for mailing to files"; 901 usrerrenh(new->q_status, 902 "550 Address %s is unsafe for mailing to files", 903 new->q_alias->q_paddr); 904 } 905 } 906 907 /* try aliasing */ 908 if (!quoted && QS_IS_OK(new->q_state) && 909 bitnset(M_ALIASABLE, m->m_flags)) 910 alias(new, sendq, aliaslevel, e); 911 912 #if USERDB 913 /* if not aliased, look it up in the user database */ 914 if (!bitset(QNOTREMOTE, new->q_flags) && 915 QS_IS_SENDABLE(new->q_state) && 916 bitnset(M_CHECKUDB, m->m_flags)) 917 { 918 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 919 { 920 new->q_state = QS_QUEUEUP; 921 if (e->e_message == NULL) 922 e->e_message = sm_rpool_strdup_x(e->e_rpool, 923 "Deferred: user database error"); 924 if (new->q_message == NULL) 925 new->q_message = "Deferred: user database error"; 926 if (LogLevel > 8) 927 sm_syslog(LOG_INFO, e->e_id, 928 "deferred: udbexpand: %s", 929 sm_errstring(errno)); 930 message("queued (user database error): %s", 931 sm_errstring(errno)); 932 e->e_nrcpts++; 933 goto testselfdestruct; 934 } 935 } 936 #endif /* USERDB */ 937 938 /* 939 ** If we have a level two config file, then pass the name through 940 ** Ruleset 5 before sending it off. Ruleset 5 has the right 941 ** to rewrite it to another mailer. This gives us a hook 942 ** after local aliasing has been done. 943 */ 944 945 if (tTd(29, 5)) 946 { 947 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 948 ConfigLevel, RewriteRules[5]); 949 printaddr(sm_debug_file(), new, false); 950 } 951 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 952 bitnset(M_TRYRULESET5, m->m_flags) && 953 !bitset(QNOTREMOTE, new->q_flags) && 954 QS_IS_OK(new->q_state)) 955 { 956 maplocaluser(new, sendq, aliaslevel + 1, e); 957 } 958 959 /* 960 ** If it didn't get rewritten to another mailer, go ahead 961 ** and deliver it. 962 */ 963 964 if (QS_IS_OK(new->q_state) && 965 bitnset(M_HASPWENT, m->m_flags)) 966 { 967 auto bool fuzzy; 968 SM_MBDB_T user; 969 int status; 970 971 /* warning -- finduser may trash buf */ 972 status = finduser(buf, &fuzzy, &user); 973 switch (status) 974 { 975 case EX_TEMPFAIL: 976 new->q_state = QS_QUEUEUP; 977 new->q_status = "4.5.2"; 978 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 979 new->q_alias, (time_t) 0, e, new); 980 break; 981 default: 982 new->q_state = QS_BADADDR; 983 new->q_status = "5.1.1"; 984 new->q_rstatus = "550 5.1.1 User unknown"; 985 giveresponse(EX_NOUSER, new->q_status, m, NULL, 986 new->q_alias, (time_t) 0, e, new); 987 break; 988 case EX_OK: 989 if (fuzzy) 990 { 991 /* name was a fuzzy match */ 992 new->q_user = sm_rpool_strdup_x(e->e_rpool, 993 user.mbdb_name); 994 if (findusercount++ > 3) 995 { 996 new->q_state = QS_BADADDR; 997 new->q_status = "5.4.6"; 998 usrerrenh(new->q_status, 999 "554 aliasing/forwarding loop for %s broken", 1000 user.mbdb_name); 1001 goto done; 1002 } 1003 1004 /* see if it aliases */ 1005 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1006 goto trylocaluser; 1007 } 1008 if (*user.mbdb_homedir == '\0') 1009 new->q_home = NULL; 1010 else if (strcmp(user.mbdb_homedir, "/") == 0) 1011 new->q_home = ""; 1012 else 1013 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1014 user.mbdb_homedir); 1015 if (user.mbdb_uid != SM_NO_UID) 1016 { 1017 new->q_uid = user.mbdb_uid; 1018 new->q_gid = user.mbdb_gid; 1019 new->q_flags |= QGOODUID; 1020 } 1021 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1022 user.mbdb_name); 1023 if (user.mbdb_fullname[0] != '\0') 1024 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1025 user.mbdb_fullname); 1026 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1027 { 1028 new->q_flags |= QBOGUSSHELL; 1029 } 1030 if (bitset(EF_VRFYONLY, e->e_flags)) 1031 { 1032 /* don't do any more now */ 1033 new->q_state = QS_VERIFIED; 1034 } 1035 else if (!quoted) 1036 forward(new, sendq, aliaslevel, e); 1037 } 1038 } 1039 if (!QS_IS_DEAD(new->q_state)) 1040 e->e_nrcpts++; 1041 1042 testselfdestruct: 1043 new->q_flags |= QTHISPASS; 1044 if (tTd(26, 8)) 1045 { 1046 sm_dprintf("testselfdestruct: "); 1047 printaddr(sm_debug_file(), new, false); 1048 if (tTd(26, 10)) 1049 { 1050 sm_dprintf("SENDQ:\n"); 1051 printaddr(sm_debug_file(), *sendq, true); 1052 sm_dprintf("----\n"); 1053 } 1054 } 1055 if (new->q_alias == NULL && new != &e->e_from && 1056 QS_IS_DEAD(new->q_state)) 1057 { 1058 for (q = *sendq; q != NULL; q = q->q_next) 1059 { 1060 if (!QS_IS_DEAD(q->q_state)) 1061 break; 1062 } 1063 if (q == NULL) 1064 { 1065 new->q_state = QS_BADADDR; 1066 new->q_status = "5.4.6"; 1067 usrerrenh(new->q_status, 1068 "554 aliasing/forwarding loop broken"); 1069 } 1070 } 1071 1072 done: 1073 new->q_flags |= QTHISPASS; 1074 if (buf != buf0) 1075 sm_free(buf); /* XXX leak if above code raises exception */ 1076 1077 /* 1078 ** If we are at the top level, check to see if this has 1079 ** expanded to exactly one address. If so, it can inherit 1080 ** the primaryness of the address. 1081 ** 1082 ** While we're at it, clear the QTHISPASS bits. 1083 */ 1084 1085 if (aliaslevel == 0) 1086 { 1087 int nrcpts = 0; 1088 ADDRESS *only = NULL; 1089 1090 for (q = *sendq; q != NULL; q = q->q_next) 1091 { 1092 if (bitset(QTHISPASS, q->q_flags) && 1093 QS_IS_SENDABLE(q->q_state)) 1094 { 1095 nrcpts++; 1096 only = q; 1097 } 1098 q->q_flags &= ~QTHISPASS; 1099 } 1100 if (nrcpts == 1) 1101 { 1102 /* check to see if this actually got a new owner */ 1103 q = only; 1104 while ((q = q->q_alias) != NULL) 1105 { 1106 if (q->q_owner != NULL) 1107 break; 1108 } 1109 if (q == NULL) 1110 only->q_flags |= QPRIMARY; 1111 } 1112 else if (!initialdontsend && nrcpts > 0) 1113 { 1114 /* arrange for return receipt */ 1115 e->e_flags |= EF_SENDRECEIPT; 1116 new->q_flags |= QEXPANDED; 1117 if (e->e_xfp != NULL && 1118 bitset(QPINGONSUCCESS, new->q_flags)) 1119 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1120 "%s... expanded to multiple addresses\n", 1121 new->q_paddr); 1122 } 1123 } 1124 new->q_flags |= QRCPTOK; 1125 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1126 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1127 return new; 1128 } 1129 1130 /* 1131 ** FINDUSER -- find the password entry for a user. 1132 ** 1133 ** This looks a lot like getpwnam, except that it may want to 1134 ** do some fancier pattern matching in /etc/passwd. 1135 ** 1136 ** This routine contains most of the time of many sendmail runs. 1137 ** It deserves to be optimized. 1138 ** 1139 ** Parameters: 1140 ** name -- the name to match against. 1141 ** fuzzyp -- an outarg that is set to true if this entry 1142 ** was found using the fuzzy matching algorithm; 1143 ** set to false otherwise. 1144 ** user -- structure to fill in if user is found 1145 ** 1146 ** Returns: 1147 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1148 ** If the user was not found, return EX_NOUSER. 1149 ** On error, return EX_TEMPFAIL or EX_OSERR. 1150 ** 1151 ** Side Effects: 1152 ** may modify name. 1153 */ 1154 1155 int 1156 finduser(name, fuzzyp, user) 1157 char *name; 1158 bool *fuzzyp; 1159 SM_MBDB_T *user; 1160 { 1161 #if MATCHGECOS 1162 register struct passwd *pw; 1163 #endif /* MATCHGECOS */ 1164 register char *p; 1165 bool tryagain; 1166 int status; 1167 1168 if (tTd(29, 4)) 1169 sm_dprintf("finduser(%s): ", name); 1170 1171 *fuzzyp = false; 1172 1173 #if HESIOD 1174 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1175 for (p = name; *p != '\0'; p++) 1176 if (!isascii(*p) || !isdigit(*p)) 1177 break; 1178 if (*p == '\0') 1179 { 1180 if (tTd(29, 4)) 1181 sm_dprintf("failed (numeric input)\n"); 1182 return EX_NOUSER; 1183 } 1184 #endif /* HESIOD */ 1185 1186 /* look up this login name using fast path */ 1187 status = sm_mbdb_lookup(name, user); 1188 if (status != EX_NOUSER) 1189 { 1190 if (tTd(29, 4)) 1191 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1192 return status; 1193 } 1194 1195 /* try mapping it to lower case */ 1196 tryagain = false; 1197 for (p = name; *p != '\0'; p++) 1198 { 1199 if (isascii(*p) && isupper(*p)) 1200 { 1201 *p = tolower(*p); 1202 tryagain = true; 1203 } 1204 } 1205 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1206 { 1207 if (tTd(29, 4)) 1208 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1209 *fuzzyp = true; 1210 return status; 1211 } 1212 1213 #if MATCHGECOS 1214 /* see if fuzzy matching allowed */ 1215 if (!MatchGecos) 1216 { 1217 if (tTd(29, 4)) 1218 sm_dprintf("not found (fuzzy disabled)\n"); 1219 return EX_NOUSER; 1220 } 1221 1222 /* search for a matching full name instead */ 1223 for (p = name; *p != '\0'; p++) 1224 { 1225 if (*p == (SpaceSub & 0177) || *p == '_') 1226 *p = ' '; 1227 } 1228 (void) setpwent(); 1229 while ((pw = getpwent()) != NULL) 1230 { 1231 char buf[MAXNAME + 1]; 1232 1233 # if 0 1234 if (sm_strcasecmp(pw->pw_name, name) == 0) 1235 { 1236 if (tTd(29, 4)) 1237 sm_dprintf("found (case wrapped)\n"); 1238 break; 1239 } 1240 # endif /* 0 */ 1241 1242 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1243 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1244 { 1245 if (tTd(29, 4)) 1246 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1247 message("sending to login name %s", pw->pw_name); 1248 break; 1249 } 1250 } 1251 if (pw != NULL) 1252 *fuzzyp = true; 1253 else if (tTd(29, 4)) 1254 sm_dprintf("no fuzzy match found\n"); 1255 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1256 endpwent(); 1257 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1258 if (pw == NULL) 1259 return EX_NOUSER; 1260 sm_mbdb_frompw(user, pw); 1261 return EX_OK; 1262 #else /* MATCHGECOS */ 1263 if (tTd(29, 4)) 1264 sm_dprintf("not found (fuzzy disabled)\n"); 1265 return EX_NOUSER; 1266 #endif /* MATCHGECOS */ 1267 } 1268 1269 /* 1270 ** WRITABLE -- predicate returning if the file is writable. 1271 ** 1272 ** This routine must duplicate the algorithm in sys/fio.c. 1273 ** Unfortunately, we cannot use the access call since we 1274 ** won't necessarily be the real uid when we try to 1275 ** actually open the file. 1276 ** 1277 ** Notice that ANY file with ANY execute bit is automatically 1278 ** not writable. This is also enforced by mailfile. 1279 ** 1280 ** Parameters: 1281 ** filename -- the file name to check. 1282 ** ctladdr -- the controlling address for this file. 1283 ** flags -- SFF_* flags to control the function. 1284 ** 1285 ** Returns: 1286 ** true -- if we will be able to write this file. 1287 ** false -- if we cannot write this file. 1288 ** 1289 ** Side Effects: 1290 ** none. 1291 */ 1292 1293 bool 1294 writable(filename, ctladdr, flags) 1295 char *filename; 1296 ADDRESS *ctladdr; 1297 long flags; 1298 { 1299 uid_t euid = 0; 1300 gid_t egid = 0; 1301 char *user = NULL; 1302 1303 if (tTd(44, 5)) 1304 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1305 1306 /* 1307 ** File does exist -- check that it is writable. 1308 */ 1309 1310 if (geteuid() != 0) 1311 { 1312 euid = geteuid(); 1313 egid = getegid(); 1314 user = NULL; 1315 } 1316 else if (ctladdr != NULL) 1317 { 1318 euid = ctladdr->q_uid; 1319 egid = ctladdr->q_gid; 1320 user = ctladdr->q_user; 1321 } 1322 else if (bitset(SFF_RUNASREALUID, flags)) 1323 { 1324 euid = RealUid; 1325 egid = RealGid; 1326 user = RealUserName; 1327 } 1328 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1329 { 1330 if (FileMailer->m_uid == NO_UID) 1331 { 1332 euid = DefUid; 1333 user = DefUser; 1334 } 1335 else 1336 { 1337 euid = FileMailer->m_uid; 1338 user = NULL; 1339 } 1340 if (FileMailer->m_gid == NO_GID) 1341 egid = DefGid; 1342 else 1343 egid = FileMailer->m_gid; 1344 } 1345 else 1346 { 1347 euid = egid = 0; 1348 user = NULL; 1349 } 1350 if (!bitset(SFF_ROOTOK, flags)) 1351 { 1352 if (euid == 0) 1353 { 1354 euid = DefUid; 1355 user = DefUser; 1356 } 1357 if (egid == 0) 1358 egid = DefGid; 1359 } 1360 if (geteuid() == 0 && 1361 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1362 flags |= SFF_SETUIDOK; 1363 1364 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1365 flags |= SFF_NOSLINK; 1366 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1367 flags |= SFF_NOHLINK; 1368 1369 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1370 return errno == 0; 1371 } 1372 1373 /* 1374 ** INCLUDE -- handle :include: specification. 1375 ** 1376 ** Parameters: 1377 ** fname -- filename to include. 1378 ** forwarding -- if true, we are reading a .forward file. 1379 ** if false, it's a :include: file. 1380 ** ctladdr -- address template to use to fill in these 1381 ** addresses -- effective user/group id are 1382 ** the important things. 1383 ** sendq -- a pointer to the head of the send queue 1384 ** to put these addresses in. 1385 ** aliaslevel -- the alias nesting depth. 1386 ** e -- the current envelope. 1387 ** 1388 ** Returns: 1389 ** open error status 1390 ** 1391 ** Side Effects: 1392 ** reads the :include: file and sends to everyone 1393 ** listed in that file. 1394 ** 1395 ** Security Note: 1396 ** If you have restricted chown (that is, you can't 1397 ** give a file away), it is reasonable to allow programs 1398 ** and files called from this :include: file to be to be 1399 ** run as the owner of the :include: file. This is bogus 1400 ** if there is any chance of someone giving away a file. 1401 ** We assume that pre-POSIX systems can give away files. 1402 ** 1403 ** There is an additional restriction that if you 1404 ** forward to a :include: file, it will not take on 1405 ** the ownership of the :include: file. This may not 1406 ** be necessary, but shouldn't hurt. 1407 */ 1408 1409 static jmp_buf CtxIncludeTimeout; 1410 1411 int 1412 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1413 char *fname; 1414 bool forwarding; 1415 ADDRESS *ctladdr; 1416 ADDRESS **sendq; 1417 int aliaslevel; 1418 ENVELOPE *e; 1419 { 1420 SM_FILE_T *volatile fp = NULL; 1421 char *oldto = e->e_to; 1422 char *oldfilename = FileName; 1423 int oldlinenumber = LineNumber; 1424 register SM_EVENT *ev = NULL; 1425 int nincludes; 1426 int mode; 1427 volatile bool maxreached = false; 1428 register ADDRESS *ca; 1429 volatile uid_t saveduid; 1430 volatile gid_t savedgid; 1431 volatile uid_t uid; 1432 volatile gid_t gid; 1433 char *volatile user; 1434 int rval = 0; 1435 volatile long sfflags = SFF_REGONLY; 1436 register char *p; 1437 bool safechown = false; 1438 volatile bool safedir = false; 1439 struct stat st; 1440 char buf[MAXLINE]; 1441 1442 if (tTd(27, 2)) 1443 sm_dprintf("include(%s)\n", fname); 1444 if (tTd(27, 4)) 1445 sm_dprintf(" ruid=%d euid=%d\n", 1446 (int) getuid(), (int) geteuid()); 1447 if (tTd(27, 14)) 1448 { 1449 sm_dprintf("ctladdr "); 1450 printaddr(sm_debug_file(), ctladdr, false); 1451 } 1452 1453 if (tTd(27, 9)) 1454 sm_dprintf("include: old uid = %d/%d\n", 1455 (int) getuid(), (int) geteuid()); 1456 1457 if (forwarding) 1458 { 1459 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1460 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1461 sfflags |= SFF_NOGWFILES; 1462 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1463 sfflags |= SFF_NOWWFILES; 1464 } 1465 else 1466 { 1467 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1468 sfflags |= SFF_NOGWFILES; 1469 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1470 sfflags |= SFF_NOWWFILES; 1471 } 1472 1473 /* 1474 ** If RunAsUser set, won't be able to run programs as user 1475 ** so mark them as unsafe unless the administrator knows better. 1476 */ 1477 1478 if ((geteuid() != 0 || RunAsUid != 0) && 1479 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1480 { 1481 if (tTd(27, 4)) 1482 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1483 (int) geteuid(), (int) RunAsUid); 1484 ctladdr->q_flags |= QUNSAFEADDR; 1485 } 1486 1487 ca = getctladdr(ctladdr); 1488 if (ca == NULL || 1489 (ca->q_uid == DefUid && ca->q_gid == 0)) 1490 { 1491 uid = DefUid; 1492 gid = DefGid; 1493 user = DefUser; 1494 } 1495 else 1496 { 1497 uid = ca->q_uid; 1498 gid = ca->q_gid; 1499 user = ca->q_user; 1500 } 1501 #if MAILER_SETUID_METHOD != USE_SETUID 1502 saveduid = geteuid(); 1503 savedgid = getegid(); 1504 if (saveduid == 0) 1505 { 1506 if (!DontInitGroups) 1507 { 1508 if (initgroups(user, gid) == -1) 1509 { 1510 rval = EAGAIN; 1511 syserr("include: initgroups(%s, %d) failed", 1512 user, gid); 1513 goto resetuid; 1514 } 1515 } 1516 else 1517 { 1518 GIDSET_T gidset[1]; 1519 1520 gidset[0] = gid; 1521 if (setgroups(1, gidset) == -1) 1522 { 1523 rval = EAGAIN; 1524 syserr("include: setgroups() failed"); 1525 goto resetuid; 1526 } 1527 } 1528 1529 if (gid != 0 && setgid(gid) < -1) 1530 { 1531 rval = EAGAIN; 1532 syserr("setgid(%d) failure", gid); 1533 goto resetuid; 1534 } 1535 if (uid != 0) 1536 { 1537 # if MAILER_SETUID_METHOD == USE_SETEUID 1538 if (seteuid(uid) < 0) 1539 { 1540 rval = EAGAIN; 1541 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1542 uid, (int) getuid(), (int) geteuid()); 1543 goto resetuid; 1544 } 1545 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1546 # if MAILER_SETUID_METHOD == USE_SETREUID 1547 if (setreuid(0, uid) < 0) 1548 { 1549 rval = EAGAIN; 1550 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1551 uid, (int) getuid(), (int) geteuid()); 1552 goto resetuid; 1553 } 1554 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1555 } 1556 } 1557 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1558 1559 if (tTd(27, 9)) 1560 sm_dprintf("include: new uid = %d/%d\n", 1561 (int) getuid(), (int) geteuid()); 1562 1563 /* 1564 ** If home directory is remote mounted but server is down, 1565 ** this can hang or give errors; use a timeout to avoid this 1566 */ 1567 1568 if (setjmp(CtxIncludeTimeout) != 0) 1569 { 1570 ctladdr->q_state = QS_QUEUEUP; 1571 errno = 0; 1572 1573 /* return pseudo-error code */ 1574 rval = E_SM_OPENTIMEOUT; 1575 goto resetuid; 1576 } 1577 if (TimeOuts.to_fileopen > 0) 1578 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1579 else 1580 ev = NULL; 1581 1582 1583 /* check for writable parent directory */ 1584 p = strrchr(fname, '/'); 1585 if (p != NULL) 1586 { 1587 int ret; 1588 1589 *p = '\0'; 1590 ret = safedirpath(fname, uid, gid, user, 1591 sfflags|SFF_SAFEDIRPATH, 0, 0); 1592 if (ret == 0) 1593 { 1594 /* in safe directory: relax chown & link rules */ 1595 safedir = true; 1596 sfflags |= SFF_NOPATHCHECK; 1597 } 1598 else 1599 { 1600 if (bitnset((forwarding ? 1601 DBS_FORWARDFILEINUNSAFEDIRPATH : 1602 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1603 DontBlameSendmail)) 1604 sfflags |= SFF_NOPATHCHECK; 1605 else if (bitnset((forwarding ? 1606 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1607 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1608 DontBlameSendmail) && 1609 ret == E_SM_GWDIR) 1610 { 1611 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1612 DontBlameSendmail); 1613 ret = safedirpath(fname, uid, gid, user, 1614 sfflags|SFF_SAFEDIRPATH, 1615 0, 0); 1616 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1617 DontBlameSendmail); 1618 if (ret == 0) 1619 sfflags |= SFF_NOPATHCHECK; 1620 else 1621 sfflags |= SFF_SAFEDIRPATH; 1622 } 1623 else 1624 sfflags |= SFF_SAFEDIRPATH; 1625 if (ret > E_PSEUDOBASE && 1626 !bitnset((forwarding ? 1627 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1628 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1629 DontBlameSendmail)) 1630 { 1631 if (LogLevel > 11) 1632 sm_syslog(LOG_INFO, e->e_id, 1633 "%s: unsafe directory path, marked unsafe", 1634 shortenstring(fname, MAXSHORTSTR)); 1635 ctladdr->q_flags |= QUNSAFEADDR; 1636 } 1637 } 1638 *p = '/'; 1639 } 1640 1641 /* allow links only in unwritable directories */ 1642 if (!safedir && 1643 !bitnset((forwarding ? 1644 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1645 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1646 DontBlameSendmail)) 1647 sfflags |= SFF_NOLINK; 1648 1649 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1650 if (rval != 0) 1651 { 1652 /* don't use this :include: file */ 1653 if (tTd(27, 4)) 1654 sm_dprintf("include: not safe (uid=%d): %s\n", 1655 (int) uid, sm_errstring(rval)); 1656 } 1657 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1658 SM_IO_RDONLY, NULL)) == NULL) 1659 { 1660 rval = errno; 1661 if (tTd(27, 4)) 1662 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1663 } 1664 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1665 { 1666 rval = E_SM_FILECHANGE; 1667 if (tTd(27, 4)) 1668 sm_dprintf("include: file changed after open\n"); 1669 } 1670 if (ev != NULL) 1671 sm_clrevent(ev); 1672 1673 resetuid: 1674 1675 #if HASSETREUID || USESETEUID 1676 if (saveduid == 0) 1677 { 1678 if (uid != 0) 1679 { 1680 # if USESETEUID 1681 if (seteuid(0) < 0) 1682 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1683 (int) getuid(), (int) geteuid()); 1684 # else /* USESETEUID */ 1685 if (setreuid(-1, 0) < 0) 1686 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1687 (int) getuid(), (int) geteuid()); 1688 if (setreuid(RealUid, 0) < 0) 1689 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1690 (int) RealUid, (int) getuid(), 1691 (int) geteuid()); 1692 # endif /* USESETEUID */ 1693 } 1694 if (setgid(savedgid) < 0) 1695 syserr("!setgid(%d) failure (real=%d eff=%d)", 1696 (int) savedgid, (int) getgid(), 1697 (int) getegid()); 1698 } 1699 #endif /* HASSETREUID || USESETEUID */ 1700 1701 if (tTd(27, 9)) 1702 sm_dprintf("include: reset uid = %d/%d\n", 1703 (int) getuid(), (int) geteuid()); 1704 1705 if (rval == E_SM_OPENTIMEOUT) 1706 usrerr("451 4.4.1 open timeout on %s", fname); 1707 1708 if (fp == NULL) 1709 return rval; 1710 1711 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1712 { 1713 rval = errno; 1714 syserr("Cannot fstat %s!", fname); 1715 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1716 return rval; 1717 } 1718 1719 /* if path was writable, check to avoid file giveaway tricks */ 1720 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1721 if (tTd(27, 6)) 1722 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1723 fname, safedir ? "safe" : "dangerous", 1724 safechown ? "" : "un"); 1725 1726 /* if no controlling user or coming from an alias delivery */ 1727 if (safechown && 1728 (ca == NULL || 1729 (ca->q_uid == DefUid && ca->q_gid == 0))) 1730 { 1731 ctladdr->q_uid = st.st_uid; 1732 ctladdr->q_gid = st.st_gid; 1733 ctladdr->q_flags |= QGOODUID; 1734 } 1735 if (ca != NULL && ca->q_uid == st.st_uid) 1736 { 1737 /* optimization -- avoid getpwuid if we already have info */ 1738 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1739 ctladdr->q_ruser = ca->q_ruser; 1740 } 1741 else if (!forwarding) 1742 { 1743 register struct passwd *pw; 1744 1745 pw = sm_getpwuid(st.st_uid); 1746 if (pw == NULL) 1747 { 1748 ctladdr->q_uid = st.st_uid; 1749 ctladdr->q_flags |= QBOGUSSHELL; 1750 } 1751 else 1752 { 1753 char *sh; 1754 1755 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1756 pw->pw_name); 1757 if (safechown) 1758 sh = pw->pw_shell; 1759 else 1760 sh = "/SENDMAIL/ANY/SHELL/"; 1761 if (!usershellok(pw->pw_name, sh)) 1762 { 1763 if (LogLevel > 11) 1764 sm_syslog(LOG_INFO, e->e_id, 1765 "%s: user %s has bad shell %s, marked %s", 1766 shortenstring(fname, 1767 MAXSHORTSTR), 1768 pw->pw_name, sh, 1769 safechown ? "bogus" : "unsafe"); 1770 if (safechown) 1771 ctladdr->q_flags |= QBOGUSSHELL; 1772 else 1773 ctladdr->q_flags |= QUNSAFEADDR; 1774 } 1775 } 1776 } 1777 1778 if (bitset(EF_VRFYONLY, e->e_flags)) 1779 { 1780 /* don't do any more now */ 1781 ctladdr->q_state = QS_VERIFIED; 1782 e->e_nrcpts++; 1783 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1784 return rval; 1785 } 1786 1787 /* 1788 ** Check to see if some bad guy can write this file 1789 ** 1790 ** Group write checking could be more clever, e.g., 1791 ** guessing as to which groups are actually safe ("sys" 1792 ** may be; "user" probably is not). 1793 */ 1794 1795 mode = S_IWOTH; 1796 if (!bitnset((forwarding ? 1797 DBS_GROUPWRITABLEFORWARDFILESAFE : 1798 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1799 DontBlameSendmail)) 1800 mode |= S_IWGRP; 1801 1802 if (bitset(mode, st.st_mode)) 1803 { 1804 if (tTd(27, 6)) 1805 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1806 shortenstring(fname, MAXSHORTSTR), 1807 bitset(S_IWOTH, st.st_mode) ? "world" 1808 : "group"); 1809 if (LogLevel > 11) 1810 sm_syslog(LOG_INFO, e->e_id, 1811 "%s: %s writable %s file, marked unsafe", 1812 shortenstring(fname, MAXSHORTSTR), 1813 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1814 forwarding ? "forward" : ":include:"); 1815 ctladdr->q_flags |= QUNSAFEADDR; 1816 } 1817 1818 /* read the file -- each line is a comma-separated list. */ 1819 FileName = fname; 1820 LineNumber = 0; 1821 ctladdr->q_flags &= ~QSELFREF; 1822 nincludes = 0; 1823 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL && 1824 !maxreached) 1825 { 1826 fixcrlf(buf, true); 1827 LineNumber++; 1828 if (buf[0] == '#' || buf[0] == '\0') 1829 continue; 1830 1831 /* <sp>#@# introduces a comment anywhere */ 1832 /* for Japanese character sets */ 1833 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1834 { 1835 if (p[1] == '@' && p[2] == '#' && 1836 isascii(p[-1]) && isspace(p[-1]) && 1837 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1838 { 1839 --p; 1840 while (p > buf && isascii(p[-1]) && 1841 isspace(p[-1])) 1842 --p; 1843 p[0] = '\0'; 1844 break; 1845 } 1846 } 1847 if (buf[0] == '\0') 1848 continue; 1849 1850 e->e_to = NULL; 1851 message("%s to %s", 1852 forwarding ? "forwarding" : "sending", buf); 1853 if (forwarding && LogLevel > 10) 1854 sm_syslog(LOG_INFO, e->e_id, 1855 "forward %.200s => %s", 1856 oldto, shortenstring(buf, MAXSHORTSTR)); 1857 1858 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1859 1860 if (forwarding && 1861 MaxForwardEntries > 0 && 1862 nincludes >= MaxForwardEntries) 1863 { 1864 /* just stop reading and processing further entries */ 1865 #if 0 1866 /* additional: (?) */ 1867 ctladdr->q_state = QS_DONTSEND; 1868 #endif /* 0 */ 1869 1870 syserr("Attempt to forward to more than %d addresses (in %s)!", 1871 MaxForwardEntries, fname); 1872 maxreached = true; 1873 } 1874 } 1875 1876 if (sm_io_error(fp) && tTd(27, 3)) 1877 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1878 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1879 { 1880 if (aliaslevel <= MaxAliasRecursion || 1881 ctladdr->q_state != QS_BADADDR) 1882 { 1883 ctladdr->q_state = QS_DONTSEND; 1884 if (tTd(27, 5)) 1885 { 1886 sm_dprintf("include: QS_DONTSEND "); 1887 printaddr(sm_debug_file(), ctladdr, false); 1888 } 1889 } 1890 } 1891 1892 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1893 FileName = oldfilename; 1894 LineNumber = oldlinenumber; 1895 e->e_to = oldto; 1896 return rval; 1897 } 1898 1899 static void 1900 includetimeout(ignore) 1901 int ignore; 1902 { 1903 /* 1904 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1905 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1906 ** DOING. 1907 */ 1908 1909 errno = ETIMEDOUT; 1910 longjmp(CtxIncludeTimeout, 1); 1911 } 1912 1913 /* 1914 ** SENDTOARGV -- send to an argument vector. 1915 ** 1916 ** Parameters: 1917 ** argv -- argument vector to send to. 1918 ** e -- the current envelope. 1919 ** 1920 ** Returns: 1921 ** none. 1922 ** 1923 ** Side Effects: 1924 ** puts all addresses on the argument vector onto the 1925 ** send queue. 1926 */ 1927 1928 void 1929 sendtoargv(argv, e) 1930 register char **argv; 1931 register ENVELOPE *e; 1932 { 1933 register char *p; 1934 1935 while ((p = *argv++) != NULL) 1936 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1937 } 1938 1939 /* 1940 ** GETCTLADDR -- get controlling address from an address header. 1941 ** 1942 ** If none, get one corresponding to the effective userid. 1943 ** 1944 ** Parameters: 1945 ** a -- the address to find the controller of. 1946 ** 1947 ** Returns: 1948 ** the controlling address. 1949 */ 1950 1951 ADDRESS * 1952 getctladdr(a) 1953 register ADDRESS *a; 1954 { 1955 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1956 a = a->q_alias; 1957 return a; 1958 } 1959 1960 /* 1961 ** SELF_REFERENCE -- check to see if an address references itself 1962 ** 1963 ** The check is done through a chain of aliases. If it is part of 1964 ** a loop, break the loop at the "best" address, that is, the one 1965 ** that exists as a real user. 1966 ** 1967 ** This is to handle the case of: 1968 ** awc: Andrew.Chang 1969 ** Andrew.Chang: awc@mail.server 1970 ** which is a problem only on mail.server. 1971 ** 1972 ** Parameters: 1973 ** a -- the address to check. 1974 ** 1975 ** Returns: 1976 ** The address that should be retained. 1977 */ 1978 1979 static ADDRESS * 1980 self_reference(a) 1981 ADDRESS *a; 1982 { 1983 ADDRESS *b; /* top entry in self ref loop */ 1984 ADDRESS *c; /* entry that point to a real mail box */ 1985 1986 if (tTd(27, 1)) 1987 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1988 1989 for (b = a->q_alias; b != NULL; b = b->q_alias) 1990 { 1991 if (sameaddr(a, b)) 1992 break; 1993 } 1994 1995 if (b == NULL) 1996 { 1997 if (tTd(27, 1)) 1998 sm_dprintf("\t... no self ref\n"); 1999 return NULL; 2000 } 2001 2002 /* 2003 ** Pick the first address that resolved to a real mail box 2004 ** i.e has a mbdb entry. The returned value will be marked 2005 ** QSELFREF in recipient(), which in turn will disable alias() 2006 ** from marking it as QS_IS_DEAD(), which mean it will be used 2007 ** as a deliverable address. 2008 ** 2009 ** The 2 key thing to note here are: 2010 ** 1) we are in a recursive call sequence: 2011 ** alias->sendtolist->recipient->alias 2012 ** 2) normally, when we return back to alias(), the address 2013 ** will be marked QS_EXPANDED, since alias() assumes the 2014 ** expanded form will be used instead of the current address. 2015 ** This behaviour is turned off if the address is marked 2016 ** QSELFREF. We set QSELFREF when we return to recipient(). 2017 */ 2018 2019 c = a; 2020 while (c != NULL) 2021 { 2022 if (tTd(27, 10)) 2023 sm_dprintf(" %s", c->q_user); 2024 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2025 { 2026 SM_MBDB_T user; 2027 2028 if (tTd(27, 2)) 2029 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2030 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2031 { 2032 if (tTd(27, 2)) 2033 sm_dprintf("found\n"); 2034 2035 /* ought to cache results here */ 2036 if (sameaddr(b, c)) 2037 return b; 2038 else 2039 return c; 2040 } 2041 if (tTd(27, 2)) 2042 sm_dprintf("failed\n"); 2043 } 2044 else 2045 { 2046 /* if local delivery, compare usernames */ 2047 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2048 b->q_mailer == c->q_mailer) 2049 { 2050 if (tTd(27, 2)) 2051 sm_dprintf("\t... local match (%s)\n", 2052 c->q_user); 2053 if (sameaddr(b, c)) 2054 return b; 2055 else 2056 return c; 2057 } 2058 } 2059 if (tTd(27, 10)) 2060 sm_dprintf("\n"); 2061 c = c->q_alias; 2062 } 2063 2064 if (tTd(27, 1)) 2065 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2066 2067 return NULL; 2068 } 2069