xref: /illumos-gate/usr/src/cmd/sendmail/util/smrsh.c (revision 2a8bcb4e)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.
37c478bd9Sstevel@tonic-gate  *	All rights reserved.
47c478bd9Sstevel@tonic-gate  * Copyright (c) 1993 Eric P. Allman.  All rights reserved.
57c478bd9Sstevel@tonic-gate  * Copyright (c) 1993
67c478bd9Sstevel@tonic-gate  *	The Regents of the University of California.  All rights reserved.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * By using this file, you agree to the terms and conditions set
97c478bd9Sstevel@tonic-gate  * forth in the LICENSE file which can be found at the top level of
107c478bd9Sstevel@tonic-gate  * the sendmail distribution.
117c478bd9Sstevel@tonic-gate  *
127c478bd9Sstevel@tonic-gate  */
137c478bd9Sstevel@tonic-gate 
147c478bd9Sstevel@tonic-gate #include <sm/gen.h>
157c478bd9Sstevel@tonic-gate 
167c478bd9Sstevel@tonic-gate SM_IDSTR(copyright,
177c478bd9Sstevel@tonic-gate "@(#) Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.\n\
187c478bd9Sstevel@tonic-gate 	All rights reserved.\n\
197c478bd9Sstevel@tonic-gate      Copyright (c) 1993 Eric P. Allman.  All rights reserved.\n\
207c478bd9Sstevel@tonic-gate      Copyright (c) 1993\n\
217c478bd9Sstevel@tonic-gate 	The Regents of the University of California.  All rights reserved.\n")
227c478bd9Sstevel@tonic-gate 
237c478bd9Sstevel@tonic-gate SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 2004/08/06 18:54:22 ca Exp $")
247c478bd9Sstevel@tonic-gate 
257c478bd9Sstevel@tonic-gate /*
267c478bd9Sstevel@tonic-gate **  SMRSH -- sendmail restricted shell
277c478bd9Sstevel@tonic-gate **
287c478bd9Sstevel@tonic-gate **	This is a patch to get around the prog mailer bugs in most
297c478bd9Sstevel@tonic-gate **	versions of sendmail.
307c478bd9Sstevel@tonic-gate **
317c478bd9Sstevel@tonic-gate **	Use this in place of /bin/sh in the "prog" mailer definition
327c478bd9Sstevel@tonic-gate **	in your sendmail.cf file.  You then create CMDDIR (owned by
337c478bd9Sstevel@tonic-gate **	root, mode 755) and put links to any programs you want
347c478bd9Sstevel@tonic-gate **	available to prog mailers in that directory.  This should
357c478bd9Sstevel@tonic-gate **	include things like "vacation" and "procmail", but not "sed"
367c478bd9Sstevel@tonic-gate **	or "sh".
377c478bd9Sstevel@tonic-gate **
387c478bd9Sstevel@tonic-gate **	Leading pathnames are stripped from program names so that
397c478bd9Sstevel@tonic-gate **	existing .forward files that reference things like
407c478bd9Sstevel@tonic-gate **	"/usr/bin/vacation" will continue to work.
417c478bd9Sstevel@tonic-gate **
427c478bd9Sstevel@tonic-gate **	The following characters are completely illegal:
437c478bd9Sstevel@tonic-gate **		<  >  ^  &  `  (  ) \n \r
447c478bd9Sstevel@tonic-gate **	The following characters are sometimes illegal:
457c478bd9Sstevel@tonic-gate **		|  &
467c478bd9Sstevel@tonic-gate **	This is more restrictive than strictly necessary.
477c478bd9Sstevel@tonic-gate **
487c478bd9Sstevel@tonic-gate **	To use this, add FEATURE(`smrsh') to your .mc file.
497c478bd9Sstevel@tonic-gate **
507c478bd9Sstevel@tonic-gate **	This can be used on any version of sendmail.
517c478bd9Sstevel@tonic-gate **
527c478bd9Sstevel@tonic-gate **	In loving memory of RTM.  11/02/93.
537c478bd9Sstevel@tonic-gate */
547c478bd9Sstevel@tonic-gate 
557c478bd9Sstevel@tonic-gate #include <unistd.h>
567c478bd9Sstevel@tonic-gate #include <sm/io.h>
577c478bd9Sstevel@tonic-gate #include <sm/limits.h>
587c478bd9Sstevel@tonic-gate #include <sm/string.h>
597c478bd9Sstevel@tonic-gate #include <sys/file.h>
607c478bd9Sstevel@tonic-gate #include <sys/types.h>
617c478bd9Sstevel@tonic-gate #include <sys/stat.h>
627c478bd9Sstevel@tonic-gate #include <string.h>
637c478bd9Sstevel@tonic-gate #include <ctype.h>
647c478bd9Sstevel@tonic-gate #include <errno.h>
657c478bd9Sstevel@tonic-gate #ifdef EX_OK
667c478bd9Sstevel@tonic-gate # undef EX_OK
677c478bd9Sstevel@tonic-gate #endif /* EX_OK */
687c478bd9Sstevel@tonic-gate #include <sysexits.h>
697c478bd9Sstevel@tonic-gate #include <syslog.h>
707c478bd9Sstevel@tonic-gate #include <stdlib.h>
717c478bd9Sstevel@tonic-gate 
727c478bd9Sstevel@tonic-gate #include <sm/conf.h>
737c478bd9Sstevel@tonic-gate #include <sm/errstring.h>
747c478bd9Sstevel@tonic-gate 
757c478bd9Sstevel@tonic-gate /* directory in which all commands must reside */
767c478bd9Sstevel@tonic-gate #ifndef CMDDIR
777c478bd9Sstevel@tonic-gate # ifdef SMRSH_CMDDIR
787c478bd9Sstevel@tonic-gate #  define CMDDIR	SMRSH_CMDDIR
797c478bd9Sstevel@tonic-gate # else /* SMRSH_CMDDIR */
807c478bd9Sstevel@tonic-gate #  define CMDDIR	"/usr/adm/sm.bin"
817c478bd9Sstevel@tonic-gate # endif /* SMRSH_CMDDIR */
827c478bd9Sstevel@tonic-gate #endif /* ! CMDDIR */
837c478bd9Sstevel@tonic-gate 
847c478bd9Sstevel@tonic-gate /* characters disallowed in the shell "-c" argument */
857c478bd9Sstevel@tonic-gate #define SPECIALS	"<|>^();&`$\r\n"
867c478bd9Sstevel@tonic-gate 
877c478bd9Sstevel@tonic-gate /* default search path */
887c478bd9Sstevel@tonic-gate #ifndef PATH
897c478bd9Sstevel@tonic-gate # ifdef SMRSH_PATH
907c478bd9Sstevel@tonic-gate #  define PATH		SMRSH_PATH
917c478bd9Sstevel@tonic-gate # else /* SMRSH_PATH */
927c478bd9Sstevel@tonic-gate #  define PATH		"/bin:/usr/bin:/usr/ucb"
937c478bd9Sstevel@tonic-gate # endif /* SMRSH_PATH */
947c478bd9Sstevel@tonic-gate #endif /* ! PATH */
957c478bd9Sstevel@tonic-gate 
/* command line rebuilt by addcmd(); main() passes it to /bin/sh -c */
char newcmdbuf[1000];

/* argv[0], used as the prefix of every diagnostic (set in main) */
char *prg;

/* argv[2], the command string being checked (set in main) */
char *par;

static void	addcmd __P((char *, bool, size_t));
1007c478bd9Sstevel@tonic-gate 
/*
**  ADDCMD -- append a string to newcmdbuf, exiting if it would not fit
**
**    Parameters:
**	s -- string to append; NULL or "" is silently ignored
**	cmd -- true if s is a command name: CMDDIR and "/" are
**		appended ahead of it
**	len -- maximum number of bytes of s to append
**
**    Returns:
**	none.
**
**    Side Effects:
**	Extends newcmdbuf.  If the free space is not strictly
**	greater than the space required, reports "command too long"
**	on smioerr (and to syslog unless DEBUG) and exits with
**	EX_UNAVAILABLE, so a truncated command is never built.
*/

static void
addcmd(s, cmd, len)
	char *s;
	bool cmd;
	size_t len;
{
	size_t used;
	size_t need;

	/* nothing to append */
	if (s == NULL || *s == '\0')
		return;

	/*
	**  Space required: len bytes of s plus the terminating '\0',
	**  and for a command name also CMDDIR and the "/" after it.
	**  The "<=" below keeps one further byte spare.
	*/

	used = strlen(newcmdbuf);
	need = len + 1;
	if (cmd)
		need += strlen(CMDDIR) + 1;

	if (sizeof newcmdbuf - used <= need)
	{
		(void)sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				    "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		/* only the first 40 bytes of the command are logged */
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* the size check above is what bounds both appends */
	if (cmd)
		(void) sm_strlcat2(newcmdbuf, CMDDIR, "/", sizeof newcmdbuf);
	(void) strncat(newcmdbuf, s, len);
}
1387c478bd9Sstevel@tonic-gate 
/*
**  MAIN -- validate a "-c command" string and hand it to /bin/sh
**
**	Each command word in argv[2] is reduced to its final pathname
**	component and must name an executable regular file in CMDDIR.
**	The words "exit" and "echo", and "exec" when something follows
**	it, are accepted without a CMDDIR lookup.  The text after a
**	command word may not contain any character from SPECIALS, in
**	7-bit or high-bit-set form, except that "&&" and "||" (and ";"
**	when ALLOWSEMI is set) start another command word, which is
**	checked the same way.
**
**    Parameters:
**	argc -- must be 3
**	argv -- argv[1] must be "-c"; argv[2] is the command string,
**		which is modified in place while it is parsed
**
**    Returns:
**	Does not return on success: the process is replaced by
**	/bin/sh.  Otherwise exits with EX_USAGE, EX_UNAVAILABLE or
**	EX_OSFILE.
**
**    Notes:
**	Only the characters in SPECIALS are filtered.  All other
**	argument text reaches /bin/sh unchanged, so every program
**	linked into CMDDIR has to be safe to run with arbitrary
**	arguments.  The file checks are made on CMDDIR/name and the
**	shell resolves that path again when it runs the command, so
**	they are only meaningful while CMDDIR cannot be modified by
**	unprivileged users.
*/

int
main(argc, argv)
	int argc;
	char **argv;
{
	char *sep;		/* whitespace ending the current word, or NULL */
	char *word;		/* start of the current command word */
	char *special;		/* first filtered character after the word */
	char *base;		/* final pathname component of the word */
	char *sp;
	int isexec;
	int save_errno;
	char *newenv[2];
	char pathbuf[1000];
	char specialbuf[32];
	struct stat st;

#ifndef DEBUG
# ifndef LOG_MAIL
	openlog("smrsh", 0);
# else /* ! LOG_MAIL */
	openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL);
# endif /* ! LOG_MAIL */
#endif /* ! DEBUG */

	/* the shell is started with an environment holding only PATH */
	(void) sm_strlcpyn(pathbuf, sizeof pathbuf, 2, "PATH=", PATH);
	newenv[0] = pathbuf;
	newenv[1] = NULL;

	/*
	**  Accept exactly "prog -c command".
	*/

	prg = argv[0];

	if (argc != 3 || strcmp(argv[1], "-c") != 0)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	par = argv[2];

	/*
	**  Build the set of rejected characters: every byte of SPECIALS
	**  with the 0200 bit set, followed by SPECIALS itself, so that a
	**  shell which strips the high bit cannot be handed a disguised
	**  metacharacter.  Both copies must fit in specialbuf.
	*/

	if (strlen(SPECIALS) * 2 >= sizeof specialbuf)
	{
#ifndef DEBUG
		syslog(LOG_ERR, "too many specials: %.40s", SPECIALS);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	(void) sm_strlcpy(specialbuf, SPECIALS, sizeof specialbuf);
	sp = specialbuf;
	while (*sp != '\0')
	{
		*sp |= '\200';
		sp++;
	}
	(void) sm_strlcat(specialbuf, SPECIALS, sizeof specialbuf);

	/*
	**  Reject an over-long command line early; addcmd() repeats
	**  the check on every append.
	*/

	if (strlen(par) > (sizeof newcmdbuf - sizeof CMDDIR - 2))
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	word = par;
	newcmdbuf[0] = '\0';
	isexec = false;

	/* one pass per command word */
	while (*word != '\0')
	{
		/* skip blanks in front of the command word */
		while (*word != '\0' && isascii(*word) && isspace(*word))
			word++;
		if (*word == '\0')
		{
			/* "exec" with nothing after it is refused */
			if (isexec)
			{
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: missing command to exec\n",
						     prg);
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: missing command to exec", (int) getuid());
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			break;
		}

		/*
		**  Terminate the word in place at its first blank or tab;
		**  base starts at the end of the word.
		*/

		sep = strpbrk(word, " \t");
		if (sep != NULL)
		{
			*sep = '\0';
			base = sep;
		}
		else
			base = &word[strlen(word)];

		/*
		**  Walk back to just past the last '/' (compared with the
		**  0200 bit masked off), so /usr/ucb/vacation becomes
		**  vacation.  Without a '/', base ends up equal to word.
		*/

		while (base > word)
		{
			--base;
			if ((*base & 0177) == '/')
			{
				base++;
				break;
			}
		}

		if (strcmp(word, "exec") == 0 && sep != NULL)
		{
			/* builtin: emit it and validate the word that follows */
			addcmd("exec ", false, strlen("exec "));

			/*
			**  The separator after "exec" stays '\0' here, so
			**  later messages that print par end at that point.
			*/

			word = ++sep;
			isexec = true;
			continue;
		}
		else if (strcmp(word, "exit") == 0 || strcmp(word, "echo") == 0)
		{
			/* builtin: copied without a CMDDIR prefix */
			addcmd(base, false, strlen(base));

			/* the text after it is still filtered below */
		}
		else
		{
			char cmdbuf[MAXPATHLEN];

			/*
			**  Anything else must be CMDDIR/base: it has to fit
			**  in cmdbuf, exist, be a regular file and be
			**  executable.  In each failure path the separator
			**  is restored before syslog() is called, so the
			**  log entry shows the name together with the rest
			**  of the command line, while the message on
			**  smioerr shows the name alone.
			*/

			if (sm_strlcpyn(cmdbuf, sizeof cmdbuf, 3, CMDDIR,
					"/", base) >= sizeof cmdbuf)
			{
				/* path would be truncated */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (filename too long)\n",
						      prg, base);
				if (sep != NULL)
					*sep = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (filename too long)",
				       (int) getuid(), base);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

#ifdef DEBUG
			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
					     "Trying %s\n", cmdbuf);
#endif /* DEBUG */
			if (stat(cmdbuf, &st) < 0)
			{
				/* no such entry in CMDDIR, or it cannot be examined */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (stat failed)\n",
						      prg, base);
				if (sep != NULL)
					*sep = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (stat failed)",
				       (int) getuid(), base);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  stat() resolves symbolic links, so the S_ISLNK
			**  arm is not normally expected to match.
			*/

			if (!S_ISREG(st.st_mode)
#ifdef S_ISLNK
			    && !S_ISLNK(st.st_mode)
#endif /* S_ISLNK */
			   )
			{
				/* directory, device or other non-file */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (not a file)\n",
						      prg, base);
				if (sep != NULL)
					*sep = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (not a file)",
				       (int) getuid(), base);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			if (access(cmdbuf, X_OK) < 0)
			{
				/* present but not executable by the caller */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs\n",
						      prg, base);
				if (sep != NULL)
					*sep = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\"",
				       (int) getuid(), base);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  Emit the command as CMDDIR/base.
			*/

			addcmd(base, true, strlen(base));
		}
		isexec = false;

		/* a word that ran to the end of the string has no arguments */
		if (sep == NULL)
			break;

		/* put a blank back, even where the separator was a tab */
		*sep = ' ';

		/*
		**  Filter the text after the command word.
		*/

		special = strpbrk(sep, specialbuf);
		if (special == NULL)
		{
			/* nothing filtered: copy the remainder and finish */
			addcmd(sep, false, strlen(sep));
			break;
		}
#if ALLOWSEMI
		if (*special == ';')
		{
			/* copy up to and including ';', then check the next word */
			addcmd(sep, false, special - sep + 1);
			word = special + 1;
			continue;
		}
#endif /* ALLOWSEMI */
		if ((*special == '&' && special[1] == '&') ||
		    (*special == '|' && special[1] == '|'))
		{
			/* copy up to and including the operator, then check the next word */
			addcmd(sep, false, special - sep + 2);
			word = special + 2;
			continue;
		}

		/* any other filtered character ends the run */
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: cannot use %c in command\n", prg, *special);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s",
		       (int) getuid(), *special, par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* the string ended right after "exec" */
	if (isexec)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: missing command to exec\n", prg);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: missing command to exec",
		       (int) getuid());
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* an empty or all-blank command string produced nothing to run */
	if (newcmdbuf[0] == '\0')
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	/*
	**  Run the rebuilt command under /bin/sh with the PATH-only
	**  environment.  execle() returns only on failure.
	*/

#ifdef DEBUG
	(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT, "%s\n", newcmdbuf);
#endif /* DEBUG */
	(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf,
		      (char *)NULL, newenv);

	/* keep errno across syslog() so sm_perror() reports the exec failure */
	save_errno = errno;
#ifndef DEBUG
	syslog(LOG_CRIT, "Cannot exec /bin/sh: %s", sm_errstring(errno));
#endif /* ! DEBUG */
	errno = save_errno;
	sm_perror("/bin/sh");
	exit(EX_OSFILE);
	/* NOTREACHED */
	return EX_OSFILE;
}