17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.
37c478bd9Sstevel@tonic-gate * All rights reserved.
47c478bd9Sstevel@tonic-gate * Copyright (c) 1993 Eric P. Allman. All rights reserved.
57c478bd9Sstevel@tonic-gate * Copyright (c) 1993
67c478bd9Sstevel@tonic-gate * The Regents of the University of California. All rights reserved.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * By using this file, you agree to the terms and conditions set
97c478bd9Sstevel@tonic-gate * forth in the LICENSE file which can be found at the top level of
107c478bd9Sstevel@tonic-gate * the sendmail distribution.
117c478bd9Sstevel@tonic-gate *
127c478bd9Sstevel@tonic-gate */
137c478bd9Sstevel@tonic-gate
147c478bd9Sstevel@tonic-gate #include <sm/gen.h>
157c478bd9Sstevel@tonic-gate
167c478bd9Sstevel@tonic-gate SM_IDSTR(copyright,
177c478bd9Sstevel@tonic-gate "@(#) Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.\n\
187c478bd9Sstevel@tonic-gate All rights reserved.\n\
197c478bd9Sstevel@tonic-gate Copyright (c) 1993 Eric P. Allman. All rights reserved.\n\
207c478bd9Sstevel@tonic-gate Copyright (c) 1993\n\
217c478bd9Sstevel@tonic-gate The Regents of the University of California. All rights reserved.\n")
227c478bd9Sstevel@tonic-gate
237c478bd9Sstevel@tonic-gate SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 2004/08/06 18:54:22 ca Exp $")
247c478bd9Sstevel@tonic-gate
257c478bd9Sstevel@tonic-gate /*
267c478bd9Sstevel@tonic-gate ** SMRSH -- sendmail restricted shell
277c478bd9Sstevel@tonic-gate **
287c478bd9Sstevel@tonic-gate ** This is a patch to get around the prog mailer bugs in most
297c478bd9Sstevel@tonic-gate ** versions of sendmail.
307c478bd9Sstevel@tonic-gate **
317c478bd9Sstevel@tonic-gate ** Use this in place of /bin/sh in the "prog" mailer definition
327c478bd9Sstevel@tonic-gate ** in your sendmail.cf file. You then create CMDDIR (owned by
337c478bd9Sstevel@tonic-gate ** root, mode 755) and put links to any programs you want
347c478bd9Sstevel@tonic-gate ** available to prog mailers in that directory. This should
357c478bd9Sstevel@tonic-gate ** include things like "vacation" and "procmail", but not "sed"
367c478bd9Sstevel@tonic-gate ** or "sh".
377c478bd9Sstevel@tonic-gate **
387c478bd9Sstevel@tonic-gate ** Leading pathnames are stripped from program names so that
397c478bd9Sstevel@tonic-gate ** existing .forward files that reference things like
407c478bd9Sstevel@tonic-gate ** "/usr/bin/vacation" will continue to work.
417c478bd9Sstevel@tonic-gate **
**  The following characters are completely illegal:
**	<  >  ^  &  `  (  )  \n  \r
**  The following characters are sometimes illegal:
**	|  &
**  (The list actually enforced is the SPECIALS macro below, which
**  also contains $ and ;.  Only the doubled forms && and || are
**  accepted, plus ; when ALLOWSEMI is set.)
**  This is more restrictive than strictly necessary.
477c478bd9Sstevel@tonic-gate **
487c478bd9Sstevel@tonic-gate ** To use this, add FEATURE(`smrsh') to your .mc file.
497c478bd9Sstevel@tonic-gate **
507c478bd9Sstevel@tonic-gate ** This can be used on any version of sendmail.
517c478bd9Sstevel@tonic-gate **
527c478bd9Sstevel@tonic-gate ** In loving memory of RTM. 11/02/93.
537c478bd9Sstevel@tonic-gate */
547c478bd9Sstevel@tonic-gate
557c478bd9Sstevel@tonic-gate #include <unistd.h>
567c478bd9Sstevel@tonic-gate #include <sm/io.h>
577c478bd9Sstevel@tonic-gate #include <sm/limits.h>
587c478bd9Sstevel@tonic-gate #include <sm/string.h>
597c478bd9Sstevel@tonic-gate #include <sys/file.h>
607c478bd9Sstevel@tonic-gate #include <sys/types.h>
617c478bd9Sstevel@tonic-gate #include <sys/stat.h>
627c478bd9Sstevel@tonic-gate #include <string.h>
637c478bd9Sstevel@tonic-gate #include <ctype.h>
647c478bd9Sstevel@tonic-gate #include <errno.h>
657c478bd9Sstevel@tonic-gate #ifdef EX_OK
667c478bd9Sstevel@tonic-gate # undef EX_OK
677c478bd9Sstevel@tonic-gate #endif /* EX_OK */
687c478bd9Sstevel@tonic-gate #include <sysexits.h>
697c478bd9Sstevel@tonic-gate #include <syslog.h>
707c478bd9Sstevel@tonic-gate #include <stdlib.h>
717c478bd9Sstevel@tonic-gate
727c478bd9Sstevel@tonic-gate #include <sm/conf.h>
737c478bd9Sstevel@tonic-gate #include <sm/errstring.h>
747c478bd9Sstevel@tonic-gate
/*
**  Directory that must contain every program smrsh is willing to run.
**  A build may override it with CMDDIR or SMRSH_CMDDIR.
*/
#if !defined(CMDDIR)
# if defined(SMRSH_CMDDIR)
#  define CMDDIR	SMRSH_CMDDIR
# else
#  define CMDDIR	"/usr/adm/sm.bin"
# endif /* defined(SMRSH_CMDDIR) */
#endif /* !defined(CMDDIR) */

/*
**  Characters rejected in the shell "-c" argument.  main() also rejects
**  the same characters with the high (0200) bit set.
*/
#define SPECIALS	"<|>^();&`$\r\n"

/*
**  Search path exported to the shell.  A build may override it with
**  PATH or SMRSH_PATH.
*/
#if !defined(PATH)
# if defined(SMRSH_PATH)
#  define PATH		SMRSH_PATH
# else
#  define PATH		"/bin:/usr/bin:/usr/ucb"
# endif /* defined(SMRSH_PATH) */
#endif /* !defined(PATH) */
957c478bd9Sstevel@tonic-gate
/* rewritten command line; this is what is finally passed to /bin/sh -c */
char	newcmdbuf[1000];

/* argv[0] and argv[2] as set by main(); used in diagnostics */
char	*prg;
char	*par;

static void	addcmd __P((char *, bool, size_t));
1007c478bd9Sstevel@tonic-gate
/*
**  ADDCMD -- append a string to newcmdbuf, refusing to overflow it
**
**	Parameters:
**		s -- string to append; NULL or "" is a no-op
**		cmd -- true if s is a command name, in which case
**			CMDDIR and "/" are appended before it
**		len -- number of characters of s to append
**
**	Returns:
**		none.
**
**	Side Effects:
**		Extends newcmdbuf.  If the addition would not fit, the
**		problem is reported on smioerr (and via syslog unless
**		DEBUG is defined) and the process exits with
**		EX_UNAVAILABLE.
*/

static void
addcmd(s, cmd, len)
	char *s;
	bool cmd;
	size_t len;
{
	size_t avail;
	size_t need;

	/* nothing to append */
	if (s == NULL || *s == '\0')
		return;

	/* room left in the buffer, counting the slot of the current NUL */
	avail = sizeof newcmdbuf - strlen(newcmdbuf);

	/* len characters of s and a NUL, plus CMDDIR and "/" for a command */
	need = len + 1;
	if (cmd)
		need += strlen(CMDDIR) + 1;

	if (avail <= need)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	if (cmd)
		(void) sm_strlcat2(newcmdbuf, CMDDIR, "/", sizeof newcmdbuf);

	/* strncat copies at most len characters and then adds the NUL */
	(void) strncat(newcmdbuf, s, len);
}
1387c478bd9Sstevel@tonic-gate
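/*
**  MAIN -- check a "-c command" argument and pass it on to /bin/sh
**
**	The command string is split into commands at "&&" and "||" (and
**	at ";" when ALLOWSEMI is set).  For each command the leading
**	path is stripped from the command name and the name must be
**	"exec" (followed by another command), "exit", "echo", or a file
**	in CMDDIR that passes the stat/access checks below.  Any other
**	character from SPECIALS, with or without the 0200 bit, causes
**	the whole request to be refused.
**
**	Parameters:
**		argc -- must be 3.
**		argv -- argv[1] must be "-c", argv[2] is the command.
**
**	Returns:
**		Does not return: every path ends in exit() or execle().
**		Exit codes used are EX_USAGE, EX_UNAVAILABLE and
**		EX_OSFILE.
**
**	Side Effects:
**		Fills newcmdbuf, sets prg and par, writes diagnostics to
**		smioerr and (unless DEBUG is defined) to syslog, and
**		replaces the process with /bin/sh whose environment
**		holds nothing but PATH.
*/

int
main(argc, argv)
	int argc;
	char **argv;
{
	register char *p;
	register char *q;
	register char *r;
	register char *cmd;
	int isexec;
	int save_errno;
	char *newenv[2];
	char pathbuf[1000];
	char specialbuf[32];
	struct stat st;

#ifndef DEBUG
# ifndef LOG_MAIL
	openlog("smrsh", 0);
# else /* ! LOG_MAIL */
	openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL);
# endif /* ! LOG_MAIL */
#endif /* ! DEBUG */

	/* the caller's environment is dropped; the shell only gets PATH */
	(void) sm_strlcpyn(pathbuf, sizeof pathbuf, 2, "PATH=", PATH);
	newenv[0] = pathbuf;
	newenv[1] = NULL;

	/*
	**  Do basic argv usage checking
	*/

	prg = argv[0];

	if (argc != 3 || strcmp(argv[1], "-c") != 0)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	par = argv[2];

	/*
	**  Disallow special shell syntax.  This is overly restrictive,
	**  but it should shut down all attacks.
	**  Be sure to include 8-bit versions, since many shells strip
	**  the address to 7 bits before checking.
	*/

	if (strlen(SPECIALS) * 2 >= sizeof specialbuf)
	{
#ifndef DEBUG
		syslog(LOG_ERR, "too many specials: %.40s", SPECIALS);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* specialbuf = SPECIALS with the 0200 bit set, then SPECIALS as is */
	(void) sm_strlcpy(specialbuf, SPECIALS, sizeof specialbuf);
	for (p = specialbuf; *p != '\0'; p++)
		*p |= '\200';
	(void) sm_strlcat(specialbuf, SPECIALS, sizeof specialbuf);

	/*
	**  Do a quick sanity check on command line length.
	*/

	if (strlen(par) > (sizeof newcmdbuf - sizeof CMDDIR - 2))
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	q = par;
	newcmdbuf[0] = '\0';
	isexec = false;

	/* one pass per command; q points at the text still to be checked */
	while (*q != '\0')
	{
		/*
		**  Strip off a leading pathname on the command name.  For
		**  example, change /usr/ucb/vacation to vacation.
		*/

		/* strip leading spaces */
		while (*q != '\0' && isascii(*q) && isspace(*q))
			q++;
		if (*q == '\0')
		{
			/* "exec" must be followed by a command to run */
			if (isexec)
			{
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: missing command to exec\n",
						     prg);
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: missing command to exec", (int) getuid());
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			break;
		}

		/* find the end of the command name */
		p = strpbrk(q, " \t");
		if (p == NULL)
			cmd = &q[strlen(q)];
		else
		{
			/* cut the name off in place; the blank is put back below */
			*p = '\0';
			cmd = p;
		}
		/* search backwards for last / (allow for 0200 bit) */
		while (cmd > q)
		{
			if ((*--cmd & 0177) == '/')
			{
				cmd++;
				break;
			}
		}
		/* cmd now points at final component of path name */

		/* allow a few shell builtins */
		if (strcmp(q, "exec") == 0 && p != NULL)
		{
			addcmd("exec ", false, strlen("exec "));

			/*
			**  Put the blank back before moving on.  par points
			**  into this same string, and the diagnostics issued
			**  later print par; without this they would show
			**  only "exec" instead of the command as submitted.
			*/

			*p = ' ';

			/* test _next_ arg */
			q = ++p;
			isexec = true;
			continue;
		}
		else if (strcmp(q, "exit") == 0 || strcmp(q, "echo") == 0)
		{
			addcmd(cmd, false, strlen(cmd));

			/* test following chars */
		}
		else
		{
			char cmdbuf[MAXPATHLEN];

			/*
			**  Check to see if the command name is legal.
			**
			**  These checks look at CMDDIR/cmd now, and /bin/sh
			**  resolves the same path again later.  They only
			**  hold as long as nobody but root can change
			**  CMDDIR, which is why the file header asks for a
			**  root-owned, mode 755 directory.
			*/

			if (sm_strlcpyn(cmdbuf, sizeof cmdbuf, 3, CMDDIR,
					"/", cmd) >= sizeof cmdbuf)
			{
				/* too long */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (filename too long)\n",
						     prg, cmd);

				/* with the blank back, syslog shows the arguments too */
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (filename too long)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

#ifdef DEBUG
			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
					     "Trying %s\n", cmdbuf);
#endif /* DEBUG */
			if (stat(cmdbuf, &st) < 0)
			{
				/* can't stat it */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (stat failed)\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (stat failed)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  NOTE(review): stat() follows symbolic links, so
			**  st_mode describes the link target and the
			**  S_ISLNK test is not expected to match here.
			*/

			if (!S_ISREG(st.st_mode)
#ifdef S_ISLNK
			    && !S_ISLNK(st.st_mode)
#endif /* S_ISLNK */
			   )
			{
				/* not a regular file (e.g. a directory) */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (not a file)\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (not a file)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			if (access(cmdbuf, X_OK) < 0)
			{
				/* oops....  crack attack possiblity */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\"",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  Create the actual shell input.
			*/

			addcmd(cmd, true, strlen(cmd));
		}
		isexec = false;

		/* no blank after the name means there are no arguments */
		if (p != NULL)
			*p = ' ';
		else
			break;

		/* look for shell syntax in the arguments */
		r = strpbrk(p, specialbuf);
		if (r == NULL)
		{
			addcmd(p, false, strlen(p));
			break;
		}
#if ALLOWSEMI
		if (*r == ';')
		{
			addcmd(p, false, r - p + 1);
			q = r + 1;
			continue;
		}
#endif /* ALLOWSEMI */
		/* "&&" and "||" are kept; what follows is checked as a command */
		if ((*r == '&' && *(r + 1) == '&') ||
		    (*r == '|' && *(r + 1) == '|'))
		{
			addcmd(p, false, r - p + 2);
			q = r + 2;
			continue;
		}

		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: cannot use %c in command\n", prg, *r);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s",
		       (int) getuid(), *r, par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	if (isexec)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: missing command to exec\n", prg);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: missing command to exec",
		       (int) getuid());
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	/* make sure we created something */
	if (newcmdbuf[0] == '\0')
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	/*
	**  Now invoke the shell
	*/

#ifdef DEBUG
	(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT, "%s\n", newcmdbuf);
#endif /* DEBUG */
	(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf,
		      (char *)NULL, newenv);

	/* only reached when execle() failed; keep errno across syslog() */
	save_errno = errno;
#ifndef DEBUG
	syslog(LOG_CRIT, "Cannot exec /bin/sh: %s", sm_errstring(errno));
#endif /* ! DEBUG */
	errno = save_errno;
	sm_perror("/bin/sh");
	exit(EX_OSFILE);
	/* NOTREACHED */
	return EX_OSFILE;
}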