1 /* 2 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14 #pragma ident "%Z%%M% %I% %E% SMI" 15 16 #include <sendmail.h> 17 18 SM_RCSID("@(#)$Id: recipient.c,v 8.349 2007/07/10 17:01:22 ca Exp $") 19 20 static void includetimeout __P((int)); 21 static ADDRESS *self_reference __P((ADDRESS *)); 22 static int sortexpensive __P((ADDRESS *, ADDRESS *)); 23 static int sortbysignature __P((ADDRESS *, ADDRESS *)); 24 static int sorthost __P((ADDRESS *, ADDRESS *)); 25 26 typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 27 28 /* 29 ** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 30 ** 31 ** Parameters: 32 ** xx -- first ADDRESS 33 ** yy -- second ADDRESS 34 ** 35 ** Returns: 36 ** <0 when xx->q_host is less than yy->q_host 37 ** >0 when xx->q_host is greater than yy->q_host 38 ** 0 when equal 39 */ 40 41 static int 42 sorthost(xx, yy) 43 register ADDRESS *xx; 44 register ADDRESS *yy; 45 { 46 #if _FFR_HOST_SORT_REVERSE 47 /* XXX maybe compare hostnames from the end? */ 48 return sm_strrevcasecmp(xx->q_host, yy->q_host); 49 #else /* _FFR_HOST_SORT_REVERSE */ 50 return sm_strcasecmp(xx->q_host, yy->q_host); 51 #endif /* _FFR_HOST_SORT_REVERSE */ 52 } 53 54 /* 55 ** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 56 ** 57 ** The mailer has been noted already as "expensive" for 'xx'. This 58 ** will give a result relative to 'yy'. Expensive mailers get rated 59 ** "greater than" non-expensive mailers because during the delivery phase 60 ** it will get queued -- no use it getting in the way of less expensive 61 ** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 62 ** expensive since an MX RR lookup happens when extracted from the queue 63 ** later. 64 ** 65 ** Parameters: 66 ** xx -- first ADDRESS 67 ** yy -- second ADDRESS 68 ** 69 ** Returns: 70 ** <0 when xx->q_host is less than yy->q_host and both are 71 ** expensive 72 ** >0 when xx->q_host is greater than yy->q_host, or when 73 ** 'yy' is non-expensive 74 ** 0 when equal (by expense and q_host) 75 */ 76 77 static int 78 sortexpensive(xx, yy) 79 ADDRESS *xx; 80 ADDRESS *yy; 81 { 82 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 83 return 1; /* xx should go later */ 84 #if _FFR_HOST_SORT_REVERSE 85 /* XXX maybe compare hostnames from the end? */ 86 return sm_strrevcasecmp(xx->q_host, yy->q_host); 87 #else /* _FFR_HOST_SORT_REVERSE */ 88 return sm_strcasecmp(xx->q_host, yy->q_host); 89 #endif /* _FFR_HOST_SORT_REVERSE */ 90 } 91 92 /* 93 ** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 94 ** 95 ** Parameters: 96 ** xx -- first ADDRESS 97 ** yy -- second ADDRESS 98 ** 99 ** Returns: 100 ** 0 when the "signature"'s are same 101 ** <0 when xx->q_signature is less than yy->q_signature 102 ** >0 when xx->q_signature is greater than yy->q_signature 103 ** 104 ** Side Effect: 105 ** May set ADDRESS pointer for q_signature if not already set. 106 */ 107 108 static int 109 sortbysignature(xx, yy) 110 ADDRESS *xx; 111 ADDRESS *yy; 112 { 113 register int ret; 114 115 /* Let's avoid redoing the signature over and over again */ 116 if (xx->q_signature == NULL) 117 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host); 118 if (yy->q_signature == NULL) 119 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host); 120 ret = strcmp(xx->q_signature, yy->q_signature); 121 122 /* 123 ** If the two signatures are the same then we will return a sort 124 ** value based on 'q_user'. But note that we have reversed xx and yy 125 ** on purpose. This additional compare helps reduce the number of 126 ** sameaddr() calls and loops in recipient() for the case when 127 ** the rcpt list has been provided already in-order. 128 */ 129 130 if (ret == 0) 131 return strcmp(yy->q_user, xx->q_user); 132 else 133 return ret; 134 } 135 136 /* 137 ** SENDTOLIST -- Designate a send list. 138 ** 139 ** The parameter is a comma-separated list of people to send to. 140 ** This routine arranges to send to all of them. 141 ** 142 ** Parameters: 143 ** list -- the send list. 144 ** ctladdr -- the address template for the person to 145 ** send to -- effective uid/gid are important. 146 ** This is typically the alias that caused this 147 ** expansion. 148 ** sendq -- a pointer to the head of a queue to put 149 ** these people into. 150 ** aliaslevel -- the current alias nesting depth -- to 151 ** diagnose loops. 152 ** e -- the envelope in which to add these recipients. 153 ** 154 ** Returns: 155 ** The number of addresses actually on the list. 156 */ 157 158 /* q_flags bits inherited from ctladdr */ 159 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 160 161 int 162 sendtolist(list, ctladdr, sendq, aliaslevel, e) 163 char *list; 164 ADDRESS *ctladdr; 165 ADDRESS **sendq; 166 int aliaslevel; 167 register ENVELOPE *e; 168 { 169 register char *p; 170 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 171 SM_NONVOLATILE char delimiter; /* the address delimiter */ 172 SM_NONVOLATILE int naddrs; 173 SM_NONVOLATILE int i; 174 char *endp; 175 char *oldto = e->e_to; 176 char *SM_NONVOLATILE bufp; 177 char buf[MAXNAME + 1]; 178 179 if (list == NULL) 180 { 181 syserr("sendtolist: null list"); 182 return 0; 183 } 184 185 if (tTd(25, 1)) 186 { 187 sm_dprintf("sendto: %s\n ctladdr=", list); 188 printaddr(sm_debug_file(), ctladdr, false); 189 } 190 191 /* heuristic to determine old versus new style addresses */ 192 if (ctladdr == NULL && 193 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 194 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 195 e->e_flags &= ~EF_OLDSTYLE; 196 delimiter = ' '; 197 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 198 delimiter = ','; 199 200 al = NULL; 201 naddrs = 0; 202 203 /* make sure we have enough space to copy the string */ 204 i = strlen(list) + 1; 205 if (i <= sizeof(buf)) 206 { 207 bufp = buf; 208 i = sizeof(buf); 209 } 210 else 211 bufp = sm_malloc_x(i); 212 endp = bufp + i; 213 214 SM_TRY 215 { 216 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 217 218 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 219 for (p = bufp; *p != '\0'; ) 220 { 221 auto char *delimptr; 222 register ADDRESS *a; 223 224 SM_ASSERT(p < endp); 225 226 /* parse the address */ 227 while ((isascii(*p) && isspace(*p)) || *p == ',') 228 p++; 229 SM_ASSERT(p < endp); 230 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 231 &delimptr, e, true); 232 p = delimptr; 233 SM_ASSERT(p < endp); 234 if (a == NULL) 235 continue; 236 a->q_next = al; 237 a->q_alias = ctladdr; 238 239 /* arrange to inherit attributes from parent */ 240 if (ctladdr != NULL) 241 { 242 ADDRESS *b; 243 244 /* self reference test */ 245 if (sameaddr(ctladdr, a)) 246 { 247 if (tTd(27, 5)) 248 { 249 sm_dprintf("sendtolist: QSELFREF "); 250 printaddr(sm_debug_file(), ctladdr, false); 251 } 252 ctladdr->q_flags |= QSELFREF; 253 } 254 255 /* check for address loops */ 256 b = self_reference(a); 257 if (b != NULL) 258 { 259 b->q_flags |= QSELFREF; 260 if (tTd(27, 5)) 261 { 262 sm_dprintf("sendtolist: QSELFREF "); 263 printaddr(sm_debug_file(), b, false); 264 } 265 if (a != b) 266 { 267 if (tTd(27, 5)) 268 { 269 sm_dprintf("sendtolist: QS_DONTSEND "); 270 printaddr(sm_debug_file(), a, false); 271 } 272 a->q_state = QS_DONTSEND; 273 b->q_flags |= a->q_flags & QNOTREMOTE; 274 continue; 275 } 276 } 277 278 /* full name */ 279 if (a->q_fullname == NULL) 280 a->q_fullname = ctladdr->q_fullname; 281 282 /* various flag bits */ 283 a->q_flags &= ~QINHERITEDBITS; 284 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 285 286 /* DSN recipient information */ 287 a->q_finalrcpt = ctladdr->q_finalrcpt; 288 a->q_orcpt = ctladdr->q_orcpt; 289 } 290 291 al = a; 292 } 293 294 /* arrange to send to everyone on the local send list */ 295 while (al != NULL) 296 { 297 register ADDRESS *a = al; 298 299 al = a->q_next; 300 a = recipient(a, sendq, aliaslevel, e); 301 naddrs++; 302 } 303 } 304 SM_FINALLY 305 { 306 e->e_to = oldto; 307 if (bufp != buf) 308 sm_free(bufp); 309 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 310 } 311 SM_END_TRY 312 return naddrs; 313 } 314 315 #if MILTER 316 /* 317 ** REMOVEFROMLIST -- Remove addresses from a send list. 318 ** 319 ** The parameter is a comma-separated list of recipients to remove. 320 ** Note that it only deletes matching addresses. If those addresses 321 ** have been expanded already in the sendq, it won't mark the 322 ** expanded recipients as QS_REMOVED. 323 ** 324 ** Parameters: 325 ** list -- the list to remove. 326 ** sendq -- a pointer to the head of a queue to remove 327 ** these addresses from. 328 ** e -- the envelope in which to remove these recipients. 329 ** 330 ** Returns: 331 ** The number of addresses removed from the list. 332 ** 333 */ 334 335 int 336 removefromlist(list, sendq, e) 337 char *list; 338 ADDRESS **sendq; 339 ENVELOPE *e; 340 { 341 SM_NONVOLATILE char delimiter; /* the address delimiter */ 342 SM_NONVOLATILE int naddrs; 343 SM_NONVOLATILE int i; 344 char *p; 345 char *oldto = e->e_to; 346 char *SM_NONVOLATILE bufp; 347 char buf[MAXNAME + 1]; 348 349 if (list == NULL) 350 { 351 syserr("removefromlist: null list"); 352 return 0; 353 } 354 355 if (tTd(25, 1)) 356 sm_dprintf("removefromlist: %s\n", list); 357 358 /* heuristic to determine old versus new style addresses */ 359 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 360 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 361 e->e_flags &= ~EF_OLDSTYLE; 362 delimiter = ' '; 363 if (!bitset(EF_OLDSTYLE, e->e_flags)) 364 delimiter = ','; 365 366 naddrs = 0; 367 368 /* make sure we have enough space to copy the string */ 369 i = strlen(list) + 1; 370 if (i <= sizeof(buf)) 371 { 372 bufp = buf; 373 i = sizeof(buf); 374 } 375 else 376 bufp = sm_malloc_x(i); 377 378 SM_TRY 379 { 380 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 381 382 #if _FFR_ADDR_TYPE_MODES 383 if (AddrTypeModes) 384 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), 385 "e r d"); 386 else 387 #endif /* _FFR_ADDR_TYPE_MODES */ 388 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 389 for (p = bufp; *p != '\0'; ) 390 { 391 ADDRESS a; /* parsed address to be removed */ 392 ADDRESS *q; 393 ADDRESS **pq; 394 char *delimptr; 395 396 /* parse the address */ 397 while ((isascii(*p) && isspace(*p)) || *p == ',') 398 p++; 399 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 400 delimiter, &delimptr, e, true) == NULL) 401 { 402 p = delimptr; 403 continue; 404 } 405 p = delimptr; 406 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 407 { 408 if (!QS_IS_DEAD(q->q_state) && 409 (sameaddr(q, &a) || 410 strcmp(q->q_paddr, a.q_paddr) == 0)) 411 { 412 if (tTd(25, 5)) 413 { 414 sm_dprintf("removefromlist: QS_REMOVED "); 415 printaddr(sm_debug_file(), &a, false); 416 } 417 q->q_state = QS_REMOVED; 418 naddrs++; 419 break; 420 } 421 } 422 } 423 } 424 SM_FINALLY 425 { 426 e->e_to = oldto; 427 if (bufp != buf) 428 sm_free(bufp); 429 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 430 } 431 SM_END_TRY 432 return naddrs; 433 } 434 #endif /* MILTER */ 435 436 /* 437 ** RECIPIENT -- Designate a message recipient 438 ** Saves the named person for future mailing (after some checks). 439 ** 440 ** Parameters: 441 ** new -- the (preparsed) address header for the recipient. 442 ** sendq -- a pointer to the head of a queue to put the 443 ** recipient in. Duplicate suppression is done 444 ** in this queue. 445 ** aliaslevel -- the current alias nesting depth. 446 ** e -- the current envelope. 447 ** 448 ** Returns: 449 ** The actual address in the queue. This will be "a" if 450 ** the address is not a duplicate, else the original address. 451 ** 452 */ 453 454 ADDRESS * 455 recipient(new, sendq, aliaslevel, e) 456 register ADDRESS *new; 457 register ADDRESS **sendq; 458 int aliaslevel; 459 register ENVELOPE *e; 460 { 461 register ADDRESS *q; 462 ADDRESS **pq; 463 ADDRESS **prev; 464 register struct mailer *m; 465 register char *p; 466 int i, buflen; 467 bool quoted; /* set if the addr has a quote bit */ 468 bool insert; 469 int findusercount; 470 bool initialdontsend; 471 char *buf; 472 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 473 sortfn_t *sortfn; 474 475 p = NULL; 476 quoted = false; 477 insert = false; 478 findusercount = 0; 479 initialdontsend = QS_IS_DEAD(new->q_state); 480 e->e_to = new->q_paddr; 481 m = new->q_mailer; 482 errno = 0; 483 if (aliaslevel == 0) 484 new->q_flags |= QPRIMARY; 485 if (tTd(26, 1)) 486 { 487 sm_dprintf("\nrecipient (%d): ", aliaslevel); 488 printaddr(sm_debug_file(), new, false); 489 } 490 491 /* if this is primary, use it as original recipient */ 492 if (new->q_alias == NULL) 493 { 494 if (e->e_origrcpt == NULL) 495 e->e_origrcpt = new->q_paddr; 496 else if (e->e_origrcpt != new->q_paddr) 497 e->e_origrcpt = ""; 498 } 499 500 /* find parent recipient for finalrcpt and orcpt */ 501 for (q = new; q->q_alias != NULL; q = q->q_alias) 502 continue; 503 504 /* find final recipient DSN address */ 505 if (new->q_finalrcpt == NULL && 506 e->e_from.q_mailer != NULL) 507 { 508 char frbuf[MAXLINE]; 509 510 p = e->e_from.q_mailer->m_addrtype; 511 if (p == NULL) 512 p = "rfc822"; 513 if (sm_strcasecmp(p, "rfc822") != 0) 514 { 515 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 516 q->q_mailer->m_addrtype, 517 q->q_user); 518 } 519 else if (strchr(q->q_user, '@') != NULL) 520 { 521 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 522 p, q->q_user); 523 } 524 else if (strchr(q->q_paddr, '@') != NULL) 525 { 526 char *qp; 527 bool b; 528 529 qp = q->q_paddr; 530 531 /* strip brackets from address */ 532 b = false; 533 if (*qp == '<') 534 { 535 b = qp[strlen(qp) - 1] == '>'; 536 if (b) 537 qp[strlen(qp) - 1] = '\0'; 538 qp++; 539 } 540 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 541 p, qp); 542 543 /* undo damage */ 544 if (b) 545 qp[strlen(qp)] = '>'; 546 } 547 else 548 { 549 (void) sm_snprintf(frbuf, sizeof(frbuf), 550 "%s; %.700s@%.100s", 551 p, q->q_user, MyHostName); 552 } 553 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 554 } 555 556 #if _FFR_GEN_ORCPT 557 /* set ORCPT DSN arg if not already set */ 558 if (new->q_orcpt == NULL) 559 { 560 /* check for an existing ORCPT */ 561 if (q->q_orcpt != NULL) 562 new->q_orcpt = q->q_orcpt; 563 else 564 { 565 /* make our own */ 566 bool b = false; 567 char *qp; 568 char obuf[MAXLINE]; 569 570 if (e->e_from.q_mailer != NULL) 571 p = e->e_from.q_mailer->m_addrtype; 572 if (p == NULL) 573 p = "rfc822"; 574 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 575 576 qp = q->q_paddr; 577 578 /* FFR: Needs to strip comments from stdin addrs */ 579 580 /* strip brackets from address */ 581 if (*qp == '<') 582 { 583 b = qp[strlen(qp) - 1] == '>'; 584 if (b) 585 qp[strlen(qp) - 1] = '\0'; 586 qp++; 587 } 588 589 p = xtextify(denlstring(qp, true, false), "="); 590 591 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 592 { 593 /* if too big, don't use it */ 594 obuf[0] = '\0'; 595 } 596 597 /* undo damage */ 598 if (b) 599 qp[strlen(qp)] = '>'; 600 601 if (obuf[0] != '\0') 602 new->q_orcpt = 603 sm_rpool_strdup_x(e->e_rpool, obuf); 604 } 605 } 606 #endif /* _FFR_GEN_ORCPT */ 607 608 /* break aliasing loops */ 609 if (aliaslevel > MaxAliasRecursion) 610 { 611 new->q_state = QS_BADADDR; 612 new->q_status = "5.4.6"; 613 if (new->q_alias != NULL) 614 { 615 new->q_alias->q_state = QS_BADADDR; 616 new->q_alias->q_status = "5.4.6"; 617 } 618 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 619 { 620 sm_syslog(LOG_ERR, e->e_id, 621 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 622 FileName != NULL ? FileName : "", aliaslevel, 623 MaxAliasRecursion); 624 } 625 usrerrenh(new->q_status, 626 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 627 aliaslevel, MaxAliasRecursion); 628 return new; 629 } 630 631 /* 632 ** Finish setting up address structure. 633 */ 634 635 /* get unquoted user for file, program or user.name check */ 636 i = strlen(new->q_user); 637 if (i >= sizeof(buf0)) 638 { 639 buflen = i + 1; 640 buf = xalloc(buflen); 641 } 642 else 643 { 644 buf = buf0; 645 buflen = sizeof(buf0); 646 } 647 (void) sm_strlcpy(buf, new->q_user, buflen); 648 for (p = buf; *p != '\0' && !quoted; p++) 649 { 650 if (*p == '\\') 651 quoted = true; 652 } 653 stripquotes(buf); 654 655 /* check for direct mailing to restricted mailers */ 656 if (m == ProgMailer) 657 { 658 if (new->q_alias == NULL || UseMSP || 659 bitset(EF_UNSAFE, e->e_flags)) 660 { 661 new->q_state = QS_BADADDR; 662 new->q_status = "5.7.1"; 663 usrerrenh(new->q_status, 664 "550 Cannot mail directly to programs"); 665 } 666 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 667 { 668 new->q_state = QS_BADADDR; 669 new->q_status = "5.7.1"; 670 if (new->q_alias->q_ruser == NULL) 671 usrerrenh(new->q_status, 672 "550 UID %d is an unknown user: cannot mail to programs", 673 new->q_alias->q_uid); 674 else 675 usrerrenh(new->q_status, 676 "550 User %s@%s doesn't have a valid shell for mailing to programs", 677 new->q_alias->q_ruser, MyHostName); 678 } 679 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 680 { 681 new->q_state = QS_BADADDR; 682 new->q_status = "5.7.1"; 683 new->q_rstatus = "550 Unsafe for mailing to programs"; 684 usrerrenh(new->q_status, 685 "550 Address %s is unsafe for mailing to programs", 686 new->q_alias->q_paddr); 687 } 688 } 689 690 /* 691 ** Look up this person in the recipient list. 692 ** If they are there already, return, otherwise continue. 693 ** If the list is empty, just add it. Notice the cute 694 ** hack to make from addresses suppress things correctly: 695 ** the QS_DUPLICATE state will be set in the send list. 696 ** [Please note: the emphasis is on "hack."] 697 */ 698 699 prev = NULL; 700 701 /* 702 ** If this message is going to the queue or FastSplit is set 703 ** and it is the first try and the envelope hasn't split, then we 704 ** avoid doing an MX RR lookup now because one will be done when the 705 ** message is extracted from the queue later. It can go to the queue 706 ** because all messages are going to the queue or this mailer of 707 ** the current recipient is marked expensive. 708 */ 709 710 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 711 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 712 FastSplit > 0)) 713 sortfn = sorthost; 714 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 715 sortfn = sortexpensive; 716 else 717 sortfn = sortbysignature; 718 719 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 720 { 721 /* 722 ** If address is "less than" it should be inserted now. 723 ** If address is "greater than" current comparison it'll 724 ** insert later in the list; so loop again (if possible). 725 ** If address is "equal" (different equal than sameaddr() 726 ** call) then check if sameaddr() will be true. 727 ** Because this list is now sorted, it'll mean fewer 728 ** comparisons and fewer loops which is important for more 729 ** recipients. 730 */ 731 732 i = (*sortfn)(new, q); 733 if (i == 0) /* equal */ 734 { 735 /* 736 ** Sortbysignature() has said that the two have 737 ** equal MX RR's and the same user. Calling sameaddr() 738 ** now checks if the two hosts are as identical as the 739 ** MX RR's are (which might not be the case) 740 ** before saying these are the identical addresses. 741 */ 742 743 if (sameaddr(q, new) && 744 (bitset(QRCPTOK, q->q_flags) || 745 !bitset(QPRIMARY, q->q_flags))) 746 { 747 if (tTd(26, 1)) 748 { 749 sm_dprintf("%s in sendq: ", 750 new->q_paddr); 751 printaddr(sm_debug_file(), q, false); 752 } 753 if (!bitset(QPRIMARY, q->q_flags)) 754 { 755 if (!QS_IS_DEAD(new->q_state)) 756 message("duplicate suppressed"); 757 else 758 q->q_state = QS_DUPLICATE; 759 q->q_flags |= new->q_flags; 760 } 761 else if (bitset(QSELFREF, q->q_flags) 762 || q->q_state == QS_REMOVED) 763 { 764 /* 765 ** If an earlier milter removed the 766 ** address, a later one can still add 767 ** it back. 768 */ 769 770 q->q_state = new->q_state; 771 q->q_flags |= new->q_flags; 772 } 773 new = q; 774 goto done; 775 } 776 } 777 else if (i < 0) /* less than */ 778 { 779 insert = true; 780 break; 781 } 782 prev = pq; 783 } 784 785 /* pq should point to an address, never NULL */ 786 SM_ASSERT(pq != NULL); 787 788 /* add address on list */ 789 if (insert) 790 { 791 /* 792 ** insert before 'pq'. Only possible when at least 1 793 ** ADDRESS is in the list already. 794 */ 795 796 new->q_next = *pq; 797 if (prev == NULL) 798 *sendq = new; /* To be the first ADDRESS */ 799 else 800 (*prev)->q_next = new; 801 } 802 else 803 { 804 /* 805 ** Place in list at current 'pq' position. Possible 806 ** when there are 0 or more ADDRESS's in the list. 807 */ 808 809 new->q_next = NULL; 810 *pq = new; 811 } 812 813 /* added a new address: clear split flag */ 814 e->e_flags &= ~EF_SPLIT; 815 816 /* 817 ** Alias the name and handle special mailer types. 818 */ 819 820 trylocaluser: 821 if (tTd(29, 7)) 822 { 823 sm_dprintf("at trylocaluser: "); 824 printaddr(sm_debug_file(), new, false); 825 } 826 827 if (!QS_IS_OK(new->q_state)) 828 { 829 if (QS_IS_UNDELIVERED(new->q_state)) 830 e->e_nrcpts++; 831 goto testselfdestruct; 832 } 833 834 if (m == InclMailer) 835 { 836 new->q_state = QS_INCLUDED; 837 if (new->q_alias == NULL || UseMSP || 838 bitset(EF_UNSAFE, e->e_flags)) 839 { 840 new->q_state = QS_BADADDR; 841 new->q_status = "5.7.1"; 842 usrerrenh(new->q_status, 843 "550 Cannot mail directly to :include:s"); 844 } 845 else 846 { 847 int ret; 848 849 message("including file %s", new->q_user); 850 ret = include(new->q_user, false, new, 851 sendq, aliaslevel, e); 852 if (transienterror(ret)) 853 { 854 if (LogLevel > 2) 855 sm_syslog(LOG_ERR, e->e_id, 856 "include %s: transient error: %s", 857 shortenstring(new->q_user, 858 MAXSHORTSTR), 859 sm_errstring(ret)); 860 new->q_state = QS_QUEUEUP; 861 usrerr("451 4.2.4 Cannot open %s: %s", 862 shortenstring(new->q_user, 863 MAXSHORTSTR), 864 sm_errstring(ret)); 865 } 866 else if (ret != 0) 867 { 868 new->q_state = QS_BADADDR; 869 new->q_status = "5.2.4"; 870 usrerrenh(new->q_status, 871 "550 Cannot open %s: %s", 872 shortenstring(new->q_user, 873 MAXSHORTSTR), 874 sm_errstring(ret)); 875 } 876 } 877 } 878 else if (m == FileMailer) 879 { 880 /* check if allowed */ 881 if (new->q_alias == NULL || UseMSP || 882 bitset(EF_UNSAFE, e->e_flags)) 883 { 884 new->q_state = QS_BADADDR; 885 new->q_status = "5.7.1"; 886 usrerrenh(new->q_status, 887 "550 Cannot mail directly to files"); 888 } 889 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 890 { 891 new->q_state = QS_BADADDR; 892 new->q_status = "5.7.1"; 893 if (new->q_alias->q_ruser == NULL) 894 usrerrenh(new->q_status, 895 "550 UID %d is an unknown user: cannot mail to files", 896 new->q_alias->q_uid); 897 else 898 usrerrenh(new->q_status, 899 "550 User %s@%s doesn't have a valid shell for mailing to files", 900 new->q_alias->q_ruser, MyHostName); 901 } 902 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 903 { 904 new->q_state = QS_BADADDR; 905 new->q_status = "5.7.1"; 906 new->q_rstatus = "550 Unsafe for mailing to files"; 907 usrerrenh(new->q_status, 908 "550 Address %s is unsafe for mailing to files", 909 new->q_alias->q_paddr); 910 } 911 } 912 913 /* try aliasing */ 914 if (!quoted && QS_IS_OK(new->q_state) && 915 bitnset(M_ALIASABLE, m->m_flags)) 916 alias(new, sendq, aliaslevel, e); 917 918 #if USERDB 919 /* if not aliased, look it up in the user database */ 920 if (!bitset(QNOTREMOTE, new->q_flags) && 921 QS_IS_SENDABLE(new->q_state) && 922 bitnset(M_CHECKUDB, m->m_flags)) 923 { 924 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 925 { 926 new->q_state = QS_QUEUEUP; 927 if (e->e_message == NULL) 928 e->e_message = sm_rpool_strdup_x(e->e_rpool, 929 "Deferred: user database error"); 930 if (new->q_message == NULL) 931 new->q_message = "Deferred: user database error"; 932 if (LogLevel > 8) 933 sm_syslog(LOG_INFO, e->e_id, 934 "deferred: udbexpand: %s", 935 sm_errstring(errno)); 936 message("queued (user database error): %s", 937 sm_errstring(errno)); 938 e->e_nrcpts++; 939 goto testselfdestruct; 940 } 941 } 942 #endif /* USERDB */ 943 944 /* 945 ** If we have a level two config file, then pass the name through 946 ** Ruleset 5 before sending it off. Ruleset 5 has the right 947 ** to rewrite it to another mailer. This gives us a hook 948 ** after local aliasing has been done. 949 */ 950 951 if (tTd(29, 5)) 952 { 953 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 954 ConfigLevel, RewriteRules[5]); 955 printaddr(sm_debug_file(), new, false); 956 } 957 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 958 bitnset(M_TRYRULESET5, m->m_flags) && 959 !bitset(QNOTREMOTE, new->q_flags) && 960 QS_IS_OK(new->q_state)) 961 { 962 maplocaluser(new, sendq, aliaslevel + 1, e); 963 } 964 965 /* 966 ** If it didn't get rewritten to another mailer, go ahead 967 ** and deliver it. 968 */ 969 970 if (QS_IS_OK(new->q_state) && 971 bitnset(M_HASPWENT, m->m_flags)) 972 { 973 auto bool fuzzy; 974 SM_MBDB_T user; 975 int status; 976 977 /* warning -- finduser may trash buf */ 978 status = finduser(buf, &fuzzy, &user); 979 switch (status) 980 { 981 case EX_TEMPFAIL: 982 new->q_state = QS_QUEUEUP; 983 new->q_status = "4.5.2"; 984 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 985 new->q_alias, (time_t) 0, e, new); 986 break; 987 default: 988 new->q_state = QS_BADADDR; 989 new->q_status = "5.1.1"; 990 new->q_rstatus = "550 5.1.1 User unknown"; 991 giveresponse(EX_NOUSER, new->q_status, m, NULL, 992 new->q_alias, (time_t) 0, e, new); 993 break; 994 case EX_OK: 995 if (fuzzy) 996 { 997 /* name was a fuzzy match */ 998 new->q_user = sm_rpool_strdup_x(e->e_rpool, 999 user.mbdb_name); 1000 if (findusercount++ > 3) 1001 { 1002 new->q_state = QS_BADADDR; 1003 new->q_status = "5.4.6"; 1004 usrerrenh(new->q_status, 1005 "554 aliasing/forwarding loop for %s broken", 1006 user.mbdb_name); 1007 goto done; 1008 } 1009 1010 /* see if it aliases */ 1011 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1012 goto trylocaluser; 1013 } 1014 if (*user.mbdb_homedir == '\0') 1015 new->q_home = NULL; 1016 else if (strcmp(user.mbdb_homedir, "/") == 0) 1017 new->q_home = ""; 1018 else 1019 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1020 user.mbdb_homedir); 1021 if (user.mbdb_uid != SM_NO_UID) 1022 { 1023 new->q_uid = user.mbdb_uid; 1024 new->q_gid = user.mbdb_gid; 1025 new->q_flags |= QGOODUID; 1026 } 1027 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1028 user.mbdb_name); 1029 if (user.mbdb_fullname[0] != '\0') 1030 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1031 user.mbdb_fullname); 1032 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1033 { 1034 new->q_flags |= QBOGUSSHELL; 1035 } 1036 if (bitset(EF_VRFYONLY, e->e_flags)) 1037 { 1038 /* don't do any more now */ 1039 new->q_state = QS_VERIFIED; 1040 } 1041 else if (!quoted) 1042 forward(new, sendq, aliaslevel, e); 1043 } 1044 } 1045 if (!QS_IS_DEAD(new->q_state)) 1046 e->e_nrcpts++; 1047 1048 testselfdestruct: 1049 new->q_flags |= QTHISPASS; 1050 if (tTd(26, 8)) 1051 { 1052 sm_dprintf("testselfdestruct: "); 1053 printaddr(sm_debug_file(), new, false); 1054 if (tTd(26, 10)) 1055 { 1056 sm_dprintf("SENDQ:\n"); 1057 printaddr(sm_debug_file(), *sendq, true); 1058 sm_dprintf("----\n"); 1059 } 1060 } 1061 if (new->q_alias == NULL && new != &e->e_from && 1062 QS_IS_DEAD(new->q_state)) 1063 { 1064 for (q = *sendq; q != NULL; q = q->q_next) 1065 { 1066 if (!QS_IS_DEAD(q->q_state)) 1067 break; 1068 } 1069 if (q == NULL) 1070 { 1071 new->q_state = QS_BADADDR; 1072 new->q_status = "5.4.6"; 1073 usrerrenh(new->q_status, 1074 "554 aliasing/forwarding loop broken"); 1075 } 1076 } 1077 1078 done: 1079 new->q_flags |= QTHISPASS; 1080 if (buf != buf0) 1081 sm_free(buf); /* XXX leak if above code raises exception */ 1082 1083 /* 1084 ** If we are at the top level, check to see if this has 1085 ** expanded to exactly one address. If so, it can inherit 1086 ** the primaryness of the address. 1087 ** 1088 ** While we're at it, clear the QTHISPASS bits. 1089 */ 1090 1091 if (aliaslevel == 0) 1092 { 1093 int nrcpts = 0; 1094 ADDRESS *only = NULL; 1095 1096 for (q = *sendq; q != NULL; q = q->q_next) 1097 { 1098 if (bitset(QTHISPASS, q->q_flags) && 1099 QS_IS_SENDABLE(q->q_state)) 1100 { 1101 nrcpts++; 1102 only = q; 1103 } 1104 q->q_flags &= ~QTHISPASS; 1105 } 1106 if (nrcpts == 1) 1107 { 1108 /* check to see if this actually got a new owner */ 1109 q = only; 1110 while ((q = q->q_alias) != NULL) 1111 { 1112 if (q->q_owner != NULL) 1113 break; 1114 } 1115 if (q == NULL) 1116 only->q_flags |= QPRIMARY; 1117 } 1118 else if (!initialdontsend && nrcpts > 0) 1119 { 1120 /* arrange for return receipt */ 1121 e->e_flags |= EF_SENDRECEIPT; 1122 new->q_flags |= QEXPANDED; 1123 if (e->e_xfp != NULL && 1124 bitset(QPINGONSUCCESS, new->q_flags)) 1125 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1126 "%s... expanded to multiple addresses\n", 1127 new->q_paddr); 1128 } 1129 } 1130 new->q_flags |= QRCPTOK; 1131 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1132 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1133 return new; 1134 } 1135 1136 /* 1137 ** FINDUSER -- find the password entry for a user. 1138 ** 1139 ** This looks a lot like getpwnam, except that it may want to 1140 ** do some fancier pattern matching in /etc/passwd. 1141 ** 1142 ** This routine contains most of the time of many sendmail runs. 1143 ** It deserves to be optimized. 1144 ** 1145 ** Parameters: 1146 ** name -- the name to match against. 1147 ** fuzzyp -- an outarg that is set to true if this entry 1148 ** was found using the fuzzy matching algorithm; 1149 ** set to false otherwise. 1150 ** user -- structure to fill in if user is found 1151 ** 1152 ** Returns: 1153 ** On success, fill in *user, set *fuzzyp and return EX_OK. 1154 ** If the user was not found, return EX_NOUSER. 1155 ** On error, return EX_TEMPFAIL or EX_OSERR. 1156 ** 1157 ** Side Effects: 1158 ** may modify name. 1159 */ 1160 1161 int 1162 finduser(name, fuzzyp, user) 1163 char *name; 1164 bool *fuzzyp; 1165 SM_MBDB_T *user; 1166 { 1167 #if MATCHGECOS 1168 register struct passwd *pw; 1169 #endif /* MATCHGECOS */ 1170 register char *p; 1171 bool tryagain; 1172 int status; 1173 1174 if (tTd(29, 4)) 1175 sm_dprintf("finduser(%s): ", name); 1176 1177 *fuzzyp = false; 1178 1179 #if HESIOD 1180 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1181 for (p = name; *p != '\0'; p++) 1182 if (!isascii(*p) || !isdigit(*p)) 1183 break; 1184 if (*p == '\0') 1185 { 1186 if (tTd(29, 4)) 1187 sm_dprintf("failed (numeric input)\n"); 1188 return EX_NOUSER; 1189 } 1190 #endif /* HESIOD */ 1191 1192 /* look up this login name using fast path */ 1193 status = sm_mbdb_lookup(name, user); 1194 if (status != EX_NOUSER) 1195 { 1196 if (tTd(29, 4)) 1197 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1198 return status; 1199 } 1200 1201 /* try mapping it to lower case */ 1202 tryagain = false; 1203 for (p = name; *p != '\0'; p++) 1204 { 1205 if (isascii(*p) && isupper(*p)) 1206 { 1207 *p = tolower(*p); 1208 tryagain = true; 1209 } 1210 } 1211 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1212 { 1213 if (tTd(29, 4)) 1214 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1215 *fuzzyp = true; 1216 return status; 1217 } 1218 1219 #if MATCHGECOS 1220 /* see if fuzzy matching allowed */ 1221 if (!MatchGecos) 1222 { 1223 if (tTd(29, 4)) 1224 sm_dprintf("not found (fuzzy disabled)\n"); 1225 return EX_NOUSER; 1226 } 1227 1228 /* search for a matching full name instead */ 1229 for (p = name; *p != '\0'; p++) 1230 { 1231 if (*p == (SpaceSub & 0177) || *p == '_') 1232 *p = ' '; 1233 } 1234 (void) setpwent(); 1235 while ((pw = getpwent()) != NULL) 1236 { 1237 char buf[MAXNAME + 1]; 1238 1239 # if 0 1240 if (sm_strcasecmp(pw->pw_name, name) == 0) 1241 { 1242 if (tTd(29, 4)) 1243 sm_dprintf("found (case wrapped)\n"); 1244 break; 1245 } 1246 # endif /* 0 */ 1247 1248 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1249 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1250 { 1251 if (tTd(29, 4)) 1252 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1253 message("sending to login name %s", pw->pw_name); 1254 break; 1255 } 1256 } 1257 if (pw != NULL) 1258 *fuzzyp = true; 1259 else if (tTd(29, 4)) 1260 sm_dprintf("no fuzzy match found\n"); 1261 # if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1262 endpwent(); 1263 # endif /* DEC_OSF_BROKEN_GETPWENT */ 1264 if (pw == NULL) 1265 return EX_NOUSER; 1266 sm_mbdb_frompw(user, pw); 1267 return EX_OK; 1268 #else /* MATCHGECOS */ 1269 if (tTd(29, 4)) 1270 sm_dprintf("not found (fuzzy disabled)\n"); 1271 return EX_NOUSER; 1272 #endif /* MATCHGECOS */ 1273 } 1274 1275 /* 1276 ** WRITABLE -- predicate returning if the file is writable. 1277 ** 1278 ** This routine must duplicate the algorithm in sys/fio.c. 1279 ** Unfortunately, we cannot use the access call since we 1280 ** won't necessarily be the real uid when we try to 1281 ** actually open the file. 1282 ** 1283 ** Notice that ANY file with ANY execute bit is automatically 1284 ** not writable. This is also enforced by mailfile. 1285 ** 1286 ** Parameters: 1287 ** filename -- the file name to check. 1288 ** ctladdr -- the controlling address for this file. 1289 ** flags -- SFF_* flags to control the function. 1290 ** 1291 ** Returns: 1292 ** true -- if we will be able to write this file. 1293 ** false -- if we cannot write this file. 1294 ** 1295 ** Side Effects: 1296 ** none. 1297 */ 1298 1299 bool 1300 writable(filename, ctladdr, flags) 1301 char *filename; 1302 ADDRESS *ctladdr; 1303 long flags; 1304 { 1305 uid_t euid = 0; 1306 gid_t egid = 0; 1307 char *user = NULL; 1308 1309 if (tTd(44, 5)) 1310 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1311 1312 /* 1313 ** File does exist -- check that it is writable. 1314 */ 1315 1316 if (geteuid() != 0) 1317 { 1318 euid = geteuid(); 1319 egid = getegid(); 1320 user = NULL; 1321 } 1322 else if (ctladdr != NULL) 1323 { 1324 euid = ctladdr->q_uid; 1325 egid = ctladdr->q_gid; 1326 user = ctladdr->q_user; 1327 } 1328 else if (bitset(SFF_RUNASREALUID, flags)) 1329 { 1330 euid = RealUid; 1331 egid = RealGid; 1332 user = RealUserName; 1333 } 1334 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1335 { 1336 if (FileMailer->m_uid == NO_UID) 1337 { 1338 euid = DefUid; 1339 user = DefUser; 1340 } 1341 else 1342 { 1343 euid = FileMailer->m_uid; 1344 user = NULL; 1345 } 1346 if (FileMailer->m_gid == NO_GID) 1347 egid = DefGid; 1348 else 1349 egid = FileMailer->m_gid; 1350 } 1351 else 1352 { 1353 euid = egid = 0; 1354 user = NULL; 1355 } 1356 if (!bitset(SFF_ROOTOK, flags)) 1357 { 1358 if (euid == 0) 1359 { 1360 euid = DefUid; 1361 user = DefUser; 1362 } 1363 if (egid == 0) 1364 egid = DefGid; 1365 } 1366 if (geteuid() == 0 && 1367 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1368 flags |= SFF_SETUIDOK; 1369 1370 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1371 flags |= SFF_NOSLINK; 1372 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1373 flags |= SFF_NOHLINK; 1374 1375 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1376 return errno == 0; 1377 } 1378 1379 /* 1380 ** INCLUDE -- handle :include: specification. 1381 ** 1382 ** Parameters: 1383 ** fname -- filename to include. 1384 ** forwarding -- if true, we are reading a .forward file. 1385 ** if false, it's a :include: file. 1386 ** ctladdr -- address template to use to fill in these 1387 ** addresses -- effective user/group id are 1388 ** the important things. 1389 ** sendq -- a pointer to the head of the send queue 1390 ** to put these addresses in. 1391 ** aliaslevel -- the alias nesting depth. 1392 ** e -- the current envelope. 1393 ** 1394 ** Returns: 1395 ** open error status 1396 ** 1397 ** Side Effects: 1398 ** reads the :include: file and sends to everyone 1399 ** listed in that file. 1400 ** 1401 ** Security Note: 1402 ** If you have restricted chown (that is, you can't 1403 ** give a file away), it is reasonable to allow programs 1404 ** and files called from this :include: file to be to be 1405 ** run as the owner of the :include: file. This is bogus 1406 ** if there is any chance of someone giving away a file. 1407 ** We assume that pre-POSIX systems can give away files. 1408 ** 1409 ** There is an additional restriction that if you 1410 ** forward to a :include: file, it will not take on 1411 ** the ownership of the :include: file. This may not 1412 ** be necessary, but shouldn't hurt. 1413 */ 1414 1415 static jmp_buf CtxIncludeTimeout; 1416 1417 int 1418 include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1419 char *fname; 1420 bool forwarding; 1421 ADDRESS *ctladdr; 1422 ADDRESS **sendq; 1423 int aliaslevel; 1424 ENVELOPE *e; 1425 { 1426 SM_FILE_T *volatile fp = NULL; 1427 char *oldto = e->e_to; 1428 char *oldfilename = FileName; 1429 int oldlinenumber = LineNumber; 1430 register SM_EVENT *ev = NULL; 1431 int nincludes; 1432 int mode; 1433 volatile bool maxreached = false; 1434 register ADDRESS *ca; 1435 volatile uid_t saveduid; 1436 volatile gid_t savedgid; 1437 volatile uid_t uid; 1438 volatile gid_t gid; 1439 char *volatile user; 1440 int rval = 0; 1441 volatile long sfflags = SFF_REGONLY; 1442 register char *p; 1443 bool safechown = false; 1444 volatile bool safedir = false; 1445 struct stat st; 1446 char buf[MAXLINE]; 1447 1448 if (tTd(27, 2)) 1449 sm_dprintf("include(%s)\n", fname); 1450 if (tTd(27, 4)) 1451 sm_dprintf(" ruid=%d euid=%d\n", 1452 (int) getuid(), (int) geteuid()); 1453 if (tTd(27, 14)) 1454 { 1455 sm_dprintf("ctladdr "); 1456 printaddr(sm_debug_file(), ctladdr, false); 1457 } 1458 1459 if (tTd(27, 9)) 1460 sm_dprintf("include: old uid = %d/%d\n", 1461 (int) getuid(), (int) geteuid()); 1462 1463 if (forwarding) 1464 { 1465 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1466 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1467 sfflags |= SFF_NOGWFILES; 1468 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1469 sfflags |= SFF_NOWWFILES; 1470 } 1471 else 1472 { 1473 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1474 sfflags |= SFF_NOGWFILES; 1475 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1476 sfflags |= SFF_NOWWFILES; 1477 } 1478 1479 /* 1480 ** If RunAsUser set, won't be able to run programs as user 1481 ** so mark them as unsafe unless the administrator knows better. 1482 */ 1483 1484 if ((geteuid() != 0 || RunAsUid != 0) && 1485 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1486 { 1487 if (tTd(27, 4)) 1488 sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n", 1489 (int) geteuid(), (int) RunAsUid); 1490 ctladdr->q_flags |= QUNSAFEADDR; 1491 } 1492 1493 ca = getctladdr(ctladdr); 1494 if (ca == NULL || 1495 (ca->q_uid == DefUid && ca->q_gid == 0)) 1496 { 1497 uid = DefUid; 1498 gid = DefGid; 1499 user = DefUser; 1500 } 1501 else 1502 { 1503 uid = ca->q_uid; 1504 gid = ca->q_gid; 1505 user = ca->q_user; 1506 } 1507 #if MAILER_SETUID_METHOD != USE_SETUID 1508 saveduid = geteuid(); 1509 savedgid = getegid(); 1510 if (saveduid == 0) 1511 { 1512 if (!DontInitGroups) 1513 { 1514 if (initgroups(user, gid) == -1) 1515 { 1516 rval = EAGAIN; 1517 syserr("include: initgroups(%s, %d) failed", 1518 user, gid); 1519 goto resetuid; 1520 } 1521 } 1522 else 1523 { 1524 GIDSET_T gidset[1]; 1525 1526 gidset[0] = gid; 1527 if (setgroups(1, gidset) == -1) 1528 { 1529 rval = EAGAIN; 1530 syserr("include: setgroups() failed"); 1531 goto resetuid; 1532 } 1533 } 1534 1535 if (gid != 0 && setgid(gid) < -1) 1536 { 1537 rval = EAGAIN; 1538 syserr("setgid(%d) failure", gid); 1539 goto resetuid; 1540 } 1541 if (uid != 0) 1542 { 1543 # if MAILER_SETUID_METHOD == USE_SETEUID 1544 if (seteuid(uid) < 0) 1545 { 1546 rval = EAGAIN; 1547 syserr("seteuid(%d) failure (real=%d, eff=%d)", 1548 uid, (int) getuid(), (int) geteuid()); 1549 goto resetuid; 1550 } 1551 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1552 # if MAILER_SETUID_METHOD == USE_SETREUID 1553 if (setreuid(0, uid) < 0) 1554 { 1555 rval = EAGAIN; 1556 syserr("setreuid(0, %d) failure (real=%d, eff=%d)", 1557 uid, (int) getuid(), (int) geteuid()); 1558 goto resetuid; 1559 } 1560 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1561 } 1562 } 1563 #endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1564 1565 if (tTd(27, 9)) 1566 sm_dprintf("include: new uid = %d/%d\n", 1567 (int) getuid(), (int) geteuid()); 1568 1569 /* 1570 ** If home directory is remote mounted but server is down, 1571 ** this can hang or give errors; use a timeout to avoid this 1572 */ 1573 1574 if (setjmp(CtxIncludeTimeout) != 0) 1575 { 1576 ctladdr->q_state = QS_QUEUEUP; 1577 errno = 0; 1578 1579 /* return pseudo-error code */ 1580 rval = E_SM_OPENTIMEOUT; 1581 goto resetuid; 1582 } 1583 if (TimeOuts.to_fileopen > 0) 1584 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1585 else 1586 ev = NULL; 1587 1588 1589 /* check for writable parent directory */ 1590 p = strrchr(fname, '/'); 1591 if (p != NULL) 1592 { 1593 int ret; 1594 1595 *p = '\0'; 1596 ret = safedirpath(fname, uid, gid, user, 1597 sfflags|SFF_SAFEDIRPATH, 0, 0); 1598 if (ret == 0) 1599 { 1600 /* in safe directory: relax chown & link rules */ 1601 safedir = true; 1602 sfflags |= SFF_NOPATHCHECK; 1603 } 1604 else 1605 { 1606 if (bitnset((forwarding ? 1607 DBS_FORWARDFILEINUNSAFEDIRPATH : 1608 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1609 DontBlameSendmail)) 1610 sfflags |= SFF_NOPATHCHECK; 1611 else if (bitnset((forwarding ? 1612 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1613 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1614 DontBlameSendmail) && 1615 ret == E_SM_GWDIR) 1616 { 1617 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1618 DontBlameSendmail); 1619 ret = safedirpath(fname, uid, gid, user, 1620 sfflags|SFF_SAFEDIRPATH, 1621 0, 0); 1622 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1623 DontBlameSendmail); 1624 if (ret == 0) 1625 sfflags |= SFF_NOPATHCHECK; 1626 else 1627 sfflags |= SFF_SAFEDIRPATH; 1628 } 1629 else 1630 sfflags |= SFF_SAFEDIRPATH; 1631 if (ret > E_PSEUDOBASE && 1632 !bitnset((forwarding ? 1633 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1634 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1635 DontBlameSendmail)) 1636 { 1637 if (LogLevel > 11) 1638 sm_syslog(LOG_INFO, e->e_id, 1639 "%s: unsafe directory path, marked unsafe", 1640 shortenstring(fname, MAXSHORTSTR)); 1641 ctladdr->q_flags |= QUNSAFEADDR; 1642 } 1643 } 1644 *p = '/'; 1645 } 1646 1647 /* allow links only in unwritable directories */ 1648 if (!safedir && 1649 !bitnset((forwarding ? 1650 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1651 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1652 DontBlameSendmail)) 1653 sfflags |= SFF_NOLINK; 1654 1655 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1656 if (rval != 0) 1657 { 1658 /* don't use this :include: file */ 1659 if (tTd(27, 4)) 1660 sm_dprintf("include: not safe (uid=%d): %s\n", 1661 (int) uid, sm_errstring(rval)); 1662 } 1663 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1664 SM_IO_RDONLY, NULL)) == NULL) 1665 { 1666 rval = errno; 1667 if (tTd(27, 4)) 1668 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1669 } 1670 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1671 { 1672 rval = E_SM_FILECHANGE; 1673 if (tTd(27, 4)) 1674 sm_dprintf("include: file changed after open\n"); 1675 } 1676 if (ev != NULL) 1677 sm_clrevent(ev); 1678 1679 resetuid: 1680 1681 #if HASSETREUID || USESETEUID 1682 if (saveduid == 0) 1683 { 1684 if (uid != 0) 1685 { 1686 # if USESETEUID 1687 if (seteuid(0) < 0) 1688 syserr("!seteuid(0) failure (real=%d, eff=%d)", 1689 (int) getuid(), (int) geteuid()); 1690 # else /* USESETEUID */ 1691 if (setreuid(-1, 0) < 0) 1692 syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", 1693 (int) getuid(), (int) geteuid()); 1694 if (setreuid(RealUid, 0) < 0) 1695 syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", 1696 (int) RealUid, (int) getuid(), 1697 (int) geteuid()); 1698 # endif /* USESETEUID */ 1699 } 1700 if (setgid(savedgid) < 0) 1701 syserr("!setgid(%d) failure (real=%d eff=%d)", 1702 (int) savedgid, (int) getgid(), 1703 (int) getegid()); 1704 } 1705 #endif /* HASSETREUID || USESETEUID */ 1706 1707 if (tTd(27, 9)) 1708 sm_dprintf("include: reset uid = %d/%d\n", 1709 (int) getuid(), (int) geteuid()); 1710 1711 if (rval == E_SM_OPENTIMEOUT) 1712 usrerr("451 4.4.1 open timeout on %s", fname); 1713 1714 if (fp == NULL) 1715 return rval; 1716 1717 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1718 { 1719 rval = errno; 1720 syserr("Cannot fstat %s!", fname); 1721 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1722 return rval; 1723 } 1724 1725 /* if path was writable, check to avoid file giveaway tricks */ 1726 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1727 if (tTd(27, 6)) 1728 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1729 fname, safedir ? "safe" : "dangerous", 1730 safechown ? "" : "un"); 1731 1732 /* if no controlling user or coming from an alias delivery */ 1733 if (safechown && 1734 (ca == NULL || 1735 (ca->q_uid == DefUid && ca->q_gid == 0))) 1736 { 1737 ctladdr->q_uid = st.st_uid; 1738 ctladdr->q_gid = st.st_gid; 1739 ctladdr->q_flags |= QGOODUID; 1740 } 1741 if (ca != NULL && ca->q_uid == st.st_uid) 1742 { 1743 /* optimization -- avoid getpwuid if we already have info */ 1744 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1745 ctladdr->q_ruser = ca->q_ruser; 1746 } 1747 else if (!forwarding) 1748 { 1749 register struct passwd *pw; 1750 1751 pw = sm_getpwuid(st.st_uid); 1752 if (pw == NULL) 1753 { 1754 ctladdr->q_uid = st.st_uid; 1755 ctladdr->q_flags |= QBOGUSSHELL; 1756 } 1757 else 1758 { 1759 char *sh; 1760 1761 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1762 pw->pw_name); 1763 if (safechown) 1764 sh = pw->pw_shell; 1765 else 1766 sh = "/SENDMAIL/ANY/SHELL/"; 1767 if (!usershellok(pw->pw_name, sh)) 1768 { 1769 if (LogLevel > 11) 1770 sm_syslog(LOG_INFO, e->e_id, 1771 "%s: user %s has bad shell %s, marked %s", 1772 shortenstring(fname, 1773 MAXSHORTSTR), 1774 pw->pw_name, sh, 1775 safechown ? "bogus" : "unsafe"); 1776 if (safechown) 1777 ctladdr->q_flags |= QBOGUSSHELL; 1778 else 1779 ctladdr->q_flags |= QUNSAFEADDR; 1780 } 1781 } 1782 } 1783 1784 if (bitset(EF_VRFYONLY, e->e_flags)) 1785 { 1786 /* don't do any more now */ 1787 ctladdr->q_state = QS_VERIFIED; 1788 e->e_nrcpts++; 1789 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1790 return rval; 1791 } 1792 1793 /* 1794 ** Check to see if some bad guy can write this file 1795 ** 1796 ** Group write checking could be more clever, e.g., 1797 ** guessing as to which groups are actually safe ("sys" 1798 ** may be; "user" probably is not). 1799 */ 1800 1801 mode = S_IWOTH; 1802 if (!bitnset((forwarding ? 1803 DBS_GROUPWRITABLEFORWARDFILESAFE : 1804 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1805 DontBlameSendmail)) 1806 mode |= S_IWGRP; 1807 1808 if (bitset(mode, st.st_mode)) 1809 { 1810 if (tTd(27, 6)) 1811 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1812 shortenstring(fname, MAXSHORTSTR), 1813 bitset(S_IWOTH, st.st_mode) ? "world" 1814 : "group"); 1815 if (LogLevel > 11) 1816 sm_syslog(LOG_INFO, e->e_id, 1817 "%s: %s writable %s file, marked unsafe", 1818 shortenstring(fname, MAXSHORTSTR), 1819 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1820 forwarding ? "forward" : ":include:"); 1821 ctladdr->q_flags |= QUNSAFEADDR; 1822 } 1823 1824 /* read the file -- each line is a comma-separated list. */ 1825 FileName = fname; 1826 LineNumber = 0; 1827 ctladdr->q_flags &= ~QSELFREF; 1828 nincludes = 0; 1829 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL && 1830 !maxreached) 1831 { 1832 fixcrlf(buf, true); 1833 LineNumber++; 1834 if (buf[0] == '#' || buf[0] == '\0') 1835 continue; 1836 1837 /* <sp>#@# introduces a comment anywhere */ 1838 /* for Japanese character sets */ 1839 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1840 { 1841 if (p[1] == '@' && p[2] == '#' && 1842 isascii(p[-1]) && isspace(p[-1]) && 1843 (p[3] == '\0' || (isascii(p[3]) && isspace(p[3])))) 1844 { 1845 --p; 1846 while (p > buf && isascii(p[-1]) && 1847 isspace(p[-1])) 1848 --p; 1849 p[0] = '\0'; 1850 break; 1851 } 1852 } 1853 if (buf[0] == '\0') 1854 continue; 1855 1856 e->e_to = NULL; 1857 message("%s to %s", 1858 forwarding ? "forwarding" : "sending", buf); 1859 if (forwarding && LogLevel > 10) 1860 sm_syslog(LOG_INFO, e->e_id, 1861 "forward %.200s => %s", 1862 oldto, shortenstring(buf, MAXSHORTSTR)); 1863 1864 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1865 1866 if (forwarding && 1867 MaxForwardEntries > 0 && 1868 nincludes >= MaxForwardEntries) 1869 { 1870 /* just stop reading and processing further entries */ 1871 #if 0 1872 /* additional: (?) */ 1873 ctladdr->q_state = QS_DONTSEND; 1874 #endif /* 0 */ 1875 1876 syserr("Attempt to forward to more than %d addresses (in %s)!", 1877 MaxForwardEntries, fname); 1878 maxreached = true; 1879 } 1880 } 1881 1882 if (sm_io_error(fp) && tTd(27, 3)) 1883 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1884 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1885 { 1886 if (aliaslevel <= MaxAliasRecursion || 1887 ctladdr->q_state != QS_BADADDR) 1888 { 1889 ctladdr->q_state = QS_DONTSEND; 1890 if (tTd(27, 5)) 1891 { 1892 sm_dprintf("include: QS_DONTSEND "); 1893 printaddr(sm_debug_file(), ctladdr, false); 1894 } 1895 } 1896 } 1897 1898 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1899 FileName = oldfilename; 1900 LineNumber = oldlinenumber; 1901 e->e_to = oldto; 1902 return rval; 1903 } 1904 1905 static void 1906 includetimeout(ignore) 1907 int ignore; 1908 { 1909 /* 1910 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1911 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1912 ** DOING. 1913 */ 1914 1915 errno = ETIMEDOUT; 1916 longjmp(CtxIncludeTimeout, 1); 1917 } 1918 1919 /* 1920 ** SENDTOARGV -- send to an argument vector. 1921 ** 1922 ** Parameters: 1923 ** argv -- argument vector to send to. 1924 ** e -- the current envelope. 1925 ** 1926 ** Returns: 1927 ** none. 1928 ** 1929 ** Side Effects: 1930 ** puts all addresses on the argument vector onto the 1931 ** send queue. 1932 */ 1933 1934 void 1935 sendtoargv(argv, e) 1936 register char **argv; 1937 register ENVELOPE *e; 1938 { 1939 register char *p; 1940 1941 while ((p = *argv++) != NULL) 1942 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1943 } 1944 1945 /* 1946 ** GETCTLADDR -- get controlling address from an address header. 1947 ** 1948 ** If none, get one corresponding to the effective userid. 1949 ** 1950 ** Parameters: 1951 ** a -- the address to find the controller of. 1952 ** 1953 ** Returns: 1954 ** the controlling address. 1955 */ 1956 1957 ADDRESS * 1958 getctladdr(a) 1959 register ADDRESS *a; 1960 { 1961 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1962 a = a->q_alias; 1963 return a; 1964 } 1965 1966 /* 1967 ** SELF_REFERENCE -- check to see if an address references itself 1968 ** 1969 ** The check is done through a chain of aliases. If it is part of 1970 ** a loop, break the loop at the "best" address, that is, the one 1971 ** that exists as a real user. 1972 ** 1973 ** This is to handle the case of: 1974 ** awc: Andrew.Chang 1975 ** Andrew.Chang: awc@mail.server 1976 ** which is a problem only on mail.server. 1977 ** 1978 ** Parameters: 1979 ** a -- the address to check. 1980 ** 1981 ** Returns: 1982 ** The address that should be retained. 1983 */ 1984 1985 static ADDRESS * 1986 self_reference(a) 1987 ADDRESS *a; 1988 { 1989 ADDRESS *b; /* top entry in self ref loop */ 1990 ADDRESS *c; /* entry that point to a real mail box */ 1991 1992 if (tTd(27, 1)) 1993 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1994 1995 for (b = a->q_alias; b != NULL; b = b->q_alias) 1996 { 1997 if (sameaddr(a, b)) 1998 break; 1999 } 2000 2001 if (b == NULL) 2002 { 2003 if (tTd(27, 1)) 2004 sm_dprintf("\t... no self ref\n"); 2005 return NULL; 2006 } 2007 2008 /* 2009 ** Pick the first address that resolved to a real mail box 2010 ** i.e has a mbdb entry. The returned value will be marked 2011 ** QSELFREF in recipient(), which in turn will disable alias() 2012 ** from marking it as QS_IS_DEAD(), which mean it will be used 2013 ** as a deliverable address. 2014 ** 2015 ** The 2 key thing to note here are: 2016 ** 1) we are in a recursive call sequence: 2017 ** alias->sendtolist->recipient->alias 2018 ** 2) normally, when we return back to alias(), the address 2019 ** will be marked QS_EXPANDED, since alias() assumes the 2020 ** expanded form will be used instead of the current address. 2021 ** This behaviour is turned off if the address is marked 2022 ** QSELFREF. We set QSELFREF when we return to recipient(). 2023 */ 2024 2025 c = a; 2026 while (c != NULL) 2027 { 2028 if (tTd(27, 10)) 2029 sm_dprintf(" %s", c->q_user); 2030 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2031 { 2032 SM_MBDB_T user; 2033 2034 if (tTd(27, 2)) 2035 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2036 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2037 { 2038 if (tTd(27, 2)) 2039 sm_dprintf("found\n"); 2040 2041 /* ought to cache results here */ 2042 if (sameaddr(b, c)) 2043 return b; 2044 else 2045 return c; 2046 } 2047 if (tTd(27, 2)) 2048 sm_dprintf("failed\n"); 2049 } 2050 else 2051 { 2052 /* if local delivery, compare usernames */ 2053 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2054 b->q_mailer == c->q_mailer) 2055 { 2056 if (tTd(27, 2)) 2057 sm_dprintf("\t... local match (%s)\n", 2058 c->q_user); 2059 if (sameaddr(b, c)) 2060 return b; 2061 else 2062 return c; 2063 } 2064 } 2065 if (tTd(27, 10)) 2066 sm_dprintf("\n"); 2067 c = c->q_alias; 2068 } 2069 2070 if (tTd(27, 1)) 2071 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2072 2073 return NULL; 2074 } 2075