17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.
37c478bd9Sstevel@tonic-gate * All rights reserved.
47c478bd9Sstevel@tonic-gate * Copyright (c) 1993 Eric P. Allman. All rights reserved.
57c478bd9Sstevel@tonic-gate * Copyright (c) 1993
67c478bd9Sstevel@tonic-gate * The Regents of the University of California. All rights reserved.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * By using this file, you agree to the terms and conditions set
97c478bd9Sstevel@tonic-gate * forth in the LICENSE file which can be found at the top level of
107c478bd9Sstevel@tonic-gate * the sendmail distribution.
117c478bd9Sstevel@tonic-gate *
127c478bd9Sstevel@tonic-gate */
137c478bd9Sstevel@tonic-gate
147c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
157c478bd9Sstevel@tonic-gate
167c478bd9Sstevel@tonic-gate #include <sm/gen.h>
177c478bd9Sstevel@tonic-gate
187c478bd9Sstevel@tonic-gate SM_IDSTR(copyright,
197c478bd9Sstevel@tonic-gate "@(#) Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.\n\
207c478bd9Sstevel@tonic-gate All rights reserved.\n\
217c478bd9Sstevel@tonic-gate Copyright (c) 1993 Eric P. Allman. All rights reserved.\n\
227c478bd9Sstevel@tonic-gate Copyright (c) 1993\n\
237c478bd9Sstevel@tonic-gate The Regents of the University of California. All rights reserved.\n")
247c478bd9Sstevel@tonic-gate
257c478bd9Sstevel@tonic-gate SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 2004/08/06 18:54:22 ca Exp $")
267c478bd9Sstevel@tonic-gate
/*
**  SMRSH -- sendmail restricted shell
**
**	This is a patch to get around the prog mailer bugs in most
**	versions of sendmail.
**
**	Use this in place of /bin/sh in the "prog" mailer definition
**	in your sendmail.cf file.  You then create CMDDIR (owned by
**	root, mode 755) and put links to any programs you want
**	available to prog mailers in that directory.  This should
**	include things like "vacation" and "procmail", but not "sed"
**	or "sh".
**
**	Leading pathnames are stripped from program names so that
**	existing .forward files that reference things like
**	"/usr/bin/vacation" will continue to work.
**
**	The following characters are completely illegal:
**		<  >  ^  &  `  (  )  \n  \r
**	The following characters are sometimes illegal:
**		|  &
**	This is more restrictive than strictly necessary.
**	(The set actually enforced is the SPECIALS macro below, which
**	also contains ';' and '$'; of these only "&&" and "||" -- and
**	';' when built with ALLOWSEMI -- are accepted, as command
**	separators.)
**
**	To use this, add FEATURE(`smrsh') to your .mc file.
**
**	This can be used on any version of sendmail.
**
**	In loving memory of RTM.  11/02/93.
*/
567c478bd9Sstevel@tonic-gate
577c478bd9Sstevel@tonic-gate #include <unistd.h>
587c478bd9Sstevel@tonic-gate #include <sm/io.h>
597c478bd9Sstevel@tonic-gate #include <sm/limits.h>
607c478bd9Sstevel@tonic-gate #include <sm/string.h>
617c478bd9Sstevel@tonic-gate #include <sys/file.h>
627c478bd9Sstevel@tonic-gate #include <sys/types.h>
637c478bd9Sstevel@tonic-gate #include <sys/stat.h>
647c478bd9Sstevel@tonic-gate #include <string.h>
657c478bd9Sstevel@tonic-gate #include <ctype.h>
667c478bd9Sstevel@tonic-gate #include <errno.h>
677c478bd9Sstevel@tonic-gate #ifdef EX_OK
687c478bd9Sstevel@tonic-gate # undef EX_OK
697c478bd9Sstevel@tonic-gate #endif /* EX_OK */
707c478bd9Sstevel@tonic-gate #include <sysexits.h>
717c478bd9Sstevel@tonic-gate #include <syslog.h>
727c478bd9Sstevel@tonic-gate #include <stdlib.h>
737c478bd9Sstevel@tonic-gate
747c478bd9Sstevel@tonic-gate #include <sm/conf.h>
757c478bd9Sstevel@tonic-gate #include <sm/errstring.h>
767c478bd9Sstevel@tonic-gate
/*
**  Directory in which all commands must reside.  main() builds
**  CMDDIR "/" <name> for every command that is not one of its
**  recognized builtins and refuses to continue unless stat() and
**  access() succeed on that path, so the contents of this directory
**  are the allow-list.  The file header asks for it to be owned by
**  root, mode 755.  Define CMDDIR or SMRSH_CMDDIR at build time to
**  override the default.
*/
#ifndef CMDDIR
# ifdef SMRSH_CMDDIR
#  define CMDDIR	SMRSH_CMDDIR
# else /* SMRSH_CMDDIR */
#  define CMDDIR	"/usr/adm/sm.bin"
# endif /* SMRSH_CMDDIR */
#endif /* ! CMDDIR */

/*
**  Characters disallowed in the shell "-c" argument.  main() scans
**  the text that follows each command name for these characters and
**  for the same characters with the 0200 bit set.  The only
**  exceptions it makes are "&&" and "||" (and ';' when built with
**  ALLOWSEMI); after one of those the next word is validated as a
**  command again.  main() exits if twice the length of this string
**  does not fit in its specialbuf.
*/
#define SPECIALS	"<|>^();&`$\r\n"

/*
**  Default search path.  main() puts "PATH=" PATH into the
**  environment it hands to /bin/sh, and that is the only variable
**  in that environment.  Define PATH or SMRSH_PATH at build time to
**  override the default.
*/
#ifndef PATH
# ifdef SMRSH_PATH
#  define PATH		SMRSH_PATH
# else /* SMRSH_PATH */
#  define PATH		"/bin:/usr/bin:/usr/ucb"
# endif /* SMRSH_PATH */
#endif /* ! PATH */
977c478bd9Sstevel@tonic-gate
/* vetted command line that main() passes to /bin/sh -c; appended to by addcmd() */
char newcmdbuf[1000];

/* prg: argv[0], used as the prefix of diagnostics; par: argv[2], the command line being checked */
char *prg, *par;

static void addcmd __P((char *, bool, size_t));
1027c478bd9Sstevel@tonic-gate
/*
**  ADDCMD -- append a string to newcmdbuf, refusing to overflow it
**
**	Parameters:
**		s -- string to append; NULL or an empty string is a no-op
**		cmd -- true if s is a command name, in which case
**			CMDDIR and "/" are appended before it
**		len -- maximum number of bytes of s to append
**
**	Returns:
**		none.
**
**	Side Effects:
**		Extends newcmdbuf.  If the addition might not fit, reports
**		"command too long" on smioerr (and through syslog unless
**		DEBUG is defined) and exits with EX_UNAVAILABLE.
*/

static void
addcmd(s, cmd, len)
	char *s;
	bool cmd;
	size_t len;
{
	size_t avail;
	size_t needed;

	if (s == NULL || *s == '\0')
		return;

	/* room left in newcmdbuf, counted from its current terminator */
	avail = sizeof newcmdbuf - strlen(newcmdbuf);

	/* bytes of s, the trailing '\0', and CMDDIR plus "/" if asked for */
	needed = len + 1;
	if (cmd)
		needed += strlen(CMDDIR) + 1;

	/* "<=" also rejects an exact fit, so one byte always stays spare */
	if (avail <= needed)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	if (cmd)
		(void) sm_strlcat2(newcmdbuf, CMDDIR, "/", sizeof newcmdbuf);

	/* strncat() copies at most len bytes of s and then terminates */
	(void) strncat(newcmdbuf, s, len);
}
1407c478bd9Sstevel@tonic-gate
/*
**  MAIN -- vet a "-c command" string and hand the result to /bin/sh
**
**	Parameters:
**		argc -- must be 3
**		argv -- argv[1] must be "-c"; argv[2] is the command line
**			to check (it is modified in place while parsing)
**
**	Returns:
**		Does not return normally: either /bin/sh replaces this
**		process, or the program exits with EX_USAGE,
**		EX_UNAVAILABLE or EX_OSFILE.
**
**	Side Effects:
**		Sets prg and par, fills newcmdbuf through addcmd(), and
**		writes diagnostics to smioerr and (unless DEBUG is
**		defined) to syslog.
*/

int
main(argc, argv)
	int argc;
	char **argv;
{
	register char *p;	/* delimiter after the current command name, or NULL */
	register char *q;	/* start of the word being examined */
	register char *r;	/* first SPECIALS character found after the name */
	register char *cmd;	/* final path component of the command name */
	int isexec;		/* previous word was "exec"; a command must follow */
	int save_errno;
	char *newenv[2];
	char pathbuf[1000];
	char specialbuf[32];
	struct stat st;

#ifndef DEBUG
# ifndef LOG_MAIL
	openlog("smrsh", 0);
# else /* ! LOG_MAIL */
	openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL);
# endif /* ! LOG_MAIL */
#endif /* ! DEBUG */

	/*
	**  Build the environment for the shell: it holds PATH and
	**  nothing else, so none of the caller's environment variables
	**  are passed on (newenv is what execle() receives below).
	*/

	(void) sm_strlcpyn(pathbuf, sizeof pathbuf, 2, "PATH=", PATH);
	newenv[0] = pathbuf;
	newenv[1] = NULL;

	/*
	**  Do basic argv usage checking
	*/

	prg = argv[0];

	/* exactly "<prg> -c <command>" is accepted, nothing else */
	if (argc != 3 || strcmp(argv[1], "-c") != 0)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	par = argv[2];

	/*
	**  Disallow special shell syntax.  This is overly restrictive,
	**  but it should shut down all attacks.
	**  Be sure to include 8-bit versions, since many shells strip
	**  the address to 7 bits before checking.
	*/

	/* specialbuf must hold SPECIALS twice (high-bit and plain) plus '\0' */
	if (strlen(SPECIALS) * 2 >= sizeof specialbuf)
	{
#ifndef DEBUG
		syslog(LOG_ERR, "too many specials: %.40s", SPECIALS);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* first copy gets the 0200 bit set on every byte, second copy is plain */
	(void) sm_strlcpy(specialbuf, SPECIALS, sizeof specialbuf);
	for (p = specialbuf; *p != '\0'; p++)
		*p |= '\200';
	(void) sm_strlcat(specialbuf, SPECIALS, sizeof specialbuf);

	/*
	**  Do a quick sanity check on command line length.
	**  (addcmd() repeats the bounds check on every append.)
	*/

	if (strlen(par) > (sizeof newcmdbuf - sizeof CMDDIR - 2))
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	q = par;
	newcmdbuf[0] = '\0';
	isexec = false;

	/*
	**  Each pass handles one word in command position: either the
	**  builtin "exec" (then the following word is checked next), or
	**  a command name together with its arguments up to the next
	**  accepted separator.
	*/

	while (*q != '\0')
	{
		/*
		**  Strip off a leading pathname on the command name.  For
		**  example, change /usr/ucb/vacation to vacation.
		*/

		/*
		**  strip leading spaces; the isascii() test comes first so
		**  isspace() is only called for 7-bit values
		*/
		while (*q != '\0' && isascii(*q) && isspace(*q))
			q++;
		if (*q == '\0')
		{
			/* "exec" with nothing after it is refused */
			if (isexec)
			{
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: missing command to exec\n",
						     prg);
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: missing command to exec", (int) getuid());
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			break;
		}

		/* find the end of the command name */
		p = strpbrk(q, " \t");
		if (p == NULL)
			cmd = &q[strlen(q)];
		else
		{
			/*
			**  Terminate the name in place so q can be used as a
			**  string.  The delimiter is written back as ' '
			**  further down, so a tab comes back as a space.
			*/
			*p = '\0';
			cmd = p;
		}
		/* search backwards for last / (allow for 0200 bit) */
		while (cmd > q)
		{
			if ((*--cmd & 0177) == '/')
			{
				cmd++;
				break;
			}
		}
		/* cmd now points at final component of path name */

		/* allow a few shell builtins */
		if (strcmp(q, "exec") == 0 && p != NULL)
		{
			addcmd("exec ", false, strlen("exec "));

			/*
			**  test _next_ arg
			**  NOTE(review): the '\0' written at the delimiter is
			**  not put back on this path, so par, as printed by
			**  later diagnostics, ends after "exec" -- confirm
			**  whether that truncation is intended.
			*/
			q = ++p;
			isexec = true;
			continue;
		}
		else if (strcmp(q, "exit") == 0 || strcmp(q, "echo") == 0)
		{
			/* exact match only; copied without the CMDDIR prefix */
			addcmd(cmd, false, strlen(cmd));

			/* test following chars */
		}
		else
		{
			char cmdbuf[MAXPATHLEN];

			/*
			**  Check to see if the command name is legal.
			**  Only the final path component is used, so
			**  whatever directory the caller named is ignored
			**  and the lookup happens under CMDDIR.
			*/

			if (sm_strlcpyn(cmdbuf, sizeof cmdbuf, 3, CMDDIR,
					"/", cmd) >= sizeof cmdbuf)
			{
				/* too long */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (filename too long)\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (filename too long)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

#ifdef DEBUG
			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
					     "Trying %s\n", cmdbuf);
#endif /* DEBUG */
			if (stat(cmdbuf, &st) < 0)
			{
				/* can't stat it */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (stat failed)\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (stat failed)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  NOTE(review): stat() follows symbolic links, so st
			**  describes the link target; the S_ISLNK() arm looks
			**  unreachable with stat() -- confirm.
			*/
			if (!S_ISREG(st.st_mode)
#ifdef S_ISLNK
			    && !S_ISLNK(st.st_mode)
#endif /* S_ISLNK */
			   )
			{
				/* exists, but is not a regular file */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (not a file)\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (not a file)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/* access() performs its check with the real uid/gid */
			if (access(cmdbuf, X_OK) < 0)
			{
				/* not executable for the caller: possible attack attempt */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs\n",
						     prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\"",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  Create the actual shell input: the command is
			**  emitted as CMDDIR "/" <final component>.
			*/

			addcmd(cmd, true, strlen(cmd));
		}
		isexec = false;

		/* put the delimiter back; no delimiter means no arguments */
		if (p != NULL)
			*p = ' ';
		else
			break;

		/*
		**  Scan the argument text for SPECIALS (plain or with the
		**  0200 bit).  The command name itself is not scanned
		**  here; it was constrained above by the exact builtin
		**  match or by the lookup under CMDDIR.
		*/
		r = strpbrk(p, specialbuf);
		if (r == NULL)
		{
			/* nothing special: the rest is arguments, copy and finish */
			addcmd(p, false, strlen(p));
			break;
		}
#if ALLOWSEMI
		if (*r == ';')
		{
			/* copy through the ';' and validate what follows as a command */
			addcmd(p, false, r - p + 1);
			q = r + 1;
			continue;
		}
#endif /* ALLOWSEMI */
		if ((*r == '&' && *(r + 1) == '&') ||
		    (*r == '|' && *(r + 1) == '|'))
		{
			/* copy through "&&" or "||" and validate what follows as a command */
			addcmd(p, false, r - p + 2);
			q = r + 2;
			continue;
		}

		/* any other special character is refused outright */
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: cannot use %c in command\n", prg, *r);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s",
		       (int) getuid(), *r, par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	/* the loop ended right after "exec": nothing to execute */
	if (isexec)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: missing command to exec\n", prg);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: missing command to exec",
		       (int) getuid());
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	/* make sure we created something */
	if (newcmdbuf[0] == '\0')
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	/*
	**  Now invoke the shell on the rebuilt command line, with the
	**  PATH-only environment prepared at the top.
	*/

#ifdef DEBUG
	(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT, "%s\n", newcmdbuf);
#endif /* DEBUG */
	(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf,
		      (char *)NULL, newenv);

	/* only reached if execle() failed; keep its errno across syslog() */
	save_errno = errno;
#ifndef DEBUG
	syslog(LOG_CRIT, "Cannot exec /bin/sh: %s", sm_errstring(errno));
#endif /* ! DEBUG */
	errno = save_errno;
	sm_perror("/bin/sh");
	exit(EX_OSFILE);
	/* NOTREACHED */
	return EX_OSFILE;
}