xref: /illumos-gate/usr/src/cmd/sendmail/util/smrsh.c (revision 955eb5e1)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.
37c478bd9Sstevel@tonic-gate  *	All rights reserved.
47c478bd9Sstevel@tonic-gate  * Copyright (c) 1993 Eric P. Allman.  All rights reserved.
57c478bd9Sstevel@tonic-gate  * Copyright (c) 1993
67c478bd9Sstevel@tonic-gate  *	The Regents of the University of California.  All rights reserved.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * By using this file, you agree to the terms and conditions set
97c478bd9Sstevel@tonic-gate  * forth in the LICENSE file which can be found at the top level of
107c478bd9Sstevel@tonic-gate  * the sendmail distribution.
117c478bd9Sstevel@tonic-gate  *
127c478bd9Sstevel@tonic-gate  */
137c478bd9Sstevel@tonic-gate 
147c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
157c478bd9Sstevel@tonic-gate 
167c478bd9Sstevel@tonic-gate #include <sm/gen.h>
177c478bd9Sstevel@tonic-gate 
187c478bd9Sstevel@tonic-gate SM_IDSTR(copyright,
197c478bd9Sstevel@tonic-gate "@(#) Copyright (c) 1998-2004 Sendmail, Inc. and its suppliers.\n\
207c478bd9Sstevel@tonic-gate 	All rights reserved.\n\
217c478bd9Sstevel@tonic-gate      Copyright (c) 1993 Eric P. Allman.  All rights reserved.\n\
227c478bd9Sstevel@tonic-gate      Copyright (c) 1993\n\
237c478bd9Sstevel@tonic-gate 	The Regents of the University of California.  All rights reserved.\n")
247c478bd9Sstevel@tonic-gate 
257c478bd9Sstevel@tonic-gate SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.65 2004/08/06 18:54:22 ca Exp $")
267c478bd9Sstevel@tonic-gate 
277c478bd9Sstevel@tonic-gate /*
287c478bd9Sstevel@tonic-gate **  SMRSH -- sendmail restricted shell
297c478bd9Sstevel@tonic-gate **
307c478bd9Sstevel@tonic-gate **	This is a patch to get around the prog mailer bugs in most
317c478bd9Sstevel@tonic-gate **	versions of sendmail.
327c478bd9Sstevel@tonic-gate **
337c478bd9Sstevel@tonic-gate **	Use this in place of /bin/sh in the "prog" mailer definition
347c478bd9Sstevel@tonic-gate **	in your sendmail.cf file.  You then create CMDDIR (owned by
357c478bd9Sstevel@tonic-gate **	root, mode 755) and put links to any programs you want
367c478bd9Sstevel@tonic-gate **	available to prog mailers in that directory.  This should
377c478bd9Sstevel@tonic-gate **	include things like "vacation" and "procmail", but not "sed"
387c478bd9Sstevel@tonic-gate **	or "sh".
397c478bd9Sstevel@tonic-gate **
407c478bd9Sstevel@tonic-gate **	Leading pathnames are stripped from program names so that
417c478bd9Sstevel@tonic-gate **	existing .forward files that reference things like
427c478bd9Sstevel@tonic-gate **	"/usr/bin/vacation" will continue to work.
437c478bd9Sstevel@tonic-gate **
**	The following characters are completely illegal:
**		<  >  ^  &  `  (  ) \n \r
**	The following characters are sometimes illegal:
**		|  &
**	This is more restrictive than strictly necessary.
**	The list that is actually enforced is the SPECIALS macro below,
**	which also contains $ and ;.  A single | or & is rejected, while
**	the doubled forms || and && are accepted as command separators;
**	; is accepted only when built with ALLOWSEMI.
497c478bd9Sstevel@tonic-gate **
507c478bd9Sstevel@tonic-gate **	To use this, add FEATURE(`smrsh') to your .mc file.
517c478bd9Sstevel@tonic-gate **
527c478bd9Sstevel@tonic-gate **	This can be used on any version of sendmail.
537c478bd9Sstevel@tonic-gate **
547c478bd9Sstevel@tonic-gate **	In loving memory of RTM.  11/02/93.
557c478bd9Sstevel@tonic-gate */
567c478bd9Sstevel@tonic-gate 
577c478bd9Sstevel@tonic-gate #include <unistd.h>
587c478bd9Sstevel@tonic-gate #include <sm/io.h>
597c478bd9Sstevel@tonic-gate #include <sm/limits.h>
607c478bd9Sstevel@tonic-gate #include <sm/string.h>
617c478bd9Sstevel@tonic-gate #include <sys/file.h>
627c478bd9Sstevel@tonic-gate #include <sys/types.h>
637c478bd9Sstevel@tonic-gate #include <sys/stat.h>
647c478bd9Sstevel@tonic-gate #include <string.h>
657c478bd9Sstevel@tonic-gate #include <ctype.h>
667c478bd9Sstevel@tonic-gate #include <errno.h>
677c478bd9Sstevel@tonic-gate #ifdef EX_OK
687c478bd9Sstevel@tonic-gate # undef EX_OK
697c478bd9Sstevel@tonic-gate #endif /* EX_OK */
707c478bd9Sstevel@tonic-gate #include <sysexits.h>
717c478bd9Sstevel@tonic-gate #include <syslog.h>
727c478bd9Sstevel@tonic-gate #include <stdlib.h>
737c478bd9Sstevel@tonic-gate 
747c478bd9Sstevel@tonic-gate #include <sm/conf.h>
757c478bd9Sstevel@tonic-gate #include <sm/errstring.h>
767c478bd9Sstevel@tonic-gate 
/*
**  Directory in which all commands must reside.  The file header asks
**  for it to be owned by root with mode 755; the checks in main() are
**  only meaningful if unprivileged users cannot change its contents.
**  CMDDIR or SMRSH_CMDDIR may be predefined at build time.
*/
#if !defined(CMDDIR)
# if defined(SMRSH_CMDDIR)
#  define CMDDIR	SMRSH_CMDDIR
# else /* defined(SMRSH_CMDDIR) */
#  define CMDDIR	"/usr/adm/sm.bin"
# endif /* defined(SMRSH_CMDDIR) */
#endif /* !defined(CMDDIR) */

/*
**  Characters disallowed in the shell "-c" argument.  main() also
**  rejects the same characters with the 0200 bit set.
*/
#define SPECIALS	"<|>^();&`$\r\n"

/*
**  Default search path.  It becomes the only variable in the
**  environment handed to /bin/sh.  PATH or SMRSH_PATH may be
**  predefined at build time.
*/
#if !defined(PATH)
# if defined(SMRSH_PATH)
#  define PATH		SMRSH_PATH
# else /* defined(SMRSH_PATH) */
#  define PATH		"/bin:/usr/bin:/usr/ucb"
# endif /* defined(SMRSH_PATH) */
#endif /* !defined(PATH) */
977c478bd9Sstevel@tonic-gate 
/* rewritten command line that is finally passed to /bin/sh -c */
char newcmdbuf[1000];

/* program name and the original "-c" argument, kept for diagnostics */
char *prg;
char *par;

static void	addcmd __P((char *, bool, size_t));
1027c478bd9Sstevel@tonic-gate 
/*
**  ADDCMD -- append a string to newcmdbuf, refusing to overflow it
**
**    Parameters:
**	s -- string to append; NULL or "" is ignored
**	cmd -- true if s is a command name, in which case CMDDIR and
**		a "/" are appended first
**	len -- number of bytes of s to append (callers may pass less
**		than strlen(s) to copy only a prefix)
**
**    Side Effects:
**	extends newcmdbuf, or reports "command too long" and exits
**	with EX_UNAVAILABLE when the result would not fit.
**
*/

static void
addcmd(s, cmd, len)
	char *s;
	bool cmd;
	size_t len;
{
	size_t room;
	size_t need;

	/* nothing to append */
	if (s == NULL || *s == '\0')
		return;

	/* bytes still unused in newcmdbuf, including the one for '\0' */
	room = sizeof newcmdbuf - strlen(newcmdbuf);

	/* len bytes of s plus '\0', plus CMDDIR and "/" for a command */
	need = len + 1;
	if (cmd)
		need += strlen(CMDDIR) + 1;

	if (room <= need)
	{
		(void)sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				    "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	if (cmd)
		(void) sm_strlcat2(newcmdbuf, CMDDIR, "/", sizeof newcmdbuf);

	/* strncat copies at most len bytes of s and then terminates */
	(void) strncat(newcmdbuf, s, len);
}
1407c478bd9Sstevel@tonic-gate 
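/*
**  MAIN -- validate a "-c command" string and hand it to /bin/sh
**
**	Every command name in argv[2] has its leading path stripped
**	and must name an executable regular file in CMDDIR; the
**	builtins exec, exit and echo are passed through.  The text
**	after a command name is copied unchanged unless it contains a
**	character from SPECIALS (with or without the 0200 bit).  Of
**	those only "&&", "||" and, when built with ALLOWSEMI, ";" are
**	accepted, and each of them starts a new command name that is
**	checked the same way.
**
**    Parameters:
**	argc -- must be 3
**	argv -- argv[1] must be "-c", argv[2] is the command line
**
**    Returns:
**	does not return on success: the process becomes /bin/sh with
**	an environment that holds only PATH.  Otherwise exits with
**	EX_USAGE, EX_UNAVAILABLE or EX_OSFILE.
**
**    Side Effects:
**	temporarily writes '\0' into argv[2] while parsing;
**	logs rejected commands through syslog unless DEBUG is defined.
*/

int
main(argc, argv)
	int argc;
	char **argv;
{
	register char *p;
	register char *q;
	register char *r;
	register char *cmd;
	int isexec;
	int save_errno;
	char *newenv[2];
	char pathbuf[1000];
	char specialbuf[32];
	struct stat st;

#ifndef DEBUG
# ifndef LOG_MAIL
	openlog("smrsh", 0);
# else /* ! LOG_MAIL */
	openlog("smrsh", LOG_ODELAY|LOG_CONS, LOG_MAIL);
# endif /* ! LOG_MAIL */
#endif /* ! DEBUG */

	/* the inherited environment is dropped; only PATH is passed on */
	(void) sm_strlcpyn(pathbuf, sizeof pathbuf, 2, "PATH=", PATH);
	newenv[0] = pathbuf;
	newenv[1] = NULL;

	/*
	**  Do basic argv usage checking
	*/

	/*
	**  A caller may pass an empty argument vector, in which case
	**  argv[0] is NULL.  prg is printed with %s in every diagnostic
	**  below, so fall back to a fixed name.
	*/

	prg = (argc > 0 && argv[0] != NULL) ? argv[0] : "smrsh";

	if (argc != 3 || strcmp(argv[1], "-c") != 0)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	par = argv[2];

	/*
	**  Disallow special shell syntax.  This is overly restrictive,
	**  but it should shut down all attacks.
	**  Be sure to include 8-bit versions, since many shells strip
	**  the address to 7 bits before checking.
	*/

	/* specialbuf holds SPECIALS twice: high bit set, then plain */
	if (strlen(SPECIALS) * 2 >= sizeof specialbuf)
	{
#ifndef DEBUG
		syslog(LOG_ERR, "too many specials: %.40s", SPECIALS);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	(void) sm_strlcpy(specialbuf, SPECIALS, sizeof specialbuf);
	for (p = specialbuf; *p != '\0'; p++)
		*p |= '\200';
	(void) sm_strlcat(specialbuf, SPECIALS, sizeof specialbuf);

	/*
	**  Do a quick sanity check on command line length.
	**  addcmd() checks again on every append.
	*/

	if (strlen(par) > (sizeof newcmdbuf - sizeof CMDDIR - 2))
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: command too long: %s\n", prg, par);
#ifndef DEBUG
		syslog(LOG_WARNING, "command too long: %.40s", par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}

	q = par;
	newcmdbuf[0] = '\0';
	isexec = false;

	/* one iteration per command name; q points at its start */
	while (*q != '\0')
	{
		/*
		**  Strip off a leading pathname on the command name.  For
		**  example, change /usr/ucb/vacation to vacation.
		*/

		/* strip leading spaces */
		while (*q != '\0' && isascii(*q) && isspace(*q))
			q++;
		if (*q == '\0')
		{
			/* "exec" must be followed by a command name */
			if (isexec)
			{
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: missing command to exec\n",
						     prg);
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: missing command to exec", (int) getuid());
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			break;
		}

		/* find the end of the command name */
		p = strpbrk(q, " \t");
		if (p == NULL)
			cmd = &q[strlen(q)];
		else
		{
			/* terminate the name in place; restored to ' ' later */
			*p = '\0';
			cmd = p;
		}
		/* search backwards for last / (allow for 0200 bit) */
		while (cmd > q)
		{
			if ((*--cmd & 0177) == '/')
			{
				cmd++;
				break;
			}
		}
		/* cmd now points at final component of path name */

		/* allow a few shell builtins */
		if (strcmp(q, "exec") == 0 && p != NULL)
		{
			addcmd("exec ", false, strlen("exec "));

			/* test _next_ arg */
			q = ++p;
			isexec = true;
			continue;
		}
		else if (strcmp(q, "exit") == 0 || strcmp(q, "echo") == 0)
		{
			addcmd(cmd, false, strlen(cmd));

			/* test following chars */
		}
		else
		{
			char cmdbuf[MAXPATHLEN];

			/*
			**  Check to see if the command name is legal.
			**  Only the final path component is used, so the
			**  lookup always happens directly inside CMDDIR.
			*/

			if (sm_strlcpyn(cmdbuf, sizeof cmdbuf, 3, CMDDIR,
					"/", cmd) >= sizeof cmdbuf)
			{
				/* too long */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (filename too long)\n",
						      prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (filename too long)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

#ifdef DEBUG
			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
					     "Trying %s\n", cmdbuf);
#endif /* DEBUG */
			if (stat(cmdbuf, &st) < 0)
			{
				/* can't stat it */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (stat failed)\n",
						      prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (stat failed)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  stat() follows symbolic links, so st describes
			**  the link target.
			**  NOTE(review): the S_ISLNK test therefore looks
			**  unreachable here -- confirm before relying on it.
			*/

			if (!S_ISREG(st.st_mode)
#ifdef S_ISLNK
			    && !S_ISLNK(st.st_mode)
#endif /* S_ISLNK */
			   )
			{
				/* neither a regular file nor a link */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs (not a file)\n",
						      prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\" (not a file)",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}
			if (access(cmdbuf, X_OK) < 0)
			{
				/* oops....  crack attack possibility */
				(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
						     "%s: \"%s\" not available for sendmail programs\n",
						      prg, cmd);
				if (p != NULL)
					*p = ' ';
#ifndef DEBUG
				syslog(LOG_CRIT, "uid %d: attempt to use \"%s\"",
				       (int) getuid(), cmd);
#endif /* ! DEBUG */
				exit(EX_UNAVAILABLE);
			}

			/*
			**  Create the actual shell input.
			**
			**  The checks above and the later lookup by
			**  /bin/sh are separate resolutions of the same
			**  path, so they hold only while CMDDIR cannot be
			**  modified by unprivileged users (see the file
			**  header: owned by root, mode 755).
			*/

			addcmd(cmd, true, strlen(cmd));
		}
		isexec = false;

		/* undo the in-place termination of the command name */
		if (p != NULL)
			*p = ' ';
		else
			break;

		/* copy the arguments up to the first special character */
		r = strpbrk(p, specialbuf);
		if (r == NULL)
		{
			addcmd(p, false, strlen(p));
			break;
		}
#if ALLOWSEMI
		if (*r == ';')
		{
			addcmd(p, false,  r - p + 1);
			q = r + 1;
			continue;
		}
#endif /* ALLOWSEMI */
		/* "&&" and "||" start a new command that is checked again */
		if ((*r == '&' && *(r + 1) == '&') ||
		    (*r == '|' && *(r + 1) == '|'))
		{
			addcmd(p, false,  r - p + 2);
			q = r + 2;
			continue;
		}

		/*
		**  NOTE(review): par is logged in full here, while other
		**  messages truncate it with %.40s, and it may contain
		**  \r or \n.  Whether those are escaped depends on the
		**  syslog implementation -- confirm for the target system.
		*/

		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: cannot use %c in command\n", prg, *r);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: attempt to use %c in command: %s",
		       (int) getuid(), *r, par);
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	if (isexec)
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "%s: missing command to exec\n", prg);
#ifndef DEBUG
		syslog(LOG_CRIT, "uid %d: missing command to exec",
		       (int) getuid());
#endif /* ! DEBUG */
		exit(EX_UNAVAILABLE);
	}
	/* make sure we created something */
	if (newcmdbuf[0] == '\0')
	{
		(void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
				     "Usage: %s -c command\n", prg);
#ifndef DEBUG
		syslog(LOG_ERR, "usage");
#endif /* ! DEBUG */
		exit(EX_USAGE);
	}

	/*
	**  Now invoke the shell
	*/

#ifdef DEBUG
	(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT, "%s\n", newcmdbuf);
#endif /* DEBUG */
	(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf,
		      (char *)NULL, newenv);

	/* execle() only returns on failure; keep errno for sm_perror() */
	save_errno = errno;
#ifndef DEBUG
	syslog(LOG_CRIT, "Cannot exec /bin/sh: %s", sm_errstring(errno));
#endif /* ! DEBUG */
	errno = save_errno;
	sm_perror("/bin/sh");
	exit(EX_OSFILE);
	/* NOTREACHED */
	return EX_OSFILE;
}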