/*	$OpenBSD: mail.local.c,v 1.43 2024/05/09 08:35:03 florian Exp $	*/

/*-
 * Copyright (c) 1996-1998 Theo de Raadt <deraadt@theos.com>
 * Copyright (c) 1996-1998 David Mazieres <dm@lcs.mit.edu>
 * Copyright (c) 1990 The Regents of the University of California.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <sysexits.h>
#include <syslog.h>
#include <fcntl.h>
#include <netdb.h>
#include <pwd.h>
#include <time.h>
#include <unistd.h>
#include <limits.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include "pathnames.h"
#include "mail.local.h"

int
main(int argc, char *argv[])
{
	struct passwd *pw;
	int ch, fd, eval, lockfile=1;
	uid_t uid;
	char *from;

	openlog("mail.local", LOG_PERROR, LOG_MAIL);

	from = NULL;
	while ((ch = getopt(argc, argv, "lLdf:r:")) != -1)
		switch (ch) {
		case 'd':		/* backward compatible */
			break;
		case 'f':
		case 'r':		/* backward compatible */
			if (from)
				merr(EX_USAGE, "multiple -f options");
			from = optarg;
			break;
		case 'l':
			lockfile=1;
			break;
		case 'L':
			lockfile=0;
			break;
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	if (!*argv)
		usage();

	/*
	 * If from not specified, use the name from getlogin() if the
	 * uid matches, otherwise, use the name from the password file
	 * corresponding to the uid.
	 */
	uid = getuid();
	if (!from && (!(from = getlogin()) ||
	    !(pw = getpwnam(from)) || pw->pw_uid != uid))
		from = (pw = getpwuid(uid)) ? pw->pw_name : "???";

	fd = storemail(from);
	for (eval = 0; *argv; ++argv) {
		if ((ch = deliver(fd, *argv, lockfile)) != 0)
			eval = ch;
	}
	exit(eval);
}

int
storemail(char *from)
{
	FILE *fp = NULL;
	time_t tval;
	int fd, eline = 1;
	char *tbuf, *line = NULL, *cnow;
	size_t linesize = 0;
	ssize_t linelen;

	if ((tbuf = strdup(_PATH_LOCTMP)) == NULL)
		merr(EX_OSERR, "unable to allocate memory");
	if ((fd = mkstemp(tbuf)) == -1 || !(fp = fdopen(fd, "w+")))
		merr(EX_OSERR, "unable to open temporary file");
	(void)unlink(tbuf);
	free(tbuf);

	(void)time(&tval);
	cnow = ctime(&tval);
	(void)fprintf(fp, "From %s %s", from, cnow ? cnow : "?\n");

	while ((linelen = getline(&line, &linesize, stdin)) != -1) {
		if (line[linelen - 1] == '\n')
			line[linelen - 1] = '\0';
		if (line[0] == '\0')
			eline = 1;
		else {
			if (eline && !strncmp(line, "From ", 5))
				(void)putc('>', fp);
			eline = 0;
		}
		(void)fprintf(fp, "%s\n", line);
		if (ferror(fp))
			break;
	}
	free(line);

	/* Output a newline; note, empty messages are allowed. */
	(void)putc('\n', fp);
	(void)fflush(fp);
	if (ferror(fp))
		merr(EX_OSERR, "temporary file write error");
	return(fd);
}

int
deliver(int fd, char *name, int lockfile)
{
	struct stat sb, fsb;
	struct passwd *pw;
	int mbfd=-1, lfd=-1, rval=EX_OSERR;
	char biffmsg[100], buf[8*1024], path[PATH_MAX];
	off_t curoff;
	size_t off;
	ssize_t nr, nw;

	/*
	 * Disallow delivery to unknown names -- special mailboxes can be
	 * handled in the sendmail aliases file.
	 */
	if (!(pw = getpwnam(name))) {
		mwarn("unknown name: %s", name);
		return(EX_NOUSER);
	}

	(void)snprintf(path, sizeof path, "%s/%s", _PATH_MAILDIR, name);

	if (lockfile) {
		lfd = lockspool(name, pw);
		if (lfd == -1)
			return(EX_OSERR);
	}

	/* after this point, always exit via bad to remove lockfile */
retry:
	if (lstat(path, &sb)) {
		if (errno != ENOENT) {
			mwarn("%s: %s", path, strerror(errno));
			goto bad;
		}
		if ((mbfd = open(path, O_APPEND|O_CREAT|O_EXCL|O_WRONLY|O_EXLOCK,
		    S_IRUSR|S_IWUSR)) == -1) {
			if (errno == EEXIST) {
				/* file appeared since lstat */
				goto retry;
			} else {
				mwarn("%s: %s", path, strerror(errno));
				rval = EX_CANTCREAT;
				goto bad;
			}
		}
		/*
		 * Set the owner and group.  Historically, binmail repeated
		 * this at each mail delivery.  We no longer do this, assuming
		 * that if the ownership or permissions were changed there
		 * was a reason for doing so.
		 */
		if (fchown(mbfd, pw->pw_uid, pw->pw_gid) == -1) {
			mwarn("chown %u:%u: %s", pw->pw_uid, pw->pw_gid, name);
			goto bad;
		}
	} else {
		if (sb.st_nlink != 1 || !S_ISREG(sb.st_mode)) {
			mwarn("%s: linked or special file", path);
			goto bad;
		}
		if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK,
		    S_IRUSR|S_IWUSR)) == -1) {
			mwarn("%s: %s", path, strerror(errno));
			goto bad;
		}
		if (fstat(mbfd, &fsb) == -1) {
			/* relating error to path may be bad style */
			mwarn("%s: %s", path, strerror(errno));
			goto bad;
		}
		if (sb.st_dev != fsb.st_dev || sb.st_ino != fsb.st_ino) {
			mwarn("%s: changed after open", path);
			goto bad;
		}
		/* paranoia? */
		if (fsb.st_nlink != 1 || !S_ISREG(fsb.st_mode)) {
			mwarn("%s: linked or special file", path);
			rval = EX_CANTCREAT;
			goto bad;
		}
	}

	curoff = lseek(mbfd, 0, SEEK_END);
	(void)snprintf(biffmsg, sizeof biffmsg, "%s@%lld\n", name,
	    (long long)curoff);
	if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
		mwarn("temporary file: %s", strerror(errno));
		goto bad;
	}

	while ((nr = read(fd, buf, sizeof(buf))) > 0)
		for (off = 0; off < nr;  off += nw)
			if ((nw = write(mbfd, buf + off, nr - off)) == -1) {
				mwarn("%s: %s", path, strerror(errno));
				(void)ftruncate(mbfd, curoff);
				goto bad;
			}

	if (nr == 0) {
		rval = 0;
	} else {
		(void)ftruncate(mbfd, curoff);
		mwarn("temporary file: %s", strerror(errno));
	}

bad:
	if (lfd != -1)
		unlockspool();

	if (mbfd != -1) {
		(void)fsync(mbfd);		/* Don't wait for update. */
		(void)close(mbfd);		/* Implicit unlock. */
	}

	if (!rval)
		notifybiff(biffmsg);
	return(rval);
}

void
notifybiff(char *msg)
{
	static struct addrinfo *res0;
	struct addrinfo hints, *res;
	static int f = -1;
	size_t len;
	int error;

	if (res0 == NULL) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = PF_UNSPEC;
		hints.ai_socktype = SOCK_DGRAM;

		error = getaddrinfo("localhost", "biff", &hints, &res0);
		if (error) {
			/* Be silent if biff service not available. */
			if (error != EAI_SERVICE) {
				mwarn("localhost: %s", gai_strerror(error));
			}
			return;
		}
	}

	if (f == -1) {
		for (res = res0; res != NULL; res = res->ai_next) {
			f = socket(res->ai_family, res->ai_socktype,
			    res->ai_protocol);
			if (f != -1)
				break;
		}
	}
	if (f == -1) {
		mwarn("socket: %s", strerror(errno));
		return;
	}

	len = strlen(msg) + 1;	/* XXX */
	if (sendto(f, msg, len, 0, res->ai_addr, res->ai_addrlen) != len)
		mwarn("sendto biff: %s", strerror(errno));
}

static int lockfd = -1;
static pid_t lockpid = -1;

int
lockspool(const char *name, struct passwd *pw)
{
	int pfd[2];
	char ch;

	if (geteuid() == 0)
		return getlock(name, pw);

	/* If not privileged, open pipe to lockspool(1) instead */
	if (pipe2(pfd, O_CLOEXEC) == -1) {
		merr(EX_OSERR, "pipe: %s", strerror(errno));
		return -1;
	}

	signal(SIGPIPE, SIG_IGN);
	switch ((lockpid = fork())) {
	case -1:
		merr(EX_OSERR, "fork: %s", strerror(errno));
		return -1;
	case 0:
		/* child */
		close(pfd[0]);
		dup2(pfd[1], STDOUT_FILENO);
		execl(_PATH_LOCKSPOOL, "lockspool", (char *)NULL);
		merr(EX_OSERR, "execl: lockspool: %s", strerror(errno));
		/* NOTREACHED */
		break;
	default:
		/* parent */
		close(pfd[1]);
		lockfd = pfd[0];
		break;
	}

	if (read(lockfd, &ch, 1) != 1 || ch != '1') {
		unlockspool();
		merr(EX_OSERR, "lockspool: unable to get lock");
	}

	return lockfd;
}

void
unlockspool(void)
{
	if (lockpid != -1) {
		waitpid(lockpid, NULL, 0);
		lockpid = -1;
	} else {
		rellock();
	}
	close(lockfd);
	lockfd = -1;
}

void
usage(void)
{
	merr(EX_USAGE, "usage: mail.local [-Ll] [-f from] user ...");
}