1/* 2 * Copyright (c) 1998-2003, 2006 Proofpoint, Inc. and its suppliers. 3 * All rights reserved. 4 * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. 5 * Copyright (c) 1988, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * By using this file, you agree to the terms and conditions set 9 * forth in the LICENSE file which can be found at the top level of 10 * the sendmail distribution. 11 * 12 */ 13 14#include <sendmail.h> 15 16SM_RCSID("@(#)$Id: recipient.c,v 8.351 2013-11-22 20:51:56 ca Exp $") 17 18static void includetimeout __P((int)); 19static ADDRESS *self_reference __P((ADDRESS *)); 20static int sortexpensive __P((ADDRESS *, ADDRESS *)); 21static int sortbysignature __P((ADDRESS *, ADDRESS *)); 22static int sorthost __P((ADDRESS *, ADDRESS *)); 23 24typedef int sortfn_t __P((ADDRESS *, ADDRESS *)); 25 26/* 27** SORTHOST -- strcmp()-like func for host portion of an ADDRESS 28** 29** Parameters: 30** xx -- first ADDRESS 31** yy -- second ADDRESS 32** 33** Returns: 34** <0 when xx->q_host is less than yy->q_host 35** >0 when xx->q_host is greater than yy->q_host 36** 0 when equal 37*/ 38 39static int 40sorthost(xx, yy) 41 register ADDRESS *xx; 42 register ADDRESS *yy; 43{ 44#if _FFR_HOST_SORT_REVERSE 45 /* XXX maybe compare hostnames from the end? */ 46 return sm_strrevcasecmp(xx->q_host, yy->q_host); 47#else 48 return sm_strcasecmp(xx->q_host, yy->q_host); 49#endif 50} 51 52/* 53** SORTEXPENSIVE -- strcmp()-like func for expensive mailers 54** 55** The mailer has been noted already as "expensive" for 'xx'. This 56** will give a result relative to 'yy'. Expensive mailers get rated 57** "greater than" non-expensive mailers because during the delivery phase 58** it will get queued -- no use it getting in the way of less expensive 59** recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are 60** expensive since an MX RR lookup happens when extracted from the queue 61** later. 62** 63** Parameters: 64** xx -- first ADDRESS 65** yy -- second ADDRESS 66** 67** Returns: 68** <0 when xx->q_host is less than yy->q_host and both are 69** expensive 70** >0 when xx->q_host is greater than yy->q_host, or when 71** 'yy' is non-expensive 72** 0 when equal (by expense and q_host) 73*/ 74 75static int 76sortexpensive(xx, yy) 77 ADDRESS *xx; 78 ADDRESS *yy; 79{ 80 if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags)) 81 return 1; /* xx should go later */ 82#if _FFR_HOST_SORT_REVERSE 83 /* XXX maybe compare hostnames from the end? */ 84 return sm_strrevcasecmp(xx->q_host, yy->q_host); 85#else 86 return sm_strcasecmp(xx->q_host, yy->q_host); 87#endif 88} 89 90/* 91** SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS 92** 93** Parameters: 94** xx -- first ADDRESS 95** yy -- second ADDRESS 96** 97** Returns: 98** 0 when the "signature"'s are same 99** <0 when xx->q_signature is less than yy->q_signature 100** >0 when xx->q_signature is greater than yy->q_signature 101** 102** Side Effect: 103** May set ADDRESS pointer for q_signature if not already set. 104*/ 105 106static int 107sortbysignature(xx, yy) 108 ADDRESS *xx; 109 ADDRESS *yy; 110{ 111 register int ret; 112 113 /* Let's avoid redoing the signature over and over again */ 114 if (xx->q_signature == NULL) 115 xx->q_signature = hostsignature(xx->q_mailer, xx->q_host, xx->q_flags & QSECURE); 116 if (yy->q_signature == NULL) 117 yy->q_signature = hostsignature(yy->q_mailer, yy->q_host, yy->q_flags & QSECURE); 118 ret = strcmp(xx->q_signature, yy->q_signature); 119 120 /* 121 ** If the two signatures are the same then we will return a sort 122 ** value based on 'q_user'. But note that we have reversed xx and yy 123 ** on purpose. This additional compare helps reduce the number of 124 ** sameaddr() calls and loops in recipient() for the case when 125 ** the rcpt list has been provided already in-order. 126 */ 127 128 if (ret == 0) 129 return strcmp(yy->q_user, xx->q_user); 130 else 131 return ret; 132} 133 134/* 135** SENDTOLIST -- Designate a send list. 136** 137** The parameter is a comma-separated list of people to send to. 138** This routine arranges to send to all of them. 139** 140** Parameters: 141** list -- the send list. 142** ctladdr -- the address template for the person to 143** send to -- effective uid/gid are important. 144** This is typically the alias that caused this 145** expansion. 146** sendq -- a pointer to the head of a queue to put 147** these people into. 148** aliaslevel -- the current alias nesting depth -- to 149** diagnose loops. 150** e -- the envelope in which to add these recipients. 151** 152** Returns: 153** The number of addresses actually on the list. 154*/ 155 156/* q_flags bits inherited from ctladdr */ 157#define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY) 158 159int 160sendtolist(list, ctladdr, sendq, aliaslevel, e) 161 char *list; 162 ADDRESS *ctladdr; 163 ADDRESS **sendq; 164 int aliaslevel; 165 register ENVELOPE *e; 166{ 167 register char *p; 168 register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */ 169 SM_NONVOLATILE char delimiter; /* the address delimiter */ 170 SM_NONVOLATILE int naddrs; 171 SM_NONVOLATILE int i; 172 char *endp; 173 char *oldto = e->e_to; 174 char *SM_NONVOLATILE bufp; 175 char buf[MAXNAME + 1]; 176 177 if (list == NULL) 178 { 179 syserr("sendtolist: null list"); 180 return 0; 181 } 182 183 if (tTd(25, 1)) 184 { 185 sm_dprintf("sendto: %s\n ctladdr=", list); 186 printaddr(sm_debug_file(), ctladdr, false); 187 } 188 189 /* heuristic to determine old versus new style addresses */ 190 if (ctladdr == NULL && 191 (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 192 strchr(list, '<') != NULL || strchr(list, '(') != NULL)) 193 e->e_flags &= ~EF_OLDSTYLE; 194 delimiter = ' '; 195 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL) 196 delimiter = ','; 197 198 al = NULL; 199 naddrs = 0; 200 201 /* make sure we have enough space to copy the string */ 202 i = strlen(list) + 1; 203 if (i <= sizeof(buf)) 204 { 205 bufp = buf; 206 i = sizeof(buf); 207 } 208 else 209 bufp = sm_malloc_x(i); 210 endp = bufp + i; 211 212 SM_TRY 213 { 214 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 215 216 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 217 for (p = bufp; *p != '\0'; ) 218 { 219 auto char *delimptr; 220 register ADDRESS *a; 221 222 SM_ASSERT(p < endp); 223 224 /* parse the address */ 225 while ((SM_ISSPACE(*p)) || *p == ',') 226 p++; 227 SM_ASSERT(p < endp); 228 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, 229 &delimptr, e, true); 230 p = delimptr; 231 SM_ASSERT(p < endp); 232 if (a == NULL) 233 continue; 234 a->q_next = al; 235 a->q_alias = ctladdr; 236 237 /* arrange to inherit attributes from parent */ 238 if (ctladdr != NULL) 239 { 240 ADDRESS *b; 241 242 /* self reference test */ 243 if (sameaddr(ctladdr, a)) 244 { 245 if (tTd(27, 5)) 246 { 247 sm_dprintf("sendtolist: QSELFREF "); 248 printaddr(sm_debug_file(), ctladdr, false); 249 } 250 ctladdr->q_flags |= QSELFREF; 251 } 252 253 /* check for address loops */ 254 b = self_reference(a); 255 if (b != NULL) 256 { 257 b->q_flags |= QSELFREF; 258 if (tTd(27, 5)) 259 { 260 sm_dprintf("sendtolist: QSELFREF "); 261 printaddr(sm_debug_file(), b, false); 262 } 263 if (a != b) 264 { 265 if (tTd(27, 5)) 266 { 267 sm_dprintf("sendtolist: QS_DONTSEND "); 268 printaddr(sm_debug_file(), a, false); 269 } 270 a->q_state = QS_DONTSEND; 271 b->q_flags |= a->q_flags & QNOTREMOTE; 272 continue; 273 } 274 } 275 276 /* full name */ 277 if (a->q_fullname == NULL) 278 a->q_fullname = ctladdr->q_fullname; 279 280 /* various flag bits */ 281 a->q_flags &= ~QINHERITEDBITS; 282 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS; 283 284 /* DSN recipient information */ 285 a->q_finalrcpt = ctladdr->q_finalrcpt; 286 a->q_orcpt = ctladdr->q_orcpt; 287 } 288 289 al = a; 290 } 291 292 /* arrange to send to everyone on the local send list */ 293 while (al != NULL) 294 { 295 register ADDRESS *a = al; 296 297 al = a->q_next; 298 a = recipient(a, sendq, aliaslevel, e); 299 naddrs++; 300 } 301 } 302 SM_FINALLY 303 { 304 e->e_to = oldto; 305 if (bufp != buf) 306 sm_free(bufp); 307 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 308 } 309 SM_END_TRY 310 return naddrs; 311} 312 313#if MILTER 314/* 315** REMOVEFROMLIST -- Remove addresses from a send list. 316** 317** The parameter is a comma-separated list of recipients to remove. 318** Note that it only deletes matching addresses. If those addresses 319** have been expanded already in the sendq, it won't mark the 320** expanded recipients as QS_REMOVED. 321** 322** Parameters: 323** list -- the list to remove. 324** sendq -- a pointer to the head of a queue to remove 325** these addresses from. 326** e -- the envelope in which to remove these recipients. 327** 328** Returns: 329** The number of addresses removed from the list. 330** 331*/ 332 333int 334removefromlist(list, sendq, e) 335 char *list; 336 ADDRESS **sendq; 337 ENVELOPE *e; 338{ 339 SM_NONVOLATILE char delimiter; /* the address delimiter */ 340 SM_NONVOLATILE int naddrs; 341 SM_NONVOLATILE int i; 342 char *p; 343 char *oldto = e->e_to; 344 char *SM_NONVOLATILE bufp; 345 char buf[MAXNAME + 1]; 346 347 if (list == NULL) 348 { 349 syserr("removefromlist: null list"); 350 return 0; 351 } 352 353 if (tTd(25, 1)) 354 sm_dprintf("removefromlist: %s\n", list); 355 356 /* heuristic to determine old versus new style addresses */ 357 if (strchr(list, ',') != NULL || strchr(list, ';') != NULL || 358 strchr(list, '<') != NULL || strchr(list, '(') != NULL) 359 e->e_flags &= ~EF_OLDSTYLE; 360 delimiter = ' '; 361 if (!bitset(EF_OLDSTYLE, e->e_flags)) 362 delimiter = ','; 363 364 naddrs = 0; 365 366 /* make sure we have enough space to copy the string */ 367 i = strlen(list) + 1; 368 if (i <= sizeof(buf)) 369 { 370 bufp = buf; 371 i = sizeof(buf); 372 } 373 else 374 bufp = sm_malloc_x(i); 375 376 SM_TRY 377 { 378 (void) sm_strlcpy(bufp, denlstring(list, false, true), i); 379 380#if _FFR_ADDR_TYPE_MODES 381 if (AddrTypeModes) 382 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), 383 "e r d"); 384 else 385#endif /* _FFR_ADDR_TYPE_MODES */ 386 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r"); 387 for (p = bufp; *p != '\0'; ) 388 { 389 ADDRESS a; /* parsed address to be removed */ 390 ADDRESS *q; 391 ADDRESS **pq; 392 char *delimptr; 393 394 /* parse the address */ 395 while ((SM_ISSPACE(*p)) || *p == ',') 396 p++; 397 if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR, 398 delimiter, &delimptr, e, true) == NULL) 399 { 400 p = delimptr; 401 continue; 402 } 403 p = delimptr; 404 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 405 { 406 if (!QS_IS_DEAD(q->q_state) && 407 (sameaddr(q, &a) || 408 strcmp(q->q_paddr, a.q_paddr) == 0)) 409 { 410 if (tTd(25, 5)) 411 { 412 sm_dprintf("removefromlist: QS_REMOVED "); 413 printaddr(sm_debug_file(), &a, false); 414 } 415 q->q_state = QS_REMOVED; 416 naddrs++; 417 break; 418 } 419 } 420 } 421 } 422 SM_FINALLY 423 { 424 e->e_to = oldto; 425 if (bufp != buf) 426 sm_free(bufp); 427 macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL); 428 } 429 SM_END_TRY 430 return naddrs; 431} 432#endif /* MILTER */ 433 434/* 435** RECIPIENT -- Designate a message recipient 436** Saves the named person for future mailing (after some checks). 437** 438** Parameters: 439** new -- the (preparsed) address header for the recipient. 440** sendq -- a pointer to the head of a queue to put the 441** recipient in. Duplicate suppression is done 442** in this queue. 443** aliaslevel -- the current alias nesting depth. 444** e -- the current envelope. 445** 446** Returns: 447** The actual address in the queue. This will be "a" if 448** the address is not a duplicate, else the original address. 449** 450*/ 451 452ADDRESS * 453recipient(new, sendq, aliaslevel, e) 454 register ADDRESS *new; 455 register ADDRESS **sendq; 456 int aliaslevel; 457 register ENVELOPE *e; 458{ 459 register ADDRESS *q; 460 ADDRESS **pq; 461 ADDRESS **prev; 462 register struct mailer *m; 463 register char *p; 464 int i, buflen; 465 bool quoted; /* set if the addr has a quote bit */ 466 bool insert; 467 int findusercount; 468 bool initialdontsend; 469 char *buf; 470 char buf0[MAXNAME + 1]; /* unquoted image of the user name */ 471 sortfn_t *sortfn; 472 473 p = NULL; 474 quoted = false; 475 insert = false; 476 findusercount = 0; 477 initialdontsend = QS_IS_DEAD(new->q_state); 478 e->e_to = new->q_paddr; 479 m = new->q_mailer; 480 errno = 0; 481 if (aliaslevel == 0) 482 new->q_flags |= QPRIMARY; 483 if (tTd(26, 1)) 484 { 485 sm_dprintf("\nrecipient (%d): ", aliaslevel); 486 printaddr(sm_debug_file(), new, false); 487 } 488 489 /* if this is primary, use it as original recipient */ 490 if (new->q_alias == NULL) 491 { 492 if (e->e_origrcpt == NULL) 493 e->e_origrcpt = new->q_paddr; 494 else if (e->e_origrcpt != new->q_paddr) 495 e->e_origrcpt = ""; 496 } 497 498 /* find parent recipient for finalrcpt and orcpt */ 499 for (q = new; q->q_alias != NULL; q = q->q_alias) 500 continue; 501 502 /* find final recipient DSN address */ 503 if (new->q_finalrcpt == NULL && 504 e->e_from.q_mailer != NULL) 505 { 506 char frbuf[MAXLINE]; 507 508 p = e->e_from.q_mailer->m_addrtype; 509 if (p == NULL) 510 p = "rfc822"; 511#if _FFR_EAI 512 if (sm_strcasecmp(p, "rfc822") == 0 && 513 !addr_is_ascii(q->q_user)) 514 p = "utf-8"; 515#endif 516 if (sm_strcasecmp(p, "rfc822") != 0) 517 { 518 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 519 q->q_mailer->m_addrtype, 520 q->q_user); 521 } 522 else if (strchr(q->q_user, '@') != NULL) 523 { 524 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 525 p, q->q_user); 526 } 527 else if (strchr(q->q_paddr, '@') != NULL) 528 { 529 char *qp; 530 bool b; 531 532 qp = q->q_paddr; 533 534 /* strip brackets from address */ 535 b = false; 536 if (*qp == '<') 537 { 538 b = qp[strlen(qp) - 1] == '>'; 539 if (b) 540 qp[strlen(qp) - 1] = '\0'; 541 qp++; 542 } 543 (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s", 544 p, qp); 545 546 /* undo damage */ 547 if (b) 548 qp[strlen(qp)] = '>'; 549 } 550 else 551 { 552 (void) sm_snprintf(frbuf, sizeof(frbuf), 553 "%s; %.700s@%.100s", 554 p, q->q_user, MyHostName); 555 } 556 new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf); 557 } 558 559#if _FFR_GEN_ORCPT 560 /* set ORCPT DSN arg if not already set */ 561 if (new->q_orcpt == NULL) 562 { 563 /* check for an existing ORCPT */ 564 if (q->q_orcpt != NULL) 565 new->q_orcpt = q->q_orcpt; 566 else 567 { 568 /* make our own */ 569 bool b = false; 570 char *qp; 571 char obuf[MAXLINE]; 572 573 if (e->e_from.q_mailer != NULL) 574 p = e->e_from.q_mailer->m_addrtype; 575 if (p == NULL) 576 p = "rfc822"; 577 (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";"); 578 579 qp = q->q_paddr; 580 581 /* FFR: Needs to strip comments from stdin addrs */ 582 583 /* strip brackets from address */ 584 if (*qp == '<') 585 { 586 b = qp[strlen(qp) - 1] == '>'; 587 if (b) 588 qp[strlen(qp) - 1] = '\0'; 589 qp++; 590 } 591 592 p = xtextify(denlstring(qp, true, false), "="); 593 594 if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf)) 595 { 596 /* if too big, don't use it */ 597 obuf[0] = '\0'; 598 } 599 600 /* undo damage */ 601 if (b) 602 qp[strlen(qp)] = '>'; 603 604 if (obuf[0] != '\0') 605 new->q_orcpt = 606 sm_rpool_strdup_x(e->e_rpool, obuf); 607 } 608 } 609#endif /* _FFR_GEN_ORCPT */ 610 611 /* break aliasing loops */ 612 if (aliaslevel > MaxAliasRecursion) 613 { 614 new->q_state = QS_BADADDR; 615 new->q_status = "5.4.6"; 616 if (new->q_alias != NULL) 617 { 618 new->q_alias->q_state = QS_BADADDR; 619 new->q_alias->q_status = "5.4.6"; 620 } 621 if ((SuprErrs || !LogUsrErrs) && LogLevel > 0) 622 { 623 sm_syslog(LOG_ERR, e->e_id, 624 "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)", 625 FileName != NULL ? FileName : "", aliaslevel, 626 MaxAliasRecursion); 627 } 628 usrerrenh(new->q_status, 629 "554 aliasing/forwarding loop broken (%d aliases deep; %d max)", 630 aliaslevel, MaxAliasRecursion); 631 return new; 632 } 633 634 /* 635 ** Finish setting up address structure. 636 */ 637 638 /* get unquoted user for file, program or user.name check */ 639 i = strlen(new->q_user); 640 if (i >= sizeof(buf0)) 641 { 642 buflen = i + 1; 643 buf = xalloc(buflen); 644 } 645 else 646 { 647 buf = buf0; 648 buflen = sizeof(buf0); 649 } 650 (void) sm_strlcpy(buf, new->q_user, buflen); 651 for (p = buf; *p != '\0' && !quoted; p++) 652 { 653 if (*p == '\\') 654 quoted = true; 655 } 656 stripquotes(buf); 657 658 /* check for direct mailing to restricted mailers */ 659 if (m == ProgMailer) 660 { 661 if (new->q_alias == NULL || UseMSP || 662 bitset(EF_UNSAFE, e->e_flags)) 663 { 664 new->q_state = QS_BADADDR; 665 new->q_status = "5.7.1"; 666 usrerrenh(new->q_status, 667 "550 Cannot mail directly to programs"); 668 } 669 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 670 { 671 new->q_state = QS_BADADDR; 672 new->q_status = "5.7.1"; 673 if (new->q_alias->q_ruser == NULL) 674 usrerrenh(new->q_status, 675 "550 UID %ld is an unknown user: cannot mail to programs", 676 (long) new->q_alias->q_uid); 677 else 678 usrerrenh(new->q_status, 679 "550 User %s@%s doesn't have a valid shell for mailing to programs", 680 new->q_alias->q_ruser, MyHostName); 681 } 682 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 683 { 684 new->q_state = QS_BADADDR; 685 new->q_status = "5.7.1"; 686 new->q_rstatus = "550 Unsafe for mailing to programs"; 687 usrerrenh(new->q_status, 688 "550 Address %s is unsafe for mailing to programs", 689 new->q_alias->q_paddr); 690 } 691 } 692 693 /* 694 ** Look up this person in the recipient list. 695 ** If they are there already, return, otherwise continue. 696 ** If the list is empty, just add it. Notice the cute 697 ** hack to make from addresses suppress things correctly: 698 ** the QS_DUPLICATE state will be set in the send list. 699 ** [Please note: the emphasis is on "hack."] 700 */ 701 702 prev = NULL; 703 704 /* 705 ** If this message is going to the queue or FastSplit is set 706 ** and it is the first try and the envelope hasn't split, then we 707 ** avoid doing an MX RR lookup now because one will be done when the 708 ** message is extracted from the queue later. It can go to the queue 709 ** because all messages are going to the queue or this mailer of 710 ** the current recipient is marked expensive. 711 */ 712 713 if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) || 714 (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 && 715 FastSplit > 0)) 716 sortfn = sorthost; 717 else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags)) 718 sortfn = sortexpensive; 719 else 720 sortfn = sortbysignature; 721 722 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next) 723 { 724 /* 725 ** If address is "less than" it should be inserted now. 726 ** If address is "greater than" current comparison it'll 727 ** insert later in the list; so loop again (if possible). 728 ** If address is "equal" (different equal than sameaddr() 729 ** call) then check if sameaddr() will be true. 730 ** Because this list is now sorted, it'll mean fewer 731 ** comparisons and fewer loops which is important for more 732 ** recipients. 733 */ 734 735 i = (*sortfn)(new, q); 736 if (i == 0) /* equal */ 737 { 738 /* 739 ** Sortbysignature() has said that the two have 740 ** equal MX RR's and the same user. Calling sameaddr() 741 ** now checks if the two hosts are as identical as the 742 ** MX RR's are (which might not be the case) 743 ** before saying these are the identical addresses. 744 */ 745 746 if (sameaddr(q, new) && 747 (bitset(QRCPTOK, q->q_flags) || 748 !bitset(QPRIMARY, q->q_flags))) 749 { 750 if (tTd(26, 1)) 751 { 752 sm_dprintf("%s in sendq: ", 753 new->q_paddr); 754 printaddr(sm_debug_file(), q, false); 755 } 756 if (!bitset(QPRIMARY, q->q_flags)) 757 { 758 if (!QS_IS_DEAD(new->q_state)) 759 message("duplicate suppressed"); 760 else 761 q->q_state = QS_DUPLICATE; 762 q->q_flags |= new->q_flags; 763 } 764 else if (bitset(QSELFREF, q->q_flags) 765 || q->q_state == QS_REMOVED) 766 { 767 /* 768 ** If an earlier milter removed the 769 ** address, a later one can still add 770 ** it back. 771 */ 772 773 q->q_state = new->q_state; 774 q->q_flags |= new->q_flags; 775 } 776 new = q; 777 goto done; 778 } 779 } 780 else if (i < 0) /* less than */ 781 { 782 insert = true; 783 break; 784 } 785 prev = pq; 786 } 787 788 /* pq should point to an address, never NULL */ 789 SM_ASSERT(pq != NULL); 790 791 /* add address on list */ 792 if (insert) 793 { 794 /* 795 ** insert before 'pq'. Only possible when at least 1 796 ** ADDRESS is in the list already. 797 */ 798 799 new->q_next = *pq; 800 if (prev == NULL) 801 *sendq = new; /* To be the first ADDRESS */ 802 else 803 (*prev)->q_next = new; 804 } 805 else 806 { 807 /* 808 ** Place in list at current 'pq' position. Possible 809 ** when there are 0 or more ADDRESS's in the list. 810 */ 811 812 new->q_next = NULL; 813 *pq = new; 814 } 815 816 /* added a new address: clear split flag */ 817 e->e_flags &= ~EF_SPLIT; 818 819 /* 820 ** Alias the name and handle special mailer types. 821 */ 822 823 trylocaluser: 824 if (tTd(29, 7)) 825 { 826 sm_dprintf("at trylocaluser: "); 827 printaddr(sm_debug_file(), new, false); 828 } 829 830 if (!QS_IS_OK(new->q_state)) 831 { 832 if (QS_IS_UNDELIVERED(new->q_state)) 833 e->e_nrcpts++; 834 goto testselfdestruct; 835 } 836 837 if (m == InclMailer) 838 { 839 new->q_state = QS_INCLUDED; 840 if (new->q_alias == NULL || UseMSP || 841 bitset(EF_UNSAFE, e->e_flags)) 842 { 843 new->q_state = QS_BADADDR; 844 new->q_status = "5.7.1"; 845 usrerrenh(new->q_status, 846 "550 Cannot mail directly to :include:s"); 847 } 848 else 849 { 850 int ret; 851 852 message("including file %s", new->q_user); 853 ret = include(new->q_user, false, new, 854 sendq, aliaslevel, e); 855 if (transienterror(ret)) 856 { 857 if (LogLevel > 2) 858 sm_syslog(LOG_ERR, e->e_id, 859 "include %s: transient error: %s", 860 shortenstring(new->q_user, 861 MAXSHORTSTR), 862 sm_errstring(ret)); 863 new->q_state = QS_QUEUEUP; 864 usrerr("451 4.2.4 Cannot open %s: %s", 865 shortenstring(new->q_user, 866 MAXSHORTSTR), 867 sm_errstring(ret)); 868 } 869 else if (ret != 0) 870 { 871 new->q_state = QS_BADADDR; 872 new->q_status = "5.2.4"; 873 usrerrenh(new->q_status, 874 "550 Cannot open %s: %s", 875 shortenstring(new->q_user, 876 MAXSHORTSTR), 877 sm_errstring(ret)); 878 } 879 } 880 } 881 else if (m == FileMailer) 882 { 883 /* check if allowed */ 884 if (new->q_alias == NULL || UseMSP || 885 bitset(EF_UNSAFE, e->e_flags)) 886 { 887 new->q_state = QS_BADADDR; 888 new->q_status = "5.7.1"; 889 usrerrenh(new->q_status, 890 "550 Cannot mail directly to files"); 891 } 892 else if (bitset(QBOGUSSHELL, new->q_alias->q_flags)) 893 { 894 new->q_state = QS_BADADDR; 895 new->q_status = "5.7.1"; 896 if (new->q_alias->q_ruser == NULL) 897 usrerrenh(new->q_status, 898 "550 UID %ld is an unknown user: cannot mail to files", 899 (long) new->q_alias->q_uid); 900 else 901 usrerrenh(new->q_status, 902 "550 User %s@%s doesn't have a valid shell for mailing to files", 903 new->q_alias->q_ruser, MyHostName); 904 } 905 else if (bitset(QUNSAFEADDR, new->q_alias->q_flags)) 906 { 907 new->q_state = QS_BADADDR; 908 new->q_status = "5.7.1"; 909 new->q_rstatus = "550 Unsafe for mailing to files"; 910 usrerrenh(new->q_status, 911 "550 Address %s is unsafe for mailing to files", 912 new->q_alias->q_paddr); 913 } 914 } 915 916 /* try aliasing */ 917 if (!quoted && QS_IS_OK(new->q_state) && 918 bitnset(M_ALIASABLE, m->m_flags)) 919 alias(new, sendq, aliaslevel, e); 920 921#if USERDB 922 /* if not aliased, look it up in the user database */ 923 if (!bitset(QNOTREMOTE, new->q_flags) && 924 QS_IS_SENDABLE(new->q_state) && 925 bitnset(M_CHECKUDB, m->m_flags)) 926 { 927 if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL) 928 { 929 new->q_state = QS_QUEUEUP; 930 if (e->e_message == NULL) 931 e->e_message = sm_rpool_strdup_x(e->e_rpool, 932 "Deferred: user database error"); 933 if (new->q_message == NULL) 934 new->q_message = "Deferred: user database error"; 935 if (LogLevel > 8) 936 sm_syslog(LOG_INFO, e->e_id, 937 "deferred: udbexpand: %s", 938 sm_errstring(errno)); 939 message("queued (user database error): %s", 940 sm_errstring(errno)); 941 e->e_nrcpts++; 942 goto testselfdestruct; 943 } 944 } 945#endif /* USERDB */ 946 947 /* 948 ** If we have a level two config file, then pass the name through 949 ** Ruleset 5 before sending it off. Ruleset 5 has the right 950 ** to rewrite it to another mailer. This gives us a hook 951 ** after local aliasing has been done. 952 */ 953 954 if (tTd(29, 5)) 955 { 956 sm_dprintf("recipient: testing local? cl=%d, rr5=%p\n\t", 957 ConfigLevel, (void *)RewriteRules[5]); 958 printaddr(sm_debug_file(), new, false); 959 } 960 if (ConfigLevel >= 2 && RewriteRules[5] != NULL && 961 bitnset(M_TRYRULESET5, m->m_flags) && 962 !bitset(QNOTREMOTE, new->q_flags) && 963 QS_IS_OK(new->q_state)) 964 { 965 maplocaluser(new, sendq, aliaslevel + 1, e); 966 } 967 968 /* 969 ** If it didn't get rewritten to another mailer, go ahead 970 ** and deliver it. 971 */ 972 973 if (QS_IS_OK(new->q_state) && 974 bitnset(M_HASPWENT, m->m_flags)) 975 { 976 auto bool fuzzy; 977 SM_MBDB_T user; 978 int status; 979 980 /* warning -- finduser may trash buf */ 981 status = finduser(buf, &fuzzy, &user); 982 switch (status) 983 { 984 case EX_TEMPFAIL: 985 new->q_state = QS_QUEUEUP; 986 new->q_status = "4.5.2"; 987 giveresponse(EX_TEMPFAIL, new->q_status, m, NULL, 988 new->q_alias, (time_t) 0, e, new); 989 break; 990 default: 991 new->q_state = QS_BADADDR; 992 new->q_status = "5.1.1"; 993 new->q_rstatus = "550 5.1.1 User unknown"; 994 giveresponse(EX_NOUSER, new->q_status, m, NULL, 995 new->q_alias, (time_t) 0, e, new); 996 break; 997 case EX_OK: 998 if (fuzzy) 999 { 1000 /* name was a fuzzy match */ 1001 new->q_user = sm_rpool_strdup_x(e->e_rpool, 1002 user.mbdb_name); 1003 if (findusercount++ > 3) 1004 { 1005 new->q_state = QS_BADADDR; 1006 new->q_status = "5.4.6"; 1007 usrerrenh(new->q_status, 1008 "554 aliasing/forwarding loop for %s broken", 1009 user.mbdb_name); 1010 goto done; 1011 } 1012 1013 /* see if it aliases */ 1014 (void) sm_strlcpy(buf, user.mbdb_name, buflen); 1015 goto trylocaluser; 1016 } 1017 if (*user.mbdb_homedir == '\0') 1018 new->q_home = NULL; 1019 else if (strcmp(user.mbdb_homedir, "/") == 0) 1020 new->q_home = ""; 1021 else 1022 new->q_home = sm_rpool_strdup_x(e->e_rpool, 1023 user.mbdb_homedir); 1024 if (user.mbdb_uid != SM_NO_UID) 1025 { 1026 new->q_uid = user.mbdb_uid; 1027 new->q_gid = user.mbdb_gid; 1028 new->q_flags |= QGOODUID; 1029 } 1030 new->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1031 user.mbdb_name); 1032 if (user.mbdb_fullname[0] != '\0') 1033 new->q_fullname = sm_rpool_strdup_x(e->e_rpool, 1034 user.mbdb_fullname); 1035 if (!usershellok(user.mbdb_name, user.mbdb_shell)) 1036 { 1037 new->q_flags |= QBOGUSSHELL; 1038 } 1039 if (bitset(EF_VRFYONLY, e->e_flags)) 1040 { 1041 /* don't do any more now */ 1042 new->q_state = QS_VERIFIED; 1043 } 1044 else if (!quoted) 1045 forward(new, sendq, aliaslevel, e); 1046 } 1047 } 1048 if (!QS_IS_DEAD(new->q_state)) 1049 e->e_nrcpts++; 1050 1051 testselfdestruct: 1052 new->q_flags |= QTHISPASS; 1053 if (tTd(26, 8)) 1054 { 1055 sm_dprintf("testselfdestruct: "); 1056 printaddr(sm_debug_file(), new, false); 1057 if (tTd(26, 10)) 1058 { 1059 sm_dprintf("SENDQ:\n"); 1060 printaddr(sm_debug_file(), *sendq, true); 1061 sm_dprintf("----\n"); 1062 } 1063 } 1064 if (new->q_alias == NULL && new != &e->e_from && 1065 QS_IS_DEAD(new->q_state)) 1066 { 1067 for (q = *sendq; q != NULL; q = q->q_next) 1068 { 1069 if (!QS_IS_DEAD(q->q_state)) 1070 break; 1071 } 1072 if (q == NULL) 1073 { 1074 new->q_state = QS_BADADDR; 1075 new->q_status = "5.4.6"; 1076 usrerrenh(new->q_status, 1077 "554 aliasing/forwarding loop broken"); 1078 } 1079 } 1080 1081 done: 1082 new->q_flags |= QTHISPASS; 1083 if (buf != buf0) 1084 sm_free(buf); /* XXX leak if above code raises exception */ 1085 1086 /* 1087 ** If we are at the top level, check to see if this has 1088 ** expanded to exactly one address. If so, it can inherit 1089 ** the primaryness of the address. 1090 ** 1091 ** While we're at it, clear the QTHISPASS bits. 1092 */ 1093 1094 if (aliaslevel == 0) 1095 { 1096 int nrcpts = 0; 1097 ADDRESS *only = NULL; 1098 1099 for (q = *sendq; q != NULL; q = q->q_next) 1100 { 1101 if (bitset(QTHISPASS, q->q_flags) && 1102 QS_IS_SENDABLE(q->q_state)) 1103 { 1104 nrcpts++; 1105 only = q; 1106 } 1107 q->q_flags &= ~QTHISPASS; 1108 } 1109 if (nrcpts == 1) 1110 { 1111 /* check to see if this actually got a new owner */ 1112 q = only; 1113 while ((q = q->q_alias) != NULL) 1114 { 1115 if (q->q_owner != NULL) 1116 break; 1117 } 1118 if (q == NULL) 1119 only->q_flags |= QPRIMARY; 1120 } 1121 else if (!initialdontsend && nrcpts > 0) 1122 { 1123 /* arrange for return receipt */ 1124 e->e_flags |= EF_SENDRECEIPT; 1125 new->q_flags |= QEXPANDED; 1126 if (e->e_xfp != NULL && 1127 bitset(QPINGONSUCCESS, new->q_flags)) 1128 (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, 1129 "%s... expanded to multiple addresses\n", 1130 new->q_paddr); 1131 } 1132 } 1133 new->q_flags |= QRCPTOK; 1134 (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts); 1135 macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0); 1136 return new; 1137} 1138 1139/* 1140** FINDUSER -- find the password entry for a user. 1141** 1142** This looks a lot like getpwnam, except that it may want to 1143** do some fancier pattern matching in /etc/passwd. 1144** 1145** This routine contains most of the time of many sendmail runs. 1146** It deserves to be optimized. 1147** 1148** Parameters: 1149** name -- the name to match against. 1150** fuzzyp -- an outarg that is set to true if this entry 1151** was found using the fuzzy matching algorithm; 1152** set to false otherwise. 1153** user -- structure to fill in if user is found 1154** 1155** Returns: 1156** On success, fill in *user, set *fuzzyp and return EX_OK. 1157** If the user was not found, return EX_NOUSER. 1158** On error, return EX_TEMPFAIL or EX_OSERR. 1159** 1160** Side Effects: 1161** may modify name. 1162*/ 1163 1164int 1165finduser(name, fuzzyp, user) 1166 char *name; 1167 bool *fuzzyp; 1168 SM_MBDB_T *user; 1169{ 1170#if MATCHGECOS 1171 register struct passwd *pw; 1172#endif 1173 register char *p; 1174 bool tryagain; 1175 int status; 1176 1177 if (tTd(29, 4)) 1178 sm_dprintf("finduser(%s): ", name); 1179 1180 *fuzzyp = false; 1181 1182#if HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN 1183 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */ 1184 for (p = name; *p != '\0'; p++) 1185 if (!isascii(*p) || !isdigit(*p)) 1186 break; 1187 if (*p == '\0') 1188 { 1189 if (tTd(29, 4)) 1190 sm_dprintf("failed (numeric input)\n"); 1191 return EX_NOUSER; 1192 } 1193#endif /* HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN */ 1194 1195 /* look up this login name using fast path */ 1196 status = sm_mbdb_lookup(name, user); 1197 if (status != EX_NOUSER) 1198 { 1199 if (tTd(29, 4)) 1200 sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status)); 1201 return status; 1202 } 1203 1204 /* try mapping it to lower case */ 1205 tryagain = false; 1206 for (p = name; *p != '\0'; p++) 1207 { 1208 if (isascii(*p) && isupper(*p)) 1209 { 1210 *p = tolower(*p); 1211 tryagain = true; 1212 } 1213 } 1214 if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER) 1215 { 1216 if (tTd(29, 4)) 1217 sm_dprintf("%s (lower case)\n", sm_strexit(status)); 1218 *fuzzyp = true; 1219 return status; 1220 } 1221 1222#if MATCHGECOS 1223 /* see if fuzzy matching allowed */ 1224 if (!MatchGecos) 1225 { 1226 if (tTd(29, 4)) 1227 sm_dprintf("not found (fuzzy disabled)\n"); 1228 return EX_NOUSER; 1229 } 1230 1231 /* search for a matching full name instead */ 1232 for (p = name; *p != '\0'; p++) 1233 { 1234 if (*p == (SpaceSub & 0177) || *p == '_') 1235 *p = ' '; 1236 } 1237 (void) setpwent(); 1238 while ((pw = getpwent()) != NULL) 1239 { 1240 char buf[MAXNAME + 1]; 1241 1242# if 0 1243 if (sm_strcasecmp(pw->pw_name, name) == 0) 1244 { 1245 if (tTd(29, 4)) 1246 sm_dprintf("found (case wrapped)\n"); 1247 break; 1248 } 1249# endif /* 0 */ 1250 1251 sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf)); 1252 if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0) 1253 { 1254 if (tTd(29, 4)) 1255 sm_dprintf("fuzzy matches %s\n", pw->pw_name); 1256 message("sending to login name %s", pw->pw_name); 1257 break; 1258 } 1259 } 1260 if (pw != NULL) 1261 *fuzzyp = true; 1262 else if (tTd(29, 4)) 1263 sm_dprintf("no fuzzy match found\n"); 1264# if DEC_OSF_BROKEN_GETPWENT /* DEC OSF/1 3.2 or earlier */ 1265 endpwent(); 1266# endif 1267 if (pw == NULL) 1268 return EX_NOUSER; 1269 sm_mbdb_frompw(user, pw); 1270 return EX_OK; 1271#else /* MATCHGECOS */ 1272 if (tTd(29, 4)) 1273 sm_dprintf("not found (fuzzy disabled)\n"); 1274 return EX_NOUSER; 1275#endif /* MATCHGECOS */ 1276} 1277 1278/* 1279** WRITABLE -- predicate returning if the file is writable. 1280** 1281** This routine must duplicate the algorithm in sys/fio.c. 1282** Unfortunately, we cannot use the access call since we 1283** won't necessarily be the real uid when we try to 1284** actually open the file. 1285** 1286** Notice that ANY file with ANY execute bit is automatically 1287** not writable. This is also enforced by mailfile. 1288** 1289** Parameters: 1290** filename -- the file name to check. 1291** ctladdr -- the controlling address for this file. 1292** flags -- SFF_* flags to control the function. 1293** 1294** Returns: 1295** true -- if we will be able to write this file. 1296** false -- if we cannot write this file. 1297** 1298** Side Effects: 1299** none. 1300*/ 1301 1302bool 1303writable(filename, ctladdr, flags) 1304 char *filename; 1305 ADDRESS *ctladdr; 1306 long flags; 1307{ 1308 uid_t euid = 0; 1309 gid_t egid = 0; 1310 char *user = NULL; 1311 1312 if (tTd(44, 5)) 1313 sm_dprintf("writable(%s, 0x%lx)\n", filename, flags); 1314 1315 /* 1316 ** File does exist -- check that it is writable. 1317 */ 1318 1319 if (geteuid() != 0) 1320 { 1321 euid = geteuid(); 1322 egid = getegid(); 1323 user = NULL; 1324 } 1325 else if (ctladdr != NULL) 1326 { 1327 euid = ctladdr->q_uid; 1328 egid = ctladdr->q_gid; 1329 user = ctladdr->q_user; 1330 } 1331 else if (bitset(SFF_RUNASREALUID, flags)) 1332 { 1333 euid = RealUid; 1334 egid = RealGid; 1335 user = RealUserName; 1336 } 1337 else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags)) 1338 { 1339 if (FileMailer->m_uid == NO_UID) 1340 { 1341 euid = DefUid; 1342 user = DefUser; 1343 } 1344 else 1345 { 1346 euid = FileMailer->m_uid; 1347 user = NULL; 1348 } 1349 if (FileMailer->m_gid == NO_GID) 1350 egid = DefGid; 1351 else 1352 egid = FileMailer->m_gid; 1353 } 1354 else 1355 { 1356 euid = egid = 0; 1357 user = NULL; 1358 } 1359 if (!bitset(SFF_ROOTOK, flags)) 1360 { 1361 if (euid == 0) 1362 { 1363 euid = DefUid; 1364 user = DefUser; 1365 } 1366 if (egid == 0) 1367 egid = DefGid; 1368 } 1369 if (geteuid() == 0 && 1370 (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags))) 1371 flags |= SFF_SETUIDOK; 1372 1373 if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail)) 1374 flags |= SFF_NOSLINK; 1375 if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail)) 1376 flags |= SFF_NOHLINK; 1377 1378 errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL); 1379 return errno == 0; 1380} 1381 1382/* 1383** INCLUDE -- handle :include: specification. 1384** 1385** Parameters: 1386** fname -- filename to include. 1387** forwarding -- if true, we are reading a .forward file. 1388** if false, it's a :include: file. 1389** ctladdr -- address template to use to fill in these 1390** addresses -- effective user/group id are 1391** the important things. 1392** sendq -- a pointer to the head of the send queue 1393** to put these addresses in. 1394** aliaslevel -- the alias nesting depth. 1395** e -- the current envelope. 1396** 1397** Returns: 1398** open error status 1399** 1400** Side Effects: 1401** reads the :include: file and sends to everyone 1402** listed in that file. 1403** 1404** Security Note: 1405** If you have restricted chown (that is, you can't 1406** give a file away), it is reasonable to allow programs 1407** and files called from this :include: file to be to be 1408** run as the owner of the :include: file. This is bogus 1409** if there is any chance of someone giving away a file. 1410** We assume that pre-POSIX systems can give away files. 1411** 1412** There is an additional restriction that if you 1413** forward to a :include: file, it will not take on 1414** the ownership of the :include: file. This may not 1415** be necessary, but shouldn't hurt. 1416*/ 1417 1418static jmp_buf CtxIncludeTimeout; 1419 1420int 1421include(fname, forwarding, ctladdr, sendq, aliaslevel, e) 1422 char *fname; 1423 bool forwarding; 1424 ADDRESS *ctladdr; 1425 ADDRESS **sendq; 1426 int aliaslevel; 1427 ENVELOPE *e; 1428{ 1429 SM_FILE_T *volatile fp = NULL; 1430 char *oldto = e->e_to; 1431 char *oldfilename = FileName; 1432 int oldlinenumber = LineNumber; 1433 register SM_EVENT *ev = NULL; 1434 int nincludes; 1435 int mode; 1436 volatile bool maxreached = false; 1437 register ADDRESS *ca; 1438 volatile uid_t saveduid; 1439 volatile gid_t savedgid; 1440 volatile uid_t uid; 1441 volatile gid_t gid; 1442 char *volatile user; 1443 int rval = 0; 1444 volatile long sfflags = SFF_REGONLY; 1445 register char *p; 1446 bool safechown = false; 1447 volatile bool safedir = false; 1448 struct stat st; 1449 char buf[MAXLINE]; 1450 1451 if (tTd(27, 2)) 1452 sm_dprintf("include(%s)\n", fname); 1453 if (tTd(27, 4)) 1454 sm_dprintf(" ruid=%ld euid=%ld\n", 1455 (long) getuid(), (long) geteuid()); 1456 if (tTd(27, 14)) 1457 { 1458 sm_dprintf("ctladdr "); 1459 printaddr(sm_debug_file(), ctladdr, false); 1460 } 1461 1462 if (tTd(27, 9)) 1463 sm_dprintf("include: old uid = %ld/%ld\n", 1464 (long) getuid(), (long) geteuid()); 1465 1466 if (forwarding) 1467 { 1468 sfflags |= SFF_MUSTOWN|SFF_ROOTOK; 1469 if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail)) 1470 sfflags |= SFF_NOGWFILES; 1471 if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail)) 1472 sfflags |= SFF_NOWWFILES; 1473 } 1474 else 1475 { 1476 if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail)) 1477 sfflags |= SFF_NOGWFILES; 1478 if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail)) 1479 sfflags |= SFF_NOWWFILES; 1480 } 1481 1482 /* 1483 ** If RunAsUser set, won't be able to run programs as user 1484 ** so mark them as unsafe unless the administrator knows better. 1485 */ 1486 1487 if ((geteuid() != 0 || RunAsUid != 0) && 1488 !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail)) 1489 { 1490 if (tTd(27, 4)) 1491 sm_dprintf("include: not safe (euid=%ld, RunAsUid=%ld)\n", 1492 (long) geteuid(), (long) RunAsUid); 1493 ctladdr->q_flags |= QUNSAFEADDR; 1494 } 1495 1496 ca = getctladdr(ctladdr); 1497 if (ca == NULL || 1498 (ca->q_uid == DefUid && ca->q_gid == 0)) 1499 { 1500 uid = DefUid; 1501 gid = DefGid; 1502 user = DefUser; 1503 } 1504 else 1505 { 1506 uid = ca->q_uid; 1507 gid = ca->q_gid; 1508 user = ca->q_user; 1509 } 1510#if MAILER_SETUID_METHOD != USE_SETUID 1511 saveduid = geteuid(); 1512 savedgid = getegid(); 1513 if (saveduid == 0) 1514 { 1515 if (!DontInitGroups) 1516 { 1517 if (initgroups(user, gid) == -1) 1518 { 1519 rval = EAGAIN; 1520 syserr("include: initgroups(%s, %ld) failed", 1521 user, (long) gid); 1522 goto resetuid; 1523 } 1524 } 1525 else 1526 { 1527 GIDSET_T gidset[1]; 1528 1529 gidset[0] = gid; 1530 if (setgroups(1, gidset) == -1) 1531 { 1532 rval = EAGAIN; 1533 syserr("include: setgroups() failed"); 1534 goto resetuid; 1535 } 1536 } 1537 1538 if (gid != 0 && setgid(gid) < -1) 1539 { 1540 rval = EAGAIN; 1541 syserr("setgid(%ld) failure", (long) gid); 1542 goto resetuid; 1543 } 1544 if (uid != 0) 1545 { 1546# if MAILER_SETUID_METHOD == USE_SETEUID 1547 if (seteuid(uid) < 0) 1548 { 1549 rval = EAGAIN; 1550 syserr("seteuid(%ld) failure (real=%ld, eff=%ld)", 1551 (long) uid, (long) getuid(), (long) geteuid()); 1552 goto resetuid; 1553 } 1554# endif /* MAILER_SETUID_METHOD == USE_SETEUID */ 1555# if MAILER_SETUID_METHOD == USE_SETREUID 1556 if (setreuid(0, uid) < 0) 1557 { 1558 rval = EAGAIN; 1559 syserr("setreuid(0, %ld) failure (real=%ld, eff=%ld)", 1560 (long) uid, (long) getuid(), (long) geteuid()); 1561 goto resetuid; 1562 } 1563# endif /* MAILER_SETUID_METHOD == USE_SETREUID */ 1564 } 1565 } 1566#endif /* MAILER_SETUID_METHOD != USE_SETUID */ 1567 1568 if (tTd(27, 9)) 1569 sm_dprintf("include: new uid = %ld/%ld\n", 1570 (long) getuid(), (long) geteuid()); 1571 1572 /* 1573 ** If home directory is remote mounted but server is down, 1574 ** this can hang or give errors; use a timeout to avoid this 1575 */ 1576 1577 if (setjmp(CtxIncludeTimeout) != 0) 1578 { 1579 ctladdr->q_state = QS_QUEUEUP; 1580 errno = 0; 1581 1582 /* return pseudo-error code */ 1583 rval = E_SM_OPENTIMEOUT; 1584 goto resetuid; 1585 } 1586 if (TimeOuts.to_fileopen > 0) 1587 ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0); 1588 else 1589 ev = NULL; 1590 1591 1592 /* check for writable parent directory */ 1593 p = strrchr(fname, '/'); 1594 if (p != NULL) 1595 { 1596 int ret; 1597 1598 *p = '\0'; 1599 ret = safedirpath(fname, uid, gid, user, 1600 sfflags|SFF_SAFEDIRPATH, 0, 0); 1601 if (ret == 0) 1602 { 1603 /* in safe directory: relax chown & link rules */ 1604 safedir = true; 1605 sfflags |= SFF_NOPATHCHECK; 1606 } 1607 else 1608 { 1609 if (bitnset((forwarding ? 1610 DBS_FORWARDFILEINUNSAFEDIRPATH : 1611 DBS_INCLUDEFILEINUNSAFEDIRPATH), 1612 DontBlameSendmail)) 1613 sfflags |= SFF_NOPATHCHECK; 1614 else if (bitnset((forwarding ? 1615 DBS_FORWARDFILEINGROUPWRITABLEDIRPATH : 1616 DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH), 1617 DontBlameSendmail) && 1618 ret == E_SM_GWDIR) 1619 { 1620 setbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1621 DontBlameSendmail); 1622 ret = safedirpath(fname, uid, gid, user, 1623 sfflags|SFF_SAFEDIRPATH, 1624 0, 0); 1625 clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE, 1626 DontBlameSendmail); 1627 if (ret == 0) 1628 sfflags |= SFF_NOPATHCHECK; 1629 else 1630 sfflags |= SFF_SAFEDIRPATH; 1631 } 1632 else 1633 sfflags |= SFF_SAFEDIRPATH; 1634 if (ret > E_PSEUDOBASE && 1635 !bitnset((forwarding ? 1636 DBS_FORWARDFILEINUNSAFEDIRPATHSAFE : 1637 DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE), 1638 DontBlameSendmail)) 1639 { 1640 if (LogLevel > 11) 1641 sm_syslog(LOG_INFO, e->e_id, 1642 "%s: unsafe directory path, marked unsafe", 1643 shortenstring(fname, MAXSHORTSTR)); 1644 ctladdr->q_flags |= QUNSAFEADDR; 1645 } 1646 } 1647 *p = '/'; 1648 } 1649 1650 /* allow links only in unwritable directories */ 1651 if (!safedir && 1652 !bitnset((forwarding ? 1653 DBS_LINKEDFORWARDFILEINWRITABLEDIR : 1654 DBS_LINKEDINCLUDEFILEINWRITABLEDIR), 1655 DontBlameSendmail)) 1656 sfflags |= SFF_NOLINK; 1657 1658 rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st); 1659 if (rval != 0) 1660 { 1661 /* don't use this :include: file */ 1662 if (tTd(27, 4)) 1663 sm_dprintf("include: not safe (uid=%ld): %s\n", 1664 (long) uid, sm_errstring(rval)); 1665 } 1666 else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname, 1667 SM_IO_RDONLY, NULL)) == NULL) 1668 { 1669 rval = errno; 1670 if (tTd(27, 4)) 1671 sm_dprintf("include: open: %s\n", sm_errstring(rval)); 1672 } 1673 else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st)) 1674 { 1675 rval = E_SM_FILECHANGE; 1676 if (tTd(27, 4)) 1677 sm_dprintf("include: file changed after open\n"); 1678 } 1679 if (ev != NULL) 1680 sm_clrevent(ev); 1681 1682resetuid: 1683 1684#if HASSETREUID || USESETEUID 1685 if (saveduid == 0) 1686 { 1687 if (uid != 0) 1688 { 1689# if USESETEUID 1690 if (seteuid(0) < 0) 1691 syserr("!seteuid(0) failure (real=%ld, eff=%ld)", 1692 (long) getuid(), (long) geteuid()); 1693# else /* USESETEUID */ 1694 if (setreuid(-1, 0) < 0) 1695 syserr("!setreuid(-1, 0) failure (real=%ld, eff=%ld)", 1696 (long) getuid(), (long) geteuid()); 1697 if (setreuid(RealUid, 0) < 0) 1698 syserr("!setreuid(%ld, 0) failure (real=%ld, eff=%ld)", 1699 (long) RealUid, (long) getuid(), 1700 (long) geteuid()); 1701# endif /* USESETEUID */ 1702 } 1703 if (setgid(savedgid) < 0) 1704 syserr("!setgid(%ld) failure (real=%ld eff=%ld)", 1705 (long) savedgid, (long) getgid(), 1706 (long) getegid()); 1707 } 1708#endif /* HASSETREUID || USESETEUID */ 1709 1710 if (tTd(27, 9)) 1711 sm_dprintf("include: reset uid = %ld/%ld\n", 1712 (long) getuid(), (long) geteuid()); 1713 1714 if (rval == E_SM_OPENTIMEOUT) 1715 usrerr("451 4.4.1 open timeout on %s", fname); 1716 1717 if (fp == NULL) 1718 return rval; 1719 1720 if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0) 1721 { 1722 rval = errno; 1723 syserr("Cannot fstat %s!", fname); 1724 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1725 return rval; 1726 } 1727 1728 /* if path was writable, check to avoid file giveaway tricks */ 1729 safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir); 1730 if (tTd(27, 6)) 1731 sm_dprintf("include: parent of %s is %s, chown is %ssafe\n", 1732 fname, safedir ? "safe" : "dangerous", 1733 safechown ? "" : "un"); 1734 1735 /* if no controlling user or coming from an alias delivery */ 1736 if (safechown && 1737 (ca == NULL || 1738 (ca->q_uid == DefUid && ca->q_gid == 0))) 1739 { 1740 ctladdr->q_uid = st.st_uid; 1741 ctladdr->q_gid = st.st_gid; 1742 ctladdr->q_flags |= QGOODUID; 1743 } 1744 if (ca != NULL && ca->q_uid == st.st_uid) 1745 { 1746 /* optimization -- avoid getpwuid if we already have info */ 1747 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL; 1748 ctladdr->q_ruser = ca->q_ruser; 1749 } 1750 else if (!forwarding) 1751 { 1752 register struct passwd *pw; 1753 1754 pw = sm_getpwuid(st.st_uid); 1755 if (pw == NULL) 1756 { 1757 ctladdr->q_uid = st.st_uid; 1758 ctladdr->q_flags |= QBOGUSSHELL; 1759 } 1760 else 1761 { 1762 char *sh; 1763 1764 ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool, 1765 pw->pw_name); 1766 if (safechown) 1767 sh = pw->pw_shell; 1768 else 1769 sh = "/SENDMAIL/ANY/SHELL/"; 1770 if (!usershellok(pw->pw_name, sh)) 1771 { 1772 if (LogLevel > 11) 1773 sm_syslog(LOG_INFO, e->e_id, 1774 "%s: user %s has bad shell %s, marked %s", 1775 shortenstring(fname, 1776 MAXSHORTSTR), 1777 pw->pw_name, sh, 1778 safechown ? "bogus" : "unsafe"); 1779 if (safechown) 1780 ctladdr->q_flags |= QBOGUSSHELL; 1781 else 1782 ctladdr->q_flags |= QUNSAFEADDR; 1783 } 1784 } 1785 } 1786 1787 if (bitset(EF_VRFYONLY, e->e_flags)) 1788 { 1789 /* don't do any more now */ 1790 ctladdr->q_state = QS_VERIFIED; 1791 e->e_nrcpts++; 1792 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1793 return rval; 1794 } 1795 1796 /* 1797 ** Check to see if some bad guy can write this file 1798 ** 1799 ** Group write checking could be more clever, e.g., 1800 ** guessing as to which groups are actually safe ("sys" 1801 ** may be; "user" probably is not). 1802 */ 1803 1804 mode = S_IWOTH; 1805 if (!bitnset((forwarding ? 1806 DBS_GROUPWRITABLEFORWARDFILESAFE : 1807 DBS_GROUPWRITABLEINCLUDEFILESAFE), 1808 DontBlameSendmail)) 1809 mode |= S_IWGRP; 1810 1811 if (bitset(mode, st.st_mode)) 1812 { 1813 if (tTd(27, 6)) 1814 sm_dprintf("include: %s is %s writable, marked unsafe\n", 1815 shortenstring(fname, MAXSHORTSTR), 1816 bitset(S_IWOTH, st.st_mode) ? "world" 1817 : "group"); 1818 if (LogLevel > 11) 1819 sm_syslog(LOG_INFO, e->e_id, 1820 "%s: %s writable %s file, marked unsafe", 1821 shortenstring(fname, MAXSHORTSTR), 1822 bitset(S_IWOTH, st.st_mode) ? "world" : "group", 1823 forwarding ? "forward" : ":include:"); 1824 ctladdr->q_flags |= QUNSAFEADDR; 1825 } 1826 1827 /* read the file -- each line is a comma-separated list. */ 1828 FileName = fname; 1829 LineNumber = 0; 1830 ctladdr->q_flags &= ~QSELFREF; 1831 nincludes = 0; 1832 while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0 && 1833 !maxreached) 1834 { 1835 fixcrlf(buf, true); 1836 LineNumber++; 1837 if (buf[0] == '#' || buf[0] == '\0') 1838 continue; 1839 1840 /* <sp>#@# introduces a comment anywhere */ 1841 /* for Japanese character sets */ 1842 for (p = buf; (p = strchr(++p, '#')) != NULL; ) 1843 { 1844 if (p[1] == '@' && p[2] == '#' && 1845 isascii(p[-1]) && isspace(p[-1]) && 1846 (p[3] == '\0' || (SM_ISSPACE(p[3])))) 1847 { 1848 --p; 1849 while (p > buf && isascii(p[-1]) && 1850 isspace(p[-1])) 1851 --p; 1852 p[0] = '\0'; 1853 break; 1854 } 1855 } 1856 if (buf[0] == '\0') 1857 continue; 1858 1859 e->e_to = NULL; 1860 message("%s to %s", 1861 forwarding ? "forwarding" : "sending", buf); 1862 if (forwarding && LogLevel > 10) 1863 sm_syslog(LOG_INFO, e->e_id, 1864 "forward %.200s => %s", 1865 oldto, shortenstring(buf, MAXSHORTSTR)); 1866 1867 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e); 1868 1869 if (forwarding && 1870 MaxForwardEntries > 0 && 1871 nincludes >= MaxForwardEntries) 1872 { 1873 /* just stop reading and processing further entries */ 1874#if 0 1875 /* additional: (?) */ 1876 ctladdr->q_state = QS_DONTSEND; 1877#endif /* 0 */ 1878 1879 syserr("Attempt to forward to more than %d addresses (in %s)!", 1880 MaxForwardEntries, fname); 1881 maxreached = true; 1882 } 1883 } 1884 1885 if (sm_io_error(fp) && tTd(27, 3)) 1886 sm_dprintf("include: read error: %s\n", sm_errstring(errno)); 1887 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags)) 1888 { 1889 if (aliaslevel <= MaxAliasRecursion || 1890 ctladdr->q_state != QS_BADADDR) 1891 { 1892 ctladdr->q_state = QS_DONTSEND; 1893 if (tTd(27, 5)) 1894 { 1895 sm_dprintf("include: QS_DONTSEND "); 1896 printaddr(sm_debug_file(), ctladdr, false); 1897 } 1898 } 1899 } 1900 1901 (void) sm_io_close(fp, SM_TIME_DEFAULT); 1902 FileName = oldfilename; 1903 LineNumber = oldlinenumber; 1904 e->e_to = oldto; 1905 return rval; 1906} 1907 1908static void 1909includetimeout(ignore) 1910 int ignore; 1911{ 1912 /* 1913 ** NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER. DO NOT ADD 1914 ** ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE 1915 ** DOING. 1916 */ 1917 1918 errno = ETIMEDOUT; 1919 longjmp(CtxIncludeTimeout, 1); 1920} 1921 1922/* 1923** SENDTOARGV -- send to an argument vector. 1924** 1925** Parameters: 1926** argv -- argument vector to send to. 1927** e -- the current envelope. 1928** 1929** Returns: 1930** none. 1931** 1932** Side Effects: 1933** puts all addresses on the argument vector onto the 1934** send queue. 1935*/ 1936 1937void 1938sendtoargv(argv, e) 1939 register char **argv; 1940 register ENVELOPE *e; 1941{ 1942 register char *p; 1943 1944 while ((p = *argv++) != NULL) 1945 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e); 1946} 1947 1948/* 1949** GETCTLADDR -- get controlling address from an address header. 1950** 1951** If none, get one corresponding to the effective userid. 1952** 1953** Parameters: 1954** a -- the address to find the controller of. 1955** 1956** Returns: 1957** the controlling address. 1958*/ 1959 1960ADDRESS * 1961getctladdr(a) 1962 register ADDRESS *a; 1963{ 1964 while (a != NULL && !bitset(QGOODUID, a->q_flags)) 1965 a = a->q_alias; 1966 return a; 1967} 1968 1969/* 1970** SELF_REFERENCE -- check to see if an address references itself 1971** 1972** The check is done through a chain of aliases. If it is part of 1973** a loop, break the loop at the "best" address, that is, the one 1974** that exists as a real user. 1975** 1976** This is to handle the case of: 1977** awc: Andrew.Chang 1978** Andrew.Chang: awc@mail.server 1979** which is a problem only on mail.server. 1980** 1981** Parameters: 1982** a -- the address to check. 1983** 1984** Returns: 1985** The address that should be retained. 1986*/ 1987 1988static ADDRESS * 1989self_reference(a) 1990 ADDRESS *a; 1991{ 1992 ADDRESS *b; /* top entry in self ref loop */ 1993 ADDRESS *c; /* entry that point to a real mail box */ 1994 1995 if (tTd(27, 1)) 1996 sm_dprintf("self_reference(%s)\n", a->q_paddr); 1997 1998 for (b = a->q_alias; b != NULL; b = b->q_alias) 1999 { 2000 if (sameaddr(a, b)) 2001 break; 2002 } 2003 2004 if (b == NULL) 2005 { 2006 if (tTd(27, 1)) 2007 sm_dprintf("\t... no self ref\n"); 2008 return NULL; 2009 } 2010 2011 /* 2012 ** Pick the first address that resolved to a real mail box 2013 ** i.e has a mbdb entry. The returned value will be marked 2014 ** QSELFREF in recipient(), which in turn will disable alias() 2015 ** from marking it as QS_IS_DEAD(), which mean it will be used 2016 ** as a deliverable address. 2017 ** 2018 ** The 2 key thing to note here are: 2019 ** 1) we are in a recursive call sequence: 2020 ** alias->sendtolist->recipient->alias 2021 ** 2) normally, when we return back to alias(), the address 2022 ** will be marked QS_EXPANDED, since alias() assumes the 2023 ** expanded form will be used instead of the current address. 2024 ** This behaviour is turned off if the address is marked 2025 ** QSELFREF. We set QSELFREF when we return to recipient(). 2026 */ 2027 2028 c = a; 2029 while (c != NULL) 2030 { 2031 if (tTd(27, 10)) 2032 sm_dprintf(" %s", c->q_user); 2033 if (bitnset(M_HASPWENT, c->q_mailer->m_flags)) 2034 { 2035 SM_MBDB_T user; 2036 2037 if (tTd(27, 2)) 2038 sm_dprintf("\t... getpwnam(%s)... ", c->q_user); 2039 if (sm_mbdb_lookup(c->q_user, &user) == EX_OK) 2040 { 2041 if (tTd(27, 2)) 2042 sm_dprintf("found\n"); 2043 2044 /* ought to cache results here */ 2045 if (sameaddr(b, c)) 2046 return b; 2047 else 2048 return c; 2049 } 2050 if (tTd(27, 2)) 2051 sm_dprintf("failed\n"); 2052 } 2053 else 2054 { 2055 /* if local delivery, compare usernames */ 2056 if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) && 2057 b->q_mailer == c->q_mailer) 2058 { 2059 if (tTd(27, 2)) 2060 sm_dprintf("\t... local match (%s)\n", 2061 c->q_user); 2062 if (sameaddr(b, c)) 2063 return b; 2064 else 2065 return c; 2066 } 2067 } 2068 if (tTd(27, 10)) 2069 sm_dprintf("\n"); 2070 c = c->q_alias; 2071 } 2072 2073 if (tTd(27, 1)) 2074 sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr); 2075 2076 return NULL; 2077} 2078