1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.44.1.6 (Berkeley) 03/05/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** e -- the envelope in which to add these recipients.
31 **
32 ** Returns:
33 ** The number of addresses actually on the list.
34 **
35 ** Side Effects:
36 ** none.
37 */
38
39 # define MAXRCRSN 10
40
41 sendtolist(list, ctladdr, sendq, e)
42 char *list;
43 ADDRESS *ctladdr;
44 ADDRESS **sendq;
45 register ENVELOPE *e;
46 {
47 register char *p;
48 register ADDRESS *al; /* list of addresses to send to */
49 bool firstone; /* set on first address sent */
50 char delimiter; /* the address delimiter */
51 int naddrs;
52 int i;
53 char *oldto = e->e_to;
54 char *bufp;
55 char buf[MAXNAME + 1];
56
57 if (list == NULL)
58 {
59 syserr("sendtolist: null list");
60 return 0;
61 }
62
63 if (tTd(25, 1))
64 {
65 printf("sendto: %s\n ctladdr=", list);
66 printaddr(ctladdr, FALSE);
67 }
68
69 /* heuristic to determine old versus new style addresses */
70 if (ctladdr == NULL &&
71 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
72 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
73 e->e_flags &= ~EF_OLDSTYLE;
74 delimiter = ' ';
75 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
76 delimiter = ',';
77
78 firstone = TRUE;
79 al = NULL;
80 naddrs = 0;
81
82 /* make sure we have enough space to copy the string */
83 i = strlen(list) + 1;
84 if (i <= sizeof buf)
85 bufp = buf;
86 else
87 bufp = xalloc(i);
88 strcpy(bufp, denlstring(list, FALSE, TRUE));
89
90 for (p = bufp; *p != '\0'; )
91 {
92 auto char *delimptr;
93 register ADDRESS *a;
94
95 /* parse the address */
96 while ((isascii(*p) && isspace(*p)) || *p == ',')
97 p++;
98 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
99 p = delimptr;
100 if (a == NULL)
101 continue;
102 a->q_next = al;
103 a->q_alias = ctladdr;
104
105 /* see if this should be marked as a primary address */
106 if (ctladdr == NULL ||
107 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
108 a->q_flags |= QPRIMARY;
109
110 if (ctladdr != NULL && sameaddr(ctladdr, a))
111 ctladdr->q_flags |= QSELFREF;
112 al = a;
113 firstone = FALSE;
114 }
115
116 /* arrange to send to everyone on the local send list */
117 while (al != NULL)
118 {
119 register ADDRESS *a = al;
120
121 al = a->q_next;
122 a = recipient(a, sendq, e);
123
124 /* arrange to inherit full name */
125 if (a->q_fullname == NULL && ctladdr != NULL)
126 a->q_fullname = ctladdr->q_fullname;
127 naddrs++;
128 }
129
130 e->e_to = oldto;
131 if (bufp != buf)
132 free(bufp);
133 return (naddrs);
134 }
135 �/*
136 ** RECIPIENT -- Designate a message recipient
137 **
138 ** Saves the named person for future mailing.
139 **
140 ** Parameters:
141 ** a -- the (preparsed) address header for the recipient.
142 ** sendq -- a pointer to the head of a queue to put the
143 ** recipient in. Duplicate supression is done
144 ** in this queue.
145 ** e -- the current envelope.
146 **
147 ** Returns:
148 ** The actual address in the queue. This will be "a" if
149 ** the address is not a duplicate, else the original address.
150 **
151 ** Side Effects:
152 ** none.
153 */
154
155 ADDRESS *
156 recipient(a, sendq, e)
157 register ADDRESS *a;
158 register ADDRESS **sendq;
159 register ENVELOPE *e;
160 {
161 register ADDRESS *q;
162 ADDRESS **pq;
163 register struct mailer *m;
164 register char *p;
165 bool quoted = FALSE; /* set if the addr has a quote bit */
166 int findusercount = 0;
167 char buf[MAXNAME]; /* unquoted image of the user name */
168 extern int safefile();
169
170 e->e_to = a->q_paddr;
171 m = a->q_mailer;
172 errno = 0;
173 if (tTd(26, 1))
174 {
175 printf("\nrecipient: ");
176 printaddr(a, FALSE);
177 }
178
179 /* if this is primary, add it to the original recipient list */
180 if (a->q_alias == NULL)
181 {
182 if (e->e_origrcpt == NULL)
183 e->e_origrcpt = a->q_paddr;
184 else if (e->e_origrcpt != a->q_paddr)
185 e->e_origrcpt = "";
186 }
187
188 /* break aliasing loops */
189 if (AliasLevel > MAXRCRSN)
190 {
191 usrerr("554 aliasing/forwarding loop broken");
192 return (a);
193 }
194
195 /*
196 ** Finish setting up address structure.
197 */
198
199 /* set the queue timeout */
200 a->q_timeout = TimeOuts.to_q_return;
201
202 /* get unquoted user for file, program or user.name check */
203 (void) strcpy(buf, a->q_user);
204 for (p = buf; *p != '\0' && !quoted; p++)
205 {
206 if (*p == '\\')
207 quoted = TRUE;
208 }
209 stripquotes(buf);
210
211 /* check for direct mailing to restricted mailers */
212 if (m == ProgMailer)
213 {
214 if (a->q_alias == NULL)
215 {
216 a->q_flags |= QBADADDR;
217 usrerr("550 Cannot mail directly to programs");
218 }
219 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
220 {
221 a->q_flags |= QBADADDR;
222 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
223 a->q_alias->q_ruser, MyHostName);
224 }
225 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
226 {
227 a->q_flags |= QBADADDR;
228 usrerr("550 Address %s is unsafe for mailing to programs",
229 a->q_alias->q_paddr);
230 }
231 }
232
233 /*
234 ** Look up this person in the recipient list.
235 ** If they are there already, return, otherwise continue.
236 ** If the list is empty, just add it. Notice the cute
237 ** hack to make from addresses suppress things correctly:
238 ** the QDONTSEND bit will be set in the send list.
239 ** [Please note: the emphasis is on "hack."]
240 */
241
242 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
243 {
244 if (sameaddr(q, a))
245 {
246 if (tTd(26, 1))
247 {
248 printf("%s in sendq: ", a->q_paddr);
249 printaddr(q, FALSE);
250 }
251 if (!bitset(QPRIMARY, q->q_flags))
252 {
253 if (!bitset(QDONTSEND, a->q_flags))
254 message("duplicate suppressed");
255 q->q_flags |= a->q_flags;
256 }
257 else if (bitset(QSELFREF, q->q_flags))
258 q->q_flags |= a->q_flags & ~QDONTSEND;
259 a = q;
260 goto testselfdestruct;
261 }
262 }
263
264 /* add address on list */
265 *pq = a;
266 a->q_next = NULL;
267
268 /*
269 ** Alias the name and handle special mailer types.
270 */
271
272 trylocaluser:
273 if (tTd(29, 7))
274 printf("at trylocaluser %s\n", a->q_user);
275
276 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
277 goto testselfdestruct;
278
279 if (m == InclMailer)
280 {
281 a->q_flags |= QDONTSEND;
282 if (a->q_alias == NULL)
283 {
284 a->q_flags |= QBADADDR;
285 usrerr("550 Cannot mail directly to :include:s");
286 }
287 else
288 {
289 int ret;
290
291 message("including file %s", a->q_user);
292 ret = include(a->q_user, FALSE, a, sendq, e);
293 if (transienterror(ret))
294 {
295 #ifdef LOG
296 if (LogLevel > 2)
297 syslog(LOG_ERR, "%s: include %s: transient error: %s",
298 e->e_id == NULL ? "NOQUEUE" : e->e_id,
299 a->q_user, errstring(ret));
300 #endif
301 a->q_flags |= QQUEUEUP;
302 a->q_flags &= ~QDONTSEND;
303 usrerr("451 Cannot open %s: %s",
304 a->q_user, errstring(ret));
305 }
306 else if (ret != 0)
307 {
308 a->q_flags |= QBADADDR;
309 usrerr("550 Cannot open %s: %s",
310 a->q_user, errstring(ret));
311 }
312 }
313 }
314 else if (m == FileMailer)
315 {
316 extern bool writable();
317
318 /* check if writable or creatable */
319 if (a->q_alias == NULL)
320 {
321 a->q_flags |= QBADADDR;
322 usrerr("550 Cannot mail directly to files");
323 }
324 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
325 {
326 a->q_flags |= QBADADDR;
327 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
328 a->q_alias->q_ruser, MyHostName);
329 }
330 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
331 {
332 a->q_flags |= QBADADDR;
333 usrerr("550 Address %s is unsafe for mailing to files",
334 a->q_alias->q_paddr);
335 }
336 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
337 {
338 a->q_flags |= QBADADDR;
339 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias, e);
340 }
341 }
342
343 if (m != LocalMailer)
344 {
345 if (!bitset(QDONTSEND, a->q_flags))
346 e->e_nrcpts++;
347 goto testselfdestruct;
348 }
349
350 /* try aliasing */
351 alias(a, sendq, e);
352
353 # ifdef USERDB
354 /* if not aliased, look it up in the user database */
355 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags))
356 {
357 extern int udbexpand();
358
359 if (udbexpand(a, sendq, e) == EX_TEMPFAIL)
360 {
361 a->q_flags |= QQUEUEUP;
362 if (e->e_message == NULL)
363 e->e_message = newstr("Deferred: user database error");
364 # ifdef LOG
365 if (LogLevel > 8)
366 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
367 e->e_id == NULL ? "NOQUEUE" : e->e_id,
368 errstring(errno));
369 # endif
370 message("queued (user database error): %s",
371 errstring(errno));
372 e->e_nrcpts++;
373 goto testselfdestruct;
374 }
375 }
376 # endif
377
378 /* if it was an alias or a UDB expansion, just return now */
379 if (bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags))
380 goto testselfdestruct;
381
382 /*
383 ** If we have a level two config file, then pass the name through
384 ** Ruleset 5 before sending it off. Ruleset 5 has the right
385 ** to send rewrite it to another mailer. This gives us a hook
386 ** after local aliasing has been done.
387 */
388
389 if (tTd(29, 5))
390 {
391 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
392 ConfigLevel, RewriteRules[5]);
393 printaddr(a, FALSE);
394 }
395 if (!bitset(QNOTREMOTE, a->q_flags) && ConfigLevel >= 2 &&
396 RewriteRules[5] != NULL)
397 {
398 maplocaluser(a, sendq, e);
399 }
400
401 /*
402 ** If it didn't get rewritten to another mailer, go ahead
403 ** and deliver it.
404 */
405
406 if (!bitset(QDONTSEND|QQUEUEUP, a->q_flags))
407 {
408 auto bool fuzzy;
409 register struct passwd *pw;
410 extern struct passwd *finduser();
411
412 /* warning -- finduser may trash buf */
413 pw = finduser(buf, &fuzzy);
414 if (pw == NULL)
415 {
416 a->q_flags |= QBADADDR;
417 giveresponse(EX_NOUSER, m, NULL, a->q_alias, e);
418 }
419 else
420 {
421 char nbuf[MAXNAME];
422
423 if (fuzzy)
424 {
425 /* name was a fuzzy match */
426 a->q_user = newstr(pw->pw_name);
427 if (findusercount++ > 3)
428 {
429 a->q_flags |= QBADADDR;
430 usrerr("554 aliasing/forwarding loop for %s broken",
431 pw->pw_name);
432 return (a);
433 }
434
435 /* see if it aliases */
436 (void) strcpy(buf, pw->pw_name);
437 goto trylocaluser;
438 }
439 if (strcmp(pw->pw_dir, "/") == 0)
440 a->q_home = "";
441 else
442 a->q_home = newstr(pw->pw_dir);
443 a->q_uid = pw->pw_uid;
444 a->q_gid = pw->pw_gid;
445 a->q_ruser = newstr(pw->pw_name);
446 a->q_flags |= QGOODUID;
447 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
448 if (nbuf[0] != '\0')
449 a->q_fullname = newstr(nbuf);
450 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
451 !usershellok(pw->pw_shell))
452 {
453 a->q_flags |= QBOGUSSHELL;
454 }
455 if (!quoted)
456 forward(a, sendq, e);
457 }
458 }
459 if (!bitset(QDONTSEND, a->q_flags))
460 e->e_nrcpts++;
461
462 testselfdestruct:
463 if (tTd(26, 8))
464 {
465 printf("testselfdestruct: ");
466 printaddr(a, TRUE);
467 }
468 if (a->q_alias == NULL && a != &e->e_from &&
469 bitset(QDONTSEND, a->q_flags))
470 {
471 q = *sendq;
472 while (q != NULL && bitset(QDONTSEND, q->q_flags))
473 q = q->q_next;
474 if (q == NULL)
475 {
476 a->q_flags |= QBADADDR;
477 usrerr("554 aliasing/forwarding loop broken");
478 }
479 }
480 return (a);
481 }
482 �/*
483 ** FINDUSER -- find the password entry for a user.
484 **
485 ** This looks a lot like getpwnam, except that it may want to
486 ** do some fancier pattern matching in /etc/passwd.
487 **
488 ** This routine contains most of the time of many sendmail runs.
489 ** It deserves to be optimized.
490 **
491 ** Parameters:
492 ** name -- the name to match against.
493 ** fuzzyp -- an outarg that is set to TRUE if this entry
494 ** was found using the fuzzy matching algorithm;
495 ** set to FALSE otherwise.
496 **
497 ** Returns:
498 ** A pointer to a pw struct.
499 ** NULL if name is unknown or ambiguous.
500 **
501 ** Side Effects:
502 ** may modify name.
503 */
504
505 struct passwd *
506 finduser(name, fuzzyp)
507 char *name;
508 bool *fuzzyp;
509 {
510 register struct passwd *pw;
511 register char *p;
512 extern struct passwd *getpwent();
513 extern struct passwd *getpwnam();
514
515 if (tTd(29, 4))
516 printf("finduser(%s): ", name);
517
518 *fuzzyp = FALSE;
519
520 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
521 for (p = name; *p != '\0'; p++)
522 if (!isascii(*p) || !isdigit(*p))
523 break;
524 if (*p == '\0')
525 {
526 if (tTd(29, 4))
527 printf("failed (numeric input)\n");
528 return NULL;
529 }
530
531 /* look up this login name using fast path */
532 if ((pw = getpwnam(name)) != NULL)
533 {
534 if (tTd(29, 4))
535 printf("found (non-fuzzy)\n");
536 return (pw);
537 }
538
539 #ifdef MATCHGECOS
540 /* see if fuzzy matching allowed */
541 if (!MatchGecos)
542 {
543 if (tTd(29, 4))
544 printf("not found (fuzzy disabled)\n");
545 return NULL;
546 }
547
548 /* search for a matching full name instead */
549 for (p = name; *p != '\0'; p++)
550 {
551 if (*p == (SpaceSub & 0177) || *p == '_')
552 *p = ' ';
553 }
554 (void) setpwent();
555 while ((pw = getpwent()) != NULL)
556 {
557 char buf[MAXNAME];
558
559 buildfname(pw->pw_gecos, pw->pw_name, buf);
560 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
561 {
562 if (tTd(29, 4))
563 printf("fuzzy matches %s\n", pw->pw_name);
564 message("sending to login name %s", pw->pw_name);
565 *fuzzyp = TRUE;
566 return (pw);
567 }
568 }
569 if (tTd(29, 4))
570 printf("no fuzzy match found\n");
571 #else
572 if (tTd(29, 4))
573 printf("not found (fuzzy disabled)\n");
574 #endif
575 return (NULL);
576 }
577 �/*
578 ** WRITABLE -- predicate returning if the file is writable.
579 **
580 ** This routine must duplicate the algorithm in sys/fio.c.
581 ** Unfortunately, we cannot use the access call since we
582 ** won't necessarily be the real uid when we try to
583 ** actually open the file.
584 **
585 ** Notice that ANY file with ANY execute bit is automatically
586 ** not writable. This is also enforced by mailfile.
587 **
588 ** Parameters:
589 ** filename -- the file name to check.
590 ** ctladdr -- the controlling address for this file.
591 ** flags -- SFF_* flags to control the function.
592 **
593 ** Returns:
594 ** TRUE -- if we will be able to write this file.
595 ** FALSE -- if we cannot write this file.
596 **
597 ** Side Effects:
598 ** none.
599 */
600
601 bool
602 writable(filename, ctladdr, flags)
603 char *filename;
604 ADDRESS *ctladdr;
605 int flags;
606 {
607 uid_t euid;
608 gid_t egid;
609 int bits;
610 register char *p;
611 char *uname;
612 struct stat stb;
613 extern char RealUserName[];
614
615 if (tTd(29, 5))
616 printf("writable(%s, %x)\n", filename, flags);
617
618 #ifdef HASLSTAT
619 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
620 : stat(filename, &stb)) < 0)
621 #else
622 if (stat(filename, &stb) < 0)
623 #endif
624 {
625 /* file does not exist -- see if directory is safe */
626 p = strrchr(filename, '/');
627 if (p == NULL)
628 {
629 errno = ENOTDIR;
630 return FALSE;
631 }
632 *p = '\0';
633 errno = safefile(filename, RealUid, RealGid, RealUserName,
634 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
635 *p = '/';
636 return errno == 0;
637 }
638
639 #ifdef SUID_ROOT_FILES_OK
640 /* really ought to be passed down -- and not a good idea */
641 flags |= SFF_ROOTOK;
642 #endif
643
644 /*
645 ** File does exist -- check that it is writable.
646 */
647
648 if (bitset(0111, stb.st_mode))
649 {
650 if (tTd(29, 5))
651 printf("failed (mode %o: x bits)\n", stb.st_mode);
652 errno = EPERM;
653 return (FALSE);
654 }
655
656 if (ctladdr != NULL && geteuid() == 0)
657 {
658 euid = ctladdr->q_uid;
659 egid = ctladdr->q_gid;
660 uname = ctladdr->q_user;
661 }
662 else
663 {
664 euid = RealUid;
665 egid = RealGid;
666 uname = RealUserName;
667 }
668 if (euid == 0)
669 {
670 euid = DefUid;
671 uname = DefUser;
672 }
673 if (egid == 0)
674 egid = DefGid;
675 if (geteuid() == 0)
676 {
677 if (bitset(S_ISUID, stb.st_mode) &&
678 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
679 {
680 euid = stb.st_uid;
681 uname = NULL;
682 }
683 if (bitset(S_ISGID, stb.st_mode) &&
684 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
685 egid = stb.st_gid;
686 }
687
688 if (tTd(29, 5))
689 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
690 euid, egid, stb.st_uid, stb.st_gid);
691
692 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
693 return errno == 0;
694 }
695 �/*
696 ** INCLUDE -- handle :include: specification.
697 **
698 ** Parameters:
699 ** fname -- filename to include.
700 ** forwarding -- if TRUE, we are reading a .forward file.
701 ** if FALSE, it's a :include: file.
702 ** ctladdr -- address template to use to fill in these
703 ** addresses -- effective user/group id are
704 ** the important things.
705 ** sendq -- a pointer to the head of the send queue
706 ** to put these addresses in.
707 **
708 ** Returns:
709 ** open error status
710 **
711 ** Side Effects:
712 ** reads the :include: file and sends to everyone
713 ** listed in that file.
714 **
715 ** Security Note:
716 ** If you have restricted chown (that is, you can't
717 ** give a file away), it is reasonable to allow programs
718 ** and files called from this :include: file to be to be
719 ** run as the owner of the :include: file. This is bogus
720 ** if there is any chance of someone giving away a file.
721 ** We assume that pre-POSIX systems can give away files.
722 **
723 ** There is an additional restriction that if you
724 ** forward to a :include: file, it will not take on
725 ** the ownership of the :include: file. This may not
726 ** be necessary, but shouldn't hurt.
727 */
728
729 static jmp_buf CtxIncludeTimeout;
730 static int includetimeout();
731
732 #ifndef S_IWOTH
733 # define S_IWOTH (S_IWRITE >> 6)
734 #endif
735
736 int
737 include(fname, forwarding, ctladdr, sendq, e)
738 char *fname;
739 bool forwarding;
740 ADDRESS *ctladdr;
741 ADDRESS **sendq;
742 ENVELOPE *e;
743 {
744 register FILE *fp = NULL;
745 char *oldto = e->e_to;
746 char *oldfilename = FileName;
747 int oldlinenumber = LineNumber;
748 register EVENT *ev = NULL;
749 int nincludes;
750 register ADDRESS *ca;
751 uid_t saveduid, uid;
752 gid_t savedgid, gid;
753 char *uname;
754 int rval = 0;
755 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
756 struct stat st;
757 char buf[MAXLINE];
758 #ifdef _POSIX_CHOWN_RESTRICTED
759 # if _POSIX_CHOWN_RESTRICTED == -1
760 # define safechown FALSE
761 # else
762 # define safechown TRUE
763 # endif
764 #else
765 # ifdef _PC_CHOWN_RESTRICTED
766 bool safechown;
767 # else
768 # ifdef BSD
769 # define safechown TRUE
770 # else
771 # define safechown FALSE
772 # endif
773 # endif
774 #endif
775 extern bool chownsafe();
776
777 if (tTd(27, 2))
778 printf("include(%s)\n", fname);
779 if (tTd(27, 4))
780 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
781 if (tTd(27, 14))
782 {
783 printf("ctladdr ");
784 printaddr(ctladdr, FALSE);
785 }
786
787 if (tTd(27, 9))
788 printf("include: old uid = %d/%d\n", getuid(), geteuid());
789
790 ca = getctladdr(ctladdr);
791 if (ca == NULL)
792 {
793 uid = DefUid;
794 gid = DefGid;
795 uname = DefUser;
796 saveduid = -1;
797 }
798 else
799 {
800 uid = ca->q_uid;
801 gid = ca->q_gid;
802 uname = ca->q_user;
803 #ifdef HASSETREUID
804 saveduid = geteuid();
805 savedgid = getegid();
806 if (saveduid == 0)
807 {
808 initgroups(uname, gid);
809 if (uid != 0)
810 (void) setreuid(0, uid);
811 }
812 #endif
813 }
814
815 if (tTd(27, 9))
816 printf("include: new uid = %d/%d\n", getuid(), geteuid());
817
818 /*
819 ** If home directory is remote mounted but server is down,
820 ** this can hang or give errors; use a timeout to avoid this
821 */
822
823 if (setjmp(CtxIncludeTimeout) != 0)
824 {
825 ctladdr->q_flags |= QQUEUEUP;
826 errno = 0;
827
828 /* return pseudo-error code */
829 rval = EOPENTIMEOUT;
830 goto resetuid;
831 }
832 ev = setevent((time_t) 60, includetimeout, 0);
833
834 /* the input file must be marked safe */
835 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
836 if (rval != 0)
837 {
838 /* don't use this :include: file */
839 if (tTd(27, 4))
840 printf("include: not safe (uid=%d): %s\n",
841 uid, errstring(rval));
842 }
843 else
844 {
845 fp = fopen(fname, "r");
846 if (fp == NULL)
847 {
848 rval = errno;
849 if (tTd(27, 4))
850 printf("include: open: %s\n", errstring(rval));
851 }
852 }
853 clrevent(ev);
854
855 resetuid:
856
857 #ifdef HASSETREUID
858 if (saveduid == 0)
859 {
860 if (uid != 0)
861 if (setreuid(-1, 0) < 0 || setreuid(RealUid, 0) < 0)
862 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
863 RealUid, getuid(), geteuid());
864 setgid(savedgid);
865 }
866 #endif
867
868 if (tTd(27, 9))
869 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
870
871 if (rval == EOPENTIMEOUT)
872 usrerr("451 open timeout on %s", fname);
873
874 if (fp == NULL)
875 return rval;
876
877 if (fstat(fileno(fp), &st) < 0)
878 {
879 rval = errno;
880 syserr("Cannot fstat %s!", fname);
881 return rval;
882 }
883
884 #ifndef safechown
885 safechown = chownsafe(fileno(fp));
886 #endif
887 if (ca == NULL && safechown)
888 {
889 ctladdr->q_uid = st.st_uid;
890 ctladdr->q_gid = st.st_gid;
891 ctladdr->q_flags |= QGOODUID;
892 }
893 if (ca != NULL && ca->q_uid == st.st_uid)
894 {
895 /* optimization -- avoid getpwuid if we already have info */
896 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
897 ctladdr->q_ruser = ca->q_ruser;
898 }
899 else
900 {
901 char *sh;
902 register struct passwd *pw;
903
904 sh = "/SENDMAIL/ANY/SHELL/";
905 pw = getpwuid(st.st_uid);
906 if (pw != NULL)
907 {
908 ctladdr->q_ruser = newstr(pw->pw_name);
909 if (safechown)
910 sh = pw->pw_shell;
911 }
912 if (pw == NULL)
913 ctladdr->q_flags |= QBOGUSSHELL;
914 else if(!usershellok(sh))
915 {
916 if (safechown)
917 ctladdr->q_flags |= QBOGUSSHELL;
918 else
919 ctladdr->q_flags |= QUNSAFEADDR;
920 }
921 }
922
923 if (bitset(EF_VRFYONLY, e->e_flags))
924 {
925 /* don't do any more now */
926 ctladdr->q_flags |= QVERIFIED;
927 e->e_nrcpts++;
928 xfclose(fp, "include", fname);
929 return rval;
930 }
931
932 /*
933 ** Check to see if some bad guy can write this file
934 **
935 ** This should really do something clever with group
936 ** permissions; currently we just view world writable
937 ** as unsafe. Also, we don't check for writable
938 ** directories in the path. We've got to leave
939 ** something for the local sysad to do.
940 */
941
942 if (bitset(S_IWOTH, st.st_mode))
943 ctladdr->q_flags |= QUNSAFEADDR;
944
945 /* read the file -- each line is a comma-separated list. */
946 FileName = fname;
947 LineNumber = 0;
948 ctladdr->q_flags &= ~QSELFREF;
949 nincludes = 0;
950 while (fgets(buf, sizeof buf, fp) != NULL)
951 {
952 register char *p = strchr(buf, '\n');
953
954 LineNumber++;
955 if (p != NULL)
956 *p = '\0';
957 if (buf[0] == '#' || buf[0] == '\0')
958 continue;
959 e->e_to = NULL;
960 message("%s to %s",
961 forwarding ? "forwarding" : "sending", buf);
962 #ifdef LOG
963 if (forwarding && LogLevel > 9)
964 syslog(LOG_INFO, "%s: forward %s => %s",
965 e->e_id == NULL ? "NOQUEUE" : e->e_id,
966 oldto, buf);
967 #endif
968
969 AliasLevel++;
970 nincludes += sendtolist(buf, ctladdr, sendq, e);
971 AliasLevel--;
972 }
973
974 if (ferror(fp) && tTd(27, 3))
975 printf("include: read error: %s\n", errstring(errno));
976 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
977 {
978 if (tTd(27, 5))
979 {
980 printf("include: QDONTSEND ");
981 printaddr(ctladdr, FALSE);
982 }
983 ctladdr->q_flags |= QDONTSEND;
984 }
985
986 (void) xfclose(fp, "include", fname);
987 FileName = oldfilename;
988 LineNumber = oldlinenumber;
989 e->e_to = oldto;
990 return rval;
991 }
992
993 static
994 includetimeout()
995 {
996 longjmp(CtxIncludeTimeout, 1);
997 }
998 �/*
999 ** SENDTOARGV -- send to an argument vector.
1000 **
1001 ** Parameters:
1002 ** argv -- argument vector to send to.
1003 ** e -- the current envelope.
1004 **
1005 ** Returns:
1006 ** none.
1007 **
1008 ** Side Effects:
1009 ** puts all addresses on the argument vector onto the
1010 ** send queue.
1011 */
1012
1013 sendtoargv(argv, e)
1014 register char **argv;
1015 register ENVELOPE *e;
1016 {
1017 register char *p;
1018
1019 while ((p = *argv++) != NULL)
1020 {
1021 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
1022 }
1023 }
1024 �/*
1025 ** GETCTLADDR -- get controlling address from an address header.
1026 **
1027 ** If none, get one corresponding to the effective userid.
1028 **
1029 ** Parameters:
1030 ** a -- the address to find the controller of.
1031 **
1032 ** Returns:
1033 ** the controlling address.
1034 **
1035 ** Side Effects:
1036 ** none.
1037 */
1038
1039 ADDRESS *
1040 getctladdr(a)
1041 register ADDRESS *a;
1042 {
1043 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1044 a = a->q_alias;
1045 return (a);
1046 }
1047