1 /*
2  * Copyright (c) 1983 Eric P. Allman
3  * Copyright (c) 1988, 1993
4  *	The Regents of the University of California.  All rights reserved.
5  *
6  * %sccs.include.redist.c%
7  */
8 
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c	8.69 (Berkeley) 03/05/95";
11 #endif /* not lint */
12 
13 # include "sendmail.h"
14 # include <pwd.h>
15 
16 /*
17 **  SENDTOLIST -- Designate a send list.
18 **
19 **	The parameter is a comma-separated list of people to send to.
20 **	This routine arranges to send to all of them.
21 **
22 **	Parameters:
23 **		list -- the send list.
24 **		ctladdr -- the address template for the person to
25 **			send to -- effective uid/gid are important.
26 **			This is typically the alias that caused this
27 **			expansion.
28 **		sendq -- a pointer to the head of a queue to put
29 **			these people into.
30 **		aliaslevel -- the current alias nesting depth -- to
31 **			diagnose loops.
32 **		e -- the envelope in which to add these recipients.
33 **
34 **	Returns:
35 **		The number of addresses actually on the list.
36 **
37 **	Side Effects:
38 **		none.
39 */
40 
41 #define MAXRCRSN	10	/* maximum levels of alias recursion */
42 
43 /* q_flags bits inherited from ctladdr */
44 #define QINHERITEDBITS	(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHAS_RET_PARAM|QRET_HDRS)
45 
46 int
47 sendtolist(list, ctladdr, sendq, aliaslevel, e)
48 	char *list;
49 	ADDRESS *ctladdr;
50 	ADDRESS **sendq;
51 	int aliaslevel;
52 	register ENVELOPE *e;
53 {
54 	register char *p;
55 	register ADDRESS *al;	/* list of addresses to send to */
56 	bool firstone;		/* set on first address sent */
57 	char delimiter;		/* the address delimiter */
58 	int naddrs;
59 	int i;
60 	char *oldto = e->e_to;
61 	char *bufp;
62 	char buf[MAXNAME + 1];
63 
64 	if (list == NULL)
65 	{
66 		syserr("sendtolist: null list");
67 		return 0;
68 	}
69 
70 	if (tTd(25, 1))
71 	{
72 		printf("sendto: %s\n   ctladdr=", list);
73 		printaddr(ctladdr, FALSE);
74 	}
75 
76 	/* heuristic to determine old versus new style addresses */
77 	if (ctladdr == NULL &&
78 	    (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
79 	     strchr(list, '<') != NULL || strchr(list, '(') != NULL))
80 		e->e_flags &= ~EF_OLDSTYLE;
81 	delimiter = ' ';
82 	if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
83 		delimiter = ',';
84 
85 	firstone = TRUE;
86 	al = NULL;
87 	naddrs = 0;
88 
89 	/* make sure we have enough space to copy the string */
90 	i = strlen(list) + 1;
91 	if (i <= sizeof buf)
92 		bufp = buf;
93 	else
94 		bufp = xalloc(i);
95 	strcpy(bufp, denlstring(list, FALSE, TRUE));
96 
97 	for (p = bufp; *p != '\0'; )
98 	{
99 		auto char *delimptr;
100 		register ADDRESS *a;
101 
102 		/* parse the address */
103 		while ((isascii(*p) && isspace(*p)) || *p == ',')
104 			p++;
105 		a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
106 		p = delimptr;
107 		if (a == NULL)
108 			continue;
109 		a->q_next = al;
110 		a->q_alias = ctladdr;
111 
112 		/* see if this should be marked as a primary address */
113 		if (ctladdr == NULL ||
114 		    (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
115 			a->q_flags |= QPRIMARY;
116 
117 		/* arrange to inherit attributes from parent */
118 		if (ctladdr != NULL)
119 		{
120 			/* self reference test */
121 			if (sameaddr(ctladdr, a))
122 				ctladdr->q_flags |= QSELFREF;
123 
124 			/* full name */
125 			if (a->q_fullname == NULL)
126 				a->q_fullname = ctladdr->q_fullname;
127 
128 			/* various flag bits */
129 			a->q_flags &= ~QINHERITEDBITS;
130 			a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
131 
132 			/* original recipient information */
133 			a->q_orcpt = ctladdr->q_orcpt;
134 		}
135 
136 		al = a;
137 		firstone = FALSE;
138 	}
139 
140 	/* arrange to send to everyone on the local send list */
141 	while (al != NULL)
142 	{
143 		register ADDRESS *a = al;
144 
145 		al = a->q_next;
146 		a = recipient(a, sendq, aliaslevel, e);
147 		naddrs++;
148 	}
149 
150 	e->e_to = oldto;
151 	if (bufp != buf)
152 		free(bufp);
153 	return (naddrs);
154 }
155 /*
156 **  RECIPIENT -- Designate a message recipient
157 **
158 **	Saves the named person for future mailing.
159 **
160 **	Parameters:
161 **		a -- the (preparsed) address header for the recipient.
162 **		sendq -- a pointer to the head of a queue to put the
163 **			recipient in.  Duplicate supression is done
164 **			in this queue.
165 **		aliaslevel -- the current alias nesting depth.
166 **		e -- the current envelope.
167 **
168 **	Returns:
169 **		The actual address in the queue.  This will be "a" if
170 **		the address is not a duplicate, else the original address.
171 **
172 **	Side Effects:
173 **		none.
174 */
175 
176 ADDRESS *
177 recipient(a, sendq, aliaslevel, e)
178 	register ADDRESS *a;
179 	register ADDRESS **sendq;
180 	int aliaslevel;
181 	register ENVELOPE *e;
182 {
183 	register ADDRESS *q;
184 	ADDRESS **pq;
185 	register struct mailer *m;
186 	register char *p;
187 	bool quoted = FALSE;		/* set if the addr has a quote bit */
188 	int findusercount = 0;
189 	int i;
190 	char *buf;
191 	char buf0[MAXNAME];		/* unquoted image of the user name */
192 	extern int safefile();
193 
194 	e->e_to = a->q_paddr;
195 	m = a->q_mailer;
196 	errno = 0;
197 	if (tTd(26, 1))
198 	{
199 		printf("\nrecipient: ");
200 		printaddr(a, FALSE);
201 	}
202 
203 	/* if this is primary, add it to the original recipient list */
204 	if (a->q_alias == NULL)
205 	{
206 		if (e->e_origrcpt == NULL)
207 			e->e_origrcpt = a->q_paddr;
208 		else if (e->e_origrcpt != a->q_paddr)
209 			e->e_origrcpt = "";
210 	}
211 
212 	/* break aliasing loops */
213 	if (aliaslevel > MAXRCRSN)
214 	{
215 		usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
216 			aliaslevel, MAXRCRSN);
217 		return (a);
218 	}
219 
220 	/*
221 	**  Finish setting up address structure.
222 	*/
223 
224 	/* get unquoted user for file, program or user.name check */
225 	i = strlen(a->q_user);
226 	if (i >= sizeof buf)
227 		buf = xalloc(i + 1);
228 	else
229 		buf = buf0;
230 	(void) strcpy(buf, a->q_user);
231 	for (p = buf; *p != '\0' && !quoted; p++)
232 	{
233 		if (*p == '\\')
234 			quoted = TRUE;
235 	}
236 	stripquotes(buf);
237 
238 	/* check for direct mailing to restricted mailers */
239 	if (m == ProgMailer)
240 	{
241 		if (a->q_alias == NULL)
242 		{
243 			a->q_flags |= QBADADDR;
244 			usrerr("550 Cannot mail directly to programs");
245 		}
246 		else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
247 		{
248 			a->q_flags |= QBADADDR;
249 			usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
250 				a->q_alias->q_ruser, MyHostName);
251 		}
252 		else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
253 		{
254 			a->q_flags |= QBADADDR;
255 			usrerr("550 Address %s is unsafe for mailing to programs",
256 				a->q_alias->q_paddr);
257 		}
258 	}
259 
260 	/*
261 	**  Look up this person in the recipient list.
262 	**	If they are there already, return, otherwise continue.
263 	**	If the list is empty, just add it.  Notice the cute
264 	**	hack to make from addresses suppress things correctly:
265 	**	the QDONTSEND bit will be set in the send list.
266 	**	[Please note: the emphasis is on "hack."]
267 	*/
268 
269 	for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
270 	{
271 		if (sameaddr(q, a))
272 		{
273 			if (tTd(26, 1))
274 			{
275 				printf("%s in sendq: ", a->q_paddr);
276 				printaddr(q, FALSE);
277 			}
278 			if (!bitset(QPRIMARY, q->q_flags))
279 			{
280 				if (!bitset(QDONTSEND, a->q_flags))
281 					message("duplicate suppressed");
282 				q->q_flags |= a->q_flags;
283 			}
284 			else if (bitset(QSELFREF, q->q_flags))
285 				q->q_flags |= a->q_flags & ~QDONTSEND;
286 			a = q;
287 			goto done;
288 		}
289 	}
290 
291 	/* add address on list */
292 	*pq = a;
293 	a->q_next = NULL;
294 
295 	/*
296 	**  Alias the name and handle special mailer types.
297 	*/
298 
299   trylocaluser:
300 	if (tTd(29, 7))
301 		printf("at trylocaluser %s\n", a->q_user);
302 
303 	if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
304 		goto testselfdestruct;
305 
306 	if (m == InclMailer)
307 	{
308 		a->q_flags |= QDONTSEND;
309 		if (a->q_alias == NULL)
310 		{
311 			a->q_flags |= QBADADDR;
312 			usrerr("550 Cannot mail directly to :include:s");
313 		}
314 		else
315 		{
316 			int ret;
317 
318 			message("including file %s", a->q_user);
319 			ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
320 			if (transienterror(ret))
321 			{
322 #ifdef LOG
323 				if (LogLevel > 2)
324 					syslog(LOG_ERR, "%s: include %s: transient error: %s",
325 						e->e_id == NULL ? "NOQUEUE" : e->e_id,
326 						a->q_user, errstring(ret));
327 #endif
328 				a->q_flags |= QQUEUEUP;
329 				a->q_flags &= ~QDONTSEND;
330 				usrerr("451 Cannot open %s: %s",
331 					a->q_user, errstring(ret));
332 			}
333 			else if (ret != 0)
334 			{
335 				a->q_flags |= QBADADDR;
336 				usrerr("550 Cannot open %s: %s",
337 					a->q_user, errstring(ret));
338 			}
339 		}
340 	}
341 	else if (m == FileMailer)
342 	{
343 		extern bool writable();
344 
345 		/* check if writable or creatable */
346 		if (a->q_alias == NULL)
347 		{
348 			a->q_flags |= QBADADDR;
349 			usrerr("550 Cannot mail directly to files");
350 		}
351 		else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
352 		{
353 			a->q_flags |= QBADADDR;
354 			usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
355 				a->q_alias->q_ruser, MyHostName);
356 		}
357 		else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
358 		{
359 			a->q_flags |= QBADADDR;
360 			usrerr("550 Address %s is unsafe for mailing to files",
361 				a->q_alias->q_paddr);
362 		}
363 		else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
364 		{
365 			a->q_flags |= QBADADDR;
366 			giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
367 				     (time_t) 0, e);
368 		}
369 	}
370 
371 	/* try aliasing */
372 	if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
373 		alias(a, sendq, aliaslevel, e);
374 
375 # ifdef USERDB
376 	/* if not aliased, look it up in the user database */
377 	if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
378 	    bitnset(M_CHECKUDB, m->m_flags))
379 	{
380 		extern int udbexpand();
381 
382 		if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
383 		{
384 			a->q_flags |= QQUEUEUP;
385 			if (e->e_message == NULL)
386 				e->e_message = newstr("Deferred: user database error");
387 # ifdef LOG
388 			if (LogLevel > 8)
389 				syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
390 					e->e_id == NULL ? "NOQUEUE" : e->e_id,
391 					errstring(errno));
392 # endif
393 			message("queued (user database error): %s",
394 				errstring(errno));
395 			e->e_nrcpts++;
396 			goto testselfdestruct;
397 		}
398 	}
399 # endif
400 
401 	/*
402 	**  If we have a level two config file, then pass the name through
403 	**  Ruleset 5 before sending it off.  Ruleset 5 has the right
404 	**  to send rewrite it to another mailer.  This gives us a hook
405 	**  after local aliasing has been done.
406 	*/
407 
408 	if (tTd(29, 5))
409 	{
410 		printf("recipient: testing local?  cl=%d, rr5=%x\n\t",
411 			ConfigLevel, RewriteRules[5]);
412 		printaddr(a, FALSE);
413 	}
414 	if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
415 	    ConfigLevel >= 2 && RewriteRules[5] != NULL &&
416 	    bitnset(M_TRYRULESET5, m->m_flags))
417 	{
418 		maplocaluser(a, sendq, aliaslevel, e);
419 	}
420 
421 	/*
422 	**  If it didn't get rewritten to another mailer, go ahead
423 	**  and deliver it.
424 	*/
425 
426 	if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
427 	    bitnset(M_HASPWENT, m->m_flags))
428 	{
429 		auto bool fuzzy;
430 		register struct passwd *pw;
431 		extern struct passwd *finduser();
432 
433 		/* warning -- finduser may trash buf */
434 		pw = finduser(buf, &fuzzy);
435 		if (pw == NULL)
436 		{
437 			a->q_flags |= QBADADDR;
438 			giveresponse(EX_NOUSER, m, NULL, a->q_alias,
439 				     (time_t) 0, e);
440 		}
441 		else
442 		{
443 			char nbuf[MAXNAME];
444 
445 			if (fuzzy)
446 			{
447 				/* name was a fuzzy match */
448 				a->q_user = newstr(pw->pw_name);
449 				if (findusercount++ > 3)
450 				{
451 					a->q_flags |= QBADADDR;
452 					usrerr("554 aliasing/forwarding loop for %s broken",
453 						pw->pw_name);
454 					goto done;
455 				}
456 
457 				/* see if it aliases */
458 				(void) strcpy(buf, pw->pw_name);
459 				goto trylocaluser;
460 			}
461 			if (strcmp(pw->pw_dir, "/") == 0)
462 				a->q_home = "";
463 			else
464 				a->q_home = newstr(pw->pw_dir);
465 			a->q_uid = pw->pw_uid;
466 			a->q_gid = pw->pw_gid;
467 			a->q_ruser = newstr(pw->pw_name);
468 			a->q_flags |= QGOODUID;
469 			buildfname(pw->pw_gecos, pw->pw_name, nbuf);
470 			if (nbuf[0] != '\0')
471 				a->q_fullname = newstr(nbuf);
472 			if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
473 			    !usershellok(pw->pw_shell))
474 			{
475 				a->q_flags |= QBOGUSSHELL;
476 			}
477 			if (!quoted)
478 				forward(a, sendq, aliaslevel, e);
479 		}
480 	}
481 	if (!bitset(QDONTSEND, a->q_flags))
482 		e->e_nrcpts++;
483 
484   testselfdestruct:
485 	if (tTd(26, 8))
486 	{
487 		printf("testselfdestruct: ");
488 		printaddr(a, TRUE);
489 	}
490 	if (a->q_alias == NULL && a != &e->e_from &&
491 	    bitset(QDONTSEND, a->q_flags))
492 	{
493 		q = *sendq;
494 		while (q != NULL && bitset(QDONTSEND, q->q_flags))
495 			q = q->q_next;
496 		if (q == NULL)
497 		{
498 			a->q_flags |= QBADADDR;
499 			usrerr("554 aliasing/forwarding loop broken");
500 		}
501 	}
502 
503   done:
504 	if (buf != buf0)
505 		free(buf);
506 	return (a);
507 }
508 /*
509 **  FINDUSER -- find the password entry for a user.
510 **
511 **	This looks a lot like getpwnam, except that it may want to
512 **	do some fancier pattern matching in /etc/passwd.
513 **
514 **	This routine contains most of the time of many sendmail runs.
515 **	It deserves to be optimized.
516 **
517 **	Parameters:
518 **		name -- the name to match against.
519 **		fuzzyp -- an outarg that is set to TRUE if this entry
520 **			was found using the fuzzy matching algorithm;
521 **			set to FALSE otherwise.
522 **
523 **	Returns:
524 **		A pointer to a pw struct.
525 **		NULL if name is unknown or ambiguous.
526 **
527 **	Side Effects:
528 **		may modify name.
529 */
530 
531 struct passwd *
532 finduser(name, fuzzyp)
533 	char *name;
534 	bool *fuzzyp;
535 {
536 	register struct passwd *pw;
537 	register char *p;
538 	extern struct passwd *getpwent();
539 	extern struct passwd *getpwnam();
540 
541 	if (tTd(29, 4))
542 		printf("finduser(%s): ", name);
543 
544 	*fuzzyp = FALSE;
545 
546 #ifdef HESIOD
547 	/* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
548 	for (p = name; *p != '\0'; p++)
549 		if (!isascii(*p) || !isdigit(*p))
550 			break;
551 	if (*p == '\0')
552 	{
553 		if (tTd(29, 4))
554 			printf("failed (numeric input)\n");
555 		return NULL;
556 	}
557 #endif
558 
559 	/* look up this login name using fast path */
560 	if ((pw = getpwnam(name)) != NULL)
561 	{
562 		if (tTd(29, 4))
563 			printf("found (non-fuzzy)\n");
564 		return (pw);
565 	}
566 
567 #ifdef MATCHGECOS
568 	/* see if fuzzy matching allowed */
569 	if (!MatchGecos)
570 	{
571 		if (tTd(29, 4))
572 			printf("not found (fuzzy disabled)\n");
573 		return NULL;
574 	}
575 
576 	/* search for a matching full name instead */
577 	for (p = name; *p != '\0'; p++)
578 	{
579 		if (*p == (SpaceSub & 0177) || *p == '_')
580 			*p = ' ';
581 	}
582 	(void) setpwent();
583 	while ((pw = getpwent()) != NULL)
584 	{
585 		char buf[MAXNAME];
586 
587 		buildfname(pw->pw_gecos, pw->pw_name, buf);
588 		if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
589 		{
590 			if (tTd(29, 4))
591 				printf("fuzzy matches %s\n", pw->pw_name);
592 			message("sending to login name %s", pw->pw_name);
593 			*fuzzyp = TRUE;
594 			return (pw);
595 		}
596 	}
597 	if (tTd(29, 4))
598 		printf("no fuzzy match found\n");
599 #else
600 	if (tTd(29, 4))
601 		printf("not found (fuzzy disabled)\n");
602 #endif
603 	return (NULL);
604 }
605 /*
606 **  WRITABLE -- predicate returning if the file is writable.
607 **
608 **	This routine must duplicate the algorithm in sys/fio.c.
609 **	Unfortunately, we cannot use the access call since we
610 **	won't necessarily be the real uid when we try to
611 **	actually open the file.
612 **
613 **	Notice that ANY file with ANY execute bit is automatically
614 **	not writable.  This is also enforced by mailfile.
615 **
616 **	Parameters:
617 **		filename -- the file name to check.
618 **		ctladdr -- the controlling address for this file.
619 **		flags -- SFF_* flags to control the function.
620 **
621 **	Returns:
622 **		TRUE -- if we will be able to write this file.
623 **		FALSE -- if we cannot write this file.
624 **
625 **	Side Effects:
626 **		none.
627 */
628 
629 bool
630 writable(filename, ctladdr, flags)
631 	char *filename;
632 	ADDRESS *ctladdr;
633 	int flags;
634 {
635 	uid_t euid;
636 	gid_t egid;
637 	int bits;
638 	register char *p;
639 	char *uname;
640 	struct stat stb;
641 	extern char RealUserName[];
642 
643 	if (tTd(29, 5))
644 		printf("writable(%s, %x)\n", filename, flags);
645 
646 #ifdef HASLSTAT
647 	if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
648 					: stat(filename, &stb)) < 0)
649 #else
650 	if (stat(filename, &stb) < 0)
651 #endif
652 	{
653 		/* file does not exist -- see if directory is safe */
654 		p = strrchr(filename, '/');
655 		if (p == NULL)
656 		{
657 			errno = ENOTDIR;
658 			return FALSE;
659 		}
660 		*p = '\0';
661 		errno = safefile(filename, RealUid, RealGid, RealUserName,
662 				 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
663 		*p = '/';
664 		return errno == 0;
665 	}
666 
667 #ifdef SUID_ROOT_FILES_OK
668 	/* really ought to be passed down -- and not a good idea */
669 	flags |= SFF_ROOTOK;
670 #endif
671 
672 	/*
673 	**  File does exist -- check that it is writable.
674 	*/
675 
676 	if (bitset(0111, stb.st_mode))
677 	{
678 		if (tTd(29, 5))
679 			printf("failed (mode %o: x bits)\n", stb.st_mode);
680 		errno = EPERM;
681 		return (FALSE);
682 	}
683 
684 	if (ctladdr != NULL && geteuid() == 0)
685 	{
686 		euid = ctladdr->q_uid;
687 		egid = ctladdr->q_gid;
688 		uname = ctladdr->q_user;
689 	}
690 #ifdef RUN_AS_REAL_UID
691 	else
692 	{
693 		euid = RealUid;
694 		egid = RealGid;
695 		uname = RealUserName;
696 	}
697 #else
698 	else if (FileMailer != NULL)
699 	{
700 		euid = FileMailer->m_uid;
701 		egid = FileMailer->m_gid;
702 	}
703 	else
704 	{
705 		euid = egid = 0;
706 	}
707 #endif
708 	if (euid == 0)
709 	{
710 		euid = DefUid;
711 		uname = DefUser;
712 	}
713 	if (egid == 0)
714 		egid = DefGid;
715 	if (geteuid() == 0)
716 	{
717 		if (bitset(S_ISUID, stb.st_mode) &&
718 		    (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
719 		{
720 			euid = stb.st_uid;
721 			uname = NULL;
722 		}
723 		if (bitset(S_ISGID, stb.st_mode) &&
724 		    (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
725 			egid = stb.st_gid;
726 	}
727 
728 	if (tTd(29, 5))
729 		printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
730 			euid, egid, stb.st_uid, stb.st_gid);
731 
732 	errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
733 	return errno == 0;
734 }
735 /*
736 **  INCLUDE -- handle :include: specification.
737 **
738 **	Parameters:
739 **		fname -- filename to include.
740 **		forwarding -- if TRUE, we are reading a .forward file.
741 **			if FALSE, it's a :include: file.
742 **		ctladdr -- address template to use to fill in these
743 **			addresses -- effective user/group id are
744 **			the important things.
745 **		sendq -- a pointer to the head of the send queue
746 **			to put these addresses in.
747 **		aliaslevel -- the alias nesting depth.
748 **		e -- the current envelope.
749 **
750 **	Returns:
751 **		open error status
752 **
753 **	Side Effects:
754 **		reads the :include: file and sends to everyone
755 **		listed in that file.
756 **
757 **	Security Note:
758 **		If you have restricted chown (that is, you can't
759 **		give a file away), it is reasonable to allow programs
760 **		and files called from this :include: file to be to be
761 **		run as the owner of the :include: file.  This is bogus
762 **		if there is any chance of someone giving away a file.
763 **		We assume that pre-POSIX systems can give away files.
764 **
765 **		There is an additional restriction that if you
766 **		forward to a :include: file, it will not take on
767 **		the ownership of the :include: file.  This may not
768 **		be necessary, but shouldn't hurt.
769 */
770 
771 static jmp_buf	CtxIncludeTimeout;
772 static void	includetimeout();
773 
774 #ifndef S_IWOTH
775 # define S_IWOTH	(S_IWRITE >> 6)
776 #endif
777 
778 int
779 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
780 	char *fname;
781 	bool forwarding;
782 	ADDRESS *ctladdr;
783 	ADDRESS **sendq;
784 	int aliaslevel;
785 	ENVELOPE *e;
786 {
787 	FILE *fp = NULL;
788 	char *oldto = e->e_to;
789 	char *oldfilename = FileName;
790 	int oldlinenumber = LineNumber;
791 	register EVENT *ev = NULL;
792 	int nincludes;
793 	register ADDRESS *ca;
794 	uid_t saveduid, uid;
795 	gid_t savedgid, gid;
796 	char *uname;
797 	int rval = 0;
798 	int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
799 	struct stat st;
800 	char buf[MAXLINE];
801 #ifdef _POSIX_CHOWN_RESTRICTED
802 # if _POSIX_CHOWN_RESTRICTED == -1
803 #  define safechown	FALSE
804 # else
805 #  define safechown	TRUE
806 # endif
807 #else
808 # ifdef _PC_CHOWN_RESTRICTED
809 	bool safechown;
810 # else
811 #  ifdef BSD
812 #   define safechown	TRUE
813 #  else
814 #   define safechown	FALSE
815 #  endif
816 # endif
817 #endif
818 	extern bool chownsafe();
819 
820 	if (tTd(27, 2))
821 		printf("include(%s)\n", fname);
822 	if (tTd(27, 4))
823 		printf("   ruid=%d euid=%d\n", getuid(), geteuid());
824 	if (tTd(27, 14))
825 	{
826 		printf("ctladdr ");
827 		printaddr(ctladdr, FALSE);
828 	}
829 
830 	if (tTd(27, 9))
831 		printf("include: old uid = %d/%d\n", getuid(), geteuid());
832 
833 	ca = getctladdr(ctladdr);
834 	if (ca == NULL)
835 	{
836 		uid = DefUid;
837 		gid = DefGid;
838 		uname = DefUser;
839 	}
840 	else
841 	{
842 		uid = ca->q_uid;
843 		gid = ca->q_gid;
844 		uname = ca->q_user;
845 	}
846 #ifdef HASSETREUID
847 	saveduid = geteuid();
848 	savedgid = getegid();
849 	if (saveduid == 0)
850 	{
851 		initgroups(uname, gid);
852 		if (uid != 0)
853 		{
854 			if (setreuid(0, uid) < 0)
855 				syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
856 					uid, getuid(), geteuid());
857 			else
858 				sfflags |= SFF_NOPATHCHECK;
859 		}
860 	}
861 #endif
862 
863 	if (tTd(27, 9))
864 		printf("include: new uid = %d/%d\n", getuid(), geteuid());
865 
866 	/*
867 	**  If home directory is remote mounted but server is down,
868 	**  this can hang or give errors; use a timeout to avoid this
869 	*/
870 
871 	if (setjmp(CtxIncludeTimeout) != 0)
872 	{
873 		ctladdr->q_flags |= QQUEUEUP;
874 		errno = 0;
875 
876 		/* return pseudo-error code */
877 		rval = EOPENTIMEOUT;
878 		goto resetuid;
879 	}
880 	if (TimeOuts.to_fileopen > 0)
881 		ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
882 	else
883 		ev = NULL;
884 
885 	/* the input file must be marked safe */
886 	rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
887 	if (rval != 0)
888 	{
889 		/* don't use this :include: file */
890 		if (tTd(27, 4))
891 			printf("include: not safe (uid=%d): %s\n",
892 				uid, errstring(rval));
893 	}
894 	else
895 	{
896 		fp = fopen(fname, "r");
897 		if (fp == NULL)
898 		{
899 			rval = errno;
900 			if (tTd(27, 4))
901 				printf("include: open: %s\n", errstring(rval));
902 		}
903 	}
904 	if (ev != NULL)
905 		clrevent(ev);
906 
907 resetuid:
908 
909 #ifdef HASSETREUID
910 	if (saveduid == 0)
911 	{
912 		if (uid != 0)
913 		{
914 			if (setreuid(-1, 0) < 0)
915 				syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
916 					getuid(), geteuid());
917 			if (setreuid(RealUid, 0) < 0)
918 				syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
919 					RealUid, getuid(), geteuid());
920 		}
921 		setgid(savedgid);
922 	}
923 #endif
924 
925 	if (tTd(27, 9))
926 		printf("include: reset uid = %d/%d\n", getuid(), geteuid());
927 
928 	if (rval == EOPENTIMEOUT)
929 		usrerr("451 open timeout on %s", fname);
930 
931 	if (fp == NULL)
932 		return rval;
933 
934 	if (fstat(fileno(fp), &st) < 0)
935 	{
936 		rval = errno;
937 		syserr("Cannot fstat %s!", fname);
938 		return rval;
939 	}
940 
941 #ifndef safechown
942 	safechown = chownsafe(fileno(fp));
943 #endif
944 	if (ca == NULL && safechown)
945 	{
946 		ctladdr->q_uid = st.st_uid;
947 		ctladdr->q_gid = st.st_gid;
948 		ctladdr->q_flags |= QGOODUID;
949 	}
950 	if (ca != NULL && ca->q_uid == st.st_uid)
951 	{
952 		/* optimization -- avoid getpwuid if we already have info */
953 		ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
954 		ctladdr->q_ruser = ca->q_ruser;
955 	}
956 	else
957 	{
958 		register struct passwd *pw;
959 
960 		pw = getpwuid(st.st_uid);
961 		if (pw == NULL)
962 			ctladdr->q_flags |= QBOGUSSHELL;
963 		else
964 		{
965 			char *sh;
966 
967 			ctladdr->q_ruser = newstr(pw->pw_name);
968 			if (safechown)
969 				sh = pw->pw_shell;
970 			else
971 				sh = "/SENDMAIL/ANY/SHELL/";
972 			if (!usershellok(sh))
973 			{
974 				if (safechown)
975 					ctladdr->q_flags |= QBOGUSSHELL;
976 				else
977 					ctladdr->q_flags |= QUNSAFEADDR;
978 			}
979 		}
980 	}
981 
982 	if (bitset(EF_VRFYONLY, e->e_flags))
983 	{
984 		/* don't do any more now */
985 		ctladdr->q_flags |= QVERIFIED;
986 		e->e_nrcpts++;
987 		xfclose(fp, "include", fname);
988 		return rval;
989 	}
990 
991 	/*
992 	** Check to see if some bad guy can write this file
993 	**
994 	**	This should really do something clever with group
995 	**	permissions; currently we just view world writable
996 	**	as unsafe.  Also, we don't check for writable
997 	**	directories in the path.  We've got to leave
998 	**	something for the local sysad to do.
999 	*/
1000 
1001 	if (bitset(S_IWOTH, st.st_mode))
1002 		ctladdr->q_flags |= QUNSAFEADDR;
1003 
1004 	/* read the file -- each line is a comma-separated list. */
1005 	FileName = fname;
1006 	LineNumber = 0;
1007 	ctladdr->q_flags &= ~QSELFREF;
1008 	nincludes = 0;
1009 	while (fgets(buf, sizeof buf, fp) != NULL)
1010 	{
1011 		register char *p = strchr(buf, '\n');
1012 
1013 		LineNumber++;
1014 		if (p != NULL)
1015 			*p = '\0';
1016 		if (buf[0] == '#' || buf[0] == '\0')
1017 			continue;
1018 		e->e_to = NULL;
1019 		message("%s to %s",
1020 			forwarding ? "forwarding" : "sending", buf);
1021 #ifdef LOG
1022 		if (forwarding && LogLevel > 9)
1023 			syslog(LOG_INFO, "%s: forward %s => %s",
1024 				e->e_id == NULL ? "NOQUEUE" : e->e_id,
1025 				oldto, buf);
1026 #endif
1027 
1028 		nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1029 	}
1030 
1031 	if (ferror(fp) && tTd(27, 3))
1032 		printf("include: read error: %s\n", errstring(errno));
1033 	if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1034 	{
1035 		if (tTd(27, 5))
1036 		{
1037 			printf("include: QDONTSEND ");
1038 			printaddr(ctladdr, FALSE);
1039 		}
1040 		ctladdr->q_flags |= QDONTSEND;
1041 	}
1042 
1043 	(void) xfclose(fp, "include", fname);
1044 	FileName = oldfilename;
1045 	LineNumber = oldlinenumber;
1046 	e->e_to = oldto;
1047 	return rval;
1048 }
1049 
1050 static void
1051 includetimeout()
1052 {
1053 	longjmp(CtxIncludeTimeout, 1);
1054 }
1055 /*
1056 **  SENDTOARGV -- send to an argument vector.
1057 **
1058 **	Parameters:
1059 **		argv -- argument vector to send to.
1060 **		e -- the current envelope.
1061 **
1062 **	Returns:
1063 **		none.
1064 **
1065 **	Side Effects:
1066 **		puts all addresses on the argument vector onto the
1067 **			send queue.
1068 */
1069 
1070 sendtoargv(argv, e)
1071 	register char **argv;
1072 	register ENVELOPE *e;
1073 {
1074 	register char *p;
1075 
1076 	while ((p = *argv++) != NULL)
1077 	{
1078 		(void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1079 	}
1080 }
1081 /*
1082 **  GETCTLADDR -- get controlling address from an address header.
1083 **
1084 **	If none, get one corresponding to the effective userid.
1085 **
1086 **	Parameters:
1087 **		a -- the address to find the controller of.
1088 **
1089 **	Returns:
1090 **		the controlling address.
1091 **
1092 **	Side Effects:
1093 **		none.
1094 */
1095 
1096 ADDRESS *
1097 getctladdr(a)
1098 	register ADDRESS *a;
1099 {
1100 	while (a != NULL && !bitset(QGOODUID, a->q_flags))
1101 		a = a->q_alias;
1102 	return (a);
1103 }
1104