1 /*
2 * Copyright (c) 1983 Eric P. Allman
3 * Copyright (c) 1988, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * %sccs.include.redist.c%
7 */
8
9 #ifndef lint
10 static char sccsid[] = "@(#)recipient.c 8.69 (Berkeley) 03/05/95";
11 #endif /* not lint */
12
13 # include "sendmail.h"
14 # include <pwd.h>
15
16 /*
17 ** SENDTOLIST -- Designate a send list.
18 **
19 ** The parameter is a comma-separated list of people to send to.
20 ** This routine arranges to send to all of them.
21 **
22 ** Parameters:
23 ** list -- the send list.
24 ** ctladdr -- the address template for the person to
25 ** send to -- effective uid/gid are important.
26 ** This is typically the alias that caused this
27 ** expansion.
28 ** sendq -- a pointer to the head of a queue to put
29 ** these people into.
30 ** aliaslevel -- the current alias nesting depth -- to
31 ** diagnose loops.
32 ** e -- the envelope in which to add these recipients.
33 **
34 ** Returns:
35 ** The number of addresses actually on the list.
36 **
37 ** Side Effects:
38 ** none.
39 */
40
41 #define MAXRCRSN 10 /* maximum levels of alias recursion */
42
43 /* q_flags bits inherited from ctladdr */
44 #define QINHERITEDBITS (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHAS_RET_PARAM|QRET_HDRS)
45
46 int
47 sendtolist(list, ctladdr, sendq, aliaslevel, e)
48 char *list;
49 ADDRESS *ctladdr;
50 ADDRESS **sendq;
51 int aliaslevel;
52 register ENVELOPE *e;
53 {
54 register char *p;
55 register ADDRESS *al; /* list of addresses to send to */
56 bool firstone; /* set on first address sent */
57 char delimiter; /* the address delimiter */
58 int naddrs;
59 int i;
60 char *oldto = e->e_to;
61 char *bufp;
62 char buf[MAXNAME + 1];
63
64 if (list == NULL)
65 {
66 syserr("sendtolist: null list");
67 return 0;
68 }
69
70 if (tTd(25, 1))
71 {
72 printf("sendto: %s\n ctladdr=", list);
73 printaddr(ctladdr, FALSE);
74 }
75
76 /* heuristic to determine old versus new style addresses */
77 if (ctladdr == NULL &&
78 (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
79 strchr(list, '<') != NULL || strchr(list, '(') != NULL))
80 e->e_flags &= ~EF_OLDSTYLE;
81 delimiter = ' ';
82 if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
83 delimiter = ',';
84
85 firstone = TRUE;
86 al = NULL;
87 naddrs = 0;
88
89 /* make sure we have enough space to copy the string */
90 i = strlen(list) + 1;
91 if (i <= sizeof buf)
92 bufp = buf;
93 else
94 bufp = xalloc(i);
95 strcpy(bufp, denlstring(list, FALSE, TRUE));
96
97 for (p = bufp; *p != '\0'; )
98 {
99 auto char *delimptr;
100 register ADDRESS *a;
101
102 /* parse the address */
103 while ((isascii(*p) && isspace(*p)) || *p == ',')
104 p++;
105 a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter, &delimptr, e);
106 p = delimptr;
107 if (a == NULL)
108 continue;
109 a->q_next = al;
110 a->q_alias = ctladdr;
111
112 /* see if this should be marked as a primary address */
113 if (ctladdr == NULL ||
114 (firstone && *p == '\0' && bitset(QPRIMARY, ctladdr->q_flags)))
115 a->q_flags |= QPRIMARY;
116
117 /* arrange to inherit attributes from parent */
118 if (ctladdr != NULL)
119 {
120 /* self reference test */
121 if (sameaddr(ctladdr, a))
122 ctladdr->q_flags |= QSELFREF;
123
124 /* full name */
125 if (a->q_fullname == NULL)
126 a->q_fullname = ctladdr->q_fullname;
127
128 /* various flag bits */
129 a->q_flags &= ~QINHERITEDBITS;
130 a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;
131
132 /* original recipient information */
133 a->q_orcpt = ctladdr->q_orcpt;
134 }
135
136 al = a;
137 firstone = FALSE;
138 }
139
140 /* arrange to send to everyone on the local send list */
141 while (al != NULL)
142 {
143 register ADDRESS *a = al;
144
145 al = a->q_next;
146 a = recipient(a, sendq, aliaslevel, e);
147 naddrs++;
148 }
149
150 e->e_to = oldto;
151 if (bufp != buf)
152 free(bufp);
153 return (naddrs);
154 }
155 �/*
156 ** RECIPIENT -- Designate a message recipient
157 **
158 ** Saves the named person for future mailing.
159 **
160 ** Parameters:
161 ** a -- the (preparsed) address header for the recipient.
162 ** sendq -- a pointer to the head of a queue to put the
163 ** recipient in. Duplicate supression is done
164 ** in this queue.
165 ** aliaslevel -- the current alias nesting depth.
166 ** e -- the current envelope.
167 **
168 ** Returns:
169 ** The actual address in the queue. This will be "a" if
170 ** the address is not a duplicate, else the original address.
171 **
172 ** Side Effects:
173 ** none.
174 */
175
176 ADDRESS *
177 recipient(a, sendq, aliaslevel, e)
178 register ADDRESS *a;
179 register ADDRESS **sendq;
180 int aliaslevel;
181 register ENVELOPE *e;
182 {
183 register ADDRESS *q;
184 ADDRESS **pq;
185 register struct mailer *m;
186 register char *p;
187 bool quoted = FALSE; /* set if the addr has a quote bit */
188 int findusercount = 0;
189 int i;
190 char *buf;
191 char buf0[MAXNAME]; /* unquoted image of the user name */
192 extern int safefile();
193
194 e->e_to = a->q_paddr;
195 m = a->q_mailer;
196 errno = 0;
197 if (tTd(26, 1))
198 {
199 printf("\nrecipient: ");
200 printaddr(a, FALSE);
201 }
202
203 /* if this is primary, add it to the original recipient list */
204 if (a->q_alias == NULL)
205 {
206 if (e->e_origrcpt == NULL)
207 e->e_origrcpt = a->q_paddr;
208 else if (e->e_origrcpt != a->q_paddr)
209 e->e_origrcpt = "";
210 }
211
212 /* break aliasing loops */
213 if (aliaslevel > MAXRCRSN)
214 {
215 usrerr("554 aliasing/forwarding loop broken (%d aliases deep; %d max",
216 aliaslevel, MAXRCRSN);
217 return (a);
218 }
219
220 /*
221 ** Finish setting up address structure.
222 */
223
224 /* get unquoted user for file, program or user.name check */
225 i = strlen(a->q_user);
226 if (i >= sizeof buf)
227 buf = xalloc(i + 1);
228 else
229 buf = buf0;
230 (void) strcpy(buf, a->q_user);
231 for (p = buf; *p != '\0' && !quoted; p++)
232 {
233 if (*p == '\\')
234 quoted = TRUE;
235 }
236 stripquotes(buf);
237
238 /* check for direct mailing to restricted mailers */
239 if (m == ProgMailer)
240 {
241 if (a->q_alias == NULL)
242 {
243 a->q_flags |= QBADADDR;
244 usrerr("550 Cannot mail directly to programs");
245 }
246 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
247 {
248 a->q_flags |= QBADADDR;
249 usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
250 a->q_alias->q_ruser, MyHostName);
251 }
252 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
253 {
254 a->q_flags |= QBADADDR;
255 usrerr("550 Address %s is unsafe for mailing to programs",
256 a->q_alias->q_paddr);
257 }
258 }
259
260 /*
261 ** Look up this person in the recipient list.
262 ** If they are there already, return, otherwise continue.
263 ** If the list is empty, just add it. Notice the cute
264 ** hack to make from addresses suppress things correctly:
265 ** the QDONTSEND bit will be set in the send list.
266 ** [Please note: the emphasis is on "hack."]
267 */
268
269 for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
270 {
271 if (sameaddr(q, a))
272 {
273 if (tTd(26, 1))
274 {
275 printf("%s in sendq: ", a->q_paddr);
276 printaddr(q, FALSE);
277 }
278 if (!bitset(QPRIMARY, q->q_flags))
279 {
280 if (!bitset(QDONTSEND, a->q_flags))
281 message("duplicate suppressed");
282 q->q_flags |= a->q_flags;
283 }
284 else if (bitset(QSELFREF, q->q_flags))
285 q->q_flags |= a->q_flags & ~QDONTSEND;
286 a = q;
287 goto done;
288 }
289 }
290
291 /* add address on list */
292 *pq = a;
293 a->q_next = NULL;
294
295 /*
296 ** Alias the name and handle special mailer types.
297 */
298
299 trylocaluser:
300 if (tTd(29, 7))
301 printf("at trylocaluser %s\n", a->q_user);
302
303 if (bitset(QDONTSEND|QBADADDR|QVERIFIED, a->q_flags))
304 goto testselfdestruct;
305
306 if (m == InclMailer)
307 {
308 a->q_flags |= QDONTSEND;
309 if (a->q_alias == NULL)
310 {
311 a->q_flags |= QBADADDR;
312 usrerr("550 Cannot mail directly to :include:s");
313 }
314 else
315 {
316 int ret;
317
318 message("including file %s", a->q_user);
319 ret = include(a->q_user, FALSE, a, sendq, aliaslevel, e);
320 if (transienterror(ret))
321 {
322 #ifdef LOG
323 if (LogLevel > 2)
324 syslog(LOG_ERR, "%s: include %s: transient error: %s",
325 e->e_id == NULL ? "NOQUEUE" : e->e_id,
326 a->q_user, errstring(ret));
327 #endif
328 a->q_flags |= QQUEUEUP;
329 a->q_flags &= ~QDONTSEND;
330 usrerr("451 Cannot open %s: %s",
331 a->q_user, errstring(ret));
332 }
333 else if (ret != 0)
334 {
335 a->q_flags |= QBADADDR;
336 usrerr("550 Cannot open %s: %s",
337 a->q_user, errstring(ret));
338 }
339 }
340 }
341 else if (m == FileMailer)
342 {
343 extern bool writable();
344
345 /* check if writable or creatable */
346 if (a->q_alias == NULL)
347 {
348 a->q_flags |= QBADADDR;
349 usrerr("550 Cannot mail directly to files");
350 }
351 else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
352 {
353 a->q_flags |= QBADADDR;
354 usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
355 a->q_alias->q_ruser, MyHostName);
356 }
357 else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
358 {
359 a->q_flags |= QBADADDR;
360 usrerr("550 Address %s is unsafe for mailing to files",
361 a->q_alias->q_paddr);
362 }
363 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
364 {
365 a->q_flags |= QBADADDR;
366 giveresponse(EX_CANTCREAT, m, NULL, a->q_alias,
367 (time_t) 0, e);
368 }
369 }
370
371 /* try aliasing */
372 if (!bitset(QDONTSEND, a->q_flags) && bitnset(M_ALIASABLE, m->m_flags))
373 alias(a, sendq, aliaslevel, e);
374
375 # ifdef USERDB
376 /* if not aliased, look it up in the user database */
377 if (!bitset(QDONTSEND|QNOTREMOTE|QVERIFIED, a->q_flags) &&
378 bitnset(M_CHECKUDB, m->m_flags))
379 {
380 extern int udbexpand();
381
382 if (udbexpand(a, sendq, aliaslevel, e) == EX_TEMPFAIL)
383 {
384 a->q_flags |= QQUEUEUP;
385 if (e->e_message == NULL)
386 e->e_message = newstr("Deferred: user database error");
387 # ifdef LOG
388 if (LogLevel > 8)
389 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
390 e->e_id == NULL ? "NOQUEUE" : e->e_id,
391 errstring(errno));
392 # endif
393 message("queued (user database error): %s",
394 errstring(errno));
395 e->e_nrcpts++;
396 goto testselfdestruct;
397 }
398 }
399 # endif
400
401 /*
402 ** If we have a level two config file, then pass the name through
403 ** Ruleset 5 before sending it off. Ruleset 5 has the right
404 ** to send rewrite it to another mailer. This gives us a hook
405 ** after local aliasing has been done.
406 */
407
408 if (tTd(29, 5))
409 {
410 printf("recipient: testing local? cl=%d, rr5=%x\n\t",
411 ConfigLevel, RewriteRules[5]);
412 printaddr(a, FALSE);
413 }
414 if (!bitset(QNOTREMOTE|QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
415 ConfigLevel >= 2 && RewriteRules[5] != NULL &&
416 bitnset(M_TRYRULESET5, m->m_flags))
417 {
418 maplocaluser(a, sendq, aliaslevel, e);
419 }
420
421 /*
422 ** If it didn't get rewritten to another mailer, go ahead
423 ** and deliver it.
424 */
425
426 if (!bitset(QDONTSEND|QQUEUEUP|QVERIFIED, a->q_flags) &&
427 bitnset(M_HASPWENT, m->m_flags))
428 {
429 auto bool fuzzy;
430 register struct passwd *pw;
431 extern struct passwd *finduser();
432
433 /* warning -- finduser may trash buf */
434 pw = finduser(buf, &fuzzy);
435 if (pw == NULL)
436 {
437 a->q_flags |= QBADADDR;
438 giveresponse(EX_NOUSER, m, NULL, a->q_alias,
439 (time_t) 0, e);
440 }
441 else
442 {
443 char nbuf[MAXNAME];
444
445 if (fuzzy)
446 {
447 /* name was a fuzzy match */
448 a->q_user = newstr(pw->pw_name);
449 if (findusercount++ > 3)
450 {
451 a->q_flags |= QBADADDR;
452 usrerr("554 aliasing/forwarding loop for %s broken",
453 pw->pw_name);
454 goto done;
455 }
456
457 /* see if it aliases */
458 (void) strcpy(buf, pw->pw_name);
459 goto trylocaluser;
460 }
461 if (strcmp(pw->pw_dir, "/") == 0)
462 a->q_home = "";
463 else
464 a->q_home = newstr(pw->pw_dir);
465 a->q_uid = pw->pw_uid;
466 a->q_gid = pw->pw_gid;
467 a->q_ruser = newstr(pw->pw_name);
468 a->q_flags |= QGOODUID;
469 buildfname(pw->pw_gecos, pw->pw_name, nbuf);
470 if (nbuf[0] != '\0')
471 a->q_fullname = newstr(nbuf);
472 if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
473 !usershellok(pw->pw_shell))
474 {
475 a->q_flags |= QBOGUSSHELL;
476 }
477 if (!quoted)
478 forward(a, sendq, aliaslevel, e);
479 }
480 }
481 if (!bitset(QDONTSEND, a->q_flags))
482 e->e_nrcpts++;
483
484 testselfdestruct:
485 if (tTd(26, 8))
486 {
487 printf("testselfdestruct: ");
488 printaddr(a, TRUE);
489 }
490 if (a->q_alias == NULL && a != &e->e_from &&
491 bitset(QDONTSEND, a->q_flags))
492 {
493 q = *sendq;
494 while (q != NULL && bitset(QDONTSEND, q->q_flags))
495 q = q->q_next;
496 if (q == NULL)
497 {
498 a->q_flags |= QBADADDR;
499 usrerr("554 aliasing/forwarding loop broken");
500 }
501 }
502
503 done:
504 if (buf != buf0)
505 free(buf);
506 return (a);
507 }
508 �/*
509 ** FINDUSER -- find the password entry for a user.
510 **
511 ** This looks a lot like getpwnam, except that it may want to
512 ** do some fancier pattern matching in /etc/passwd.
513 **
514 ** This routine contains most of the time of many sendmail runs.
515 ** It deserves to be optimized.
516 **
517 ** Parameters:
518 ** name -- the name to match against.
519 ** fuzzyp -- an outarg that is set to TRUE if this entry
520 ** was found using the fuzzy matching algorithm;
521 ** set to FALSE otherwise.
522 **
523 ** Returns:
524 ** A pointer to a pw struct.
525 ** NULL if name is unknown or ambiguous.
526 **
527 ** Side Effects:
528 ** may modify name.
529 */
530
531 struct passwd *
532 finduser(name, fuzzyp)
533 char *name;
534 bool *fuzzyp;
535 {
536 register struct passwd *pw;
537 register char *p;
538 extern struct passwd *getpwent();
539 extern struct passwd *getpwnam();
540
541 if (tTd(29, 4))
542 printf("finduser(%s): ", name);
543
544 *fuzzyp = FALSE;
545
546 #ifdef HESIOD
547 /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
548 for (p = name; *p != '\0'; p++)
549 if (!isascii(*p) || !isdigit(*p))
550 break;
551 if (*p == '\0')
552 {
553 if (tTd(29, 4))
554 printf("failed (numeric input)\n");
555 return NULL;
556 }
557 #endif
558
559 /* look up this login name using fast path */
560 if ((pw = getpwnam(name)) != NULL)
561 {
562 if (tTd(29, 4))
563 printf("found (non-fuzzy)\n");
564 return (pw);
565 }
566
567 #ifdef MATCHGECOS
568 /* see if fuzzy matching allowed */
569 if (!MatchGecos)
570 {
571 if (tTd(29, 4))
572 printf("not found (fuzzy disabled)\n");
573 return NULL;
574 }
575
576 /* search for a matching full name instead */
577 for (p = name; *p != '\0'; p++)
578 {
579 if (*p == (SpaceSub & 0177) || *p == '_')
580 *p = ' ';
581 }
582 (void) setpwent();
583 while ((pw = getpwent()) != NULL)
584 {
585 char buf[MAXNAME];
586
587 buildfname(pw->pw_gecos, pw->pw_name, buf);
588 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
589 {
590 if (tTd(29, 4))
591 printf("fuzzy matches %s\n", pw->pw_name);
592 message("sending to login name %s", pw->pw_name);
593 *fuzzyp = TRUE;
594 return (pw);
595 }
596 }
597 if (tTd(29, 4))
598 printf("no fuzzy match found\n");
599 #else
600 if (tTd(29, 4))
601 printf("not found (fuzzy disabled)\n");
602 #endif
603 return (NULL);
604 }
605 �/*
606 ** WRITABLE -- predicate returning if the file is writable.
607 **
608 ** This routine must duplicate the algorithm in sys/fio.c.
609 ** Unfortunately, we cannot use the access call since we
610 ** won't necessarily be the real uid when we try to
611 ** actually open the file.
612 **
613 ** Notice that ANY file with ANY execute bit is automatically
614 ** not writable. This is also enforced by mailfile.
615 **
616 ** Parameters:
617 ** filename -- the file name to check.
618 ** ctladdr -- the controlling address for this file.
619 ** flags -- SFF_* flags to control the function.
620 **
621 ** Returns:
622 ** TRUE -- if we will be able to write this file.
623 ** FALSE -- if we cannot write this file.
624 **
625 ** Side Effects:
626 ** none.
627 */
628
629 bool
630 writable(filename, ctladdr, flags)
631 char *filename;
632 ADDRESS *ctladdr;
633 int flags;
634 {
635 uid_t euid;
636 gid_t egid;
637 int bits;
638 register char *p;
639 char *uname;
640 struct stat stb;
641 extern char RealUserName[];
642
643 if (tTd(29, 5))
644 printf("writable(%s, %x)\n", filename, flags);
645
646 #ifdef HASLSTAT
647 if ((bitset(SFF_NOSLINK, flags) ? lstat(filename, &stb)
648 : stat(filename, &stb)) < 0)
649 #else
650 if (stat(filename, &stb) < 0)
651 #endif
652 {
653 /* file does not exist -- see if directory is safe */
654 p = strrchr(filename, '/');
655 if (p == NULL)
656 {
657 errno = ENOTDIR;
658 return FALSE;
659 }
660 *p = '\0';
661 errno = safefile(filename, RealUid, RealGid, RealUserName,
662 SFF_MUSTOWN, S_IWRITE|S_IEXEC);
663 *p = '/';
664 return errno == 0;
665 }
666
667 #ifdef SUID_ROOT_FILES_OK
668 /* really ought to be passed down -- and not a good idea */
669 flags |= SFF_ROOTOK;
670 #endif
671
672 /*
673 ** File does exist -- check that it is writable.
674 */
675
676 if (bitset(0111, stb.st_mode))
677 {
678 if (tTd(29, 5))
679 printf("failed (mode %o: x bits)\n", stb.st_mode);
680 errno = EPERM;
681 return (FALSE);
682 }
683
684 if (ctladdr != NULL && geteuid() == 0)
685 {
686 euid = ctladdr->q_uid;
687 egid = ctladdr->q_gid;
688 uname = ctladdr->q_user;
689 }
690 #ifdef RUN_AS_REAL_UID
691 else
692 {
693 euid = RealUid;
694 egid = RealGid;
695 uname = RealUserName;
696 }
697 #else
698 else if (FileMailer != NULL)
699 {
700 euid = FileMailer->m_uid;
701 egid = FileMailer->m_gid;
702 }
703 else
704 {
705 euid = egid = 0;
706 }
707 #endif
708 if (euid == 0)
709 {
710 euid = DefUid;
711 uname = DefUser;
712 }
713 if (egid == 0)
714 egid = DefGid;
715 if (geteuid() == 0)
716 {
717 if (bitset(S_ISUID, stb.st_mode) &&
718 (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
719 {
720 euid = stb.st_uid;
721 uname = NULL;
722 }
723 if (bitset(S_ISGID, stb.st_mode) &&
724 (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
725 egid = stb.st_gid;
726 }
727
728 if (tTd(29, 5))
729 printf("\teu/gid=%d/%d, st_u/gid=%d/%d\n",
730 euid, egid, stb.st_uid, stb.st_gid);
731
732 errno = safefile(filename, euid, egid, uname, flags, S_IWRITE);
733 return errno == 0;
734 }
735 �/*
736 ** INCLUDE -- handle :include: specification.
737 **
738 ** Parameters:
739 ** fname -- filename to include.
740 ** forwarding -- if TRUE, we are reading a .forward file.
741 ** if FALSE, it's a :include: file.
742 ** ctladdr -- address template to use to fill in these
743 ** addresses -- effective user/group id are
744 ** the important things.
745 ** sendq -- a pointer to the head of the send queue
746 ** to put these addresses in.
747 ** aliaslevel -- the alias nesting depth.
748 ** e -- the current envelope.
749 **
750 ** Returns:
751 ** open error status
752 **
753 ** Side Effects:
754 ** reads the :include: file and sends to everyone
755 ** listed in that file.
756 **
757 ** Security Note:
758 ** If you have restricted chown (that is, you can't
759 ** give a file away), it is reasonable to allow programs
760 ** and files called from this :include: file to be to be
761 ** run as the owner of the :include: file. This is bogus
762 ** if there is any chance of someone giving away a file.
763 ** We assume that pre-POSIX systems can give away files.
764 **
765 ** There is an additional restriction that if you
766 ** forward to a :include: file, it will not take on
767 ** the ownership of the :include: file. This may not
768 ** be necessary, but shouldn't hurt.
769 */
770
771 static jmp_buf CtxIncludeTimeout;
772 static void includetimeout();
773
774 #ifndef S_IWOTH
775 # define S_IWOTH (S_IWRITE >> 6)
776 #endif
777
778 int
779 include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
780 char *fname;
781 bool forwarding;
782 ADDRESS *ctladdr;
783 ADDRESS **sendq;
784 int aliaslevel;
785 ENVELOPE *e;
786 {
787 FILE *fp = NULL;
788 char *oldto = e->e_to;
789 char *oldfilename = FileName;
790 int oldlinenumber = LineNumber;
791 register EVENT *ev = NULL;
792 int nincludes;
793 register ADDRESS *ca;
794 uid_t saveduid, uid;
795 gid_t savedgid, gid;
796 char *uname;
797 int rval = 0;
798 int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
799 struct stat st;
800 char buf[MAXLINE];
801 #ifdef _POSIX_CHOWN_RESTRICTED
802 # if _POSIX_CHOWN_RESTRICTED == -1
803 # define safechown FALSE
804 # else
805 # define safechown TRUE
806 # endif
807 #else
808 # ifdef _PC_CHOWN_RESTRICTED
809 bool safechown;
810 # else
811 # ifdef BSD
812 # define safechown TRUE
813 # else
814 # define safechown FALSE
815 # endif
816 # endif
817 #endif
818 extern bool chownsafe();
819
820 if (tTd(27, 2))
821 printf("include(%s)\n", fname);
822 if (tTd(27, 4))
823 printf(" ruid=%d euid=%d\n", getuid(), geteuid());
824 if (tTd(27, 14))
825 {
826 printf("ctladdr ");
827 printaddr(ctladdr, FALSE);
828 }
829
830 if (tTd(27, 9))
831 printf("include: old uid = %d/%d\n", getuid(), geteuid());
832
833 ca = getctladdr(ctladdr);
834 if (ca == NULL)
835 {
836 uid = DefUid;
837 gid = DefGid;
838 uname = DefUser;
839 }
840 else
841 {
842 uid = ca->q_uid;
843 gid = ca->q_gid;
844 uname = ca->q_user;
845 }
846 #ifdef HASSETREUID
847 saveduid = geteuid();
848 savedgid = getegid();
849 if (saveduid == 0)
850 {
851 initgroups(uname, gid);
852 if (uid != 0)
853 {
854 if (setreuid(0, uid) < 0)
855 syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
856 uid, getuid(), geteuid());
857 else
858 sfflags |= SFF_NOPATHCHECK;
859 }
860 }
861 #endif
862
863 if (tTd(27, 9))
864 printf("include: new uid = %d/%d\n", getuid(), geteuid());
865
866 /*
867 ** If home directory is remote mounted but server is down,
868 ** this can hang or give errors; use a timeout to avoid this
869 */
870
871 if (setjmp(CtxIncludeTimeout) != 0)
872 {
873 ctladdr->q_flags |= QQUEUEUP;
874 errno = 0;
875
876 /* return pseudo-error code */
877 rval = EOPENTIMEOUT;
878 goto resetuid;
879 }
880 if (TimeOuts.to_fileopen > 0)
881 ev = setevent(TimeOuts.to_fileopen, includetimeout, 0);
882 else
883 ev = NULL;
884
885 /* the input file must be marked safe */
886 rval = safefile(fname, uid, gid, uname, sfflags, S_IREAD);
887 if (rval != 0)
888 {
889 /* don't use this :include: file */
890 if (tTd(27, 4))
891 printf("include: not safe (uid=%d): %s\n",
892 uid, errstring(rval));
893 }
894 else
895 {
896 fp = fopen(fname, "r");
897 if (fp == NULL)
898 {
899 rval = errno;
900 if (tTd(27, 4))
901 printf("include: open: %s\n", errstring(rval));
902 }
903 }
904 if (ev != NULL)
905 clrevent(ev);
906
907 resetuid:
908
909 #ifdef HASSETREUID
910 if (saveduid == 0)
911 {
912 if (uid != 0)
913 {
914 if (setreuid(-1, 0) < 0)
915 syserr("setreuid(-1, 0) failure (real=%d, eff=%d)",
916 getuid(), geteuid());
917 if (setreuid(RealUid, 0) < 0)
918 syserr("setreuid(%d, 0) failure (real=%d, eff=%d)",
919 RealUid, getuid(), geteuid());
920 }
921 setgid(savedgid);
922 }
923 #endif
924
925 if (tTd(27, 9))
926 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
927
928 if (rval == EOPENTIMEOUT)
929 usrerr("451 open timeout on %s", fname);
930
931 if (fp == NULL)
932 return rval;
933
934 if (fstat(fileno(fp), &st) < 0)
935 {
936 rval = errno;
937 syserr("Cannot fstat %s!", fname);
938 return rval;
939 }
940
941 #ifndef safechown
942 safechown = chownsafe(fileno(fp));
943 #endif
944 if (ca == NULL && safechown)
945 {
946 ctladdr->q_uid = st.st_uid;
947 ctladdr->q_gid = st.st_gid;
948 ctladdr->q_flags |= QGOODUID;
949 }
950 if (ca != NULL && ca->q_uid == st.st_uid)
951 {
952 /* optimization -- avoid getpwuid if we already have info */
953 ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
954 ctladdr->q_ruser = ca->q_ruser;
955 }
956 else
957 {
958 register struct passwd *pw;
959
960 pw = getpwuid(st.st_uid);
961 if (pw == NULL)
962 ctladdr->q_flags |= QBOGUSSHELL;
963 else
964 {
965 char *sh;
966
967 ctladdr->q_ruser = newstr(pw->pw_name);
968 if (safechown)
969 sh = pw->pw_shell;
970 else
971 sh = "/SENDMAIL/ANY/SHELL/";
972 if (!usershellok(sh))
973 {
974 if (safechown)
975 ctladdr->q_flags |= QBOGUSSHELL;
976 else
977 ctladdr->q_flags |= QUNSAFEADDR;
978 }
979 }
980 }
981
982 if (bitset(EF_VRFYONLY, e->e_flags))
983 {
984 /* don't do any more now */
985 ctladdr->q_flags |= QVERIFIED;
986 e->e_nrcpts++;
987 xfclose(fp, "include", fname);
988 return rval;
989 }
990
991 /*
992 ** Check to see if some bad guy can write this file
993 **
994 ** This should really do something clever with group
995 ** permissions; currently we just view world writable
996 ** as unsafe. Also, we don't check for writable
997 ** directories in the path. We've got to leave
998 ** something for the local sysad to do.
999 */
1000
1001 if (bitset(S_IWOTH, st.st_mode))
1002 ctladdr->q_flags |= QUNSAFEADDR;
1003
1004 /* read the file -- each line is a comma-separated list. */
1005 FileName = fname;
1006 LineNumber = 0;
1007 ctladdr->q_flags &= ~QSELFREF;
1008 nincludes = 0;
1009 while (fgets(buf, sizeof buf, fp) != NULL)
1010 {
1011 register char *p = strchr(buf, '\n');
1012
1013 LineNumber++;
1014 if (p != NULL)
1015 *p = '\0';
1016 if (buf[0] == '#' || buf[0] == '\0')
1017 continue;
1018 e->e_to = NULL;
1019 message("%s to %s",
1020 forwarding ? "forwarding" : "sending", buf);
1021 #ifdef LOG
1022 if (forwarding && LogLevel > 9)
1023 syslog(LOG_INFO, "%s: forward %s => %s",
1024 e->e_id == NULL ? "NOQUEUE" : e->e_id,
1025 oldto, buf);
1026 #endif
1027
1028 nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);
1029 }
1030
1031 if (ferror(fp) && tTd(27, 3))
1032 printf("include: read error: %s\n", errstring(errno));
1033 if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
1034 {
1035 if (tTd(27, 5))
1036 {
1037 printf("include: QDONTSEND ");
1038 printaddr(ctladdr, FALSE);
1039 }
1040 ctladdr->q_flags |= QDONTSEND;
1041 }
1042
1043 (void) xfclose(fp, "include", fname);
1044 FileName = oldfilename;
1045 LineNumber = oldlinenumber;
1046 e->e_to = oldto;
1047 return rval;
1048 }
1049
1050 static void
1051 includetimeout()
1052 {
1053 longjmp(CtxIncludeTimeout, 1);
1054 }
1055 �/*
1056 ** SENDTOARGV -- send to an argument vector.
1057 **
1058 ** Parameters:
1059 ** argv -- argument vector to send to.
1060 ** e -- the current envelope.
1061 **
1062 ** Returns:
1063 ** none.
1064 **
1065 ** Side Effects:
1066 ** puts all addresses on the argument vector onto the
1067 ** send queue.
1068 */
1069
1070 sendtoargv(argv, e)
1071 register char **argv;
1072 register ENVELOPE *e;
1073 {
1074 register char *p;
1075
1076 while ((p = *argv++) != NULL)
1077 {
1078 (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
1079 }
1080 }
1081 �/*
1082 ** GETCTLADDR -- get controlling address from an address header.
1083 **
1084 ** If none, get one corresponding to the effective userid.
1085 **
1086 ** Parameters:
1087 ** a -- the address to find the controller of.
1088 **
1089 ** Returns:
1090 ** the controlling address.
1091 **
1092 ** Side Effects:
1093 ** none.
1094 */
1095
1096 ADDRESS *
1097 getctladdr(a)
1098 register ADDRESS *a;
1099 {
1100 while (a != NULL && !bitset(QGOODUID, a->q_flags))
1101 a = a->q_alias;
1102 return (a);
1103 }
1104