xref: /netbsd-src/external/ibm-public/postfix/dist/src/local/include.c (revision a5847cc334d9a7029f6352b847e9e8d71a0f9e0c) 
1 /*	$NetBSD: include.c,v 1.1.1.1 2009/06/23 10:08:48 tron Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	deliver_include 3
6 /* SUMMARY
7 /*	deliver to addresses listed in include file
8 /* SYNOPSIS
9 /*	#include "local.h"
10 /*
11 /*	int	deliver_include(state, usr_attr, path)
12 /*	LOCAL_STATE state;
13 /*	USER_ATTR usr_attr;
14 /*	char	*path;
15 /* DESCRIPTION
16 /*	deliver_include() processes the contents of the named include
17 /*	file and delivers to each address listed. Some sanity checks
18 /*	are done on the include file permissions and type.
19 /*
20 /*	Arguments:
21 /* .IP state
22 /*	The attributes that specify the message, recipient and more.
23 /*	Attributes describing alias, include, or forward expansion.
24 /*	A table with the results from expanding aliases or lists.
25 /*	A table with delivered-to: addresses taken from the message.
26 /* .IP usr_attr
27 /*	Attributes describing user rights and environment.
28 /* .IP path
29 /*	Pathname of the include file.
30 /* DIAGNOSTICS
31 /*	Fatal errors: out of memory. Warnings: bad include file type
32 /*	or permissions. The result is non-zero when delivery should be
33 /*	tried again.
34 /* SEE ALSO
35 /*	token(3) tokenize list
36 /* LICENSE
37 /* .ad
38 /* .fi
39 /*	The Secure Mailer license must be distributed with this software.
40 /* AUTHOR(S)
41 /*	Wietse Venema
42 /*	IBM T.J. Watson Research
43 /*	P.O. Box 704
44 /*	Yorktown Heights, NY 10598, USA
45 /*--*/
46 
47 /* System library. */
48 
49 #include <sys_defs.h>
50 #include <sys/stat.h>
51 #include <unistd.h>
52 #include <string.h>
53 #include <fcntl.h>
54 
55 /* Utility library. */
56 
57 #include <msg.h>
58 #include <htable.h>
59 #include <mymalloc.h>
60 #include <vstream.h>
61 #include <open_as.h>
62 #include <stat_as.h>
63 #include <iostuff.h>
64 #include <mypwd.h>
65 
66 /* Global library. */
67 
68 #include <bounce.h>
69 #include <defer.h>
70 #include <been_here.h>
71 #include <mail_params.h>
72 #include <ext_prop.h>
73 #include <sent.h>
74 
75 /* Application-specific. */
76 
77 #include "local.h"
78 
79 /* deliver_include - open include file and deliver */
80 
81 int     deliver_include(LOCAL_STATE state, USER_ATTR usr_attr, char *path)
82 {
83     const char *myname = "deliver_include";
84     struct stat st;
85     struct mypasswd *file_pwd = 0;
86     int     status;
87     VSTREAM *fp;
88     int     fd;
89 
90     /*
91      * Make verbose logging easier to understand.
92      */
93     state.level++;
94     if (msg_verbose)
95 	MSG_LOG_STATE(myname, state);
96 
97     /*
98      * DUPLICATE ELIMINATION
99      *
100      * Don't process this include file more than once as this particular user.
101      */
102     if (been_here(state.dup_filter, "include %ld %s", (long) usr_attr.uid, path))
103 	return (0);
104     state.msg_attr.exp_from = state.msg_attr.local;
105 
106     /*
107      * Can of worms. Allow this include file to be symlinked, but disallow
108      * inclusion of special files or of files with world write permission
109      * enabled.
110      */
111     if (*path != '/') {
112 	msg_warn(":include:%s uses a relative path", path);
113 	dsb_simple(state.msg_attr.why, "5.3.5",
114 		   "mail system configuration error");
115 	return (bounce_append(BOUNCE_FLAGS(state.request),
116 			      BOUNCE_ATTR(state.msg_attr)));
117     }
118     if (stat_as(path, &st, usr_attr.uid, usr_attr.gid) < 0) {
119 	msg_warn("unable to lookup :include: file %s: %m", path);
120 	dsb_simple(state.msg_attr.why, "5.3.5",
121 		   "mail system configuration error");
122 	return (bounce_append(BOUNCE_FLAGS(state.request),
123 			      BOUNCE_ATTR(state.msg_attr)));
124     }
125     if (S_ISREG(st.st_mode) == 0) {
126 	msg_warn(":include: file %s is not a regular file", path);
127 	dsb_simple(state.msg_attr.why, "5.3.5",
128 		   "mail system configuration error");
129 	return (bounce_append(BOUNCE_FLAGS(state.request),
130 			      BOUNCE_ATTR(state.msg_attr)));
131     }
132     if (st.st_mode & S_IWOTH) {
133 	msg_warn(":include: file %s is world writable", path);
134 	dsb_simple(state.msg_attr.why, "5.3.5",
135 		   "mail system configuration error");
136 	return (bounce_append(BOUNCE_FLAGS(state.request),
137 			      BOUNCE_ATTR(state.msg_attr)));
138     }
139 
140     /*
141      * DELIVERY POLICY
142      *
143      * Set the expansion type attribute so that we can decide if destinations
144      * such as /file/name and |command are allowed at all.
145      */
146     state.msg_attr.exp_type = EXPAND_TYPE_INCL;
147 
148     /*
149      * DELIVERY RIGHTS
150      *
151      * When a non-root include file is listed in a root-owned alias, use the
152      * rights of the include file owner.  We do not want to give the include
153      * file owner control of the default account.
154      *
155      * When an include file is listed in a user-owned alias or .forward file,
156      * leave the delivery rights alone. Users should not be able to make
157      * things happen with someone else's rights just by including some file
158      * that is owned by their victim.
159      */
160     if (usr_attr.uid == 0) {
161 	if ((file_pwd = mypwuid(st.st_uid)) == 0) {
162 	    msg_warn("cannot find username for uid %ld", (long) st.st_uid);
163 	    msg_warn("%s: cannot find :include: file owner username", path);
164 	    dsb_simple(state.msg_attr.why, "4.3.5",
165 		       "mail system configuration error");
166 	    return (defer_append(BOUNCE_FLAGS(state.request),
167 				 BOUNCE_ATTR(state.msg_attr)));
168 	}
169 	if (file_pwd->pw_uid != 0)
170 	    SET_USER_ATTR(usr_attr, file_pwd, state.level);
171     }
172 
173     /*
174      * MESSAGE FORWARDING
175      *
176      * When no owner attribute is set (either via an owner- alias, or as part of
177      * .forward file processing), set the owner attribute, to disable direct
178      * delivery of local recipients. By now it is clear that the owner
179      * attribute should have been called forwarder instead.
180      */
181     if (state.msg_attr.owner == 0)
182 	state.msg_attr.owner = state.msg_attr.rcpt.address;
183 
184     /*
185      * From here on no early returns or we have a memory leak.
186      *
187      * FILE OPEN RIGHTS
188      *
189      * Use the delivery rights to open the include file. When no delivery rights
190      * were established sofar, the file containing the :include: is owned by
191      * root, so it should be OK to open any file that is accessible to root.
192      * The command and file delivery routines are responsible for setting the
193      * proper delivery rights. These are the rights of the default user, in
194      * case the :include: is in a root-owned alias.
195      *
196      * Don't propagate unmatched extensions unless permitted to do so.
197      */
198 #define FOPEN_AS(p,u,g) ((fd = open_as(p,O_RDONLY,0,u,g)) >= 0 ? \
199 				vstream_fdopen(fd,O_RDONLY) : 0)
200 
201     if ((fp = FOPEN_AS(path, usr_attr.uid, usr_attr.gid)) == 0) {
202 	msg_warn("cannot open include file %s: %m", path);
203 	dsb_simple(state.msg_attr.why, "5.3.5",
204 		   "mail system configuration error");
205 	status = bounce_append(BOUNCE_FLAGS(state.request),
206 			       BOUNCE_ATTR(state.msg_attr));
207     } else {
208 	if ((local_ext_prop_mask & EXT_PROP_INCLUDE) == 0)
209 	    state.msg_attr.unmatched = 0;
210 	close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
211 	status = deliver_token_stream(state, usr_attr, fp, (int *) 0);
212 	if (vstream_fclose(fp))
213 	    msg_warn("close %s: %m", path);
214     }
215 
216     /*
217      * Cleanup.
218      */
219     if (file_pwd)
220 	mypwfree(file_pwd);
221 
222     return (status);
223 }
224