external/ibm-public/postfix/dist/src/local/command.c

   1 /*      $NetBSD$        */
   2
   3 /*++
   4 /* NAME
   5 /*      command 3
   6 /* SUMMARY
   7 /*      message delivery to shell command
   8 /* SYNOPSIS
   9 /*      #include "local.h"
  10 /*
  11 /*      int     deliver_command(state, usr_attr, command)
  12 /*      LOCAL_STATE state;
  13 /*      USER_ATTR exp_attr;
  14 /*      const char *command;
  15 /* DESCRIPTION
  16 /*      deliver_command() runs a command with a message as standard
  17 /*      input.  A limited amount of standard output and standard error
  18 /*      output is captured for diagnostics purposes.
  19 /*      Duplicate commands for the same recipient are suppressed.
  20 /*      A limited amount of information is exported via the environment:
  21 /*      HOME, SHELL, LOGNAME, USER, EXTENSION, DOMAIN, RECIPIENT (entire
  22 /*      address) LOCAL (just the local part) and SENDER. The exported
  23 /*      information is censored with var_cmd_filter.
  24 /*
  25 /*      Arguments:
  26 /* .IP state
  27 /*      The attributes that specify the message, recipient and more.
  28 /*      Attributes describing the alias, include or forward expansion.
  29 /*      A table with the results from expanding aliases or lists.
  30 /* .IP usr_attr
  31 /*      Attributes describing user rights and environment.
  32 /* .IP command
  33 /*      The shell command to be executed. If possible, the command is
  34 /*      executed without actually invoking a shell. if the command is
  35 /*      the mailbox_command, it is subjected to $name expansion.
  36 /* DIAGNOSTICS
  37 /*      deliver_command() returns non-zero when delivery should be
  38 /*      tried again,
  39 /* SEE ALSO
  40 /*      mailbox(3) deliver to mailbox
  41 /* LICENSE
  42 /* .ad
  43 /* .fi
  44 /*      The Secure Mailer license must be distributed with this software.
  45 /* AUTHOR(S)
  46 /*      Wietse Venema
  47 /*      IBM T.J. Watson Research
  48 /*      P.O. Box 704
  49 /*      Yorktown Heights, NY 10598, USA
  50 /*--*/
  51
  52 /* System library. */
  53
  54 #include <sys_defs.h>
  55 #include <unistd.h>
  56 #include <stdlib.h>
  57 #include <stdarg.h>
  58 #include <string.h>
  59
  60 /* Utility library. */
  61
  62 #include <msg.h>
  63 #include <htable.h>
  64 #include <vstring.h>
  65 #include <vstream.h>
  66 #include <argv.h>
  67 #include <mac_parse.h>
  68
  69 /* Global library. */
  70
  71 #include <defer.h>
  72 #include <bounce.h>
  73 #include <sent.h>
  74 #include <been_here.h>
  75 #include <mail_params.h>
  76 #include <pipe_command.h>
  77 #include <mail_copy.h>
  78 #include <dsn_util.h>
  79
  80 /* Application-specific. */
  81
  82 #include "local.h"
  83
  84 /* deliver_command - deliver to shell command */
  85
  86 int     deliver_command(LOCAL_STATE state, USER_ATTR usr_attr, const char *command)
  87 {
  88     const char *myname = "deliver_command";
  89     DSN_BUF *why = state.msg_attr.why;
  90     int     cmd_status;
  91     int     deliver_status;
  92     ARGV   *env;
  93     int     copy_flags;
  94     char  **cpp;
  95     char   *cp;
  96     ARGV   *export_env;
  97     VSTRING *exec_dir;
  98     int     expand_status;
  99
 100     /*
 101      * Make verbose logging easier to understand.
 102      */
 103     state.level++;
 104     if (msg_verbose)
 105         MSG_LOG_STATE(myname, state);
 106
 107     /*
 108      * DUPLICATE ELIMINATION
 109      *
 110      * Skip this command if it was already delivered to as this user.
 111      */
 112     if (been_here(state.dup_filter, "command %s:%ld %s",
 113                   state.msg_attr.user, (long) usr_attr.uid, command))
 114         return (0);
 115
 116     /*
 117      * Don't deliver a trace-only request.
 118      */
 119     if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
 120         dsb_simple(why, "2.0.0", "delivers to command: %s", command);
 121         return (sent(BOUNCE_FLAGS(state.request),
 122                      SENT_ATTR(state.msg_attr)));
 123     }
 124
 125     /*
 126      * DELIVERY RIGHTS
 127      *
 128      * Choose a default uid and gid when none have been selected (i.e. values
 129      * are still zero).
 130      */
 131     if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
 132         msg_panic("privileged default user id");
 133     if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
 134         msg_panic("privileged default group id");
 135
 136     /*
 137      * Deliver.
 138      */
 139     copy_flags = MAIL_COPY_FROM | MAIL_COPY_RETURN_PATH
 140         | MAIL_COPY_ORIG_RCPT;
 141     if (local_deliver_hdr_mask & DELIVER_HDR_CMD)
 142         copy_flags |= MAIL_COPY_DELIVERED;
 143
 144     if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
 145         msg_fatal("%s: seek queue file %s: %m",
 146                   myname, VSTREAM_PATH(state.msg_attr.fp));
 147
 148     /*
 149      * Pass additional environment information. XXX This should be
 150      * configurable. However, passing untrusted information via environment
 151      * parameters opens up a whole can of worms. Lesson from web servers:
 152      * don't let any network data even near a shell. It causes trouble.
 153      */
 154     env = argv_alloc(1);
 155     if (usr_attr.home)
 156         argv_add(env, "HOME", usr_attr.home, ARGV_END);
 157     argv_add(env,
 158              "LOGNAME", state.msg_attr.user,
 159              "USER", state.msg_attr.user,
 160              "SENDER", state.msg_attr.sender,
 161              "RECIPIENT", state.msg_attr.rcpt.address,
 162              "LOCAL", state.msg_attr.local,
 163              ARGV_END);
 164     if (usr_attr.shell)
 165         argv_add(env, "SHELL", usr_attr.shell, ARGV_END);
 166     if (state.msg_attr.domain)
 167         argv_add(env, "DOMAIN", state.msg_attr.domain, ARGV_END);
 168     if (state.msg_attr.extension)
 169         argv_add(env, "EXTENSION", state.msg_attr.extension, ARGV_END);
 170     if (state.msg_attr.rcpt.orig_addr && state.msg_attr.rcpt.orig_addr[0])
 171         argv_add(env, "ORIGINAL_RECIPIENT", state.msg_attr.rcpt.orig_addr,
 172                  ARGV_END);
 173
 174 #define EXPORT_REQUEST(name, value) \
 175         if ((value)[0]) argv_add(env, (name), (value), ARGV_END);
 176
 177     EXPORT_REQUEST("CLIENT_HOSTNAME", state.msg_attr.request->client_name);
 178     EXPORT_REQUEST("CLIENT_ADDRESS", state.msg_attr.request->client_addr);
 179     EXPORT_REQUEST("CLIENT_HELO", state.msg_attr.request->client_helo);
 180     EXPORT_REQUEST("CLIENT_PROTOCOL", state.msg_attr.request->client_proto);
 181     EXPORT_REQUEST("SASL_METHOD", state.msg_attr.request->sasl_method);
 182     EXPORT_REQUEST("SASL_SENDER", state.msg_attr.request->sasl_sender);
 183     EXPORT_REQUEST("SASL_USERNAME", state.msg_attr.request->sasl_username);
 184
 185     argv_terminate(env);
 186
 187     /*
 188      * Censor out undesirable characters from exported data.
 189      */
 190     for (cpp = env->argv; *cpp; cpp += 2)
 191         for (cp = cpp[1]; *(cp += strspn(cp, var_cmd_exp_filter)) != 0;)
 192             *cp++ = '_';
 193
 194     /*
 195      * Evaluate the command execution directory. Defer delivery if expansion
 196      * fails.
 197      */
 198     export_env = argv_split(var_export_environ, ", \t\r\n");
 199     exec_dir = vstring_alloc(10);
 200     expand_status = local_expand(exec_dir, var_exec_directory,
 201                                  &state, &usr_attr, var_exec_exp_filter);
 202
 203     if (expand_status & MAC_PARSE_ERROR) {
 204         cmd_status = PIPE_STAT_DEFER;
 205         dsb_simple(why, "4.3.5", "mail system configuration error");
 206         msg_warn("bad parameter value syntax for %s: %s",
 207                  VAR_EXEC_DIRECTORY, var_exec_directory);
 208     } else {
 209         cmd_status = pipe_command(state.msg_attr.fp, why,
 210                                   PIPE_CMD_UID, usr_attr.uid,
 211                                   PIPE_CMD_GID, usr_attr.gid,
 212                                   PIPE_CMD_COMMAND, command,
 213                                   PIPE_CMD_COPY_FLAGS, copy_flags,
 214                                   PIPE_CMD_SENDER, state.msg_attr.sender,
 215                           PIPE_CMD_ORIG_RCPT, state.msg_attr.rcpt.orig_addr,
 216                                PIPE_CMD_DELIVERED, state.msg_attr.delivered,
 217                                   PIPE_CMD_TIME_LIMIT, var_command_maxtime,
 218                                   PIPE_CMD_ENV, env->argv,
 219                                   PIPE_CMD_EXPORT, export_env->argv,
 220                                   PIPE_CMD_SHELL, var_local_cmd_shell,
 221                                   PIPE_CMD_CWD, *STR(exec_dir) ?
 222                                   STR(exec_dir) : (char *) 0,
 223                                   PIPE_CMD_END);
 224     }
 225     vstring_free(exec_dir);
 226     argv_free(export_env);
 227     argv_free(env);
 228
 229     /*
 230      * Depending on the result, bounce or defer the message.
 231      */
 232     switch (cmd_status) {
 233     case PIPE_STAT_OK:
 234         dsb_simple(why, "2.0.0", "delivered to command: %s", command);
 235         deliver_status = sent(BOUNCE_FLAGS(state.request),
 236                               SENT_ATTR(state.msg_attr));
 237         break;
 238     case PIPE_STAT_BOUNCE:
 239     case PIPE_STAT_DEFER:
 240         deliver_status =
 241             (STR(why->status)[0] == '4' ?
 242              defer_append : bounce_append)
 243             (BOUNCE_FLAGS(state.request),
 244              BOUNCE_ATTR(state.msg_attr));
 245         break;
 246     case PIPE_STAT_CORRUPT:
 247         deliver_status = DEL_STAT_DEFER;
 248         break;
 249     default:
 250         msg_panic("%s: bad status %d", myname, cmd_status);
 251         /* NOTREACHED */
 252     }
 253
 254     return (deliver_status);
 255 }