1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* postdrop 1
6 /* SUMMARY
7 /* Postfix mail posting utility
8 /* SYNOPSIS
9 /* \fBpostdrop\fR [\fB-rv\fR] [\fB-c \fIconfig_dir\fR]
10 /* DESCRIPTION
11 /* The \fBpostdrop\fR(1) command creates a file in the \fBmaildrop\fR
12 /* directory and copies its standard input to the file.
14 /* Options:
15 /* .IP "\fB-c \fIconfig_dir\fR"
16 /* The \fBmain.cf\fR configuration file is in the named directory
17 /* instead of the default configuration directory. See also the
18 /* MAIL_CONFIG environment setting below.
19 /* .IP \fB-r\fR
20 /* Use a Postfix-internal protocol for reading the message from
21 /* standard input, and for reporting status information on standard
22 /* output. This is currently the only supported method.
23 /* .IP \fB-v\fR
24 /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
25 /* options make the software increasingly verbose. As of Postfix 2.3,
26 /* this option is available for the super-user only.
27 /* SECURITY
28 /* .ad
29 /* .fi
30 /* The command is designed to run with set-group ID privileges, so
31 /* that it can write to the \fBmaildrop\fR queue directory and so that
32 /* it can connect to Postfix daemon processes.
33 /* DIAGNOSTICS
34 /* Fatal errors: malformed input, I/O error, out of memory. Problems
35 /* are logged to \fBsyslogd\fR(8) and to the standard error stream.
36 /* When the input is incomplete, or when the process receives a HUP,
37 /* INT, QUIT or TERM signal, the queue file is deleted.
38 /* ENVIRONMENT
39 /* .ad
40 /* .fi
41 /* .IP MAIL_CONFIG
42 /* Directory with the \fBmain.cf\fR file. In order to avoid exploitation
43 /* of set-group ID privileges, a non-standard directory is allowed only
44 /* if:
45 /* .RS
46 /* .IP \(bu
47 /* The name is listed in the standard \fBmain.cf\fR file with the
48 /* \fBalternate_config_directories\fR configuration parameter.
49 /* .IP \(bu
50 /* The command is invoked by the super-user.
51 /* .RE
52 /* CONFIGURATION PARAMETERS
53 /* .ad
54 /* .fi
55 /* The following \fBmain.cf\fR parameters are especially relevant to
56 /* this program.
57 /* The text below provides only a parameter summary. See
58 /* \fBpostconf\fR(5) for more details including examples.
59 /* .IP "\fBalternate_config_directories (empty)\fR"
60 /* A list of non-default Postfix configuration directories that may
61 /* be specified with "-c config_directory" on the command line, or
62 /* via the MAIL_CONFIG environment parameter.
63 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
64 /* The default location of the Postfix main.cf and master.cf
65 /* configuration files.
66 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
67 /* The list of environment parameters that a Postfix process will
68 /* import from a non-Postfix parent process.
69 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
70 /* The location of the Postfix top-level queue directory.
71 /* .IP "\fBsyslog_facility (mail)\fR"
72 /* The syslog facility of Postfix logging.
73 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
74 /* The mail system name that is prepended to the process name in syslog
75 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
76 /* .IP "\fBtrigger_timeout (10s)\fR"
77 /* The time limit for sending a trigger to a Postfix daemon (for
78 /* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon).
79 /* .PP
80 /* Available in Postfix version 2.2 and later:
81 /* .IP "\fBauthorized_submit_users (static:anyone)\fR"
82 /* List of users who are authorized to submit mail with the \fBsendmail\fR(1)
83 /* command (and with the privileged \fBpostdrop\fR(1) helper command).
84 /* FILES
85 /* /var/spool/postfix/maildrop, maildrop queue
86 /* SEE ALSO
87 /* sendmail(1), compatibility interface
88 /* postconf(5), configuration parameters
89 /* syslogd(8), system logging
90 /* LICENSE
91 /* .ad
92 /* .fi
93 /* The Secure Mailer license must be distributed with this software.
94 /* AUTHOR(S)
95 /* Wietse Venema
96 /* IBM T.J. Watson Research
97 /* P.O. Box 704
98 /* Yorktown Heights, NY 10598, USA
99 /*--*/
101 /* System library. */
103 #include <sys_defs.h>
104 #include <sys/stat.h>
105 #include <unistd.h>
106 #include <stdlib.h>
107 #include <stdio.h> /* remove() */
108 #include <string.h>
109 #include <stdlib.h>
110 #include <signal.h>
111 #include <syslog.h>
112 #include <errno.h>
114 /* Utility library. */
116 #include <msg.h>
117 #include <mymalloc.h>
118 #include <vstream.h>
119 #include <vstring.h>
120 #include <msg_vstream.h>
121 #include <msg_syslog.h>
122 #include <argv.h>
123 #include <iostuff.h>
124 #include <stringops.h>
126 /* Global library. */
128 #include <mail_proto.h>
129 #include <mail_queue.h>
130 #include <mail_params.h>
131 #include <mail_version.h>
132 #include <mail_conf.h>
133 #include <mail_task.h>
134 #include <clean_env.h>
135 #include <mail_stream.h>
136 #include <cleanup_user.h>
137 #include <record.h>
138 #include <rec_type.h>
139 #include <user_acl.h>
140 #include <rec_attr_map.h>
142 /* Application-specific. */
145 * WARNING WARNING WARNING
147 * This software is designed to run set-gid. In order to avoid exploitation of
148 * privilege, this software should not run any external commands, nor should
149 * it take any information from the user unless that information can be
150 * properly sanitized. To get an idea of how much information a process can
151 * inherit from a potentially hostile user, examine all the members of the
152 * process structure (typically, in /usr/include/sys/proc.h): the current
153 * directory, open files, timers, signals, environment, command line, umask,
154 * and so on.
158 * Local mail submission access list.
char   *var_submit_acl;			/* filled in from str_table by main() */

 /*
  * Configuration parameters read by get_mail_conf_str_table() in main().
  * VAR_SUBMIT_ACL is the access list that check_user_acl_byuid() consults
  * before any queue file is created (presumably the authorized_submit_users
  * parameter documented above - confirm against mail_params.h).
  */
static const CONFIG_STR_TABLE str_table[] = {
    VAR_SUBMIT_ACL, DEF_SUBMIT_ACL, &var_submit_acl, 0, 0,
};

 /*
  * Queue file name. Global, so that the cleanup routine can find it when
  * called by the run-time error handler. A null value means "nothing to
  * remove": main() clears it after the file has been removed on a cancelled
  * request, and again after mail_stream_finish() has succeeded, so that a
  * late fatal error or signal cannot delete a file we already own.
  */
static char *postdrop_path;
173 /* postdrop_sig - catch signal and clean up */
static void postdrop_sig(int sig)
{

    /*
     * Remove the partial queue file and terminate. Called with a real signal
     * number from the HUP/INT/QUIT/TERM handlers installed by main(), and
     * with sig == 0 from postdrop_cleanup() (the run-time error handler), in
     * which case the file is removed but the process is left to the caller.
     *
     * This is the fatal error handler. Don't try to do anything fancy.
     * Nothing in here allocates memory or logs.
     *
     * msg_vstream does not allocate memory, but msg_syslog may indirectly in
     * syslog(), so it should not be called from a user-triggered signal
     * handler.
     *
     * Assume atomic signal() updates, even when emulated with sigaction(). We
     * use the in-kernel SIGINT handler address as an atomic variable to
     * prevent nested postdrop_sig() calls. For this reason, main() must
     * configure postdrop_sig() as SIGINT handler before other signal
     * handlers are allowed to invoke postdrop_sig(). The first call wins:
     * once SIGINT is SIG_IGN every later entry is a no-op.
     *
     * NOTE(review): postdrop_path is a plain pointer, not a volatile
     * sig_atomic_t; the SIGINT-disposition gate above is what keeps this
     * read-then-clear from racing with the assignments in main().
     */
    if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
	(void) signal(SIGQUIT, SIG_IGN);
	(void) signal(SIGTERM, SIG_IGN);
	(void) signal(SIGHUP, SIG_IGN);
	if (postdrop_path) {
	    (void) remove(postdrop_path);
	    postdrop_path = 0;
	}
	/* Future proofing. If you need exit() here then you broke Postfix. */
	if (sig)
	    _exit(sig);
    }
}
205 /* postdrop_cleanup - callback for the runtime error handler */
static void postdrop_cleanup(void)
{

    /*
     * Registered with msg_cleanup() in main(), so the run-time error handler
     * lands here on msg_fatal(). Route through the signal handler with a
     * zero signal number: that removes the queue file named by postdrop_path
     * (if any) and returns without calling _exit(), leaving termination to
     * whoever invoked us.
     */
    postdrop_sig(0);
}
/* Version fingerprint for executables and core dumps; MAIL_VERSION_STAMP_ALLOCATE in main() is its counterpart. */
MAIL_VERSION_STAMP_DECLARE;
214 /* main - the main program */
int main(int argc, char **argv)
{

    /*
     * Overview. This set-gid helper (see SECURITY above) reads a message in
     * the Postfix-internal record format from standard input, copies it to
     * a new file in the maildrop queue, and reports the queue ID and the
     * completion status on standard output. Everything inherited from the
     * caller - descriptors, process name, environment, command line, time
     * stamps, and the record stream itself - is treated as untrusted and is
     * replaced, stripped, validated, or allow-listed below. Fatal errors and
     * HUP/INT/QUIT/TERM remove the partial queue file via postdrop_sig().
     */
    struct stat st;
    int     fd;
    int     c;
    VSTRING *buf;
    int     status;				/* mail_stream_finish() result */
    MAIL_STREAM *dst;				/* the queue file being written */
    int     rec_type;
    /* Record types allowed per input segment; "" rejects everything. */
    static char *segment_info[] = {
	REC_TYPE_POST_ENVELOPE, REC_TYPE_POST_CONTENT, REC_TYPE_POST_EXTRACT, ""
    };
    char  **expected;				/* current segment_info entry */
    uid_t   uid = getuid();			/* real uid of the submitter */
    ARGV   *import_env;
    const char *error_text;
    char   *attr_name;
    char   *attr_value;
    const char *errstr;
    char   *junk;
    struct timeval start;			/* our own arrival time */
    int     saved_errno;

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Be consistent with file permissions.
     */
    umask(022);

    /*
     * To minimize confusion, make sure that the standard file descriptors
     * are open before opening anything else. XXX Work around for 44BSD where
     * fstat can return EBADF on an open file descriptor. Open files are part
     * of the state a hostile caller controls (see the WARNING above); without
     * this, the first file we open could land on a closed standard descriptor.
     */
    for (fd = 0; fd < 3; fd++)
	if (fstat(fd, &st) == -1
	    && (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
	    msg_fatal("open /dev/null: %m");

    /*
     * Set up logging. Censor the process name: it is provided by the user.
     */
    argv[0] = "postdrop";
    msg_vstream_init(argv[0], VSTREAM_ERR);
    msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
    set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));

    /*
     * Parse JCL. This program is set-gid and must sanitize all command-line
     * arguments. The configuration directory argument is validated by the
     * mail configuration read routine. Don't do complex things until we have
     * completed initializations.
     */
    while ((c = GETOPT(argc, argv, "c:rv")) > 0) {
	switch (c) {
	case 'c':
	    /* Not trusted yet: mail_conf_read() checks it (see ENVIRONMENT). */
	    if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
		msg_fatal("out of memory");
	    break;
	case 'r':				/* forward compatibility */
	    break;
	case 'v':
	    /* Verbose logging is for the super-user only (see -v above). */
	    if (geteuid() == 0)
		msg_verbose++;
	    break;
	default:
	    /* XXX The usage text omits -r, which the SYNOPSIS documents. */
	    msg_fatal("usage: %s [-c config_dir] [-v]", argv[0]);
	}
    }

    /*
     * Read the global configuration file and extract configuration
     * information. Some claim that the user should supply the working
     * directory instead. That might be OK, given that this command needs
     * write permission in a subdirectory called "maildrop". However we still
     * need to reliably detect incomplete input, and so we must perform
     * record-level I/O. With that, we should also take the opportunity to
     * perform some sanity checks on the input.
     */
    mail_conf_read();
    /* Re-initialize syslog only if main.cf changed the syslog name. */
    if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0)
	msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
    get_mail_conf_str_table(str_table);

    /*
     * Mail submission access control. Should this be in the user-land gate,
     * or in the daemon process? The check uses the real uid, i.e. the
     * calling user, not the set-gid identity, and happens before any queue
     * file exists.
     */
    if ((errstr = check_user_acl_byuid(var_submit_acl, uid)) != 0)
	msg_fatal("User %s(%ld) is not allowed to submit mail",
		  errstr, (long) uid);

    /*
     * Stop run-away process accidents by limiting the queue file size. This
     * is not a defense against DOS attack.
     */
    if (var_message_limit > 0 && get_file_limit() > var_message_limit)
	set_file_limit((off_t) var_message_limit);

    /*
     * Strip the environment so we don't have to trust the C library. Only
     * the import_environment list survives.
     */
    import_env = argv_split(var_import_environ, ", \t\r\n");
    clean_env(import_env->argv);
    argv_free(import_env);

    if (chdir(var_queue_dir))
	msg_fatal("chdir %s: %m", var_queue_dir);
    if (msg_verbose)
	msg_info("chdir %s", var_queue_dir);

    /*
     * Set up signal handlers and a runtime error handler so that we can
     * clean up incomplete output.
     * 
     * postdrop_sig() uses the in-kernel SIGINT handler address as an atomic
     * variable to prevent nested postdrop_sig() calls. For this reason, the
     * SIGINT handler must be configured before other signal handlers are
     * allowed to invoke postdrop_sig().
     * 
     * SIGPIPE and SIGXFSZ are ignored so that a vanished client or the file
     * size limit set above surface as write errors rather than as a signal
     * death. TERM and HUP handlers are installed only when the inherited
     * disposition is SIG_DFL; an inherited SIG_IGN is respected.
     */
    signal(SIGPIPE, SIG_IGN);
    signal(SIGXFSZ, SIG_IGN);

    signal(SIGINT, postdrop_sig);
    signal(SIGQUIT, postdrop_sig);
    if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
	signal(SIGTERM, postdrop_sig);
    if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
	signal(SIGHUP, postdrop_sig);
    msg_cleanup(postdrop_cleanup);

    /* End of initializations. */

    /*
     * Don't trust the caller's time information.
     */
    GETTIMEOFDAY(&start);

    /*
     * Create queue file. mail_stream_file() never fails. Send the queue ID
     * to the caller. Stash away a copy of the queue file name so we can
     * clean up in case of a fatal error or an interrupt.
     */
    dst = mail_stream_file(MAIL_QUEUE_MAILDROP, MAIL_CLASS_PUBLIC,
			   var_pickup_service, 0444);
    attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
	       ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, dst->id,
	       ATTR_TYPE_END);
    vstream_fflush(VSTREAM_OUT);
    postdrop_path = mystrdup(VSTREAM_PATH(dst->stream));

    /*
     * Copy stdin to file. The format is checked so that we can recognize
     * incomplete input and cancel the operation. With the sanity checks
     * applied here, the pickup daemon could skip format checks and pass a
     * file descriptor to the cleanup daemon. These are by no means all
     * sanity checks - the cleanup service and queue manager services will
     * reject messages that lack required information.
     * 
     * If something goes wrong, slurp up the input before responding to the
     * client, otherwise the client will give up after detecting SIGPIPE.
     * 
     * Allow attribute records if the attribute specifies the MIME body type
     * (sendmail -B).
     */
    vstream_control(VSTREAM_IN, VSTREAM_CTL_PATH, "stdin", VSTREAM_CTL_END);
    buf = vstring_alloc(100);
    expected = segment_info;
    /* Override time information from the untrusted caller. */
    rec_fprintf(dst->stream, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
		REC_TYPE_TIME_ARG(start));
    for (;;) {
	/* Don't allow PTR records. */
	rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit, REC_FLAG_NONE);
	if (rec_type == REC_TYPE_EOF) {		/* request cancelled */
	    /* Input ended before REC_TYPE_END: discard the partial file. */
	    mail_stream_cleanup(dst);
	    if (remove(postdrop_path))
		msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
	    else if (msg_verbose)
		msg_info("remove %s", postdrop_path);
	    myfree(postdrop_path);
	    postdrop_path = 0;
	    exit(0);
	}
	if (rec_type == REC_TYPE_ERROR)
	    msg_fatal("uid=%ld: malformed input", (long) uid);

	/*
	 * Only record types listed for the current segment are accepted; the
	 * first character of each segment string is the record that advances
	 * to the next segment. NOTE(review): strchr() also matches the
	 * terminating NUL, so this relies on rec_get_raw() never returning a
	 * record type of 0 - verify against rec_get_raw().
	 */
	if (strchr(*expected, rec_type) == 0)
	    msg_fatal("uid=%ld: unexpected record type: %d", (long) uid, rec_type);
	if (rec_type == **expected)
	    expected++;
	/* Override time information from the untrusted caller. */
	if (rec_type == REC_TYPE_TIME)
	    continue;
	if (rec_type == REC_TYPE_ATTR) {
	    if ((error_text = split_nameval(vstring_str(buf), &attr_name,
					    &attr_value)) != 0) {
		msg_warn("uid=%ld: ignoring malformed record: %s: %.200s",
			 (long) uid, error_text, vstring_str(buf));
		continue;
	    }
#define STREQ(x,y) (strcmp(x,y) == 0)

	    /*
	     * Allow-list: only these attribute names (and, where listed, only
	     * these values) from the untrusted caller are copied to the queue
	     * file. Anything else is logged and dropped, never forwarded.
	     */
	    if ((STREQ(attr_name, MAIL_ATTR_ENCODING)
		 && (STREQ(attr_value, MAIL_ATTR_ENC_7BIT)
		     || STREQ(attr_value, MAIL_ATTR_ENC_8BIT)
		     || STREQ(attr_value, MAIL_ATTR_ENC_NONE)))
		|| STREQ(attr_name, MAIL_ATTR_DSN_ENVID)
		|| STREQ(attr_name, MAIL_ATTR_DSN_NOTIFY)
		|| rec_attr_map(attr_name)
		|| (STREQ(attr_name, MAIL_ATTR_RWR_CONTEXT)
		    && (STREQ(attr_value, MAIL_ATTR_RWR_LOCAL)
			|| STREQ(attr_value, MAIL_ATTR_RWR_REMOTE)))
		|| STREQ(attr_name, MAIL_ATTR_TRACE_FLAGS)) {	/* XXX */
		rec_fprintf(dst->stream, REC_TYPE_ATTR, "%s=%s",
			    attr_name, attr_value);
	    } else {
		msg_warn("uid=%ld: ignoring attribute record: %.200s=%.200s",
			 (long) uid, attr_name, attr_value);
	    }
	    continue;
	}
	if (REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
	    /*
	     * Write error. Drain the rest of the client's input first (see
	     * the SIGPIPE remark above), then let mail_stream_finish() report
	     * the original error. rec_get() errors must not clobber errno.
	     */
	    saved_errno = errno;
	    while ((rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit,
					   REC_FLAG_NONE)) != REC_TYPE_END
		   && rec_type != REC_TYPE_EOF)
		if (rec_type == REC_TYPE_ERROR)
		    msg_fatal("uid=%ld: malformed input", (long) uid);
	    errno = saved_errno;
	    break;
	}
	if (rec_type == REC_TYPE_END)
	    break;
    }
    vstring_free(buf);

    /*
     * Finish the file. On failure, postdrop_cleanup() removes the queue file
     * and clears postdrop_path; the non-zero status is still reported below.
     */
    if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
	msg_warn("uid=%ld: %m", (long) uid);
	postdrop_cleanup();
    }

    /*
     * Disable deletion on fatal error before reporting success, so the file
     * will not be deleted after we have taken responsibility for delivery.
     * Clear the global before freeing, so a signal arriving in between
     * cannot see a dangling pointer.
     */
    if (postdrop_path) {
	junk = postdrop_path;
	postdrop_path = 0;
	myfree(junk);
    }

    /*
     * Send the completion status to the caller and terminate.
     */
    attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
	       ATTR_TYPE_INT, MAIL_ATTR_STATUS, status,
	       ATTR_TYPE_STR, MAIL_ATTR_WHY, "",
	       ATTR_TYPE_END);
    vstream_fflush(VSTREAM_OUT);
    exit(status);
}