external/ibm-public/postfix/dist/src/global/mbox_open.c

   1 /*      $NetBSD$        */
   2
   3 /*++
   4 /* NAME
   5 /*      mbox_open 3
   6 /* SUMMARY
   7 /*      mailbox access
   8 /* SYNOPSIS
   9 /*      #include <mbox_open.h>
  10 /*
  11 /*      typedef struct {
  12 /* .in +4
  13 /*              /* public members... */
  14 /*              VSTREAM *fp;
  15 /* .in -4
  16 /*      } MBOX;
  17 /*
  18 /*      MBOX    *mbox_open(path, flags, mode, st, user, group, lock_style,
  19 /*                              def_dsn, why)
  20 /*      const char *path;
  21 /*      int     flags;
  22 /*      mode_t  mode;
  23 /*      struct stat *st;
  24 /*      uid_t   user;
  25 /*      gid_t   group;
  26 /*      int     lock_style;
  27 /*      const char *def_dsn;
  28 /*      DSN_BUF *why;
  29 /*
  30 /*      void    mbox_release(mbox)
  31 /*      MBOX    *mbox;
  32 /*
  33 /*      const char *mbox_dsn(err, def_dsn)
  34 /*      int     err;
  35 /*      const char *def_dsn;
  36 /* DESCRIPTION
  37 /*      This module manages access to UNIX mailbox-style files.
  38 /*
  39 /*      mbox_open() acquires exclusive access to the named file.
  40 /*      The \fBpath, flags, mode, st, user, group, why\fR arguments
  41 /*      are passed to the \fBsafe_open\fR() routine. Attempts to change
  42 /*      file ownership will succeed only if the process runs with
  43 /*      adequate effective privileges.
  44 /*      The \fBlock_style\fR argument specifies a lock style from
  45 /*      mbox_lock_mask(). Locks are applied to regular files only.
  46 /*      The result is a handle that must be destroyed by mbox_release().
  47 /*      The \fBdef_dsn\fR argument is given to mbox_dsn().
  48 /*
  49 /*      mbox_release() releases the named mailbox. It is up to the
  50 /*      application to close the stream.
  51 /*
  52 /*      mbox_dsn() translates an errno value to a mailbox related
  53 /*      enhanced status code.
  54 /* .IP "EAGAIN, ESTALE"
  55 /*      These result in a 4.2.0 soft error (mailbox problem).
  56 /* .IP ENOSPC
  57 /*      This results in a 4.3.0 soft error (mail system full).
  58 /* .IP "EDQUOT, EFBIG"
  59 /*      These result in a 5.2.2 hard error (mailbox full).
  60 /* .PP
  61 /*      All other errors are assigned the specified default error
  62 /*      code. Typically, one would specify 4.2.0 or 5.2.0.
  63 /* DIAGNOSTICS
  64 /*      mbox_open() returns a null pointer in case of problems, and
  65 /*      sets errno to EAGAIN if someone else has exclusive access.
  66 /*      Other errors are likely to have a more permanent nature.
  67 /* LICENSE
  68 /* .ad
  69 /* .fi
  70 /*      The Secure Mailer license must be distributed with this software.
  71 /* AUTHOR(S)
  72 /*      Wietse Venema
  73 /*      IBM T.J. Watson Research
  74 /*      P.O. Box 704
  75 /*      Yorktown Heights, NY 10598, USA
  76 /*--*/
  77
  78 /* System library. */
  79
  80 #include <sys_defs.h>
  81 #include <sys/stat.h>
  82 #include <errno.h>
  83
  84 #ifndef EDQUOT
  85 #define EDQUOT EFBIG
  86 #endif
  87
  88 /* Utility library. */
  89
  90 #include <msg.h>
  91 #include <vstream.h>
  92 #include <vstring.h>
  93 #include <safe_open.h>
  94 #include <iostuff.h>
  95 #include <mymalloc.h>
  96
  97 /* Global library. */
  98
  99 #include <dot_lockfile.h>
 100 #include <deliver_flock.h>
 101 #include <mbox_conf.h>
 102 #include <mbox_open.h>
 103
 104 /* mbox_open - open mailbox-style file for exclusive access */
 105
 106 MBOX   *mbox_open(const char *path, int flags, mode_t mode, struct stat * st,
 107                           uid_t chown_uid, gid_t chown_gid,
 108                           int lock_style, const char *def_dsn,
 109                           DSN_BUF *why)
 110 {
 111     struct stat local_statbuf;
 112     MBOX   *mp;
 113     int     locked = 0;
 114     VSTREAM *fp;
 115
 116     if (st == 0)
 117         st = &local_statbuf;
 118
 119     /*
 120      * If this is a regular file, create a dotlock file. This locking method
 121      * does not work well over NFS, but it is better than some alternatives.
 122      * With NFS, creating files atomically is a problem, and a successful
 123      * operation can fail with EEXIST.
 124      *
 125      * If filename.lock can't be created for reasons other than "file exists",
 126      * issue only a warning if the application says it is non-fatal. This is
 127      * for bass-awkward compatibility with existing installations that
 128      * deliver to files in non-writable directories.
 129      *
 130      * We dot-lock the file before opening, so we must avoid doing silly things
 131      * like dot-locking /dev/null. Fortunately, deliveries to non-mailbox
 132      * files execute with recipient privileges, so we don't have to worry
 133      * about creating dotlock files in places where the recipient would not
 134      * be able to write.
 135      *
 136      * Note: we use stat() to follow symlinks, because safe_open() allows the
 137      * target to be a root-owned symlink, and we don't want to create dotlock
 138      * files for /dev/null or other non-file objects.
 139      */
 140     if ((lock_style & MBOX_DOT_LOCK)
 141         && (stat(path, st) < 0 || S_ISREG(st->st_mode))) {
 142         if (dot_lockfile(path, why->reason) == 0) {
 143             locked |= MBOX_DOT_LOCK;
 144         } else if (errno == EEXIST) {
 145             dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
 146             return (0);
 147         } else if (lock_style & MBOX_DOT_LOCK_MAY_FAIL) {
 148             msg_warn("%s", vstring_str(why->reason));
 149         } else {
 150             dsb_status(why, mbox_dsn(errno, def_dsn));
 151             return (0);
 152         }
 153     }
 154
 155     /*
 156      * Open or create the target file. In case of a privileged open, the
 157      * privileged user may be attacked with hard/soft link tricks in an
 158      * unsafe parent directory. In case of an unprivileged open, the mail
 159      * system may be attacked by a malicious user-specified path, or the
 160      * unprivileged user may be attacked with hard/soft link tricks in an
 161      * unsafe parent directory. Open non-blocking to fend off attacks
 162      * involving non-file targets.
 163      */
 164     if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st,
 165                         chown_uid, chown_gid, why->reason)) == 0) {
 166         dsb_status(why, mbox_dsn(errno, def_dsn));
 167         if (locked & MBOX_DOT_LOCK)
 168             dot_unlockfile(path);
 169         return (0);
 170     }
 171     close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
 172
 173     /*
 174      * If this is a regular file, acquire kernel locks. flock() locks are not
 175      * intended to work across a network; fcntl() locks are supposed to work
 176      * over NFS, but in the real world, NFS lock daemons often have serious
 177      * problems.
 178      */
 179 #define HUNKY_DORY(lock_mask, myflock_style) ((lock_style & (lock_mask)) == 0 \
 180          || deliver_flock(vstream_fileno(fp), (myflock_style), why->reason) == 0)
 181
 182     if (S_ISREG(st->st_mode)) {
 183         if (HUNKY_DORY(MBOX_FLOCK_LOCK, MYFLOCK_STYLE_FLOCK)
 184             && HUNKY_DORY(MBOX_FCNTL_LOCK, MYFLOCK_STYLE_FCNTL)) {
 185             locked |= lock_style;
 186         } else {
 187             dsb_status(why, mbox_dsn(errno, def_dsn));
 188             if (locked & MBOX_DOT_LOCK)
 189                 dot_unlockfile(path);
 190             vstream_fclose(fp);
 191             return (0);
 192         }
 193     }
 194
 195     /*
 196      * Sanity check: reportedly, GNU POP3D creates a new mailbox file and
 197      * deletes the old one. This does not play well with software that opens
 198      * the mailbox first and then locks it, such as software that that uses
 199      * FCNTL or FLOCK locks on open file descriptors (some UNIX systems don't
 200      * use dotlock files).
 201      *
 202      * To detect that GNU POP3D deletes the mailbox file we look at the target
 203      * file hard-link count. Note that safe_open() guarantees a hard-link
 204      * count of 1, so any change in this count is a sign of trouble.
 205      */
 206     if (S_ISREG(st->st_mode)
 207         && (fstat(vstream_fileno(fp), st) < 0 || st->st_nlink != 1)) {
 208         vstring_sprintf(why->reason, "target file status changed unexpectedly");
 209         dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
 210         msg_warn("%s: file status changed unexpectedly", path);
 211         if (locked & MBOX_DOT_LOCK)
 212             dot_unlockfile(path);
 213         vstream_fclose(fp);
 214         return (0);
 215     }
 216     mp = (MBOX *) mymalloc(sizeof(*mp));
 217     mp->path = mystrdup(path);
 218     mp->fp = fp;
 219     mp->locked = locked;
 220     return (mp);
 221 }
 222
 223 /* mbox_release - release mailbox exclusive access */
 224
 225 void    mbox_release(MBOX *mp)
 226 {
 227
 228     /*
 229      * Unfortunately we can't close the stream, because on some file systems
 230      * (AFS), the only way to find out if a file was written successfully is
 231      * to close it, and therefore the close() operation is in the mail_copy()
 232      * routine. If we really insist on owning the vstream member, then we
 233      * should export appropriate methods that mail_copy() can use in order to
 234      * manipulate a message stream.
 235      */
 236     if (mp->locked & MBOX_DOT_LOCK)
 237         dot_unlockfile(mp->path);
 238     myfree(mp->path);
 239     myfree((char *) mp);
 240 }
 241
 242 /* mbox_dsn - map errno value to mailbox-related DSN detail */
 243
 244 const char *mbox_dsn(int err, const char *def_dsn)
 245 {
 246 #define TRY_AGAIN_ERROR(e) \
 247         (e == EAGAIN || e == ESTALE)
 248 #define SYSTEM_FULL_ERROR(e) \
 249         (e == ENOSPC)
 250 #define MBOX_FULL_ERROR(e) \
 251         (e == EDQUOT || e == EFBIG)
 252
 253     return (TRY_AGAIN_ERROR(err) ? "4.2.0" :
 254             SYSTEM_FULL_ERROR(err) ? "4.3.0" :
 255             MBOX_FULL_ERROR(err) ? "5.2.2" :
 256             def_dsn);
 257 }