3 * inc.c -- incorporate messages from a maildrop into a folder
7 * This code is Copyright (c) 2002, by the authors of nmh. See the
8 * COPYRIGHT file in the root directory of the nmh distribution for
9 * complete copyright information.
13 /* Revised: Sat Apr 14 17:08:17 PDT 1990 (marvit@hplabs)
14 * Added hpux hacks to set and reset gid to be "mail" as needed. The reset
15 * is necessary so inc'ed mail is the group of the inc'er, rather than
16 * "mail". We setgid to egid only when [un]locking the mail file. This
17 * is also a major security precaution which will not be explained here.
19 * Fri Feb 7 16:04:57 PST 1992 John Romine <bug-mh@ics.uci.edu>
20 * NB: I'm not 100% sure that this setgid stuff is secure even now.
22 * See the *GROUPPRIVS() macros later. I'm reasonably happy with the setgid
23 * attribute. Running setuid root is probably not a terribly good idea, though.
24 * -- Peter Maydell <pmaydell@chiark.greenend.org.uk>, 04/1998
26 * Peter Maydell's patch slightly modified for nmh 0.28-pre2.
27 * Ruud de Rooij <ruud@debian.org> Wed, 22 Jul 1998 13:24:22 +0200
36 # include <h/dropsbr.h>
37 # include <h/popsbr.h>
44 #include <h/fmt_scan.h>
45 #include <h/scansbr.h>
46 #include <h/signals.h>
53 # define POPminc(a) (a)
59 # define RPOPminc(a) (a)
61 # define RPOPminc(a) 0
65 # define APOPminc(a) (a)
67 # define APOPminc(a) 0
71 # define KPOPminc(a) (a)
73 # define KPOPminc(a) 0
77 # define SASLminc(a) (a)
79 # define SASLminc(a) 0
82 static struct swit switches[] = {
84 { "audit audit-file", 0 },
94 { "form formatfile", 0 },
96 { "format string", 5 },
98 { "host hostname", POPminc (-4) },
100 { "user username", POPminc (-4) },
102 { "pack file", POPminc (-4) },
104 { "nopack", POPminc (-6) },
106 { "apop", APOPminc (-4) },
108 { "noapop", APOPminc (-6) },
110 { "rpop", RPOPminc (-4) },
112 { "norpop", RPOPminc (-6) },
122 { "width columns", 0 },
130 { "kpop", KPOPminc (-4) },
132 { "sasl", SASLminc(-4) },
133 #define SASLMECHSW 25
134 { "saslmech", SASLminc(-8) },
136 { "proxy command", POPminc(-5) },
141 * flags for the mail source
147 static int snoop = 0;
150 extern char response[];
152 static char *packfile = NULL;
158 static int mbx_style = MMDF_FORMAT;
159 static int pd = NOTOK;
160 static FILE *pf = NULL;
163 /* This is an attempt to simplify things by putting all the
164 * privilege ops into macros.
165 * *GROUPPRIVS() is related to handling the setgid MAIL property,
166 * and only applies if MAILGROUP is defined.
167 * *USERPRIVS() is related to handling the setuid root property,
168 * and only applies if POP is defined [why does POP => setuid root?]
169 * Basically, SAVEGROUPPRIVS() is called right at the top of main()
170 * to initialise things, and then DROPGROUPPRIVS() and GETGROUPPRIVS()
171 * do the obvious thing. TRYDROPGROUPPRIVS() has to be safe to call
172 * before DROPUSERPRIVS() is called [this is needed because setgid()
173 * sets both effective and real uids if euid is root.]
175 * There's probably a better implementation if we're allowed to use
176 * BSD-style setreuid() rather than using POSIX saved-ids.
177 * Anyway, if you're euid root it's a bit pointless to drop the group
180 * I'm pretty happy that the security is good provided we aren't setuid root.
181 * The only things we trust with group=mail privilege are lkfopen()
186 * For setting and returning to "mail" gid
189 static int return_gid;
191 /* easy case; we're not setuid root, so can drop group privs
194 #define TRYDROPGROUPPRIVS() DROPGROUPPRIVS()
195 #else /* POP ie we are setuid root */
196 #define TRYDROPGROUPPRIVS() \
197 if (geteuid() != 0) DROPGROUPPRIVS()
199 #define DROPGROUPPRIVS() setgid(getgid())
200 #define GETGROUPPRIVS() setgid(return_gid)
201 #define SAVEGROUPPRIVS() return_gid = getegid()
203 /* define *GROUPPRIVS() as null; this avoids having lots of "#ifdef MAILGROUP"s */
204 #define TRYDROPGROUPPRIVS()
205 #define DROPGROUPPRIVS()
206 #define GETGROUPPRIVS()
207 #define SAVEGROUPPRIVS()
208 #endif /* not MAILGROUP */
211 #define DROPUSERPRIVS() setuid(getuid())
213 #define DROPUSERPRIVS()
216 /* these variables have to be globals so that done() can correctly clean up the lockfile */
217 static int locked = 0;
218 static char *newmail;
224 char *map_name(char *);
228 static int pop_action(char *);
229 static int pop_pack(char *);
230 static int map_count(void);
235 main (int argc, char **argv)
237 int chgflag = 1, trnflag = 1;
238 int noisy = 1, width = 0;
239 int rpop, i, hghnum, msgnum;
240 int kpop = 0, sasl = 0;
241 char *cp, *maildir, *folder = NULL;
242 char *format = NULL, *form = NULL;
243 char *host = NULL, *user = NULL, *proxy = NULL;
244 char *audfile = NULL, *from = NULL, *saslmech = NULL;
245 char buf[BUFSIZ], **argp, *nfs, **arguments;
249 char b[MAXPATHLEN + 1];
250 char *maildir_copy; /* copy of mail directory because the static gets overwritten */
253 int nmsgs, nbytes, p = 0;
255 char *MAILHOST_env_variable;
263 struct hes_postoffice *po;
266 /* absolutely the first thing we do is save our privileges,
267 * and drop them if we can.
273 setlocale(LC_ALL, "");
275 invo_name = r1bindex (argv[0], '/');
277 /* read user profile/context */
280 mts_init (invo_name);
281 arguments = getarguments (invo_name, argc, argv, 1);
287 * use MAILHOST environment variable if present,
289 * If that fails, use the default (if any)
290 * provided by mts.conf in mts_init()
292 if ((MAILHOST_env_variable = getenv("MAILHOST")) != NULL)
293 pophost = MAILHOST_env_variable;
295 else if ((po = hes_getmailhost(getusername())) != NULL &&
296 strcmp(po->po_type, "POP") == 0)
297 pophost = po->po_host;
300 * If there is a valid "pophost" entry in mts.conf,
301 * then use it as the default host.
303 if (pophost && *pophost)
306 if ((cp = getenv ("MHPOPDEBUG")) && *cp)
312 while ((cp = *argp++)) {
314 switch (smatch (++cp, switches)) {
316 ambigsw (cp, switches);
319 adios (NULL, "-%s unknown", cp);
322 snprintf (buf, sizeof(buf), "%s [+folder] [switches]", invo_name);
323 print_help (buf, switches, 1);
326 print_version(invo_name);
330 if (!(cp = *argp++) || *cp == '-')
331 adios (NULL, "missing argument to %s", argp[-2]);
332 audfile = getcpy (m_maildir (cp));
346 * The flag `trnflag' has the value:
348 * 2 if -truncate is given
349 * 1 by default (truncating is default)
350 * 0 if -notruncate is given
360 if (!(cp = *argp++) || *cp == '-')
361 adios (NULL, "missing argument to %s", argp[-2]);
362 from = path (cp, TFILE);
365 * If the truncate file is in default state,
366 * change to not truncate.
380 if (!(form = *argp++) || *form == '-')
381 adios (NULL, "missing argument to %s", argp[-2]);
385 if (!(format = *argp++) || *format == '-')
386 adios (NULL, "missing argument to %s", argp[-2]);
391 if (!(cp = *argp++) || *cp == '-')
392 adios (NULL, "missing argument to %s", argp[-2]);
397 if (!(host = *argp++) || *host == '-')
398 adios (NULL, "missing argument to %s", argp[-2]);
401 if (!(user = *argp++) || *user == '-')
402 adios (NULL, "missing argument to %s", argp[-2]);
407 if (!(cp = *argp++) || *cp == '-')
408 adios (NULL, "missing argument to %s", argp[-2]);
410 if (!(packfile = *argp++) || *packfile == '-')
411 adios (NULL, "missing argument to %s", argp[-2]);
447 if (!(saslmech = *argp++) || *saslmech == '-')
448 adios (NULL, "missing argument to %s", argp[-2]);
451 if (!(proxy = *argp++) || *proxy == '-')
452 adios (NULL, "missing argument to %s", argp[-2]);
456 if (*cp == '+' || *cp == '@') {
458 adios (NULL, "only one folder at a time!");
460 folder = pluspath (cp);
462 adios (NULL, "usage: %s [+folder] [switches]", invo_name);
466 /* NOTE: above this point you should use TRYDROPGROUPPRIVS(),
467 * not DROPGROUPPRIVS().
472 if (from || !host || rpop <= 0)
476 /* guarantee dropping group priveleges; we might not have done so earlier */
480 * Where are we getting the new mail?
493 * Are we getting the mail from
496 if (inc_type == INC_POP) {
498 user = getusername ();
499 if ( strcmp( POPSERVICE, "kpop" ) == 0 ) {
502 if (kpop || sasl || ( rpop > 0))
503 pass = getusername ();
505 ruserpass (host, &user, &pass);
508 * initialize POP connection
510 if (pop_init (host, user, pass, proxy, snoop, kpop ? 1 : rpop, kpop,
511 sasl, saslmech) == NOTOK)
512 adios (NULL, "%s", response);
514 /* Check if there are any messages */
515 if (pop_stat (&nmsgs, &nbytes) == NOTOK)
516 adios (NULL, "%s", response);
522 adios (NULL, "no mail to incorporate");
528 * We will get the mail from a file
529 * (typically the standard maildrop)
532 if (inc_type == INC_FILE) {
535 else if ((newmail = getenv ("MAILDROP")) && *newmail)
536 newmail = m_mailpath (newmail);
537 else if ((newmail = context_find ("maildrop")) && *newmail)
538 newmail = m_mailpath (newmail);
540 newmail = concat (MAILDIR, "/", MAILFIL, NULL);
542 if (stat (newmail, &s1) == NOTOK || s1.st_size == 0)
543 adios (NULL, "no mail to incorporate");
545 if ((cp = strdup(newmail)) == (char *)0)
546 adios (maildir, "error allocating memory to copy newmail");
552 /* skip the folder setup */
553 if ((inc_type == INC_POP) && packfile)
557 if (!context_find ("path"))
558 free (path ("./", TFOLDER));
560 folder = getfolder (0);
561 maildir = m_maildir (folder);
563 if ((maildir_copy = strdup(maildir)) == (char *)0)
564 adios (maildir, "error allocating memory to copy maildir");
567 create_folder(maildir, 0, done);
571 if (chdir (maildir) == NOTOK)
572 adios (maildir, "unable to change directory to");
574 /* read folder and create message structure */
575 if (!(mp = folder_read (folder)))
576 adios (NULL, "unable to read folder %s", folder);
582 if (inc_type == INC_FILE) {
583 if (access (newmail, W_OK) != NOTOK) {
586 SIGNAL (SIGHUP, SIG_IGN);
587 SIGNAL (SIGINT, SIG_IGN);
588 SIGNAL (SIGQUIT, SIG_IGN);
589 SIGNAL (SIGTERM, SIG_IGN);
592 GETGROUPPRIVS(); /* Reset gid to lock mail file */
593 in = lkfopen (newmail, "r");
596 adios (NULL, "unable to lock and fopen %s", newmail);
597 fstat (fileno(in), &s1);
600 if ((in = fopen (newmail, "r")) == NULL)
601 adios (newmail, "unable to read");
605 /* This shouldn't be necessary but it can't hurt. */
609 if ((i = stat (audfile, &st)) == NOTOK)
610 advise (NULL, "Creating Receive-Audit: %s", audfile);
611 if ((aud = fopen (audfile, "a")) == NULL)
612 adios (audfile, "unable to append to");
614 chmod (audfile, m_gmprot ());
617 fprintf (aud, from ? "<<inc>> %s -ms %s\n"
618 : host ? "<<inc>> %s -host %s -user %s%s\n"
620 dtimenow (0), from ? from : host, user,
621 rpop < 0 ? " -apop" : rpop > 0 ? " -rpop" : "");
623 fprintf (aud, from ? "<<inc>> %s -ms %s\n" : "<<inc>> %s\n",
629 if (context_find ("mhe")) {
630 cp = concat (maildir, "/++", NULL);
632 if ((mhe = fopen (cp, "a")) == NULL)
633 admonish (cp, "unable to append to");
636 chmod (cp, m_gmprot ());
641 /* Get new format string */
642 nfs = new_fs (form, format, FORMAT);
645 printf ("Incorporating new mail into %s...\n\n", folder);
651 * Get the mail from a POP server
653 if (inc_type == INC_POP) {
655 packfile = path (packfile, TFILE);
656 if (stat (packfile, &st) == NOTOK) {
658 adios (packfile, "error on file");
659 cp = concat ("Create file \"", packfile, "\"? ", NULL);
660 if (noisy && !getanswer (cp))
664 msgnum = map_count ();
665 if ((pd = mbx_open (packfile, mbx_style, getuid(), getgid(), m_gmprot()))
667 adios (packfile, "unable to open");
668 if ((pf = fdopen (pd, "w+")) == NULL)
669 adios (NULL, "unable to fdopen %s", packfile);
671 hghnum = msgnum = mp->hghmsg;
673 * Check if we have enough message space for all the new
674 * messages. If not, then realloc the folder and add enough
675 * space for all new messages plus 10 additional slots.
677 if (mp->hghmsg + nmsgs >= mp->hghoff
678 && !(mp = folder_realloc (mp, mp->lowoff, mp->hghmsg + nmsgs + 10)))
679 adios (NULL, "unable to allocate folder storage");
682 for (i = 1; i <= nmsgs; i++) {
685 fseek (pf, 0L, SEEK_CUR);
688 fwrite (mmdlm1, 1, strlen (mmdlm1), pf);
691 if (pop_retr (i, pop_pack) == NOTOK)
692 adios (NULL, "%s", response);
694 fseek (pf, 0L, SEEK_CUR);
697 adios (packfile, "write error on");
698 fseek (pf, start, SEEK_SET);
700 cp = getcpy (m_name (msgnum));
701 if ((pf = fopen (cp, "w+")) == NULL)
702 adios (cp, "unable to write");
703 chmod (cp, m_gmprot ());
706 if (pop_retr (i, pop_action) == NOTOK)
707 adios (NULL, "%s", response);
710 adios (cp, "write error on");
711 fseek (pf, 0L, SEEK_SET);
713 switch (p = scan (pf, msgnum, 0, nfs, width,
714 packfile ? 0 : msgnum == mp->hghmsg + 1 && chgflag,
715 1, NULL, stop - start, noisy)) {
717 printf ("%*d empty\n", DMAXFOLDER, msgnum);
723 /* advise (cp, "unable to read"); already advised */
742 clear_msg_flags (mp, msgnum);
743 set_exists (mp, msgnum);
744 set_unseen (mp, msgnum);
745 mp->msgflags |= SEQMOD;
750 fseek (pf, stop, SEEK_SET);
751 fwrite (mmdlm2, 1, strlen (mmdlm2), pf);
752 if (fflush (pf) || ferror (pf)) {
756 adios (packfile, "write error on");
758 map_write (packfile, pd, 0, 0L, start, stop, pos, size, noisy);
760 if (ferror(pf) || fclose (pf)) {
765 adios (cp, "write error on");
770 if (trnflag && pop_dele (i) == NOTOK)
771 adios (NULL, "%s", response);
774 if (pop_quit () == NOTOK)
775 adios (NULL, "%s", response);
777 mbx_close (packfile, pd);
784 * Get the mail from file (usually mail spool)
786 if (inc_type == INC_FILE) {
787 m_unknown (in); /* the MAGIC invocation... */
788 hghnum = msgnum = mp->hghmsg;
791 * Check if we need to allocate more space for message status.
792 * If so, then add space for an additional 100 messages.
794 if (msgnum >= mp->hghoff
795 && !(mp = folder_realloc (mp, mp->lowoff, mp->hghoff + 100))) {
796 advise (NULL, "unable to allocate folder storage");
802 /* copy file from spool to tmp file */
803 tmpfilenam = m_scratch ("", invo_name);
804 if ((fd = creat (tmpfilenam, m_gmprot ())) == NOTOK)
805 adios (tmpfilenam, "unable to create");
806 chmod (tmpfilenam, m_gmprot ());
807 if (!(in2 = fdopen (fd, "r+")))
808 adios (tmpfilenam, "unable to access");
811 /* link message into folder */
812 newmsg = folder_addmsg(mp, tmpfilenam);
814 /* create scanline for new message */
815 switch (i = scan (in, msgnum + 1, msgnum + 1, nfs, width,
816 msgnum == hghnum && chgflag, 1, NULL, 0L, noisy)) {
823 fputs ("inc aborted!\n", aud);
824 advise (NULL, "aborted!"); /* doesn't clean up locks! */
828 advise (NULL, "BUG in %s, number out of range", invo_name);
832 advise (NULL, "BUG in %s, scan() botch (%d)", invo_name, i);
838 * Run the external program hook on the message.
841 (void)snprintf(b, sizeof (b), "%s/%d", maildir_copy, msgnum + 1);
842 (void)ext_hook("add-hook", b, (char *)0);
856 if (mp->lowmsg == 0) mp->lowmsg = 1;
858 clear_msg_flags (mp, msgnum);
859 set_exists (mp, msgnum);
860 set_unseen (mp, msgnum);
861 mp->msgflags |= SEQMOD;
869 if (p < 0) { /* error */
871 if (i < 0) { /* error */
874 GETGROUPPRIVS(); /* Be sure we can unlock mail file */
875 (void) lkfclose (in, newmail); in = NULL;
876 DROPGROUPPRIVS(); /* And then return us to normal privileges */
878 fclose (in); in = NULL;
880 adios (NULL, "failed");
895 if ((inc_type == INC_POP) && packfile)
900 * truncate file we are incorporating from
902 if (inc_type == INC_FILE) {
904 if (stat (newmail, &st) != NOTOK && s1.st_mtime != st.st_mtime)
905 advise (NULL, "new messages have arrived!\007");
907 if ((i = creat (newmail, 0600)) != NOTOK)
910 admonish (newmail, "error zero'ing");
911 unlink(map_name(newmail));
915 printf ("%s not zero'd\n", newmail);
919 if (msgnum == hghnum) {
920 admonish (NULL, "no messages incorporated");
922 context_replace (pfolder, folder); /* update current folder */
924 mp->curmsg = hghnum + 1;
928 if (chgflag) /* sigh... */
929 seq_setcur (mp, mp->curmsg);
933 * unlock the mail spool
935 if (inc_type == INC_FILE) {
937 GETGROUPPRIVS(); /* Be sure we can unlock mail file */
938 (void) lkfclose (in, newmail); in = NULL;
939 DROPGROUPPRIVS(); /* And then return us to normal privileges */
941 fclose (in); in = NULL;
945 seq_setunseen (mp, 0); /* set the Unseen-Sequence */
946 seq_save (mp); /* synchronize sequences */
947 context_save (); /* save the context file */
955 * Copy message message from spool into
956 * temporary file. Massage the "From " line
960 cpymsg (FILE *in, FILE *out)
963 char *tmpbuf, name[NAMESZ];
966 state = m_getfld (state, name, tmpbuf, rlwidth, in);
989 if (packfile && pd != NOTOK)
990 mbx_close (packfile, pd);
995 lkfclose(in, newmail);
999 return 1; /* dead code to satisfy the compiler */
1004 pop_action (char *s)
1006 fprintf (pf, "%s\n", s);
1007 stop += strlen (s) + 1;
1008 return 0; /* Is return value used? This was missing before 1999-07-15. */
1015 char buffer[BUFSIZ];
1017 snprintf (buffer, sizeof(buffer), "%s\n", s);
1018 for (j = 0; (j = stringdex (mmdlm1, buffer)) >= 0; buffer[j]++)
1020 for (j = 0; (j = stringdex (mmdlm2, buffer)) >= 0; buffer[j]++)
1023 size += strlen (buffer) + 1;
1024 return 0; /* Is return value used? This was missing before 1999-07-15. */
1035 if (stat (packfile, &st) == NOTOK)
1037 if ((md = open (cp = map_name (packfile), O_RDONLY)) == NOTOK
1038 || map_chk (cp, md, &d, (long) st.st_size, 1)) {