2 * inc.c -- incorporate messages from a maildrop into a folder
4 * This code is Copyright (c) 2002, by the authors of nmh. See the
5 * COPYRIGHT file in the root directory of the nmh distribution for
6 * complete copyright information.
10 /* Revised: Sat Apr 14 17:08:17 PDT 1990 (marvit@hplabs)
11 * Added hpux hacks to set and reset gid to be "mail" as needed. The reset
12 * is necessary so inc'ed mail is the group of the inc'er, rather than
13 * "mail". We setgid to egid only when [un]locking the mail file. This
14 * is also a major security precaution which will not be explained here.
16 * Fri Feb 7 16:04:57 PST 1992 John Romine <bug-mh@ics.uci.edu>
17 * NB: I'm not 100% sure that this setgid stuff is secure even now.
19 * See the *GROUPPRIVS() macros later. I'm reasonably happy with the setgid
20 * attribute. Running setuid root is probably not a terribly good idea, though.
21 * -- Peter Maydell <pmaydell@chiark.greenend.org.uk>, 04/1998
23 * Peter Maydell's patch slightly modified for nmh 0.28-pre2.
24 * Ruud de Rooij <ruud@debian.org> Wed, 22 Jul 1998 13:24:22 +0200
32 #include <h/fmt_scan.h>
33 #include <h/scansbr.h>
34 #include <h/signals.h>
40 static struct swit switches[] = {
42 { "audit audit-file", 0 },
52 { "form formatfile", 0 },
54 { "format string", 5 },
64 { "width columns", 0 },
71 /* This is an attempt to simplify things by putting all the
72 * privilege ops into macros.
73 * *GROUPPRIVS() is related to handling the setgid MAIL property,
74 * and only applies if MAILGROUP is defined.
75 * Basically, SAVEGROUPPRIVS() is called right at the top of main()
76 * to initialise things, and then DROPGROUPPRIVS() and GETGROUPPRIVS()
77 * do the obvious thing. TRYDROPGROUPPRIVS() has to be safe to call
78 * before DROPUSERPRIVS() is called [this is needed because setgid()
79 * sets both effective and real uids if euid is root.]
81 * There's probably a better implementation if we're allowed to use
82 * BSD-style setreuid() rather than using POSIX saved-ids.
83 * Anyway, if you're euid root it's a bit pointless to drop the group
86 * I'm pretty happy that the security is good provided we aren't setuid root.
87 * The only things we trust with group=mail privilege are lkfopen()
92 * For setting and returning to "mail" gid
95 static int return_gid;
96 /* easy case; we're not setuid root, so can drop group privs
99 #define TRYDROPGROUPPRIVS() DROPGROUPPRIVS()
100 #define DROPGROUPPRIVS() setgid(getgid())
101 #define GETGROUPPRIVS() setgid(return_gid)
102 #define SAVEGROUPPRIVS() return_gid = getegid()
104 /* define *GROUPPRIVS() as null; this avoids having lots of "#ifdef MAILGROUP"s */
105 #define TRYDROPGROUPPRIVS()
106 #define DROPGROUPPRIVS()
107 #define GETGROUPPRIVS()
108 #define SAVEGROUPPRIVS()
109 #endif /* not MAILGROUP */
111 /* these variables have to be globals so that done() can correctly clean up the lockfile */
112 static int locked = 0;
113 static char *newmail;
119 char *map_name(char *);
121 static void inc_done(int) NORETURN;
125 main (int argc, char **argv)
127 int chgflag = 1, trnflag = 1;
128 int noisy = 1, width = 0;
129 int hghnum = 0, msgnum = 0;
130 int incerr = 0; /* <0 if inc hits an error which means it should not truncate mailspool */
131 char *cp, *maildir = NULL, *folder = NULL;
132 char *format = NULL, *form = NULL;
133 char *audfile = NULL, *from = NULL;
134 char buf[BUFSIZ], **argp, *nfs, **arguments;
135 struct msgs *mp = NULL;
138 char b[MAXPATHLEN + 1];
139 /* copy of mail directory because the static gets overwritten */
140 char *maildir_copy = NULL;
148 /* absolutely the first thing we do is save our privileges,
149 * and drop them if we can.
155 setlocale(LC_ALL, "");
157 invo_name = r1bindex (argv[0], '/');
159 /* read user profile/context */
162 mts_init (invo_name);
163 arguments = getarguments (invo_name, argc, argv, 1);
166 while ((cp = *argp++)) {
168 switch (smatch (++cp, switches)) {
170 ambigsw (cp, switches);
173 adios (NULL, "-%s unknown", cp);
176 snprintf (buf, sizeof(buf), "%s [+folder] [switches]", invo_name);
177 print_help (buf, switches, 1);
180 print_version(invo_name);
184 if (!(cp = *argp++) || *cp == '-')
185 adios (NULL, "missing argument to %s", argp[-2]);
186 audfile = getcpy (m_maildir (cp));
200 * The flag `trnflag' has the value:
202 * 2 if -truncate is given
203 * 1 by default (truncating is default)
204 * 0 if -notruncate is given
214 if (!(cp = *argp++) || *cp == '-')
215 adios (NULL, "missing argument to %s", argp[-2]);
216 from = path (cp, TFILE);
219 * If the truncate file is in default state,
220 * change to not truncate.
234 if (!(form = *argp++) || *form == '-')
235 adios (NULL, "missing argument to %s", argp[-2]);
239 if (!(format = *argp++) || *format == '-')
240 adios (NULL, "missing argument to %s", argp[-2]);
245 if (!(cp = *argp++) || *cp == '-')
246 adios (NULL, "missing argument to %s", argp[-2]);
251 if (*cp == '+' || *cp == '@') {
253 adios (NULL, "only one folder at a time!");
255 folder = pluspath (cp);
257 adios (NULL, "usage: %s [+folder] [switches]", invo_name);
261 /* NOTE: above this point you should use TRYDROPGROUPPRIVS(),
262 * not DROPGROUPPRIVS().
264 /* guarantee dropping group priveleges; we might not have done so earlier */
268 * We will get the mail from a file
269 * (typically the standard maildrop)
273 else if ((newmail = getenv ("MAILDROP")) && *newmail)
274 newmail = m_mailpath (newmail);
275 else if ((newmail = context_find ("maildrop")) && *newmail)
276 newmail = m_mailpath (newmail);
278 newmail = concat (MAILDIR, "/", MAILFIL, NULL);
280 if (stat (newmail, &s1) == NOTOK || s1.st_size == 0)
281 adios (NULL, "no mail to incorporate");
283 if ((cp = strdup(newmail)) == (char *)0)
284 adios (NULL, "error allocating memory to copy newmail");
288 if (!context_find ("path"))
289 free (path ("./", TFOLDER));
291 folder = getfolder (0);
292 maildir = m_maildir (folder);
294 if ((maildir_copy = strdup(maildir)) == (char *)0)
295 adios (maildir, "error allocating memory to copy maildir");
297 if (!folder_exists(maildir)) {
298 /* If the folder doesn't exist, and we're given the -silent flag,
302 create_folder(maildir, 0, done);
307 if (chdir (maildir) == NOTOK)
308 adios (maildir, "unable to change directory to");
310 /* read folder and create message structure */
311 if (!(mp = folder_read (folder)))
312 adios (NULL, "unable to read folder %s", folder);
314 if (access (newmail, W_OK) != NOTOK) {
317 SIGNAL (SIGHUP, SIG_IGN);
318 SIGNAL (SIGINT, SIG_IGN);
319 SIGNAL (SIGQUIT, SIG_IGN);
320 SIGNAL (SIGTERM, SIG_IGN);
323 GETGROUPPRIVS(); /* Reset gid to lock mail file */
324 in = lkfopen (newmail, "r");
327 adios (NULL, "unable to lock and fopen %s", newmail);
328 fstat (fileno(in), &s1);
331 if ((in = fopen (newmail, "r")) == NULL)
332 adios (newmail, "unable to read");
335 /* This shouldn't be necessary but it can't hurt. */
340 if ((i = stat (audfile, &st)) == NOTOK)
341 advise (NULL, "Creating Receive-Audit: %s", audfile);
342 if ((aud = fopen (audfile, "a")) == NULL)
343 adios (audfile, "unable to append to");
345 chmod (audfile, m_gmprot ());
347 fprintf (aud, from ? "<<inc>> %s -ms %s\n" : "<<inc>> %s\n",
352 if (context_find ("mhe")) {
354 cp = concat (maildir, "/++", NULL);
356 if ((mhe = fopen (cp, "a")) == NULL)
357 admonish (cp, "unable to append to");
360 chmod (cp, m_gmprot ());
365 /* Get new format string */
366 nfs = new_fs (form, format, FORMAT);
369 printf ("Incorporating new mail into %s...\n\n", folder);
374 * Get the mail from file (usually mail spool)
376 m_unknown (in); /* the MAGIC invocation... */
377 hghnum = msgnum = mp->hghmsg;
380 * Check if we need to allocate more space for message status.
381 * If so, then add space for an additional 100 messages.
383 if (msgnum >= mp->hghoff
384 && !(mp = folder_realloc (mp, mp->lowoff, mp->hghoff + 100))) {
385 advise (NULL, "unable to allocate folder storage");
390 /* create scanline for new message */
391 switch (incerr = scan (in, msgnum + 1, msgnum + 1, nfs, width,
392 msgnum == hghnum && chgflag, 1, NULL, 0L, noisy)) {
399 fputs ("inc aborted!\n", aud);
400 /* doesn't clean up locks! */
401 advise (NULL, "aborted!");
405 advise (NULL, "BUG in %s, number out of range", invo_name);
409 advise (NULL, "BUG in %s, scan() botch (%d)", invo_name, incerr);
415 * Run the external program hook on the message.
418 (void)snprintf(b, sizeof (b), "%s/%d", maildir_copy, msgnum + 1);
419 (void)ext_hook("add-hook", b, (char *)0);
434 clear_msg_flags (mp, msgnum);
435 set_exists (mp, msgnum);
436 set_unseen (mp, msgnum);
437 mp->msgflags |= SEQMOD;
440 /* If we get here there was some sort of error from scan(),
441 * so stop processing anything more from the spool.
446 if (incerr < 0) { /* error */
448 GETGROUPPRIVS(); /* Be sure we can unlock mail file */
449 (void) lkfclose (in, newmail); in = NULL;
450 DROPGROUPPRIVS(); /* And then return us to normal privileges */
452 fclose (in); in = NULL;
454 adios (NULL, "failed");
469 * truncate file we are incorporating from
472 if (stat (newmail, &st) != NOTOK && s1.st_mtime != st.st_mtime)
473 advise (NULL, "new messages have arrived!\007");
476 if ((newfd = creat (newmail, 0600)) != NOTOK)
479 admonish (newmail, "error zero'ing");
480 unlink(map_name(newmail));
484 printf ("%s not zero'd\n", newmail);
487 if (msgnum == hghnum) {
488 admonish (NULL, "no messages incorporated");
490 context_replace (pfolder, folder); /* update current folder */
492 mp->curmsg = hghnum + 1;
496 if (chgflag) /* sigh... */
497 seq_setcur (mp, mp->curmsg);
501 * unlock the mail spool
504 GETGROUPPRIVS(); /* Be sure we can unlock mail file */
505 (void) lkfclose (in, newmail); in = NULL;
506 DROPGROUPPRIVS(); /* And then return us to normal privileges */
508 fclose (in); in = NULL;
511 seq_setunseen (mp, 0); /* set the Unseen-Sequence */
512 seq_save (mp); /* synchronize sequences */
513 context_save (); /* save the context file */
519 inc_done (int status)
523 lkfclose(in, newmail);