X-Git-Url: http://git.marmaro.de/?p=mmh;a=blobdiff_plain;f=uip%2Finc.c;h=f461dd86745a92c117390b40ca1f80bd5165a25a;hp=fd7b55e2e21a326dcd81e1411e52989ea522eaa4;hb=56f52a606b02d40fdc92b9012c7835679163cd5c;hpb=0d1c5f533f3a6cd1c7f038f59585378f53b666c2 diff --git a/uip/inc.c b/uip/inc.c index fd7b55e..f461dd8 100644 --- a/uip/inc.c +++ b/uip/inc.c @@ -2,7 +2,9 @@ /* * inc.c -- incorporate messages from a maildrop into a folder * - * $Id$ + * This code is Copyright (c) 2002, by the authors of nmh. See the + * COPYRIGHT file in the root directory of the nmh distribution for + * complete copyright information. */ #ifdef MAILGROUP @@ -14,10 +16,18 @@ * * Fri Feb 7 16:04:57 PST 1992 John Romine * NB: I'm not 100% sure that this setgid stuff is secure even now. + * + * See the *GROUPPRIVS() macros later. I'm reasonably happy with the setgid + * attribute. Running setuid root is probably not a terribly good idea, though. + * -- Peter Maydell , 04/1998 + * + * Peter Maydell's patch slightly modified for nmh 0.28-pre2. + * Ruud de Rooij Wed, 22 Jul 1998 13:24:22 +0200 */ #endif #include +#include #include #ifdef POP @@ -25,15 +35,11 @@ # include #endif -#ifdef HESIOD -# include -#endif - #include #include #include -#include -#include +#include +#include #include #include @@ -43,22 +49,10 @@ # define POPminc(a) 0 #endif -#ifndef RPOP -# define RPOPminc(a) (a) +#ifndef CYRUS_SASL +# define SASLminc(a) (a) #else -# define RPOPminc(a) 0 -#endif - -#ifndef APOP -# define APOPminc(a) (a) -#else -# define APOPminc(a) 0 -#endif - -#ifndef KPOP -# define KPOPminc(a) (a) -#else -# define KPOPminc(a) 0 +# define SASLminc(a) 0 #endif static struct swit switches[] = { 
@@ -84,37 +78,33 @@ static struct swit switches[] = { { "pack file", POPminc (-4) }, #define NPACKSW 10 { "nopack", POPminc (-6) }, -#define APOPSW 11 - { "apop", APOPminc (-4) }, -#define NAPOPSW 12 - { "noapop", APOPminc (-6) }, -#define RPOPSW 13 - { "rpop", RPOPminc (-4) }, -#define NRPOPSW 14 - { "norpop", RPOPminc (-6) }, -#define SILSW 15 +#define PORTSW 11 + { "port name/number", POPminc (-4) }, +#define SILSW 12 { "silent", 0 }, -#define NSILSW 16 +#define NSILSW 13 { "nosilent", 0 }, -#define TRNCSW 17 +#define TRNCSW 14 { "truncate", 0 }, -#define NTRNCSW 18 +#define NTRNCSW 15 { "notruncate", 0 }, -#define WIDTHSW 19 +#define WIDTHSW 16 { "width columns", 0 }, -#define VERSIONSW 20 +#define VERSIONSW 17 { "version", 0 }, -#define HELPSW 21 - { "help", 4 }, -#define SNOOPSW 22 +#define HELPSW 18 + { "help", 0 }, +#define SNOOPSW 19 { "snoop", -5 }, -#define KPOPSW 23 - { "kpop", KPOPminc (-4) }, +#define SASLSW 20 + { "sasl", SASLminc(-4) }, +#define SASLMECHSW 21 + { "saslmech", SASLminc(-8) }, +#define PROXYSW 22 + { "proxy command", POPminc(-5) }, { NULL, 0 } }; -extern int errno; - /* * flags for the mail source */ 
@@ -138,21 +128,65 @@ static int pd = NOTOK; static FILE *pf = NULL; #endif /* POP */ +/* This is an attempt to simplify things by putting all the + * privilege ops into macros. + * *GROUPPRIVS() is related to handling the setgid MAIL property, + * and only applies if MAILGROUP is defined. + * *USERPRIVS() is related to handling the setuid root property, + * and only applies if POP is defined [why does POP => setuid root?] + * Basically, SAVEGROUPPRIVS() is called right at the top of main() + * to initialise things, and then DROPGROUPPRIVS() and GETGROUPPRIVS() + * do the obvious thing. TRYDROPGROUPPRIVS() has to be safe to call + * before DROPUSERPRIVS() is called [this is needed because setgid() + * sets both effective and real uids if euid is root.] + * + * There's probably a better implementation if we're allowed to use + * BSD-style setreuid() rather than using POSIX saved-ids. + * Anyway, if you're euid root it's a bit pointless to drop the group + * permissions... + * + * I'm pretty happy that the security is good provided we aren't setuid root. + * The only things we trust with group=mail privilege are lkfopen() + * and lkfclose(). + */ /* * For setting and returning to "mail" gid */ #ifdef MAILGROUP static int return_gid; +#ifndef POP +/* easy case; we're not setuid root, so can drop group privs + * immediately. 
+ */ +#define TRYDROPGROUPPRIVS() DROPGROUPPRIVS() +#else /* POP ie we are setuid root */ +#define TRYDROPGROUPPRIVS() \ +if (geteuid() != 0) DROPGROUPPRIVS() #endif +#define DROPGROUPPRIVS() setgid(getgid()) +#define GETGROUPPRIVS() setgid(return_gid) +#define SAVEGROUPPRIVS() return_gid = getegid() +#else +/* define *GROUPPRIVS() as null; this avoids having lots of "#ifdef MAILGROUP"s */ +#define TRYDROPGROUPPRIVS() +#define DROPGROUPPRIVS() +#define GETGROUPPRIVS() +#define SAVEGROUPPRIVS() +#endif /* not MAILGROUP */ + +/* these variables have to be globals so that done() can correctly clean up the lockfile */ +static int locked = 0; +static char *newmail; +static FILE *in; /* * prototypes */ char *map_name(char *); +static void inc_done(int) NORETURN; #ifdef POP -int done(int); static int pop_action(char *); static int pop_pack(char *); static int map_count(void); 
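Review bot: The new `DROPGROUPPRIVS()` and `GETGROUPPRIVS()` macros discard the result of `setgid()`, so a failed drop leaves the process running with the mail group and nothing notices. The same macros are used at every call site in the later hunks: the top of main, around `lkfopen`/`lkfclose`, and in `inc_done`. The drop should be checked and fail closed, for example `#define DROPGROUPPRIVS() do { if (setgid(getgid()) == -1) abort(); } while (0)`. The failure path must not go through `done`, because `inc_done` itself uses these macros. Separately, the POP variant of `TRYDROPGROUPPRIVS()` expands to a bare `if`, which would capture a following `else` at a call site; wrapping it in `do { ... } while (0)` avoids that.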
@@ -163,31 +197,37 @@ int main (int argc, char **argv) { int chgflag = 1, trnflag = 1; - int noisy = 1, width = 0, locked = 0; - int rpop, i, hghnum, msgnum; - int kpop = 0; - char *cp, *maildir, *folder = NULL; + int noisy = 1, width = 0; + int i, hghnum = 0, msgnum = 0; + int sasl = 0; + char *cp, *maildir = NULL, *folder = NULL; char *format = NULL, *form = NULL; - char *newmail, *host = NULL, *user = NULL; - char *audfile = NULL, *from = NULL; + char *host = NULL, *port = NULL, *user = NULL, *proxy = NULL; + char *audfile = NULL, *from = NULL, *saslmech = NULL; char buf[BUFSIZ], **argp, *nfs, **arguments; - struct msgs *mp; + struct msgs *mp = NULL; struct stat st, s1; - FILE *in, *aud = NULL; + FILE *aud = NULL; + char b[MAXPATHLEN + 1]; + char *maildir_copy = NULL; /* copy of mail directory because the static gets overwritten */ #ifdef POP int nmsgs, nbytes, p = 0; char *pass = NULL; + char *MAILHOST_env_variable; #endif #ifdef MHE FILE *mhe = NULL; #endif -#ifdef HESIOD - struct hes_postoffice *po; - char *tmphost; -#endif + done=inc_done; + +/* absolutely the first thing we do is save our privileges, + * and drop them if we can. + */ + SAVEGROUPPRIVS(); + TRYDROPGROUPPRIVS(); #ifdef LOCALE setlocale(LC_ALL, ""); @@ -202,7 +242,6 @@ main (int argc, char **argv) argp = arguments; #ifdef POP -# ifdef HESIOD /* * Scheme is: * use MAILHOST environment variable if present, @@ -210,12 +249,8 @@ main (int argc, char **argv) * If that fails, use the default (if any) * provided by mts.conf in mts_init() */ - if ((tmphost = getenv("MAILHOST")) != NULL) - pophost = tmphost; - else if ((po = hes_getmailhost(getusername())) != NULL && - strcmp(po->po_type, "POP") == 0) - pophost = po->po_host; -# endif /* HESIOD */ + if ((MAILHOST_env_variable = getenv("MAILHOST")) != NULL) + pophost = MAILHOST_env_variable; /* * If there is a valid "pophost" entry in mts.conf, * then use it as the default host. 
@@ -227,8 +262,6 @@ main (int argc, char **argv) snoop++; #endif /* POP */ - rpop = 0; - while ((cp = *argp++)) { if (*cp == '-') { switch (smatch (++cp, switches)) { @@ -317,6 +350,12 @@ main (int argc, char **argv) if (!(host = *argp++) || *host == '-') adios (NULL, "missing argument to %s", argp[-2]); continue; + + case PORTSW: + if (!(host = *argp++) || *port == '-') + adios (NULL, "missing argument to %s", argp[-2]); + continue; + case USERSW: if (!(user = *argp++) || *user == '-') adios (NULL, "missing argument to %s", argp[-2]); @@ -337,26 +376,21 @@ main (int argc, char **argv) #endif /* POP */ continue; - case APOPSW: - rpop = -1; - continue; - case NAPOPSW: - rpop = 0; - continue; - - case RPOPSW: - rpop = 1; + case SNOOPSW: + snoop++; continue; - case NRPOPSW: - rpop = 0; + + case SASLSW: + sasl++; continue; - - case KPOPSW: - kpop = 1; + + case SASLMECHSW: + if (!(saslmech = *argp++) || *saslmech == '-') + adios (NULL, "missing argument to %s", argp[-2]); continue; - - case SNOOPSW: - snoop++; + case PROXYSW: + if (!(proxy = *argp++) || *proxy == '-') + adios (NULL, "missing argument to %s", argp[-2]); continue; } } @@ -364,24 +398,23 @@ main (int argc, char **argv) if (folder) adios (NULL, "only one folder at a time!"); else - folder = path (cp + 1, *cp == '+' ? TFOLDER : TSUBCWF); + folder = pluspath (cp); } else { adios (NULL, "usage: %s [+folder] [switches]", invo_name); } } -#ifdef MAILGROUP - return_gid = getegid(); /* Save effective gid, assuming we'll use it */ - setgid(getgid()); /* Turn off extraordinary privileges */ -#endif /* MAILGROUP */ - + /* NOTE: above this point you should use TRYDROPGROUPPRIVS(), + * not DROPGROUPPRIVS(). + */ #ifdef POP if (host && !*host) host = NULL; - if (from || !host || rpop <= 0) - setuid (getuid ()); #endif /* POP */ + /* guarantee dropping group priveleges; we might not have done so earlier */ + DROPGROUPPRIVS(); + /* * Where are we getting the new mail? */ 
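Review bot: The new `case PORTSW:` stores the switch argument in `host` and then tests `*port`, which is still the NULL it was initialised to in main's declarations. As written, `-port` dereferences a null pointer and overwrites any value given with `-host`. The condition should read `if (!(port = *argp++) || *port == '-')`. The enclosing switch starts and ends outside this hunk.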
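Review bot: With `setuid (getuid ())` removed after option parsing (and again after `pop_stat` in a later hunk), nothing in the visible new code gives up the effective uid. The comment added with the privilege macros still describes a setuid-root POP build and refers to a `DROPUSERPRIVS()` that no visible hunk defines. If inc can still be installed setuid root, the uid should be dropped permanently at this point, before the POP connection and folder work. If that installation mode is no longer supported, the comment and the `geteuid() != 0` branch of `TRYDROPGROUPPRIVS()` should say so or be removed. The comment added in this hunk also misspells `privileges` as `priveleges`.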
@@ -402,7 +435,7 @@ main (int argc, char **argv) if (inc_type == INC_POP) { if (user == NULL) user = getusername (); - if (kpop || ( rpop > 0)) + if (sasl) pass = getusername (); else ruserpass (host, &user, &pass); @@ -410,15 +443,14 @@ main (int argc, char **argv) /* * initialize POP connection */ - if (pop_init (host, user, pass, snoop, kpop ? 1 : rpop, kpop) == NOTOK) + if (pop_init (host, port, user, pass, proxy, snoop, sasl, + saslmech) == NOTOK) adios (NULL, "%s", response); /* Check if there are any messages */ if (pop_stat (&nmsgs, &nbytes) == NOTOK) adios (NULL, "%s", response); - if (rpop > 0) - setuid (getuid ()); if (nmsgs == 0) { pop_quit(); adios (NULL, "no mail to incorporate"); @@ -443,6 +475,11 @@ main (int argc, char **argv) } if (stat (newmail, &s1) == NOTOK || s1.st_size == 0) adios (NULL, "no mail to incorporate"); + + if ((cp = strdup(newmail)) == (char *)0) + adios (NULL, "error allocating memory to copy newmail"); + + newmail = cp; } #ifdef POP @@ -457,15 +494,17 @@ main (int argc, char **argv) folder = getfolder (0); maildir = m_maildir (folder); - if (stat (maildir, &st) == NOTOK) { - if (errno != ENOENT) - adios (maildir, "error on folder"); - cp = concat ("Create folder \"", maildir, "\"? ", NULL); - if (noisy && !getanswer (cp)) - done (1); - free (cp); - if (!makedir (maildir)) - adios (NULL, "unable to create folder %s", maildir); + if ((maildir_copy = strdup(maildir)) == (char *)0) + adios (maildir, "error allocating memory to copy maildir"); + + if (!folder_exists(maildir)) { + /* If the folder doesn't exist, and we're given the -silent flag, + * just fail. + */ + if (noisy) + create_folder(maildir, 0, done); + else + done (1); } if (chdir (maildir) == NOTOK) 
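Review bot: In the new `!folder_exists(maildir)` branch, the non-noisy path ends in a bare `done (1)`, so an unattended run exits with status 1 and no message saying the folder is missing. The removed code went on to create the folder in that case. The new policy can stay while remaining diagnosable by replacing `done (1);` with `adios (NULL, "folder %s doesn't exist", maildir);`.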
@@ -489,17 +528,11 @@ go_to_it: SIGNAL (SIGTERM, SIG_IGN); } -#ifdef MAILGROUP - setgid(return_gid); /* Reset gid to lock mail file */ -#endif /* MAILGROUP */ - - /* lock and fopen the mail spool */ - if ((in = lkfopen (newmail, "r")) == NULL) + GETGROUPPRIVS(); /* Reset gid to lock mail file */ + in = lkfopen (newmail, "r"); + DROPGROUPPRIVS(); + if (in == NULL) adios (NULL, "unable to lock and fopen %s", newmail); - -#ifdef MAILGROUP - setgid(getgid()); /* Return us to normal privileges */ -#endif /* MAILGROUP */ fstat (fileno(in), &s1); } else { trnflag = 0; @@ -508,9 +541,8 @@ go_to_it: } } -#ifdef MAILGROUP - setgid(getgid()); /* Return us to normal privileges */ -#endif /* MAILGROUP */ + /* This shouldn't be necessary but it can't hurt. */ + DROPGROUPPRIVS(); if (audfile) { if ((i = stat (audfile, &st)) == NOTOK) @@ -522,10 +554,9 @@ go_to_it: #ifdef POP fprintf (aud, from ? "<> %s -ms %s\n" - : host ? "<> %s -host %s -user %s%s\n" + : host ? "<> %s -host %s -user %s\n" : "<> %s\n", - dtimenow (0), from ? from : host, user, - rpop < 0 ? " -apop" : rpop > 0 ? " -rpop" : ""); + dtimenow (0), from ? from : host, user); #else /* POP */ fprintf (aud, from ? "<> %s -ms %s\n" : "<> %s\n", dtimenow (0), from); @@ -718,7 +749,6 @@ go_to_it: /* link message into folder */ newmsg = folder_addmsg(mp, tmpfilenam); #endif - /* create scanline for new message */ switch (i = scan (in, msgnum + 1, msgnum + 1, nfs, width, msgnum == hghnum && chgflag, 1, NULL, 0L, noisy)) { @@ -742,6 +772,13 @@ go_to_it: case SCNMSG: case SCNENC: + /* + * Run the external program hook on the message. + */ + + (void)snprintf(b, sizeof (b), "%s/%d", maildir_copy, msgnum + 1); + (void)ext_hook("add-hook", b, (char *)0); + if (aud) fputs (scanl, aud); #ifdef MHE @@ -753,6 +790,9 @@ go_to_it: msgnum++; mp->hghmsg++; + mp->nummsg++; + if (mp->lowmsg == 0) mp->lowmsg = 1; + clear_msg_flags (mp, msgnum); set_exists (mp, msgnum); set_unseen (mp, msgnum); 
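Review bot: The path built for `ext_hook("add-hook", ...)` ignores the `snprintf` result, so a `maildir_copy` long enough to be truncated in `b` hands the external hook a path that does not name the message just added. Check the length before running the hook: with an `int n`, use `n = snprintf(b, sizeof (b), "%s/%d", maildir_copy, msgnum + 1);` followed by `if (n >= 0 && (size_t)n < sizeof (b)) (void)ext_hook("add-hook", b, (char *)0);`. Because the hook runs an external program, it also depends on the `DROPGROUPPRIVS()` after `lkfopen` in the first hunk on this line having succeeded, and that `setgid` result is not checked.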
@@ -769,19 +809,11 @@ go_to_it: if (i < 0) { /* error */ #endif if (locked) { -#ifdef MAILGROUP - /* Be sure we can unlock mail file */ - setgid(return_gid); -#endif /* MAILGROUP */ - - lkfclose (in, newmail); - -#ifdef MAILGROUP - /* And then return us to normal privileges */ - setgid(getgid()); -#endif /* MAILGROUP */ + GETGROUPPRIVS(); /* Be sure we can unlock mail file */ + (void) lkfclose (in, newmail); in = NULL; + DROPGROUPPRIVS(); /* And then return us to normal privileges */ } else { - fclose (in); + fclose (in); in = NULL; } adios (NULL, "failed"); } @@ -840,24 +872,19 @@ go_to_it: */ if (inc_type == INC_FILE) { if (locked) { -#ifdef MAILGROUP - setgid(return_gid); /* Be sure we can unlock mail file */ -#endif /* MAILGROUP */ - - lkfclose (in, newmail); - -#ifdef MAILGROUP - setgid(getgid()); /* And then return us to normal privileges */ -#endif /* MAILGROUP */ + GETGROUPPRIVS(); /* Be sure we can unlock mail file */ + (void) lkfclose (in, newmail); in = NULL; + DROPGROUPPRIVS(); /* And then return us to normal privileges */ } else { - fclose (in); + fclose (in); in = NULL; } } seq_setunseen (mp, 0); /* set the Unseen-Sequence */ seq_save (mp); /* synchronize sequences */ context_save (); /* save the context file */ - return done (0); + done (0); + return 1; } @@ -894,17 +921,23 @@ cpymsg (FILE *in, FILE *out) #endif /* if 0 */ -#ifdef POP -int -done (int status) +static void +inc_done (int status) { +#ifdef POP if (packfile && pd != NOTOK) mbx_close (packfile, pd); - +#endif /* POP */ + if (locked) + { + GETGROUPPRIVS(); + lkfclose(in, newmail); + DROPGROUPPRIVS(); + } exit (status); - return 1; /* dead code to satisfy the compiler */ } +#ifdef POP static int pop_action (char *s) {
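Review bot: Both cleanup sites in main set `in = NULL` after `lkfclose` but leave `locked` set. The `adios`/`done` that follows presumably reaches `inc_done`, which regains the mail gid and calls `lkfclose(in, newmail)` a second time with a null stream. `lkfclose` is not visible here: if it does not return early on NULL, this is a null dereference while holding group privileges, and if it does, the second privilege round-trip is still unnecessary. Clearing the flag at the close sites, `(void) lkfclose (in, newmail); in = NULL; locked = 0;`, makes `inc_done` skip the block. main's body starts outside these hunks.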