/************************************************* * Exim - an Internet mail transport agent * *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2020 */ /* Copyright (c) The Exim maintainers 2020 */ /* See the file NOTICE for conditions of use and distribution. */ #include "../exim.h" #include "appendfile.h" #ifdef SUPPORT_MAILDIR #include "tf_maildir.h" #endif /* Options specific to the appendfile transport. They must be in alphabetic order (note that "_" comes before the lower case letters). Some of them are stored in the publicly visible instance block - these are flagged with the opt_public flag. */ #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field) optionlist appendfile_transport_options[] = { #ifdef SUPPORT_MAILDIR { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) }, #endif { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) }, { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) }, { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) }, #ifdef SUPPORT_MBX { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) }, #endif { "allow_fifo", opt_bool, LOFF(allow_fifo) }, { "allow_symlink", opt_bool, LOFF(allow_symlink) }, { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) }, { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) }, { "check_group", opt_bool, LOFF(check_group) }, { "check_owner", opt_bool, LOFF(check_owner) }, { "check_string", opt_stringptr, LOFF(check_string) }, { "create_directory", opt_bool, LOFF(create_directory) }, { "create_file", opt_stringptr, LOFF(create_file_string) }, { "directory", opt_stringptr, LOFF(dirname) }, { "directory_file", opt_stringptr, LOFF(dirfilename) }, { "directory_mode", opt_octint, LOFF(dirmode) }, { "escape_string", opt_stringptr, LOFF(escape_string) }, { "file", opt_stringptr, LOFF(filename) }, { "file_format", opt_stringptr, LOFF(file_format) }, { "file_must_exist", opt_bool, LOFF(file_must_exist) }, { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) }, { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) }, { "lock_interval", opt_time, LOFF(lock_interval) }, { "lock_retries", opt_int, LOFF(lock_retries) }, { "lockfile_mode", opt_octint, LOFF(lockfile_mode) }, { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) }, { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) }, { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) }, #ifdef SUPPORT_MAILDIR { "maildir_format", opt_bool, LOFF(maildir_format ) } , { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) }, { "maildir_retries", opt_int, LOFF(maildir_retries) }, { "maildir_tag", opt_stringptr, LOFF(maildir_tag) }, { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } , { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) }, #endif /* SUPPORT_MAILDIR */ #ifdef SUPPORT_MAILSTORE { "mailstore_format", opt_bool, LOFF(mailstore_format ) }, { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) }, { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) }, #endif /* SUPPORT_MAILSTORE */ #ifdef SUPPORT_MBX { "mbx_format", opt_bool, LOFF(mbx_format ) } , #endif /* SUPPORT_MBX */ { "message_prefix", opt_stringptr, LOFF(message_prefix) }, { "message_suffix", opt_stringptr, LOFF(message_suffix) }, { "mode", opt_octint, LOFF(mode) }, { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) }, { "notify_comsat", opt_bool, LOFF(notify_comsat) }, { "quota", opt_stringptr, LOFF(quota) }, { "quota_directory", opt_stringptr, LOFF(quota_directory) }, { "quota_filecount", opt_stringptr, LOFF(quota_filecount) }, { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) }, { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) }, { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) }, { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) }, { "use_bsmtp", opt_bool, LOFF(use_bsmtp) }, { "use_crlf", opt_bool, LOFF(use_crlf) }, { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) }, { "use_flock_lock", opt_bool_set, LOFF(use_flock) }, { "use_lockfile", opt_bool_set, LOFF(use_lockfile) }, #ifdef SUPPORT_MBX { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) }, #endif /* SUPPORT_MBX */ }; /* Size of the options list. An extern variable has to be used so that its address can appear in the tables drtables.c. */ int appendfile_transport_options_count = sizeof(appendfile_transport_options)/sizeof(optionlist); #ifdef MACRO_PREDEF /* Dummy values */ appendfile_transport_options_block appendfile_transport_option_defaults = {0}; void appendfile_transport_init(transport_instance *tblock) {} BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;} #else /*!MACRO_PREDEF*/ /* Default private options block for the appendfile transport. */ appendfile_transport_options_block appendfile_transport_option_defaults = { /* all non-mentioned members zero/null/false */ .dirfilename = US"q${base62:$tod_epoch}-$inode", .create_file_string = US"anywhere", .maildir_dir_regex = US"^(?:cur|new|\\..*)$", .mailbox_size_value = -1, .mailbox_filecount_value = -1, .mode = APPENDFILE_MODE, .dirmode = APPENDFILE_DIRECTORY_MODE, .lockfile_mode = APPENDFILE_LOCKFILE_MODE, .lockfile_timeout = 30*60, .lock_retries = 10, .lock_interval = 3, .maildir_retries = 10, .create_file = create_anywhere, .check_owner = TRUE, .create_directory = TRUE, .notify_comsat = FALSE, .use_lockfile = TRUE, .use_fcntl = TRUE, .mode_fail_narrower = TRUE, .quota_is_inclusive = TRUE, }; /* Encodings for mailbox formats, and their names. MBX format is actually supported only if SUPPORT_MBX is set. */ enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore }; static const char *mailbox_formats[] = { "unix", "mbx", "smail", "maildir", "mailstore" }; /* Check warn threshold only if quota size set or not a percentage threshold percentage check should only be done if quota > 0 */ #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \ (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0)) /************************************************* * Setup entry point * *************************************************/ /* Called for each delivery in the privileged state, just before the uid/gid are changed and the main entry point is called. We use this function to expand any quota settings, so that it can access files that may not be readable by the user. It is also used to pick up external mailbox size information, if set. Arguments: tblock points to the transport instance addrlist addresses about to be delivered (not used) dummy not used (doesn't pass back data) uid the uid that will be set (not used) gid the gid that will be set (not used) errmsg where to put an error message Returns: OK, FAIL, or DEFER */ void open_logs(void); static int appendfile_transport_setup(transport_instance *tblock, address_item *addrlist, transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg) { appendfile_transport_options_block *ob = (appendfile_transport_options_block *)(tblock->options_block); uschar *q = ob->quota; double default_value = 0.0; addrlist = addrlist; /* Keep picky compilers happy */ dummy = dummy; uid = uid; gid = gid; /* we can't wait until we're not privileged anymore */ open_logs(); if (ob->expand_maildir_use_size_file) ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file, US"`maildir_use_size_file` in transport", tblock->name); /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size, mailbox_filecount */ for (int i = 0; i < 5; i++) { double d = default_value; int no_check = 0; uschar *which = NULL; if (q) { uschar * rest, * s; if (!(s = expand_string(q))) { *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: " "%s", q, tblock->name, expand_string_message); return f.search_find_defer ? DEFER : FAIL; } d = Ustrtod(s, &rest); /* Handle following characters K, M, G, %, the latter being permitted for quota_warn_threshold only. A threshold with no quota setting is just ignored. */ if (tolower(*rest) == 'k') { d *= 1024.0; rest++; } else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; } else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; } else if (*rest == '%' && i == 2) { if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0; else if ((int)d < 0 || (int)d > 100) { *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)" " for %s transport", (int)d, tblock->name); return FAIL; } ob->quota_warn_threshold_is_percent = TRUE; rest++; } /* For quota and quota_filecount there may be options appended. Currently only "no_check", so we can be lazy parsing it */ if (i < 2 && Ustrstr(rest, "/no_check") == rest) { no_check = 1; rest += sizeof("/no_check") - 1; } Uskip_whitespace(&rest); if (*rest) { *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") " "in %s transport", s, q, tblock->name); return FAIL; } } /* Set each value, checking for possible overflow. */ switch (i) { case 0: if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota"; ob->quota_value = (off_t)d; ob->quota_no_check = no_check; q = ob->quota_filecount; break; case 1: if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount"; ob->quota_filecount_value = (int)d; ob->quota_filecount_no_check = no_check; q = ob->quota_warn_threshold; break; case 2: if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota_warn_threshold"; ob->quota_warn_threshold_value = (off_t)d; q = ob->mailbox_size_string; default_value = -1.0; break; case 3: if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"mailbox_size";; ob->mailbox_size_value = (off_t)d; q = ob->mailbox_filecount_string; break; case 4: if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount"; ob->mailbox_filecount_value = (int)d; break; } if (which) { *errmsg = string_sprintf("%s value %.10g is too large (overflow) in " "%s transport", which, d, tblock->name); return FAIL; } } return OK; } /************************************************* * Initialization entry point * *************************************************/ /* Called for each instance, after its options have been read, to enable consistency checks to be done, or anything else that needs to be set up. */ void appendfile_transport_init(transport_instance *tblock) { appendfile_transport_options_block *ob = (appendfile_transport_options_block *)(tblock->options_block); uschar * s; /* Set up the setup entry point, to be called in the privileged state */ tblock->setup = appendfile_transport_setup; /* Lock_retries must be greater than zero */ if (ob->lock_retries == 0) ob->lock_retries = 1; /* Only one of a file name or directory name must be given. */ if (ob->filename && ob->dirname) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "only one of \"file\" or \"directory\" can be specified", tblock->name); /* If a file name was specified, neither quota_filecount nor quota_directory must be given. */ if (ob->filename) { if (ob->quota_filecount) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "quota_filecount must not be set without \"directory\"", tblock->name); if (ob->quota_directory) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "quota_directory must not be set without \"directory\"", tblock->name); } /* The default locking depends on whether MBX is set or not. Change the built-in default if none of the lock options has been explicitly set. At least one form of locking is required in all cases, but mbx locking changes the meaning of fcntl and flock locking. */ /* Not all operating systems provide flock(). For those that do, if flock is requested, the default for fcntl is FALSE. */ if (ob->use_flock) { #ifdef NO_FLOCK log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "flock() support was not available in the operating system when this " "binary was built", tblock->name); #endif /* NO_FLOCK */ if (!ob->set_use_fcntl) ob->use_fcntl = FALSE; } #ifdef SUPPORT_MBX if (ob->mbx_format) if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock && !ob->set_use_mbx_lock) { ob->use_lockfile = ob->use_flock = FALSE; ob->use_mbx_lock = ob->use_fcntl = TRUE; } else if (ob->use_mbx_lock) { if (!ob->set_use_lockfile) ob->use_lockfile = FALSE; if (!ob->set_use_fcntl) ob->use_fcntl = FALSE; if (!ob->set_use_flock) ob->use_flock = FALSE; if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE; } #endif /* SUPPORT_MBX */ if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "no locking configured", tblock->name); /* Unset timeouts for non-used locking types */ if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0; if (!ob->use_flock) ob->lock_flock_timeout = 0; /* If a directory name was specified, only one of maildir or mailstore may be specified, and if quota_filecount or quota_directory is given, quota must be set. */ if (ob->dirname) { if (ob->maildir_format && ob->mailstore_format) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "only one of maildir and mailstore may be specified", tblock->name); if (ob->quota_filecount != NULL && ob->quota == NULL) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "quota must be set if quota_filecount is set", tblock->name); if (ob->quota_directory != NULL && ob->quota == NULL) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " "quota must be set if quota_directory is set", tblock->name); } /* If a fixed uid field is set, then a gid field must also be set. */ if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid) log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "user set without group for the %s transport", tblock->name); /* If "create_file" is set, check that a valid option is given, and set the integer variable. */ if ((s = ob->create_file_string ) && *s) { int val = 0; if (Ustrcmp(s, "anywhere") == 0) val = create_anywhere; else if (*s == '/' || Ustrcmp(s, "belowhome") == 0) val = create_belowhome; else if (Ustrcmp(s, "inhome") == 0) val = create_inhome; else log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid value given for \"file_create\" for the %s transport: '%s'", tblock->name, s); ob->create_file = val; } /* If quota_warn_threshold is set, set up default for warn_message. It may not be used if the actual threshold for a given delivery ends up as zero, of if it's given as a percentage and there's no quota setting. */ if (ob->quota_warn_threshold) { if (!tblock->warn_message) tblock->warn_message = US "To: $local_part@$domain\n" "Subject: Your mailbox\n\n" "This message is automatically created by mail delivery software (Exim).\n\n" "The size of your mailbox has exceeded a warning threshold that is\n" "set by the system administrator.\n"; } /* If batch SMTP is set, force the check and escape strings, and arrange that headers are also escaped. */ if (ob->use_bsmtp) { ob->check_string = US"."; ob->escape_string = US".."; ob->options |= topt_escape_headers; } /* If not batch SMTP, not maildir, not mailstore, and directory is not set, insert default values for for the affixes and the check/escape strings. */ else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format) { if (!ob->message_prefix) ob->message_prefix = US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n"; if (!ob->message_suffix) ob->message_suffix = US"\n"; if (!ob->check_string) ob->check_string = US"From "; if (!ob->escape_string) ob->escape_string = US">From "; } /* Set up the bitwise options for transport_write_message from the various driver options. Only one of body_only and headers_only can be set. */ ob->options |= (tblock->body_only ? topt_no_headers : 0) | (tblock->headers_only ? topt_no_body : 0) | (tblock->return_path_add ? topt_add_return_path : 0) | (tblock->delivery_date_add ? topt_add_delivery_date : 0) | (tblock->envelope_to_add ? topt_add_envelope_to : 0) | ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0); } /************************************************* * Notify comsat * *************************************************/ /* The comsat daemon is the thing that provides asynchronous notification of the arrival of local messages, if requested by the user by "biff y". It is a BSD thing that uses a TCP/IP protocol for communication. A message consisting of the text "user@offset" must be sent, where offset is the place in the mailbox where new mail starts. There is no scope for telling it which file to look at, which makes it a less than useful if mail is being delivered into a non-standard place such as the user's home directory. In fact, it doesn't seem to pay much attention to the offset. Arguments: user user name offset offset in mailbox Returns: nothing */ static void notify_comsat(uschar *user, off_t offset) { struct servent *sp; host_item host; uschar * s; DEBUG(D_transport) debug_printf("notify_comsat called\n"); s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset); if ((sp = getservbyname("biff", "udp")) == NULL) { DEBUG(D_transport) debug_printf("biff/udp is an unknown service"); return; } host.name = US"localhost"; host.next = NULL; /* This code is all set up to look up "localhost" and use all its addresses until one succeeds. However, it appears that at least on some systems, comsat doesn't listen on the ::1 address. So for the moment, just force the address to be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this can be changed. (But actually, comsat is probably dying out anyway.) */ /****** if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED) { DEBUG(D_transport) debug_printf("\"localhost\" unknown\n"); return; } ******/ host.address = US"127.0.0.1"; for (host_item * h = &host; h; h = h->next) { int sock, rc; int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET; DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address); if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue; /* Connect never fails for a UDP socket, so don't set a timeout. */ (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL); rc = send(sock, s, Ustrlen(s) + 1, 0); (void)close(sock); if (rc >= 0) break; DEBUG(D_transport) debug_printf("send to comsat failed for %s: %s\n", strerror(errno), h->address); } } /************************************************* * Check the format of a file * *************************************************/ /* This function is called when file_format is set, to check that an existing file has the right format. The format string contains text/transport pairs. The string matching is literal. we just read big_buffer_size bytes, because this is all about the first few bytes of a file. Arguments: cfd the open file tblock the transport block addr the address block - for inserting error data Returns: pointer to the required transport, or NULL */ transport_instance * check_file_format(int cfd, transport_instance *tblock, address_item *addr) { const uschar *format = ((appendfile_transport_options_block *)(tblock->options_block))->file_format; uschar data[256]; int len = read(cfd, data, sizeof(data)); int sep = 0; uschar *s; DEBUG(D_transport) debug_printf("checking file format\n"); /* An empty file matches the current transport */ if (len == 0) return tblock; /* Search the formats for a match */ /* not expanded so cannot be tainted */ while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size))) { int slen = Ustrlen(s); BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0; uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size); if (match && tp) { for (transport_instance * tt = transports; tt; tt = tt->next) if (Ustrcmp(tp, tt->name) == 0) { DEBUG(D_transport) debug_printf("file format -> %s transport\n", tt->name); return tt; } addr->basic_errno = ERRNO_BADTRANSPORT; addr->message = string_sprintf("%s transport (for %.*s format) not found", tp, slen, data); return NULL; } } /* Failed to find a match */ addr->basic_errno = ERRNO_FORMATUNKNOWN; addr->message = US"mailbox file format unrecognized"; return NULL; } /************************************************* * Check directory's files for quota * *************************************************/ /* This function is called if quota is set for one of the delivery modes that delivers into a specific directory. It scans the directory and stats all the files in order to get a total size and count. This is an expensive thing to do, but some people are prepared to bear the cost. Alternatively, if size_regex is set, it is used as a regex to try to extract the size from the file name, a strategy that some people use on maildir files on systems where the users have no shell access. The function is global, because it is also called from tf_maildir.c for maildir folders (which should contain only regular files). Note: Any problems can be written to debugging output, but cannot be written to the log, because we are running as an unprivileged user here. Arguments: dirname the name of the directory countptr where to add the file count (because this function recurses) re a compiled regex to get the size from a name Returns: the sum of the sizes of the stattable files zero if the directory cannot be opened */ off_t check_dir_size(const uschar * dirname, int * countptr, const pcre2_code * re) { DIR *dir; off_t sum = 0; int count = *countptr; if (!(dir = exim_opendir(dirname))) return 0; for (struct dirent *ent; ent = readdir(dir); ) { uschar * path, * name = US ent->d_name; struct stat statbuf; if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue; count++; /* If there's a regex, try to find the size using it */ if (re) { pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx); int rc = pcre2_match(re, (PCRE2_SPTR)name, PCRE2_ZERO_TERMINATED, 0, 0, md, pcre_mtc_ctx); PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md); if ( rc >= 0 && (rc = pcre2_get_ovector_count(md)) >= 2) { uschar *endptr; off_t size = (off_t)Ustrtod(name + ovec[2], &endptr); if (endptr == name + ovec[3]) { sum += size; DEBUG(D_transport) debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name, size); continue; } } DEBUG(D_transport) debug_printf("check_dir_size: regex did not match %s\n", name); } /* No regex or no match for the regex, or captured non-digits */ path = string_sprintf("%s/%s", dirname, name); if (Ustat(path, &statbuf) < 0) { DEBUG(D_transport) debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path, strerror(errno)); } else if ((statbuf.st_mode & S_IFMT) == S_IFREG) sum += statbuf.st_size / statbuf.st_nlink; else if ((statbuf.st_mode & S_IFMT) == S_IFDIR) sum += check_dir_size(path, &count, re); } closedir(dir); DEBUG(D_transport) debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname, sum, count); *countptr = count; return sum; } /************************************************* * Apply a lock to a file descriptor * *************************************************/ /* This function applies a lock to a file descriptor, using a blocking or non-blocking lock, depending on the timeout value. It can apply either or both of a fcntl() and a flock() lock. However, not all OS support flock(); for those that don't, the use_flock option cannot be set. Arguments: fd the file descriptor fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in fcntl() format); the flock() type is deduced if needed dofcntl do fcntl() locking fcntltime non-zero to use blocking fcntl() doflock do flock() locking flocktime non-zero to use blocking flock() Returns: yield of the fcntl() or flock() call, with errno preserved; sigalrm_seen set if there has been a timeout */ static int apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock, int flocktime) { int yield = 0; int save_errno; struct flock lock_data; lock_data.l_type = fcntltype; lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0; sigalrm_seen = FALSE; if (dofcntl) { if (fcntltime > 0) { ALARM(fcntltime); yield = fcntl(fd, F_SETLKW, &lock_data); save_errno = errno; ALARM_CLR(0); errno = save_errno; } else yield = fcntl(fd, F_SETLK, &lock_data); } #ifndef NO_FLOCK if (doflock && (yield >= 0)) { int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH; if (flocktime > 0) { ALARM(flocktime); yield = flock(fd, flocktype); save_errno = errno; ALARM_CLR(0); errno = save_errno; } else yield = flock(fd, flocktype | LOCK_NB); } #endif /* NO_FLOCK */ return yield; } #ifdef SUPPORT_MBX /************************************************* * Copy message into MBX mailbox * *************************************************/ /* This function is called when a message intended for a MBX mailbox has been written to a temporary file. We can now get the size of the message and then copy it in MBX format to the mailbox. Arguments: to_fd fd to write to (the real mailbox) from_fd fd to read from (the temporary file) saved_size current size of mailbox Returns: OK if all went well, DEFER otherwise, with errno preserved the number of bytes written are added to transport_count by virtue of calling transport_write_block() */ /* Values taken from c-client */ #define MBX_HDRSIZE 2048 #define MBX_NUSERFLAGS 30 static int copy_mbx_message(int to_fd, int from_fd, off_t saved_size) { int used; off_t size; struct stat statbuf; transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket }; /* If the current mailbox size is zero, write a header block */ if (saved_size == 0) { uschar *s; memset (deliver_out_buffer, '\0', MBX_HDRSIZE); sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012", (long int)time(NULL)); for (int i = 0; i < MBX_NUSERFLAGS; i++) sprintf (CS(s += Ustrlen(s)), "\015\012"); if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE)) return DEFER; } DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n"); /* Now construct the message's header from the time and the RFC822 file size, including CRLFs, which is the size of the input (temporary) file. */ if (fstat(from_fd, &statbuf) < 0) return DEFER; size = statbuf.st_size; sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012", tod_stamp(tod_mbx), size, 0L, 0, 0); used = Ustrlen(deliver_out_buffer); /* Rewind the temporary file, and copy it over in chunks. */ if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER; while (size > 0) { int len = read(from_fd, deliver_out_buffer + used, DELIVER_OUT_BUFFER_SIZE - used); if (len <= 0) { if (len == 0) errno = ERRNO_MBXLENGTH; return DEFER; } if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE)) return DEFER; size -= len; used = 0; } return OK; } #endif /* SUPPORT_MBX */ /************************************************* * Check creation is permitted * *************************************************/ /* This function checks whether a given file name is permitted to be created, as controlled by the create_file option. If no home directory is set, however, we can't do any tests. Arguments: filename the file name create_file the ob->create_file option deliver_dir the delivery directory Returns: TRUE if creation is permitted */ static BOOL check_creation(uschar *filename, int create_file, const uschar * deliver_dir) { BOOL yield = TRUE; if (deliver_dir && create_file != create_anywhere) { int len = Ustrlen(deliver_dir); uschar *file = filename; while (file[0] == '/' && file[1] == '/') file++; if ( Ustrncmp(file, deliver_dir, len) != 0 || file[len] != '/' || Ustrchr(file+len+2, '/') != NULL && ( create_file != create_belowhome || Ustrstr(file+len, "/../") != NULL ) ) yield = FALSE; /* If yield is TRUE, the file name starts with the home directory, and does not contain any instances of "/../" in the "belowhome" case. However, it may still contain symbolic links. We can check for this by making use of realpath(), which most Unixes seem to have (but make it possible to cut this out). We can't just use realpath() on the whole file name, because we know the file itself doesn't exist, and intermediate directories may also not exist. What we want to know is the real path of the longest existing part of the path. That must match the home directory's beginning, whichever is the shorter. */ #ifndef NO_REALPATH if (yield && create_file == create_belowhome) { uschar *next; uschar *rp = NULL; for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */ !rp && slash > file; /* Stop if reached beginning */ slash = next) { *slash = 0; rp = US realpath(CS file, CS big_buffer); next = Ustrrchr(file, '/'); *slash = '/'; } /* If rp == NULL it means that none of the relevant directories exist. This is not a problem here - it means that no symbolic links can exist, which is all we are worried about. Otherwise, we must compare it against the start of the home directory. However, that may itself contain symbolic links, so we have to "realpath" it as well, if possible. */ if (rp) { uschar hdbuffer[PATH_MAX+1]; const uschar * rph = deliver_dir; int rlen = Ustrlen(big_buffer); if ((rp = US realpath(CS deliver_dir, CS hdbuffer))) { rph = hdbuffer; len = Ustrlen(rph); } if (rlen > len) rlen = len; if (Ustrncmp(rph, big_buffer, rlen) != 0) { yield = FALSE; DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n", big_buffer, deliver_dir); } } } #endif /* NO_REALPATH */ } return yield; } /************************************************* * Main entry point * *************************************************/ /* See local README for general interface details. This transport always returns FALSE, indicating that the status which has been placed in the first address should be copied to any other addresses in a batch. Appendfile delivery is tricky and has led to various security problems in other mailers. The logic used here is therefore laid out in some detail. When this function is called, we are running in a subprocess which has had its gid and uid set to the appropriate values. Therefore, we cannot write directly to the exim logs. Any errors must be handled by setting appropriate return codes. Note that the default setting for addr->transport_return is DEFER, so it need not be set unless some other value is required. The code below calls geteuid() rather than getuid() to get the current uid because in weird configurations not running setuid root there may be a difference. In the standard configuration, where setuid() has been used in the delivery process, there will be no difference between the uid and the euid. (1) If the af_file flag is set, this is a delivery to a file after .forward or alias expansion. Otherwise, there must be a configured file name or directory name. The following items apply in the case when a file name (as opposed to a directory name) is given, that is, when appending to a single file: (2f) Expand the file name. (3f) If the file name is /dev/null, return success (optimization). (4f) If the file_format options is set, open the file for reading, and check that the bytes at the start of the file match one of the given strings. If the check indicates a transport other than the current one should be used, pass control to that other transport. Otherwise continue. An empty or non-existent file matches the current transport. The file is closed after the check. (5f) If a lock file is required, create it (see extensive separate comments below about the algorithm for doing this). It is important to do this before opening the mailbox if NFS is in use. (6f) Stat the file, using lstat() rather than stat(), in order to pick up details of any symbolic link. (7f) If the file already exists: Check the owner and group if necessary, and defer if they are wrong. If it is a symbolic link AND the allow_symlink option is set (NOT the default), go back to (6f) but this time use stat() instead of lstat(). If it's not a regular file (or FIFO when permitted), defer delivery. Check permissions. If the required permissions are *less* than the existing ones, or supplied by the address (often by the user via filter), chmod() the file. Otherwise, defer. Save the inode number. Open with O_RDRW + O_APPEND, thus failing if the file has vanished. If open fails because the file does not exist, go to (6f); on any other failure, defer. Check the inode number hasn't changed - I realize this isn't perfect (an inode can be reused) but it's cheap and will catch some of the races. Check it's still a regular file (or FIFO if permitted). Check that the owner and permissions haven't changed. If file_format is set, check that the file still matches the format for the current transport. If not, defer delivery. (8f) If file does not exist initially: Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know this is via a symbolic link (only possible if allow_symlinks is set), in which case don't use O_EXCL, as it doesn't work. If open fails because the file already exists, go to (6f). To avoid looping for ever in a situation where the file is continuously being created and deleted, all of this happens inside a loop that operates lock_retries times and includes the fcntl and flock locking. If the loop completes without the file getting opened, defer and request freezing, because something really weird is happening. If open fails for any other reason, defer for subsequent delivery except when this is a file delivery resulting from an alias or forward expansion and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is most likely a user rather than a configuration error. (9f) We now have the file checked and open for writing. If so configured, lock it using fcntl, flock, or MBX locking rules. If this fails, close the file and goto (6f), up to lock_retries times, after sleeping for a while. If it still fails, give up and defer delivery. (10f)Save the access time (for subsequent restoration) and the size of the file, for comsat and for re-setting if delivery fails in the middle - e.g. for quota exceeded. The following items apply in the case when a directory name is given: (2d) Create a new file in the directory using a temporary name, by opening for writing and with O_CREAT. If maildir format is being used, the file is created in a temporary subdirectory with a prescribed name. If mailstore format is being used, the envelope file is first created with a temporary name, then the data file. The following items apply in all cases: (11) We now have the file open for writing, and locked if it was given as a file name. Write the message and flush the file, unless there is a setting of the local quota option, in which case we can check for its excession without doing any writing. In the case of MBX format mailboxes, the message is first written to a temporary file, in order to get its correct length. This is then copied to the real file, preceded by an MBX header. If there is a quota error on writing, defer the address. Timeout logic will determine for how long retries are attempted. We restore the mailbox to its original length if it's a single file. There doesn't seem to be a uniform error code for quota excession (it even differs between SunOS4 and some versions of SunOS5) so a system-dependent macro called ERRNO_QUOTA is used for it, and the value gets put into errno_quota at compile time. For any other error (most commonly disk full), do the same. The following applies after appending to a file: (12f)Restore the atime; notify_comsat if required; close the file (which unlocks it if it was locked). Delete the lock file if it exists. The following applies after writing a unique file in a directory: (12d)For maildir format, rename the file into the new directory. For mailstore format, rename the envelope file to its correct name. Otherwise, generate a unique name from the directory_file option, and rename to that, possibly trying a few times if the file exists and re-expanding the name gives a different string. This transport yields FAIL only when a file name is generated by an alias or forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES. All other failures return DEFER (in addr->transport_return). */ BOOL appendfile_transport_entry( transport_instance *tblock, /* data for this instantiation */ address_item *addr) /* address we are working on */ { appendfile_transport_options_block *ob = (appendfile_transport_options_block *)(tblock->options_block); struct stat statbuf; const uschar * deliver_dir; uschar *fdname = NULL; uschar *filename = NULL; uschar *hitchname = NULL; uschar *dataname = NULL; uschar *lockname = NULL; uschar *newname = NULL; uschar *nametag = NULL; uschar *cr = US""; uschar *filecount_msg = US""; uschar *path; struct utimbuf times; struct timeval msg_tv; BOOL disable_quota = FALSE; BOOL isdirectory = FALSE; BOOL isfifo = FALSE; BOOL wait_for_tick = FALSE; uid_t uid = geteuid(); /* See note above */ gid_t gid = getegid(); int mbformat; int mode = (addr->mode > 0) ? addr->mode : ob->mode; off_t saved_size = -1; off_t mailbox_size = ob->mailbox_size_value; int mailbox_filecount = ob->mailbox_filecount_value; int hd = -1; int fd = -1; int yield = FAIL; int i; #ifdef SUPPORT_MBX int save_fd = 0; int mbx_lockfd = -1; uschar mbx_lockname[40]; FILE *temp_file = NULL; #endif /* SUPPORT_MBX */ #ifdef SUPPORT_MAILDIR int maildirsize_fd = -1; /* fd for maildirsize file */ int maildir_save_errno; #endif DEBUG(D_transport) debug_printf("appendfile transport entered\n"); /* An "address_file" or "address_directory" transport is used to deliver to files specified via .forward or an alias file. Prior to release 4.20, the "file" and "directory" options were ignored in this case. This has been changed to allow the redirection data to specify what is in effect a folder, whose location is determined by the options on the transport. Compatibility with the case when neither option is set is retained by forcing a value for the file or directory name. A directory delivery is assumed if the last character of the path from the router is '/'. The file path is in the local part of the address, but not in the $local_part variable (that holds the parent local part). It is, however, in the $address_file variable. Below, we update the local part in the address if it changes by expansion, so that the final path ends up in the log. */ if (testflag(addr, af_file) && !ob->filename && !ob->dirname) { fdname = US"$address_file"; if (address_file[Ustrlen(address_file)-1] == '/' || ob->maildir_format || ob->mailstore_format) isdirectory = TRUE; } /* Handle (a) an "address file" delivery where "file" or "directory" is explicitly set and (b) a non-address_file delivery, where one of "file" or "directory" must be set; initialization ensures that they are not both set. */ if (!fdname) { if (!(fdname = ob->filename)) { fdname = ob->dirname; isdirectory = TRUE; } if (!fdname) { addr->message = string_sprintf("Mandatory file or directory option " "missing from %s transport", tblock->name); goto ret_panic; } } /* Maildir and mailstore require a directory */ if ((ob->maildir_format || ob->mailstore_format) && !isdirectory) { addr->message = string_sprintf("mail%s_format requires \"directory\" " "to be specified for the %s transport", ob->maildir_format ? "dir" : "store", tblock->name); goto ret_panic; } if (!(path = expand_string(fdname))) { addr->message = string_sprintf("Expansion of \"%s\" (file or directory " "name for %s transport) failed: %s", fdname, tblock->name, expand_string_message); goto ret_panic; } if (path[0] != '/') { addr->message = string_sprintf("appendfile: file or directory name " "\"%s\" is not absolute", path); addr->basic_errno = ERRNO_NOTABSOLUTE; return FALSE; } /* For a file delivery, make sure the local part in the address(es) is updated to the true local part. */ if (testflag(addr, af_file)) for (address_item * addr2 = addr; addr2; addr2 = addr2->next) addr2->local_part = string_copy(path); /* The available mailbox formats depend on whether it is a directory or a file delivery. */ if (isdirectory) { mbformat = #ifdef SUPPORT_MAILDIR ob->maildir_format ? mbf_maildir : #endif #ifdef SUPPORT_MAILSTORE ob->mailstore_format ? mbf_mailstore : #endif mbf_smail; } else { mbformat = #ifdef SUPPORT_MBX ob->mbx_format ? mbf_mbx : #endif mbf_unix; } DEBUG(D_transport) { debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT "%s%s" " warning=" OFF_T_FMT "%s\n" " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n " "maildir_use_size_file=%s\n", mode, ob->notify_comsat, ob->quota_value, ob->quota_no_check ? " (no_check)" : "", ob->quota_filecount_no_check ? " (no_check_filecount)" : "", ob->quota_warn_threshold_value, ob->quota_warn_threshold_is_percent ? "%" : "", isdirectory ? "directory" : "file", path, mailbox_formats[mbformat], !ob->message_prefix ? US"null" : string_printing(ob->message_prefix), !ob->message_suffix ? US"null" : string_printing(ob->message_suffix), ob->maildir_use_size_file ? "yes" : "no"); if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n", ob->use_lockfile ? "lockfile " : "", ob->use_mbx_lock ? "mbx locking (" : "", ob->use_fcntl ? "fcntl " : "", ob->use_flock ? "flock" : "", ob->use_mbx_lock ? ")" : ""); } /* If the -N option is set, can't do any more. */ if (f.dont_deliver) { DEBUG(D_transport) debug_printf("*** delivery by %s transport bypassed by -N option\n", tblock->name); addr->transport_return = OK; return FALSE; } /* If an absolute path was given for create_file the it overrides deliver_home (here) and de-taints the filename (below, after check_creation() */ deliver_dir = *ob->create_file_string == '/' ? ob->create_file_string : deliver_home; /* Handle the case of a file name. If the file name is /dev/null, we can save ourselves some effort and just give a success return right away. */ if (!isdirectory) { BOOL use_lstat = TRUE; BOOL file_opened = FALSE; BOOL allow_creation_here = TRUE; if (Ustrcmp(path, "/dev/null") == 0) { addr->transport_return = OK; return FALSE; } /* Set the name of the file to be opened, and the file to which the data is written, and find out if we are permitted to create a non-existent file. If the create_file option is an absolute path and the file was within it, de-taint. Chaeck for a tainted path. */ if ( (allow_creation_here = check_creation(path, ob->create_file, deliver_dir)) && ob->create_file == create_belowhome) if (is_tainted(path)) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); path = string_copy_taint(path, FALSE); } if (is_tainted(path)) goto tainted_ret_panic; dataname = filename = path; /* If ob->create_directory is set, attempt to create the directories in which this mailbox lives, but only if we are permitted to create the file itself. We know we are dealing with an absolute path, because this was checked above. */ if (ob->create_directory && allow_creation_here) { uschar *p = Ustrrchr(path, '/'); p = string_copyn(path, p - path); if (!directory_make(NULL, p, ob->dirmode, FALSE)) { addr->basic_errno = errno; addr->message = string_sprintf("failed to create directories for %s: %s", path, exim_errstr(errno)); DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path); return FALSE; } } /* If file_format is set we must check that any existing file matches one of the configured formats by checking the bytes it starts with. A match then indicates a specific transport - if it is not this one, pass control to it. Otherwise carry on here. An empty or non-existent file matches the current transport. We don't need to distinguish between non-existence and other open failures because if an existing file fails to open here, it will also fail again later when O_RDWR is used. */ if (ob->file_format) { int cfd = Uopen(path, O_RDONLY, 0); if (cfd >= 0) { transport_instance *tt = check_file_format(cfd, tblock, addr); (void)close(cfd); /* If another transport is indicated, call it and return; if no transport was found, just return - the error data will have been set up.*/ if (tt != tblock) { if (tt) { set_process_info("delivering %s to %s using %s", message_id, addr->local_part, tt->name); debug_print_string(tt->debug_string); addr->transport = tt; (tt->info->code)(tt, addr); } return FALSE; } } } /* The locking of mailbox files is worse than the naming of cats, which is known to be "a difficult matter" (T.S. Eliot) and just as cats must have three different names, so several different styles of locking are used. Research in other programs that lock mailboxes shows that there is no universally standard method. Having mailboxes NFS-mounted on the system that is delivering mail is not the best thing, but people do run like this, and so the code must do its best to cope. Three different locking mechanisms are supported. The initialization function checks that at least one is configured. LOCK FILES Unless no_use_lockfile is set, we attempt to build a lock file in a way that will work over NFS. Only after that is done do we actually open the mailbox and apply locks to it (if configured). Originally, Exim got the file opened before doing anything about locking. However, a very occasional problem was observed on Solaris 2 when delivering over NFS. It is seems that when a file is opened with O_APPEND, the file size gets remembered at open time. If another process on another host (that's important) has the file open and locked and writes to it and then releases the lock while the first process is waiting to get the lock, the first process may fail to write at the new end point of the file - despite the very definite statement about O_APPEND in the man page for write(). Experiments have reproduced this problem, but I do not know any way of forcing a host to update its attribute cache for an open NFS file. It would be nice if it did so when a lock was taken out, but this does not seem to happen. Anyway, to reduce the risk of this problem happening, we now create the lock file (if configured) *before* opening the mailbox. That will prevent two different Exims opening the file simultaneously. It may not prevent clashes with MUAs, however, but Pine at least seems to operate in the same way. Lockfiles should normally be used when NFS is involved, because of the above problem. The logic for creating the lock file is: . The name of the lock file is .lock . First, create a "hitching post" name by adding the primary host name, current time and pid to the lock file name. This should be unique. . Create the hitching post file using WRONLY + CREAT + EXCL. . If that fails EACCES, we assume it means that the user is unable to create files in the mail spool directory. Some installations might operate in this manner, so there is a configuration option to allow this state not to be an error - we proceed to lock using fcntl only, after the file is open. . Otherwise, an error causes a deferment of the address. . Hard link the hitching post to the lock file name. . If the link succeeds, we have successfully created the lock file. Simply close and unlink the hitching post file. . If the link does not succeed, proceed as follows: o Fstat the hitching post file, and then close and unlink it. o Now examine the stat data. If the number of links to the file is exactly 2, the linking succeeded but for some reason, e.g. an NFS server crash, the return never made it back, so the link() function gave a failure return. . This method allows for the lock file to be created by some other process right up to the moment of the attempt to hard link it, and is also robust against NFS server crash-reboots, which would probably result in timeouts in the middle of link(). . System crashes may cause lock files to get left lying around, and some means of flushing them is required. The approach of writing a pid (used by smail and by elm) into the file isn't useful when NFS may be in use. Pine uses a timeout, which seems a better approach. Since any program that writes to a mailbox using a lock file should complete its task very quickly, Pine removes lock files that are older than 5 minutes. We allow the value to be configurable on the transport. FCNTL LOCKING If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the mailbox once it is open. This is done by default with a non-blocking lock. Failures to lock cause retries after a sleep, but only for a certain number of tries. A blocking lock is deliberately not used so that we don't hold the mailbox open. This minimizes the possibility of the NFS problem described under LOCK FILES above, if for some reason NFS deliveries are happening without lock files. However, the use of a non-blocking lock and sleep, though the safest approach, does not give the best performance on very busy systems. A blocking lock plus timeout does better. Therefore Exim has an option to allow it to work this way. If lock_fcntl_timeout is set greater than zero, it enables the use of blocking fcntl() calls. FLOCK LOCKING If use_flock_lock is set, then Exim gets an exclusive flock() lock in the same manner as for fcntl locking above. No-blocking/timeout is also set as above in lock_flock_timeout. Not all operating systems provide or support flock(). For those that don't (as determined by the definition of LOCK_SH in /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock() is implemented (not precisely) on top of fcntl(), which means there's no point in actually using it. MBX LOCKING If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined) then the rules used for locking in c-client are used. Exim takes out a shared lock on the mailbox file, and an exclusive lock on the file whose name is /tmp/... The shared lock on the mailbox stops any other MBX client from getting an exclusive lock on it and expunging it. It also stops any other MBX client from unlinking the /tmp lock when it has finished with it. The exclusive lock on the /tmp file prevents any other MBX client from updating the mailbox in any way. When writing is finished, if an exclusive lock on the mailbox can be obtained, indicating there are no current sharers, the /tmp file is unlinked. MBX locking can use either fcntl() or flock() locking. If neither use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only. The calls for getting these locks are by default non-blocking, as for non-mbx locking, but can be made blocking by setting lock_fcntl_timeout and/or lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it probably makes sense to set timeouts for any MBX deliveries. */ /* Build a lock file if configured to do so - the existence of a lock file is subsequently checked by looking for a non-negative value of the file descriptor hd - even though the file is no longer open. */ if (ob->use_lockfile) { /* cf. exim_lock.c */ lockname = string_sprintf("%s.lock", filename); hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname, (unsigned int)(time(NULL)), (unsigned int)getpid()); DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname, hitchname); /* Lock file creation retry loop */ for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++) { int rc; hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode); if (hd < 0) { addr->basic_errno = errno; addr->message = string_sprintf("creating lock file hitching post %s " "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(), (long int)getegid()); return FALSE; } /* Attempt to hitch the hitching post to the lock file. If link() succeeds (the common case, we hope) all is well. Otherwise, fstat the file, and get rid of the hitching post. If the number of links was 2, the link was created, despite the failure of link(). If the hitch was not successful, try again, having unlinked the lock file if it is too old. There's a version of Linux (2.0.27) which doesn't update its local cache of the inode after link() by default - which many think is a bug - but if the link succeeds, this code will be OK. It just won't work in the case when link() fails after having actually created the link. The Linux NFS person is fixing this; a temporary patch is available if anyone is sufficiently worried. */ if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf); (void)close(hd); Uunlink(hitchname); if (rc != 0 && statbuf.st_nlink != 2) { if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 && time(NULL) - statbuf.st_ctime > ob->lockfile_timeout) { DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n"); Uunlink(lockname); } DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n"); continue; } DEBUG(D_transport) debug_printf("lock file created\n"); break; } /* Check for too many tries at creating the lock file */ if (i >= ob->lock_retries) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("failed to lock mailbox %s (lock file)", filename); return FALSE; } } /* We now have to get the file open. First, stat() it and act on existence or non-existence. This is in a loop to handle the case of a file's being created or deleted as we watch, and also to handle retries when the locking fails. Rather than holding the file open while waiting for the fcntl() and/or flock() lock, we close and do the whole thing again. This should be safer, especially for NFS files, which might get altered from other hosts, making their cached sizes incorrect. With the default settings, no symlinks are permitted, but there is an option to permit symlinks for those sysadmins that know what they are doing. Shudder. However, insist that the initial symlink is owned by the right user. Thus lstat() is used initially; if a symlink is discovered, the loop is repeated such that stat() is used, to look at the end file. */ for (i = 0; i < ob->lock_retries; i++) { int sleep_before_retry = TRUE; file_opened = FALSE; if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0) { /* Let's hope that failure to stat (other than non-existence) is a rare event. */ if (errno != ENOENT) { addr->basic_errno = errno; addr->message = string_sprintf("attempting to stat mailbox %s", filename); goto RETURN; } /* File does not exist. If it is required to pre-exist this state is an error. */ if (ob->file_must_exist) { addr->basic_errno = errno; addr->message = string_sprintf("mailbox %s does not exist, " "but file_must_exist is set", filename); goto RETURN; } /* If not permitted to create this file because it isn't in or below the home directory, generate an error. */ if (!allow_creation_here) { addr->basic_errno = ERRNO_BADCREATE; addr->message = string_sprintf("mailbox %s does not exist, " "but creation outside the home directory is not permitted", filename); goto RETURN; } /* Attempt to create and open the file. If open fails because of pre-existence, go round the loop again. For any other error, defer the address, except for an alias or forward generated file name with EPERM, ENOENT, or EACCES, as those are most likely to be user errors rather than Exim config errors. When a symbolic link is permitted and points to a non-existent file, we get here with use_lstat = FALSE. In this case we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for consistency and because MBX locking requires it in order to be able to get a shared lock. */ fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT | (use_lstat ? O_EXCL : 0), mode); if (fd < 0) { if (errno == EEXIST) continue; addr->basic_errno = errno; addr->message = string_sprintf("while creating mailbox %s", filename); if (testflag(addr, af_file) && (errno == EPERM || errno == ENOENT || errno == EACCES)) addr->transport_return = FAIL; goto RETURN; } /* We have successfully created and opened the file. Ensure that the group and the mode are correct. */ if (exim_chown(filename, uid, gid) || Uchmod(filename, mode)) { addr->basic_errno = errno; addr->message = string_sprintf("while setting perms on mailbox %s", filename); addr->transport_return = FAIL; goto RETURN; } } /* The file already exists. Test its type, ownership, and permissions, and save the inode for checking later. If symlinks are permitted (not the default or recommended state) it may be a symlink that already exists. Check its ownership and then look for the file at the end of the link(s). This at least prevents one user creating a symlink for another user in a sticky directory. */ else { int oldmode = (int)statbuf.st_mode; ino_t inode = statbuf.st_ino; BOOL islink = (oldmode & S_IFMT) == S_IFLNK; isfifo = FALSE; /* In case things are changing */ /* Check owner if required - the default. */ if (ob->check_owner && statbuf.st_uid != uid) { addr->basic_errno = ERRNO_BADUGID; addr->message = string_sprintf("mailbox %s%s has wrong uid " "(%ld != %ld)", filename, islink ? " (symlink)" : "", (long int)(statbuf.st_uid), (long int)uid); goto RETURN; } /* Group is checked only if check_group is set. */ if (ob->check_group && statbuf.st_gid != gid) { addr->basic_errno = ERRNO_BADUGID; addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)", filename, islink ? " (symlink)" : "", statbuf.st_gid, gid); goto RETURN; } /* Just in case this is a sticky-bit mail directory, we don't want users to be able to create hard links to other users' files. */ if (statbuf.st_nlink != 1) { addr->basic_errno = ERRNO_NOTREGULAR; addr->message = string_sprintf("mailbox %s%s has too many links (%lu)", filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink); goto RETURN; } /* If symlinks are permitted (not recommended), the lstat() above will have found the symlink. Its ownership has just been checked; go round the loop again, using stat() instead of lstat(). That will never yield a mode of S_IFLNK. */ if (islink && ob->allow_symlink) { use_lstat = FALSE; i--; /* Don't count this time round */ continue; } /* An actual file exists. Check that it is a regular file, or FIFO if permitted. */ if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE; else if ((oldmode & S_IFMT) != S_IFREG) { addr->basic_errno = ERRNO_NOTREGULAR; addr->message = string_sprintf("mailbox %s is not a regular file%s", filename, ob->allow_fifo ? " or named pipe" : ""); goto RETURN; } /* If the mode is not what it would be for a newly created file, change the permissions if the mode is supplied for the address. Otherwise, reduce but do not extend the permissions. If the newly created permissions are greater than the existing permissions, don't change things when the mode is not from the address. */ if ((oldmode &= 07777) != mode) { int diffs = oldmode ^ mode; if (addr->mode > 0 || (diffs & oldmode) == diffs) { DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename); if (Uchmod(filename, mode) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("attempting to chmod mailbox %s", filename); goto RETURN; } oldmode = mode; } /* Mode not from address, and newly-created permissions are greater than existing permissions. Default is to complain, but it can be configured to go ahead and try to deliver anyway if that's what the administration wants. */ else if (ob->mode_fail_narrower) { addr->basic_errno = ERRNO_BADMODE; addr->message = string_sprintf("mailbox %s has the wrong mode %o " "(%o expected)", filename, oldmode, mode); goto RETURN; } } /* We are happy with the existing file. Open it, and then do further tests to ensure that it is the same file that we were just looking at. If the file does not now exist, restart this loop, going back to using lstat again. For an NFS error, just defer; other opening errors are more serious. The file is opened RDWR so that its format can be checked, and also MBX locking requires the use of a shared (read) lock. However, a FIFO is opened WRONLY + NDELAY so that it fails if there is no process reading the pipe. */ fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND), mode); if (fd < 0) { if (errno == ENOENT) { use_lstat = TRUE; continue; } addr->basic_errno = errno; if (isfifo) addr->message = string_sprintf("while opening named pipe %s " "(could mean no process is reading it)", filename); else if (errno != EWOULDBLOCK) addr->message = string_sprintf("while opening mailbox %s", filename); goto RETURN; } /* This fstat really shouldn't fail, as we have an open file! There's a dilemma here. We use fstat in order to be sure we are peering at the file we have got open. However, that won't tell us if the file was reached via a symbolic link. We checked this above, but there is a race exposure if the link was created between the previous lstat and the open. However, it would have to be created with the same inode in order to pass the check below. If ob->allow_symlink is set, causing the use of stat rather than lstat above, symbolic links may be there anyway, and the checking is weaker. */ if (fstat(fd, &statbuf) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("attempting to stat open mailbox %s", filename); goto RETURN; } /* Check the inode; this is isn't a perfect check, but gives some confidence. */ if (inode != statbuf.st_ino) { addr->basic_errno = ERRNO_INODECHANGED; addr->message = string_sprintf("opened mailbox %s inode number changed " "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino); addr->special_action = SPECIAL_FREEZE; goto RETURN; } /* Check it's still a regular file or FIFO, and the uid, gid, and permissions have not changed. */ if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) || (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO)) { addr->basic_errno = ERRNO_NOTREGULAR; addr->message = string_sprintf("opened mailbox %s is no longer a %s", filename, isfifo ? "named pipe" : "regular file"); addr->special_action = SPECIAL_FREEZE; goto RETURN; } if ((ob->check_owner && statbuf.st_uid != uid) || (ob->check_group && statbuf.st_gid != gid)) { addr->basic_errno = ERRNO_BADUGID; addr->message = string_sprintf("opened mailbox %s has wrong uid or gid", filename); addr->special_action = SPECIAL_FREEZE; goto RETURN; } if ((statbuf.st_mode & 07777) != oldmode) { addr->basic_errno = ERRNO_BADMODE; addr->message = string_sprintf("opened mailbox %s has wrong mode %o " "(%o expected)", filename, statbuf.st_mode & 07777, mode); addr->special_action = SPECIAL_FREEZE; goto RETURN; } /* If file_format is set, check that the format of the file has not changed. Error data is set by the testing function. */ if (ob->file_format && check_file_format(fd, tblock, addr) != tblock) { addr->message = US"open mailbox has changed format"; goto RETURN; } /* The file is OK. Carry on to do the locking. */ } /* We now have an open file, and must lock it using fcntl(), flock() or MBX locking rules if configured to do so. If a lock file is also required, it was created above and hd was left >= 0. At least one form of locking is required by the initialization function. If locking fails here, close the file and go round the loop all over again, after waiting for a bit, unless blocking locking was used. */ file_opened = TRUE; if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0)) sleep_before_retry = FALSE; /* Simple fcntl() and/or flock() locking */ if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock)) { if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0) break; } /* MBX locking rules */ #ifdef SUPPORT_MBX else if (ob->use_mbx_lock) { int mbx_tmp_oflags; struct stat lstatbuf, statbuf2; if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0 && fstat(fd, &statbuf) >= 0) { sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev, (long)statbuf.st_ino); /* * 2010-05-29: SECURITY * Dan Rosenberg reported the presence of a race-condition in the * original code here. Beware that many systems still allow symlinks * to be followed in /tmp so an attacker can create a symlink pointing * elsewhere between a stat and an open, which we should avoid * following. * * It's unfortunate that we can't just use all the heavily debugged * locking from above. * * Also: remember to mirror changes into exim_lock.c */ /* first leave the old pre-check in place, it provides better * diagnostics for common cases */ if (Ulstat(mbx_lockname, &statbuf) >= 0) { if ((statbuf.st_mode & S_IFMT) == S_IFLNK) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("symbolic link on MBX lock file %s", mbx_lockname); goto RETURN; } if (statbuf.st_nlink > 1) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("hard link to MBX lock file %s", mbx_lockname); goto RETURN; } } /* If we could just declare "we must be the ones who create this * file" then a hitching post in a subdir would work, since a * subdir directly in /tmp/ which we create wouldn't follow links * but this isn't our locking logic, so we can't safely change the * file existence rules. */ /* On systems which support O_NOFOLLOW, it's the easiest and most * obviously correct security fix */ mbx_tmp_oflags = O_RDWR | O_CREAT; #ifdef O_NOFOLLOW mbx_tmp_oflags |= O_NOFOLLOW; #endif mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode); if (mbx_lockfd < 0) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("failed to open MBX lock file %s :%s", mbx_lockname, strerror(errno)); goto RETURN; } if (Ulstat(mbx_lockname, &lstatbuf) < 0) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("attempting to lstat open MBX " "lock file %s: %s", mbx_lockname, strerror(errno)); goto RETURN; } if (fstat(mbx_lockfd, &statbuf2) < 0) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("attempting to stat fd of open MBX " "lock file %s: %s", mbx_lockname, strerror(errno)); goto RETURN; } /* * At this point: * statbuf: if exists, is file which existed prior to opening the * lockfile, might have been replaced since then * statbuf2: result of stat'ing the open fd, is what was actually * opened * lstatbuf: result of lstat'ing the filename immediately after * the open but there's a race condition again between * those two steps: before open, symlink to foo, after * open but before lstat have one of: * * was no symlink, so is the opened file * (we created it, no messing possible after that point) * * hardlink to foo * * symlink elsewhere * * hardlink elsewhere * * new file/other * Don't want to compare to device of /tmp because some modern systems * have regressed to having /tmp be the safe actual filesystem as * valuable data, so is mostly worthless, unless we assume that *only* * Linux systems do this and that all Linux has O_NOFOLLOW. Something * for further consideration. * No point in doing a readlink on the lockfile as that will always be * at a different point in time from when we open it, so tells us * nothing; attempts to clean up and delete after ourselves would risk * deleting a *third* filename. */ if ((statbuf2.st_nlink > 1) || (lstatbuf.st_nlink > 1) || (!S_ISREG(lstatbuf.st_mode)) || (lstatbuf.st_dev != statbuf2.st_dev) || (lstatbuf.st_ino != statbuf2.st_ino)) { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("RACE CONDITION detected: " "mismatch post-initial-checks between \"%s\" and opened " "fd lead us to abort!", mbx_lockname); goto RETURN; } (void)Uchmod(mbx_lockname, ob->lockfile_mode); if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0) { struct stat ostatbuf; /* This tests for a specific race condition. Ensure that we still have the same file. */ if (Ulstat(mbx_lockname, &statbuf) == 0 && fstat(mbx_lockfd, &ostatbuf) == 0 && statbuf.st_dev == ostatbuf.st_dev && statbuf.st_ino == ostatbuf.st_ino) break; DEBUG(D_transport) debug_printf("MBX lockfile %s changed " "between creation and locking\n", mbx_lockname); } DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname, strerror(errno)); (void)close(mbx_lockfd); mbx_lockfd = -1; } else { DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n", filename, strerror(errno)); } } #endif /* SUPPORT_MBX */ else break; /* No on-file locking required; break the open/lock loop */ DEBUG(D_transport) debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n"); (void)close(fd); fd = -1; use_lstat = TRUE; /* Reset to use lstat first */ /* If a blocking call timed out, break the retry loop if the total time so far is not less than than retries * interval. Use the larger of the flock() and fcntl() timeouts. */ if (sigalrm_seen && (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)? ob->lock_fcntl_timeout : ob->lock_flock_timeout) >= ob->lock_retries * ob->lock_interval) i = ob->lock_retries; /* Wait a bit before retrying, except when it was a blocked fcntl() or flock() that caused the problem. */ if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval); } /* Test for exceeding the maximum number of tries. Either the file remains locked, or, if we haven't got it open, something is terribly wrong... */ if (i >= ob->lock_retries) { if (!file_opened) { addr->basic_errno = ERRNO_EXISTRACE; addr->message = string_sprintf("mailbox %s: existence unclear", filename); addr->special_action = SPECIAL_FREEZE; } else { addr->basic_errno = ERRNO_LOCKFAILED; addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)", filename); } goto RETURN; } DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename); /* Save access time (for subsequent restoration), modification time (for restoration if updating fails), size of file (for comsat and for re-setting if delivery fails in the middle - e.g. for quota exceeded). */ if (fstat(fd, &statbuf) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("while fstatting opened mailbox %s", filename); goto RETURN; } times.actime = statbuf.st_atime; times.modtime = statbuf.st_mtime; saved_size = statbuf.st_size; if (mailbox_size < 0) mailbox_size = saved_size; mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */ } /* Prepare for writing to a new file (as opposed to appending to an old one). There are several different formats, but there is preliminary stuff concerned with quotas that applies to all of them. Finding the current size by directory scanning is expensive; for maildirs some fudges have been invented: (1) A regex can be used to extract a file size from its name; (2) If maildir_use_size is set, a maildirsize file is used to cache the mailbox size. */ else { uschar *check_path; /* Default quota check path */ const pcre2_code * re = NULL; /* Regex for file size from file name */ if (!check_creation(string_sprintf("%s/any", path), ob->create_file, deliver_dir)) { addr->basic_errno = ERRNO_BADCREATE; addr->message = string_sprintf("tried to create file in %s, but " "file creation outside the home directory is not permitted", path); goto RETURN; } /* If the create_file option is an absolute path and the file was within it, de-taint. Otherwise check for taint. */ if (is_tainted(path)) if (ob->create_file == create_belowhome) { DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path); path = string_copy_taint(path, FALSE); } else goto tainted_ret_panic; check_path = path; #ifdef SUPPORT_MAILDIR /* For a maildir delivery, ensure that all the relevant directories exist, and a maildirfolder file if necessary. */ if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr, ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex)) return FALSE; #endif /* SUPPORT_MAILDIR */ /* If we are going to do a quota check, of if maildir_use_size_file is set for a maildir delivery, compile the regular expression if there is one. We may also need to adjust the path that is used. We need to do this for maildir_use_size_file even if the quota is unset, because we still want to create the file. When maildir support is not compiled, ob->maildir_use_size_file is always FALSE. */ if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file) { PCRE2_SIZE offset; int err; /* Compile the regex if there is one. */ if (ob->quota_size_regex) { if (!(re = pcre2_compile((PCRE2_SPTR)ob->quota_size_regex, PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx))) { uschar errbuf[128]; pcre2_get_error_message(err, errbuf, sizeof(errbuf)); addr->message = string_sprintf("appendfile: regular expression " "error: %s at offset %ld while compiling %s", errbuf, (long)offset, ob->quota_size_regex); return FALSE; } DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n", ob->quota_size_regex); } /* Use an explicitly configured directory if set */ if (ob->quota_directory) { if (!(check_path = expand_string(ob->quota_directory))) { addr->message = string_sprintf("Expansion of \"%s\" (quota_directory " "name for %s transport) failed: %s", ob->quota_directory, tblock->name, expand_string_message); goto ret_panic; } if (check_path[0] != '/') { addr->message = string_sprintf("appendfile: quota_directory name " "\"%s\" is not absolute", check_path); addr->basic_errno = ERRNO_NOTABSOLUTE; return FALSE; } } #ifdef SUPPORT_MAILDIR /* Otherwise, if we are handling a maildir delivery, and the directory contains a file called maildirfolder, this is a maildir++ feature telling us that this is a sub-directory of the real inbox. We should therefore do the quota check on the parent directory. Beware of the special case when the directory name itself ends in a slash. */ else if (mbformat == mbf_maildir) { struct stat statbuf; if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0) { uschar *new_check_path = string_copy(check_path); uschar *slash = Ustrrchr(new_check_path, '/'); if (slash) { if (!slash[1]) { *slash = 0; slash = Ustrrchr(new_check_path, '/'); } if (slash) { *slash = 0; check_path = new_check_path; DEBUG(D_transport) debug_printf("maildirfolder file exists: " "quota check directory changed to %s\n", check_path); } } } } #endif /* SUPPORT_MAILDIR */ } /* If we are using maildirsize files, we need to ensure that such a file exists and, if necessary, recalculate its contents. As a byproduct of this, we obtain the current size of the maildir. If no quota is to be enforced (ob->quota_value == 0), we still need the size if a threshold check will happen later. Another regular expression is used to determine which directories inside the maildir are going to be counted. */ #ifdef SUPPORT_MAILDIR if (ob->maildir_use_size_file) { const pcre2_code * dir_regex = NULL; PCRE2_SIZE offset; int err; if (ob->maildir_dir_regex) { int check_path_len = Ustrlen(check_path); if (!(dir_regex = pcre2_compile((PCRE2_SPTR)ob->maildir_dir_regex, PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx))) { uschar errbuf[128]; pcre2_get_error_message(err, errbuf, sizeof(errbuf)); addr->message = string_sprintf("appendfile: regular expression " "error: %s at offset %ld while compiling %s", errbuf, (long)offset, ob->maildir_dir_regex); return FALSE; } DEBUG(D_transport) debug_printf("using regex for maildir directory selection: %s\n", ob->maildir_dir_regex); /* Check to see if we are delivering into an ignored directory, that is, if the delivery path starts with the quota check path, and the rest of the deliver path matches the regex; if so, set a flag to disable quota checking and maildirsize updating. */ if (Ustrncmp(path, check_path, check_path_len) == 0) { uschar *s = path + check_path_len; while (*s == '/') s++; s = *s ? string_sprintf("%s/new", s) : US"new"; if (!regex_match(dir_regex, s, -1, NULL)) { disable_quota = TRUE; DEBUG(D_transport) debug_printf("delivery directory does not match " "maildir_quota_directory_regex: disabling quota\n"); } } } /* Quota enforcement; create and check the file. There is some discussion about whether this should happen if the quota is unset. At present, Exim always creates the file. If we ever want to change this, uncomment appropriate lines below, possibly doing a check on some option. */ /* if (???? || ob->quota_value > 0) */ if (!disable_quota) { off_t size; int filecount; if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, re, dir_regex, &size, &filecount)) == -1) { addr->basic_errno = errno; addr->message = string_sprintf("while opening or reading " "%s/maildirsize", check_path); return FALSE; } /* can also return -2, which means that the file was removed because of raciness; but in this case, the size & filecount will still have been updated. */ if (mailbox_size < 0) mailbox_size = size; if (mailbox_filecount < 0) mailbox_filecount = filecount; } /* No quota enforcement; ensure file does *not* exist; calculate size if needed. */ /* else * { * time_t old_latest; * (void)unlink(CS string_sprintf("%s/maildirsize", check_path)); * if (THRESHOLD_CHECK) * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest, * re, dir_regex, FALSE); * } */ } #endif /* SUPPORT_MAILDIR */ /* Otherwise if we are going to do a quota check later on, and the mailbox size is not set, find the current size of the mailbox. Ditto for the file count. Note that ob->quota_filecount_value cannot be set without ob->quota_value being set. */ if ( !disable_quota && (ob->quota_value > 0 || THRESHOLD_CHECK) && ( mailbox_size < 0 || mailbox_filecount < 0 && ob->quota_filecount_value > 0 ) ) { off_t size; int filecount = 0; DEBUG(D_transport) debug_printf("quota checks on directory %s\n", check_path); size = check_dir_size(check_path, &filecount, re); if (mailbox_size < 0) mailbox_size = size; if (mailbox_filecount < 0) mailbox_filecount = filecount; } /* Handle the case of creating a unique file in a given directory (not in maildir or mailstore format - this is how smail did it). A temporary name is used to create the file. Later, when it is written, the name is changed to a unique one. There is no need to lock the file. An attempt is made to create the directory if it does not exist. */ if (mbformat == mbf_smail) { DEBUG(D_transport) debug_printf("delivering to new file in %s\n", path); filename = dataname = string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname); fd = Uopen(filename, O_WRONLY|O_CREAT, mode); if (fd < 0 && /* failed to open, and */ (errno != ENOENT || /* either not non-exist */ !ob->create_directory || /* or not allowed to make */ !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */ (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */ { addr->basic_errno = errno; addr->message = string_sprintf("while creating file %s", filename); return FALSE; } } #ifdef SUPPORT_MAILDIR /* Handle the case of a unique file in maildir format. The file is written to the tmp subdirectory, with a prescribed form of name. */ else if (mbformat == mbf_maildir) { DEBUG(D_transport) debug_printf("delivering in maildir format in %s\n", path); nametag = ob->maildir_tag; /* Check that nametag expands successfully; a hard failure causes a panic return. The actual expansion for use happens again later, when $message_size is accurately known. */ if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail) { addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag " "for %s transport) failed: %s", nametag, tblock->name, expand_string_message); goto ret_panic; } /* We ensured the existence of all the relevant directories above. Attempt to open the temporary file a limited number of times. I think this rather scary-looking for statement is actually OK. If open succeeds, the loop is broken; if not, there is a test on the value of i. Get the time again afresh each time round the loop. Its value goes into a variable that is checked at the end, to make sure we don't release this process until the clock has ticked. */ for (int i = 1;; i++) { uschar *basename; (void)gettimeofday(&msg_tv, NULL); basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s", msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname); filename = dataname = string_sprintf("tmp/%s", basename); newname = string_sprintf("new/%s", basename); if (Ustat(filename, &statbuf) == 0) errno = EEXIST; else if (errno == ENOENT) { if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0) break; DEBUG (D_transport) debug_printf ("open failed for %s: %s\n", filename, strerror(errno)); } /* Too many retries - give up */ if (i >= ob->maildir_retries) { addr->message = string_sprintf ("failed to open %s (%d tr%s)", filename, i, (i == 1) ? "y" : "ies"); addr->basic_errno = errno; if (errno == errno_quota || errno == ENOSPC) addr->user_message = US"mailbox is full"; return FALSE; } /* Open or stat failed but we haven't tried too many times yet. */ sleep(2); } /* Note that we have to ensure the clock has ticked before leaving */ wait_for_tick = TRUE; /* Why are these here? Put in because they are present in the non-maildir directory case above. */ if (exim_chown(filename, uid, gid) || Uchmod(filename, mode)) { addr->basic_errno = errno; addr->message = string_sprintf("while setting perms on maildir %s", filename); return FALSE; } } #endif /* SUPPORT_MAILDIR */ #ifdef SUPPORT_MAILSTORE /* Handle the case of a unique file in mailstore format. First write the envelope to a temporary file, then open the main file. The unique base name for the files consists of the message id plus the pid of this delivery process. */ else { FILE *env_file; mailstore_basename = string_sprintf("%s/%s-%s", path, message_id, string_base62((long int)getpid())); DEBUG(D_transport) debug_printf("delivering in mailstore format in %s\n", path); filename = string_sprintf("%s.tmp", mailstore_basename); newname = string_sprintf("%s.env", mailstore_basename); dataname = string_sprintf("%s.msg", mailstore_basename); fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode); if ( fd < 0 /* failed to open, and */ && ( errno != ENOENT /* either not non-exist */ || !ob->create_directory /* or not allowed to make */ || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */ || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */ ) ) { addr->basic_errno = errno; addr->message = string_sprintf("while creating file %s", filename); return FALSE; } /* Why are these here? Put in because they are present in the non-maildir directory case above. */ if (exim_chown(filename, uid, gid) || Uchmod(filename, mode)) { addr->basic_errno = errno; addr->message = string_sprintf("while setting perms on file %s", filename); return FALSE; } /* Built a C stream from the open file descriptor. */ if (!(env_file = fdopen(fd, "wb"))) { addr->basic_errno = errno; addr->message = string_sprintf("fdopen of %s (" "for %s transport) failed", filename, tblock->name); (void)close(fd); Uunlink(filename); goto ret_panic; } /* Write the envelope file, then close it. */ if (ob->mailstore_prefix) { uschar *s = expand_string(ob->mailstore_prefix); if (!s) { if (!f.expand_string_forcedfail) { addr->message = string_sprintf("Expansion of \"%s\" (mailstore " "prefix for %s transport) failed: %s", ob->mailstore_prefix, tblock->name, expand_string_message); (void)fclose(env_file); Uunlink(filename); goto ret_panic; } } else { int n = Ustrlen(s); fprintf(env_file, "%s", CS s); if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n"); } } fprintf(env_file, "%s\n", sender_address); for (address_item * taddr = addr; taddr; taddr = taddr->next) fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain); if (ob->mailstore_suffix) { uschar *s = expand_string(ob->mailstore_suffix); if (!s) { if (!f.expand_string_forcedfail) { addr->message = string_sprintf("Expansion of \"%s\" (mailstore " "suffix for %s transport) failed: %s", ob->mailstore_suffix, tblock->name, expand_string_message); (void)fclose(env_file); Uunlink(filename); goto ret_panic; } } else { int n = Ustrlen(s); fprintf(env_file, "%s", CS s); if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n"); } } if (fclose(env_file) != 0) { addr->basic_errno = errno; addr->message = string_sprintf("while closing %s", filename); Uunlink(filename); return FALSE; } DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename); /* Now open the data file, and ensure that it has the correct ownership and mode. */ if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("while creating file %s", dataname); Uunlink(filename); return FALSE; } if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode)) { addr->basic_errno = errno; addr->message = string_sprintf("while setting perms on file %s", dataname); return FALSE; } } #endif /* SUPPORT_MAILSTORE */ /* In all cases of writing to a new file, ensure that the file which is going to be renamed has the correct ownership and mode. */ if (exim_chown(filename, uid, gid) || Uchmod(filename, mode)) { addr->basic_errno = errno; addr->message = string_sprintf("while setting perms on file %s", filename); return FALSE; } } /* At last we can write the message to the file, preceded by any configured prefix line, and followed by any configured suffix line. If there are any writing errors, we must defer. */ DEBUG(D_transport) debug_printf("writing to file %s\n", dataname); yield = OK; errno = 0; /* If there is a local quota setting, check that we are not going to exceed it with this message if quota_is_inclusive is set; if it is not set, the check is for the mailbox already being over quota (i.e. the current message is not included in the check). */ if (!disable_quota && ob->quota_value > 0) { DEBUG(D_transport) { debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT " this message = %d (%sincluded)\n", ob->quota_value, mailbox_size, message_size, ob->quota_is_inclusive ? "" : "not "); debug_printf(" file count quota = %d count = %d\n", ob->quota_filecount_value, mailbox_filecount); } if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value) if (!ob->quota_no_check) { DEBUG(D_transport) debug_printf("mailbox quota exceeded\n"); yield = DEFER; errno = ERRNO_EXIMQUOTA; } else DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n"); if (ob->quota_filecount_value > 0 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) > ob->quota_filecount_value) if (!ob->quota_filecount_no_check) { DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n"); yield = DEFER; errno = ERRNO_EXIMQUOTA; filecount_msg = US" filecount"; } else DEBUG(D_transport) if (ob->quota_filecount_no_check) debug_printf("mailbox file count quota exceeded but ignored\n"); } if (verify_mode) { addr->basic_errno = errno; addr->message = US"Over quota"; addr->transport_return = yield; DEBUG(D_transport) debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n", yield, addr->basic_errno, addr->more_errno); goto RETURN; } /* If we are writing in MBX format, what we actually do is to write the message to a temporary file, and then copy it to the real file once we know its size. This is the most straightforward way of getting the correct length in the separator line. So, what we do here is to save the real file descriptor, and replace it with one for a temporary file. The temporary file gets unlinked once opened, so that it goes away on closure. */ #ifdef SUPPORT_MBX if (yield == OK && ob->mbx_format) { if (!(temp_file = tmpfile())) { addr->basic_errno = errno; addr->message = US"while setting up temporary file"; yield = DEFER; goto RETURN; } save_fd = fd; fd = fileno(temp_file); DEBUG(D_transport) debug_printf("writing to temporary file\n"); } #endif /* SUPPORT_MBX */ /* Zero the count of bytes written. It is incremented by the transport_xxx() functions. */ transport_count = 0; transport_newlines = 0; /* Write any configured prefix text first */ if (yield == OK && ob->message_prefix && *ob->message_prefix) { uschar *prefix = expand_string(ob->message_prefix); if (!prefix) { errno = ERRNO_EXPANDFAIL; addr->transport_return = PANIC; addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s " "transport) failed", ob->message_prefix, tblock->name); yield = DEFER; } else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER; } /* If the use_bsmtp option is on, we need to write SMTP prefix information. The various different values for batching are handled outside; if there is more than one address available here, all must be included. If any address is a file, use its parent in the RCPT TO. */ if (yield == OK && ob->use_bsmtp) { transport_count = 0; transport_newlines = 0; if (ob->use_crlf) cr = US"\r"; if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr)) yield = DEFER; else { transport_newlines++; for (address_item * a = addr; a; a = a->next) { address_item * b = testflag(a, af_pfr) ? a->parent : a; if (!transport_write_string(fd, "RCPT TO:<%s>%s\n", transport_rcpt_address(b, tblock->rcpt_include_affixes), cr)) { yield = DEFER; break; } transport_newlines++; } if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr)) yield = DEFER; else transport_newlines++; } } /* Now the message itself. The options for transport_write_message were set up at initialization time. */ if (yield == OK) { transport_ctx tctx = { .u = {.fd=fd}, .tblock = tblock, .addr = addr, .check_string = ob->check_string, .escape_string = ob->escape_string, .options = ob->options | topt_not_socket }; if (!transport_write_message(&tctx, 0)) yield = DEFER; } /* Now a configured suffix. */ if (yield == OK && ob->message_suffix && *ob->message_suffix) { uschar *suffix = expand_string(ob->message_suffix); if (!suffix) { errno = ERRNO_EXPANDFAIL; addr->transport_return = PANIC; addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s " "transport) failed", ob->message_suffix, tblock->name); yield = DEFER; } else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER; } /* If batch smtp, write the terminating dot. */ if (yield == OK && ob->use_bsmtp) if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER; else transport_newlines++; /* If MBX format is being used, all that writing was to the temporary file. However, if there was an earlier failure (Exim quota exceeded, for example), the temporary file won't have got opened - and no writing will have been done. If writing was OK, we restore the fd, and call a function that copies the message in MBX format into the real file. Otherwise use the temporary name in any messages. */ #ifdef SUPPORT_MBX if (temp_file && ob->mbx_format) { int mbx_save_errno; fd = save_fd; if (yield == OK) { transport_count = 0; /* Reset transport count for actual write */ /* No need to reset transport_newlines as we're just using a block copy * routine so the number won't be affected */ yield = copy_mbx_message(fd, fileno(temp_file), saved_size); } else if (errno >= 0) dataname = US"temporary file"; /* Preserve errno while closing the temporary file. */ mbx_save_errno = errno; (void)fclose(temp_file); errno = mbx_save_errno; } #endif /* SUPPORT_MBX */ /* Force out the remaining data to check for any errors; some OS don't allow fsync() to be called for a FIFO. */ if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER; /* Update message_size and message_linecount to the accurate count of bytes written, including added headers. Note; we subtract 1 from message_linecount as this variable doesn't count the new line between the header and the body of the message. */ message_size = transport_count; message_linecount = transport_newlines - 1; /* If using a maildir++ quota file, add this message's size to it, and close the file descriptor, except when the quota has been disabled because we are delivering into an uncounted folder. */ #ifdef SUPPORT_MAILDIR if (!disable_quota) { if (yield == OK && maildirsize_fd >= 0) maildir_record_length(maildirsize_fd, message_size); maildir_save_errno = errno; /* Preserve errno while closing the file */ if (maildirsize_fd >= 0) (void)close(maildirsize_fd); errno = maildir_save_errno; } #endif /* SUPPORT_MAILDIR */ /* If there is a quota warning threshold and we are have crossed it with this message, set the SPECIAL_WARN flag in the address, to cause a warning message to be sent. */ if (!disable_quota && THRESHOLD_CHECK) { off_t threshold = ob->quota_warn_threshold_value; if (ob->quota_warn_threshold_is_percent) threshold = (off_t)(((double)ob->quota_value * threshold) / 100); DEBUG(D_transport) debug_printf("quota = " OFF_T_FMT " threshold = " OFF_T_FMT " old size = " OFF_T_FMT " message size = %d\n", ob->quota_value, threshold, mailbox_size, message_size); if (mailbox_size <= threshold && mailbox_size + message_size > threshold) addr->special_action = SPECIAL_WARN; /******* You might think that the test ought to be this: * * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 && * mailbox_size <= threshold && mailbox_size + message_size > threshold) * * (indeed, I was sent a patch with that in). However, it is possible to * have a warning threshold without actually imposing a quota, and I have * therefore kept Exim backwards compatible. ********/ } /* Handle error while writing the file. Control should come here directly after the error, with the reason in errno. In the case of expansion failure in prefix or suffix, it will be ERRNO_EXPANDFAIL. */ if (yield != OK) { addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */ /* Save the error number. If positive, it will ultimately cause a strerror() call to generate some text. */ addr->basic_errno = errno; /* For system or Exim quota excession, or disk full, set more_errno to the time since the file was last read. If delivery was into a directory, the time since last read logic is not relevant, in general. However, for maildir deliveries we can approximate it by looking at the last modified time of the "new" subdirectory. Since Exim won't be adding new messages, a change to the "new" subdirectory implies that an MUA has moved a message from there to the "cur" directory. */ if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC) { addr->more_errno = 0; if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime); #ifdef SUPPORT_MAILDIR else if (mbformat == mbf_maildir) { struct stat statbuf; if (Ustat("new", &statbuf) < 0) { DEBUG(D_transport) debug_printf("maildir quota exceeded: " "stat error %d for \"new\": %s\n", errno, strerror(errno)); } else /* Want a repeatable time when in test harness */ addr->more_errno = f.running_in_test_harness ? 10 : (int)time(NULL) - statbuf.st_mtime; DEBUG(D_transport) debug_printf("maildir: time since \"new\" directory modified = %s\n", readconf_printtime(addr->more_errno)); } #endif /* SUPPORT_MAILDIR */ } /* Handle system quota excession. Add an explanatory phrase for the error message, since some systems don't have special quota-excession errors, and on those that do, "quota" doesn't always mean anything to the user. */ if (errno == errno_quota) { #ifndef EDQUOT addr->message = string_sprintf("mailbox is full " "(quota exceeded while writing to file %s)", filename); #else addr->message = US"mailbox is full"; #endif /* EDQUOT */ addr->user_message = US"mailbox is full"; DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n", dataname, isdirectory ? US"" : US": time since file read = ", isdirectory ? US"" : readconf_printtime(addr->more_errno)); } /* Handle Exim's own quota-imposition */ else if (errno == ERRNO_EXIMQUOTA) { addr->message = string_sprintf("mailbox is full " "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg, dataname); addr->user_message = US"mailbox is full"; DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n", filecount_msg, dataname, isdirectory ? US"" : US": time since file read = ", isdirectory ? US"" : readconf_printtime(addr->more_errno)); } /* Handle a process failure while writing via a filter; the return from child_close() is in more_errno. */ else if (errno == ERRNO_FILTER_FAIL) { yield = PANIC; addr->message = string_sprintf("transport filter process failed (%d) " "while writing to %s%s", addr->more_errno, dataname, (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : ""); } /* Handle failure to expand header changes */ else if (errno == ERRNO_CHHEADER_FAIL) { yield = PANIC; addr->message = string_sprintf("failed to expand headers_add or headers_remove while " "writing to %s: %s", dataname, expand_string_message); } /* Handle failure to complete writing of a data block */ else if (errno == ERRNO_WRITEINCOMPLETE) addr->message = string_sprintf("failed to write data block while " "writing to %s", dataname); /* Handle length mismatch on MBX copying */ #ifdef SUPPORT_MBX else if (errno == ERRNO_MBXLENGTH) addr->message = string_sprintf("length mismatch while copying MBX " "temporary file to %s", dataname); #endif /* SUPPORT_MBX */ /* For other errors, a general-purpose explanation, if the message is not already set. */ else if (addr->message == NULL) addr->message = string_sprintf("error while writing to %s", dataname); /* For a file, reset the file size to what it was before we started, leaving the last modification time unchanged, so it will get reset also. All systems investigated so far have ftruncate(), whereas not all have the F_FREESP fcntl() call (BSDI & FreeBSD do not). */ if (!isdirectory && ftruncate(fd, saved_size)) DEBUG(D_transport) debug_printf("Error resetting file size\n"); } /* Handle successful writing - we want the modification time to be now for appended files. Remove the default backstop error number. For a directory, now is the time to rename the file with a unique name. As soon as such a name appears it may get used by another process, so we close the file first and check that all is well. */ else { times.modtime = time(NULL); addr->basic_errno = 0; /* Handle the case of writing to a new file in a directory. This applies to all single-file formats - maildir, mailstore, and "smail format". */ if (isdirectory) { if (fstat(fd, &statbuf) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("while fstatting opened message file %s", filename); yield = DEFER; } else if (close(fd) < 0) { addr->basic_errno = errno; addr->message = string_sprintf("close() error for %s", (ob->mailstore_format) ? dataname : filename); yield = DEFER; } /* File is successfully written and closed. Arrange to rename it. For the different kinds of single-file delivery, some games can be played with the name. The message size is by this time set to the accurate value so that its value can be used in expansions. */ else { uschar *renamename = newname; fd = -1; DEBUG(D_transport) debug_printf("renaming temporary file\n"); /* If there is no rename name set, we are in a non-maildir, non-mailstore situation. The name is built by expanding the directory_file option, and we make the inode number available for use in this. The expansion was checked for syntactic validity above, before we wrote the file. We have to be careful here, in case the file name exists. (In the other cases, the names used are constructed to be unique.) The rename() function just replaces an existing file - we don't want that! So instead of calling rename(), we must use link() and unlink(). In this case, if the link fails because of an existing file, we wait for one second and try the expansion again, to see if it produces a different value. Do this up to 5 times unless the name stops changing. This makes it possible to build values that are based on the time, and still cope with races from multiple simultaneous deliveries. */ if (!newname) { uschar *renameleaf; uschar *old_renameleaf = US""; for (int i = 0; ; sleep(1), i++) { deliver_inode = statbuf.st_ino; renameleaf = expand_string(ob->dirfilename); deliver_inode = 0; if (!renameleaf) { addr->transport_return = PANIC; addr->message = string_sprintf("Expansion of \"%s\" " "(directory_file for %s transport) failed: %s", ob->dirfilename, tblock->name, expand_string_message); goto RETURN; } renamename = string_sprintf("%s/%s", path, renameleaf); if (Ulink(filename, renamename) < 0) { DEBUG(D_transport) debug_printf("link failed: %s\n", strerror(errno)); if (errno != EEXIST || i >= 4 || Ustrcmp(renameleaf, old_renameleaf) == 0) { addr->basic_errno = errno; addr->message = string_sprintf("while renaming %s as %s", filename, renamename); yield = DEFER; break; } old_renameleaf = renameleaf; DEBUG(D_transport) debug_printf("%s exists - trying again\n", renamename); } else { Uunlink(filename); filename = NULL; break; } } /* re-expand loop */ } /* not mailstore or maildir */ /* For maildir and mailstore formats, the new name was created earlier, except that for maildir, there is the possibility of adding a "tag" on the end of the name by expanding the value of nametag. This usually includes a reference to the message size. The expansion of nametag was checked above, before the file was opened. It either succeeded, or provoked a soft failure. So any failure here can be treated as soft. Ignore non-printing characters and / and put a colon at the start if the first character is alphanumeric. */ else { if (nametag) { uschar *iptr = expand_string(nametag); if (iptr) { uschar *etag = store_get(Ustrlen(iptr) + 2, is_tainted(iptr)); uschar *optr = etag; for ( ; *iptr; iptr++) if (mac_isgraph(*iptr) && *iptr != '/') { if (optr == etag && isalnum(*iptr)) *optr++ = ':'; *optr++ = *iptr; } *optr = 0; renamename = string_sprintf("%s%s", newname, etag); } } /* Do the rename. If the name is too long and a tag exists, try again without the tag. */ if (Urename(filename, renamename) < 0 && (nametag == NULL || errno != ENAMETOOLONG || (renamename = newname, Urename(filename, renamename) < 0))) { addr->basic_errno = errno; addr->message = string_sprintf("while renaming %s as %s", filename, renamename); yield = DEFER; } /* Rename succeeded */ else { DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename, renamename); filename = dataname = NULL; /* Prevents attempt to unlink at end */ } } /* maildir or mailstore */ } /* successful write + close */ } /* isdirectory */ } /* write success */ /* For a file, restore the last access time (atime), and set the modification time as required - changed if write succeeded, unchanged if not. */ if (!isdirectory) utime(CS filename, ×); /* Notify comsat if configured to do so. It only makes sense if the configured file is the one that the comsat daemon knows about. */ if (ob->notify_comsat && yield == OK && deliver_localpart) notify_comsat(deliver_localpart, saved_size); /* Pass back the final return code in the address structure */ DEBUG(D_transport) debug_printf("appendfile yields %d with errno=%d more_errno=%d\n", yield, addr->basic_errno, addr->more_errno); addr->transport_return = yield; /* Close the file, which will release the fcntl lock. For a directory write it is closed above, except in cases of error which goto RETURN, when we also need to remove the original file(s). For MBX locking, if all has gone well, before closing the file, see if we can get an exclusive lock on it, in which case we can unlink the /tmp lock file before closing it. This is always a non-blocking lock; there's no need to wait if we can't get it. If everything has gone right but close fails, defer the message. Then unlink the lock file, if present. This point in the code is jumped to from a number of places when errors are detected, in order to get the file closed and the lock file tidied away. */ RETURN: #ifdef SUPPORT_MBX if (mbx_lockfd >= 0) { if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0, ob->use_flock, 0) >= 0) { DEBUG(D_transport) debug_printf("unlinking MBX lock file %s\n", mbx_lockname); Uunlink(mbx_lockname); } (void)close(mbx_lockfd); } #endif /* SUPPORT_MBX */ if (fd >= 0 && close(fd) < 0 && yield == OK) { addr->basic_errno = errno; addr->message = string_sprintf("while closing %s", filename); addr->transport_return = DEFER; } if (hd >= 0) Uunlink(lockname); /* We get here with isdirectory and filename set only in error situations. */ if (isdirectory && filename) { Uunlink(filename); if (dataname != filename) Uunlink(dataname); } /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a file name relies on time + pid. We must not allow the process to finish until the clock has move on by at least one microsecond. Usually we expect this already to be the case, but machines keep getting faster... */ if (wait_for_tick) exim_wait_tick(&msg_tv, 1); /* A return of FALSE means that if there was an error, a common error was put in the first address of a batch. */ return FALSE; tainted_ret_panic: addr->message = string_sprintf("Tainted '%s' (file or directory " "name for %s transport) not permitted", path, tblock->name); ret_panic: addr->transport_return = PANIC; return FALSE; } #endif /*!MACRO_PREDEF*/ /* End of transport/appendfile.c */