-/* $Cambridge: exim/src/src/exim.c,v 1.71 2010/06/07 00:12:42 pdp Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
#include "exim.h"
+extern void init_lookup_list(void);
+
/*************************************************
+/*************************************************
+* Set up processing details *
+*************************************************/
+
+/* Save a text string for dumping when SIGUSR1 is received.
+Do checks for overruns.
+
+Arguments: format and arguments, as for printf()
+Returns: nothing
+*/
+
+void
+set_process_info(const char *format, ...)
+{
+int len;
+va_list ap;
+sprintf(CS process_info, "%5d ", (int)getpid());
+len = Ustrlen(process_info);
+va_start(ap, format);
+if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
+ Ustrcpy(process_info + len, "**** string overflowed buffer ****");
+len = Ustrlen(process_info);
+process_info[len+0] = '\n';
+process_info[len+1] = '\0';
+process_info_len = len + 1;
+DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
+va_end(ap);
+}
+
+
+
+
/*************************************************
* Handler for SIGUSR1 *
*************************************************/
setting up a handler that causes automatic restarting of any system call
that is in progress at the time.
+This function takes care to be signal-safe.
+
Argument: the signal number (SIGUSR1)
Returns: nothing
*/
static void
usr1_handler(int sig)
{
-sig = sig; /* Keep picky compilers happy */
-log_write(0, LOG_PROCESS, "%s", process_info);
-log_close_all();
-os_restarting_signal(SIGUSR1, usr1_handler);
+int fd;
+
+os_restarting_signal(sig, usr1_handler);
+
+fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE);
+if (fd < 0)
+ {
+ /* If we are already running as the Exim user, try to create it in the
+ current process (assuming spool_directory exists). Otherwise, if we are
+ root, do the creation in an exim:exim subprocess. */
+
+ int euid = geteuid();
+ if (euid == exim_uid)
+ fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
+ else if (euid == root_uid)
+ fd = log_create_as_exim(process_log_path);
+ }
+
+/* If we are neither exim nor root, or if we failed to create the log file,
+give up. There is not much useful we can do with errors, since we don't want
+to disrupt whatever is going on outside the signal handler. */
+
+if (fd < 0) return;
+
+(void)write(fd, process_info, process_info_len);
+(void)close(fd);
}
-/*************************************************
-* Set up processing details *
-*************************************************/
-
-/* Save a text string for dumping when SIGUSR1 is received.
-Do checks for overruns.
-
-Arguments: format and arguments, as for printf()
-Returns: nothing
-*/
-
-void
-set_process_info(char *format, ...)
-{
-int len;
-va_list ap;
-sprintf(CS process_info, "%5d ", (int)getpid());
-len = Ustrlen(process_info);
-va_start(ap, format);
-if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
- Ustrcpy(process_info + len, "**** string overflowed buffer ****");
-DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
-va_end(ap);
-}
-
-
-
-
-
/*************************************************
* Call fopen() with umask 777 and adjust mode *
*************************************************/
*/
FILE *
-modefopen(uschar *filename, char *options, mode_t mode)
+modefopen(const uschar *filename, const char *options, mode_t mode)
{
mode_t saved_umask = umask(0777);
FILE *f = Ufopen(filename, options);
DEBUG(D_uid)
{
- int group_count;
+ int group_count, save_errno;
gid_t group_list[NGROUPS_MAX];
debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
(long int)geteuid(), (long int)getegid(), (long int)getpid());
group_count = getgroups(NGROUPS_MAX, group_list);
+ save_errno = errno;
debug_printf(" auxiliary group list:");
if (group_count > 0)
{
int i;
for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
}
+ else if (group_count < 0)
+ debug_printf(" <error: %s>", strerror(save_errno));
else debug_printf(" <none>");
debug_printf("\n");
}
#endif
fprintf(f, "\n");
-fprintf(f, "Lookups:");
-#ifdef LOOKUP_LSEARCH
+fprintf(f, "Lookups (built-in):");
+#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
#endif
-#ifdef LOOKUP_CDB
+#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
fprintf(f, " cdb");
#endif
-#ifdef LOOKUP_DBM
+#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
fprintf(f, " dbm dbmnz");
#endif
-#ifdef LOOKUP_DNSDB
+#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
fprintf(f, " dnsdb");
#endif
-#ifdef LOOKUP_DSEARCH
+#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
fprintf(f, " dsearch");
#endif
-#ifdef LOOKUP_IBASE
+#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
fprintf(f, " ibase");
#endif
-#ifdef LOOKUP_LDAP
+#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
fprintf(f, " ldap ldapdn ldapm");
#endif
-#ifdef LOOKUP_MYSQL
+#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
fprintf(f, " mysql");
#endif
-#ifdef LOOKUP_NIS
+#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
fprintf(f, " nis nis0");
#endif
-#ifdef LOOKUP_NISPLUS
+#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
fprintf(f, " nisplus");
#endif
-#ifdef LOOKUP_ORACLE
+#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
fprintf(f, " oracle");
#endif
-#ifdef LOOKUP_PASSWD
+#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
fprintf(f, " passwd");
#endif
-#ifdef LOOKUP_PGSQL
+#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
fprintf(f, " pgsql");
#endif
-#ifdef LOOKUP_SQLITE
+#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
fprintf(f, " sqlite");
#endif
-#ifdef LOOKUP_TESTDB
+#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
fprintf(f, " testdb");
#endif
-#ifdef LOOKUP_WHOSON
+#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
fprintf(f, " whoson");
#endif
fprintf(f, "\n");
fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
-/* This runtime check is to help diagnose library linkage mismatches which
-result in segfaults and the like; as such, it's left until the end,
-just in case. There will still be a "Configuration file is" line still to
-come. */
+/* Everything else is details which are only worth reporting when debugging.
+Perhaps the tls_version_report should move into this too. */
+DEBUG(D_any) do {
+
+ int i;
+
+/* clang defines __GNUC__ (at least, for me) so test for it first */
+#if defined(__clang__)
+ fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
+#elif defined(__GNUC__)
+ fprintf(f, "Compiler: GCC [%s]\n",
+# ifdef __VERSION__
+ __VERSION__
+# else
+ "? unknown version ?"
+# endif
+ );
+#else
+ fprintf(f, "Compiler: <unknown>\n");
+#endif
+
#ifdef SUPPORT_TLS
-tls_version_report(f);
+ tls_version_report(f);
#endif
+
+#ifdef AUTH_CYRUS_SASL
+ auth_cyrus_sasl_version_report(f);
+#endif
+
+ fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
+ " Runtime: %s\n",
+ PCRE_MAJOR, PCRE_MINOR,
+ /* PRE_PRERELEASE is either defined and empty or a string.
+ * unless its an ancient version of PCRE in which case it
+ * is not defined */
+#ifdef PCRE_PRERELEASE
+ PCRE_PRERELEASE "",
+#else
+ "",
+#endif
+ pcre_version());
+
+ init_lookup_list();
+ for (i = 0; i < lookup_list_count; i++)
+ {
+ if (lookup_list[i]->version_report)
+ lookup_list[i]->version_report(f);
+ }
+
+#ifdef WHITELIST_D_MACROS
+ fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
+#else
+ fprintf(f, "WHITELIST_D_MACROS unset\n");
+#endif
+#ifdef TRUSTED_CONFIG_LIST
+ fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
+#else
+ fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
+#endif
+
+} while (0);
}
*/
static void *
-set_readline(char * (**fn_readline_ptr)(char *),
- char * (**fn_addhist_ptr)(char *))
+set_readline(char * (**fn_readline_ptr)(const char *),
+ void (**fn_addhist_ptr)(const char *))
{
void *dlhandle;
-void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
+void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
-dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
+dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
if (dlhandle != NULL)
{
- *fn_readline_ptr = (char *(*)(char*))dlsym(dlhandle, "readline");
- *fn_addhist_ptr = (char *(*)(char*))dlsym(dlhandle, "add_history");
+ /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
+ * char * readline (const char *prompt);
+ * void add_history (const char *string);
+ */
+ *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
+ *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
}
else
{
*/
static uschar *
-get_stdinput(char *(*fn_readline)(char *), char *(*fn_addhist)(char *))
+get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
{
int i;
int size = 0;
return FALSE;
}
}
-debug_printf("macros_trusted overriden to true by whitelisting\n");
+DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
return TRUE;
#endif
}
int filter_sfd = -1;
int filter_ufd = -1;
int group_count;
-int i;
+int i, rv;
int list_queue_option = 0;
int msg_action = 0;
int msg_action_arg = -1;
EXIM_USERNAME);
exit(EXIT_FAILURE);
}
- exim_gid = pw->pw_gid;
+ /* If ref:name uses a number as the name, route_finduser() returns
+ TRUE with exim_uid set and pw coerced to NULL. */
+ if (pw)
+ exim_gid = pw->pw_gid;
+#ifndef EXIM_GROUPNAME
+ else
+ {
+ fprintf(stderr,
+ "exim: ref:name should specify a usercode, not a group.\n"
+ "exim: can't let you get away with it unless you also specify a group.\n");
+ exit(EXIT_FAILURE);
+ }
+#endif
}
else
{
if (real_uid == root_uid)
{
- setgid(real_gid);
- setuid(real_uid);
+ rv = setgid(real_gid);
+ if (rv)
+ {
+ fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
+ (long int)real_gid, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ rv = setuid(real_uid);
+ if (rv)
+ {
+ fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
+ (long int)real_uid, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
}
/* If neither the original real uid nor the original euid was root, Exim is
#endif
if (real_uid != root_uid)
{
- #ifdef TRUSTED_CONFIG_PREFIX_LIST
+ #ifdef TRUSTED_CONFIG_LIST
- if ((real_uid != exim_uid
- #ifdef CONFIGURE_OWNER
- && real_uid != config_uid
- #endif
- ) || Ustrstr(argrest, "/../"))
+ if (real_uid != exim_uid
+ #ifdef CONFIGURE_OWNER
+ && real_uid != config_uid
+ #endif
+ )
trusted_config = FALSE;
else
{
- FILE *trust_list = Ufopen(TRUSTED_CONFIG_PREFIX_LIST, "rb");
+ FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
if (trust_list)
{
struct stat statbuf;
{
/* Well, the trust list at least is up to scratch... */
void *reset_point = store_get(0);
- uschar *trusted_prefixes[32];
- int nr_prefixes = 0;
+ uschar *trusted_configs[32];
+ int nr_configs = 0;
int i = 0;
while (Ufgets(big_buffer, big_buffer_size, trust_list))
nl = Ustrchr(start, '\n');
if (nl)
*nl = 0;
- trusted_prefixes[nr_prefixes++] = string_copy(start);
- if (nr_prefixes == 32)
+ trusted_configs[nr_configs++] = string_copy(start);
+ if (nr_configs == 32)
break;
}
fclose(trust_list);
- if (nr_prefixes)
+ if (nr_configs)
{
int sep = 0;
uschar *list = argrest;
while (trusted_config && (filename = string_nextinlist(&list,
&sep, big_buffer, big_buffer_size)) != NULL)
{
- for (i=0; i < nr_prefixes; i++)
+ for (i=0; i < nr_configs; i++)
{
- int len = Ustrlen(trusted_prefixes[i]);
- if (Ustrlen(filename) >= len &&
- Ustrncmp(filename, trusted_prefixes[i], len) == 0)
+ if (Ustrcmp(filename, trusted_configs[i]) == 0)
break;
}
- if (i == nr_prefixes)
+ if (i == nr_configs)
{
trusted_config = FALSE;
break;
debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
debug_selector);
- show_whats_supported(stderr);
+ if (!version_printed)
+ show_whats_supported(stderr);
}
}
save the group list here first. */
group_count = getgroups(NGROUPS_MAX, group_list);
+if (group_count < 0)
+ {
+ fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
/* There is a fundamental difference in some BSD systems in the matter of
groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
and should be used for any logging information because attempts to write
to the log will usually fail. To arrange this, we unset really_exim. However,
if no stderr is available there is no point - we might as well have a go
- at the log (if it fails, syslog will be written). */
+ at the log (if it fails, syslog will be written).
- if (log_stderr != NULL) really_exim = FALSE;
+ Note that if the invoker is Exim, the logs remain available. Messing with
+ this causes unlogged successful deliveries. */
+
+ if ((log_stderr != NULL) && (real_uid != exim_uid))
+ really_exim = FALSE;
}
/* Privilege is to be retained for the moment. It may be dropped later,
else
log_write(0, LOG_MAIN|LOG_PANIC,
"exim user lost privilege for using %s option",
- (int)exim_uid, trusted_config? "-D" : "-C");
+ trusted_config? "-D" : "-C");
}
/* Start up Perl interpreter if Perl support is configured and there is a
}
#endif /* EXIM_PERL */
+/* Initialise lookup_list
+If debugging, already called above via version reporting.
+This does mean that debugging causes the list to be initialised while root.
+This *should* be harmless -- all modules are loaded from a fixed dir and
+it's code that would, if not a module, be part of Exim already. */
+init_lookup_list();
+
/* Log the arguments of the call if the configuration file said so. This is
a debugging feature for finding out what arguments certain MUAs actually use.
Don't attempt it if logging is disabled, or if listing variables or if
/* When we are retaining a privileged uid, we still change to the exim gid. */
-else setgid(exim_gid);
+else
+ {
+ int rv;
+ rv = setgid(exim_gid);
+ /* Impact of failure is that some stuff might end up with an incorrect group.
+ We track this for failures from root, since any attempt to change privilege
+ by root should succeed and failures should be examined. For non-root,
+ there's no security risk. For me, it's { exim -bV } on a just-built binary,
+ no need to complain then. */
+ if (rv == -1)
+ {
+ if (!(unprivileged || removed_privilege))
+ {
+ fprintf(stderr,
+ "exim: changing group failed: %s\n", strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ else
+ DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
+ (long int)exim_gid, strerror(errno));
+ }
+ }
/* Handle a request to scan a file for malware */
if (malware_test_file)
else
{
- char *(*fn_readline)(char *) = NULL;
- char *(*fn_addhist)(char *) = NULL;
+ char *(*fn_readline)(const char *) = NULL;
+ void (*fn_addhist)(const char *) = NULL;
#ifdef USE_READLINE
void *dlhandle = set_readline(&fn_readline, &fn_addhist);