48cecd8a58
MFC after: 3 days
647 lines
14 KiB
C
647 lines
14 KiB
C
/*
|
|
* Copyright (c) 2001-2002 Proofpoint, Inc. and its suppliers.
|
|
* All rights reserved.
|
|
*
|
|
* By using this file, you agree to the terms and conditions set
|
|
* forth in the LICENSE file which can be found at the top level of
|
|
* the sendmail distribution.
|
|
*
|
|
*/
|
|
|
|
#include <sm/gen.h>
|
|
SM_RCSID("@(#)$Id: mpeix.c,v 1.8 2013-11-22 20:51:43 ca Exp $")
|
|
|
|
#ifdef MPE
|
|
/*
|
|
** MPE lacks many common functions required across all sendmail programs
|
|
** so we define implementations for these functions here.
|
|
*/
|
|
|
|
# include <errno.h>
|
|
# include <fcntl.h>
|
|
# include <limits.h>
|
|
# include <mpe.h>
|
|
# include <netinet/in.h>
|
|
# include <pwd.h>
|
|
# include <sys/socket.h>
|
|
# include <sys/stat.h>
|
|
# include <unistd.h>
|
|
# include <sm/conf.h>
|
|
|
|
/*
|
|
** CHROOT -- dummy chroot() function
|
|
**
|
|
** The MPE documentation for sendmail says that chroot-based
|
|
** functionality is not implemented because MPE lacks chroot. But
|
|
** rather than mucking around with all the sendmail calls to chroot,
|
|
** we define this dummy function to return an ENOSYS failure just in
|
|
** case a sendmail user attempts to enable chroot-based functionality.
|
|
**
|
|
** Parameters:
|
|
** path -- pathname of new root (ignored).
|
|
**
|
|
** Returns:
|
|
** -1 and errno == ENOSYS (function not implemented)
|
|
*/
|
|
|
|
int
|
|
chroot(path)
|
|
char *path;
|
|
{
|
|
errno = ENOSYS;
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
** ENDPWENT -- dummy endpwent() function
|
|
**
|
|
** Parameters:
|
|
** none
|
|
**
|
|
** Returns:
|
|
** none
|
|
*/
|
|
|
|
void
|
|
endpwent()
|
|
{
|
|
return;
|
|
}
|
|
|
|
/*
|
|
** In addition to missing functions, certain existing MPE functions have
|
|
** slightly different semantics (or bugs) compared to normal Unix OSes.
|
|
**
|
|
** Here we define wrappers for these functions to make them behave in the
|
|
** manner expected by sendmail.
|
|
*/
|
|
|
|
/*
|
|
** SENDMAIL_MPE_BIND -- shadow function for the standard socket bind()
|
|
**
|
|
** MPE requires GETPRIVMODE() for AF_INET sockets less than port 1024.
|
|
**
|
|
** Parameters:
|
|
** sd -- socket descriptor.
|
|
** addr -- socket address.
|
|
** addrlen -- length of socket address.
|
|
**
|
|
** Results:
|
|
** 0 -- success
|
|
** != 0 -- failure
|
|
*/
|
|
|
|
#undef bind
|
|
int
|
|
sendmail_mpe_bind(sd, addr, addrlen)
|
|
int sd;
|
|
void *addr;
|
|
int addrlen;
|
|
{
|
|
bool priv = false;
|
|
int result;
|
|
extern void GETPRIVMODE __P((void));
|
|
extern void GETUSERMODE __P((void));
|
|
|
|
if (addrlen == sizeof(struct sockaddr_in) &&
|
|
((struct sockaddr_in *)addr)->sin_family == AF_INET)
|
|
{
|
|
/* AF_INET */
|
|
if (((struct sockaddr_in *)addr)->sin_port > 0 &&
|
|
((struct sockaddr_in *)addr)->sin_port < 1024)
|
|
{
|
|
priv = true;
|
|
GETPRIVMODE();
|
|
}
|
|
((struct sockaddr_in *)addr)->sin_addr.s_addr = 0;
|
|
result = bind(sd, addr, addrlen);
|
|
if (priv)
|
|
GETUSERMODE();
|
|
return result;
|
|
}
|
|
|
|
/* AF_UNIX */
|
|
return bind(sd, addr, addrlen);
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE__EXIT -- wait for children to terminate, then _exit()
|
|
**
|
|
** Child processes cannot survive the death of their parent on MPE, so
|
|
** we must call wait() before _exit() in order to prevent this
|
|
** infanticide.
|
|
**
|
|
** Parameters:
|
|
** status -- _exit status value.
|
|
**
|
|
** Returns:
|
|
** none.
|
|
*/
|
|
|
|
#undef _exit
|
|
void
|
|
sendmail_mpe__exit(status)
|
|
int status;
|
|
{
|
|
int result;
|
|
|
|
/* Wait for all children to terminate. */
|
|
do
|
|
{
|
|
result = wait(NULL);
|
|
} while (result > 0 || errno == EINTR);
|
|
_exit(status);
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_EXIT -- wait for children to terminate, then exit()
|
|
**
|
|
** Child processes cannot survive the death of their parent on MPE, so
|
|
** we must call wait() before exit() in order to prevent this
|
|
** infanticide.
|
|
**
|
|
** Parameters:
|
|
** status -- exit status value.
|
|
**
|
|
** Returns:
|
|
** none.
|
|
*/
|
|
|
|
#undef exit
|
|
void
|
|
sendmail_mpe_exit(status)
|
|
int status;
|
|
{
|
|
int result;
|
|
|
|
/* Wait for all children to terminate. */
|
|
do
|
|
{
|
|
result = wait(NULL);
|
|
} while (result > 0 || errno == EINTR);
|
|
exit(status);
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_FCNTL -- shadow function for fcntl()
|
|
**
|
|
** MPE requires sfcntl() for sockets, and fcntl() for everything
|
|
** else. This shadow routine determines the descriptor type and
|
|
** makes the appropriate call.
|
|
**
|
|
** Parameters:
|
|
** same as fcntl().
|
|
**
|
|
** Returns:
|
|
** same as fcntl().
|
|
*/
|
|
|
|
#undef fcntl
|
|
int
|
|
sendmail_mpe_fcntl(int fildes, int cmd, ...)
|
|
{
|
|
int len, result;
|
|
struct sockaddr sa;
|
|
|
|
void *arg;
|
|
va_list ap;
|
|
|
|
va_start(ap, cmd);
|
|
arg = va_arg(ap, void *);
|
|
va_end(ap);
|
|
|
|
len = sizeof sa;
|
|
if (getsockname(fildes, &sa, &len) == -1)
|
|
{
|
|
if (errno == EAFNOSUPPORT)
|
|
{
|
|
/* AF_UNIX socket */
|
|
return sfcntl(fildes, cmd, arg);
|
|
}
|
|
else if (errno == ENOTSOCK)
|
|
{
|
|
/* file or pipe */
|
|
return fcntl(fildes, cmd, arg);
|
|
}
|
|
|
|
/* unknown getsockname() failure */
|
|
return (-1);
|
|
}
|
|
else
|
|
{
|
|
/* AF_INET socket */
|
|
if ((result = sfcntl(fildes, cmd, arg)) != -1 &&
|
|
cmd == F_GETFL)
|
|
result |= O_RDWR; /* fill in some missing flags */
|
|
return result;
|
|
}
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_GETPWNAM - shadow function for getpwnam()
|
|
**
|
|
** Several issues apply here:
|
|
**
|
|
** - MPE user names MUST have one '.' separator character
|
|
** - MPE user names MUST be in upper case
|
|
** - MPE does not initialize all fields in the passwd struct
|
|
**
|
|
** Parameters:
|
|
** name -- username string.
|
|
**
|
|
** Returns:
|
|
** pointer to struct passwd if found else NULL
|
|
*/
|
|
|
|
static char *sendmail_mpe_nullstr = "";
|
|
|
|
#undef getpwnam
|
|
extern struct passwd *getpwnam(const char *);
|
|
|
|
struct passwd *
|
|
sendmail_mpe_getpwnam(name)
|
|
const char *name;
|
|
{
|
|
int dots = 0;
|
|
int err;
|
|
int i = strlen(name);
|
|
char *upper;
|
|
struct passwd *result = NULL;
|
|
|
|
if (i <= 0)
|
|
{
|
|
errno = EINVAL;
|
|
return result;
|
|
}
|
|
|
|
if ((upper = (char *)malloc(i + 1)) != NULL)
|
|
{
|
|
/* upshift the username parameter and count the dots */
|
|
while (i >= 0)
|
|
{
|
|
if (name[i] == '.')
|
|
{
|
|
dots++;
|
|
upper[i] = '.';
|
|
}
|
|
else
|
|
upper[i] = toupper(name[i]);
|
|
i--;
|
|
}
|
|
|
|
if (dots != 1)
|
|
{
|
|
/* prevent bug when dots == 0 */
|
|
err = EINVAL;
|
|
}
|
|
else if ((result = getpwnam(upper)) != NULL)
|
|
{
|
|
/* init the uninitialized fields */
|
|
result->pw_gecos = sendmail_mpe_nullstr;
|
|
result->pw_passwd = sendmail_mpe_nullstr;
|
|
result->pw_age = sendmail_mpe_nullstr;
|
|
result->pw_comment = sendmail_mpe_nullstr;
|
|
result->pw_audid = 0;
|
|
result->pw_audflg = 0;
|
|
}
|
|
err = errno;
|
|
free(upper);
|
|
}
|
|
errno = err;
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_GETPWUID -- shadow function for getpwuid()
|
|
**
|
|
** Initializes the uninitalized fields in the passwd struct.
|
|
**
|
|
** Parameters:
|
|
** uid -- uid to obtain passwd data for
|
|
**
|
|
** Returns:
|
|
** pointer to struct passwd or NULL if not found
|
|
*/
|
|
|
|
#undef getpwuid
|
|
extern struct passwd *getpwuid __P((uid_t));
|
|
|
|
struct passwd *
|
|
sendmail_mpe_getpwuid(uid)
|
|
uid_t uid;
|
|
{
|
|
struct passwd *result;
|
|
|
|
if ((result = getpwuid(uid)) != NULL)
|
|
{
|
|
/* initialize the uninitialized fields */
|
|
result->pw_gecos = sendmail_mpe_nullstr;
|
|
result->pw_passwd = sendmail_mpe_nullstr;
|
|
result->pw_age = sendmail_mpe_nullstr;
|
|
result->pw_comment = sendmail_mpe_nullstr;
|
|
result->pw_audid = 0;
|
|
result->pw_audflg = 0;
|
|
}
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
** OK boys and girls, time for some serious voodoo!
|
|
**
|
|
** MPE does not have a complete implementation of POSIX users and groups:
|
|
**
|
|
** - there is no uid 0 superuser
|
|
** - setuid/setgid file permission bits exist but have no-op functionality
|
|
** - setgid() exists, but only supports new gid == current gid (boring!)
|
|
** - setuid() forces a gid change to the new uid's primary (and only) gid
|
|
**
|
|
** ...all of which thoroughly annoys sendmail.
|
|
**
|
|
** So what to do? We can't go on an #ifdef MPE rampage throughout
|
|
** sendmail, because there are only about a zillion references to uid 0
|
|
** and so success (and security) would probably be rather dubious by the
|
|
** time we finished.
|
|
**
|
|
** Instead we take the approach of defining wrapper functions for the
|
|
** gid/uid management functions getegid(), geteuid(), setgid(), and
|
|
** setuid() in order to implement the following model:
|
|
**
|
|
** - the sendmail program thinks it is a setuid-root (uid 0) program
|
|
** - uid 0 is recognized as being valid, but does not grant extra powers
|
|
** - MPE priv mode allows sendmail to call setuid(), not uid 0
|
|
** - file access is still controlled by the real non-zero uid
|
|
** - the other programs (vacation, etc) have standard MPE POSIX behavior
|
|
**
|
|
** This emulation model is activated by use of the program file setgid and
|
|
** setuid mode bits which exist but are unused by MPE. If the setgid mode
|
|
** bit is on, then gid emulation will be enabled. If the setuid mode bit is
|
|
** on, then uid emulation will be enabled. So for the mail daemon, we need
|
|
** to do chmod u+s,g+s /SENDMAIL/CURRENT/SENDMAIL.
|
|
**
|
|
** The following flags determine the current emulation state:
|
|
**
|
|
** true == emulation enabled
|
|
** false == emulation disabled, use unmodified MPE semantics
|
|
*/
|
|
|
|
static bool sendmail_mpe_flaginit = false;
|
|
static bool sendmail_mpe_gidflag = false;
|
|
static bool sendmail_mpe_uidflag = false;
|
|
|
|
/*
|
|
** SENDMAIL_MPE_GETMODE -- return the mode bits for the current process
|
|
**
|
|
** Parameters:
|
|
** none.
|
|
**
|
|
** Returns:
|
|
** file mode bits for the current process program file.
|
|
*/
|
|
|
|
mode_t
|
|
sendmail_mpe_getmode()
|
|
{
|
|
int status = 666;
|
|
int myprogram_length;
|
|
int myprogram_syntax = 2;
|
|
char formaldesig[28];
|
|
char myprogram[PATH_MAX + 2];
|
|
char path[PATH_MAX + 1];
|
|
struct stat st;
|
|
extern HPMYPROGRAM __P((int parms, char *formaldesig, int *status,
|
|
int *length, char *myprogram,
|
|
int *myprogram_length, int *myprogram_syntax));
|
|
|
|
myprogram_length = sizeof(myprogram);
|
|
HPMYPROGRAM(6, formaldesig, &status, NULL, myprogram,
|
|
&myprogram_length, &myprogram_syntax);
|
|
|
|
/* should not occur, do not attempt emulation */
|
|
if (status != 0)
|
|
return 0;
|
|
|
|
memcpy(&path, &myprogram[1], myprogram_length - 2);
|
|
path[myprogram_length - 2] = '\0';
|
|
|
|
/* should not occur, do not attempt emulation */
|
|
if (stat(path, &st) < 0)
|
|
return 0;
|
|
|
|
return st.st_mode;
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_EMULGID -- should we perform gid emulation?
|
|
**
|
|
** If !sendmail_mpe_flaginit then obtain the mode bits to determine
|
|
** if the setgid bit is on, we want gid emulation and so set
|
|
** sendmail_mpe_gidflag to true. Otherwise we do not want gid emulation
|
|
** and so set sendmail_mpe_gidflag to false.
|
|
**
|
|
** Parameters:
|
|
** none.
|
|
**
|
|
** Returns:
|
|
** true -- perform gid emulation
|
|
** false -- do not perform gid emulation
|
|
*/
|
|
|
|
bool
|
|
sendmail_mpe_emulgid()
|
|
{
|
|
if (!sendmail_mpe_flaginit)
|
|
{
|
|
mode_t mode;
|
|
|
|
mode = sendmail_mpe_getmode();
|
|
sendmail_mpe_gidflag = ((mode & S_ISGID) == S_ISGID);
|
|
sendmail_mpe_uidflag = ((mode & S_ISUID) == S_ISUID);
|
|
sendmail_mpe_flaginit = true;
|
|
}
|
|
return sendmail_mpe_gidflag;
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_EMULUID -- should we perform uid emulation?
|
|
**
|
|
** If sendmail_mpe_uidflag == -1 then obtain the mode bits to determine
|
|
** if the setuid bit is on, we want uid emulation and so set
|
|
** sendmail_mpe_uidflag to true. Otherwise we do not want uid emulation
|
|
** and so set sendmail_mpe_uidflag to false.
|
|
**
|
|
** Parameters:
|
|
** none.
|
|
**
|
|
** Returns:
|
|
** true -- perform uid emulation
|
|
** false -- do not perform uid emulation
|
|
*/
|
|
|
|
bool
|
|
sendmail_mpe_emuluid()
|
|
{
|
|
if (!sendmail_mpe_flaginit)
|
|
{
|
|
mode_t mode;
|
|
|
|
mode = sendmail_mpe_getmode();
|
|
sendmail_mpe_gidflag = ((mode & S_ISGID) == S_ISGID);
|
|
sendmail_mpe_uidflag = ((mode & S_ISUID) == S_ISUID);
|
|
sendmail_mpe_flaginit = true;
|
|
}
|
|
return sendmail_mpe_uidflag;
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_GETEGID -- shadow function for getegid()
|
|
**
|
|
** If emulation mode is in effect and the saved egid has been
|
|
** initialized, return the saved egid; otherwise return the value of the
|
|
** real getegid() function.
|
|
**
|
|
** Parameters:
|
|
** none.
|
|
**
|
|
** Returns:
|
|
** emulated egid if present, else true egid.
|
|
*/
|
|
|
|
static gid_t sendmail_mpe_egid = -1;
|
|
|
|
#undef getegid
|
|
gid_t
|
|
sendmail_mpe_getegid()
|
|
{
|
|
if (sendmail_mpe_emulgid() && sendmail_mpe_egid != -1)
|
|
return sendmail_mpe_egid;
|
|
return getegid();
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_GETEUID -- shadow function for geteuid()
|
|
**
|
|
** If emulation mode is in effect, return the saved euid; otherwise
|
|
** return the value of the real geteuid() function.
|
|
**
|
|
** Note that the initial value of the saved euid is zero, to simulate
|
|
** a setuid-root program.
|
|
**
|
|
** Parameters:
|
|
** none
|
|
**
|
|
** Returns:
|
|
** emulated euid if in emulation mode, else true euid.
|
|
*/
|
|
|
|
static uid_t sendmail_mpe_euid = 0;
|
|
|
|
#undef geteuid
|
|
uid_t
|
|
sendmail_mpe_geteuid()
|
|
{
|
|
if (sendmail_mpe_emuluid())
|
|
return sendmail_mpe_euid;
|
|
return geteuid();
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_SETGID -- shadow function for setgid()
|
|
**
|
|
** Simulate a call to setgid() without actually calling the real
|
|
** function. Implement the expected uid 0 semantics.
|
|
**
|
|
** Note that sendmail will also be calling setuid() which will force an
|
|
** implicit real setgid() to the proper primary gid. So it doesn't matter
|
|
** that we don't actually alter the real gid in this shadow function.
|
|
**
|
|
** Parameters:
|
|
** gid -- desired gid.
|
|
**
|
|
** Returns:
|
|
** 0 -- emulated success
|
|
** -1 -- emulated failure
|
|
*/
|
|
|
|
#undef setgid
|
|
int
|
|
sendmail_mpe_setgid(gid)
|
|
gid_t gid;
|
|
{
|
|
if (sendmail_mpe_emulgid())
|
|
{
|
|
if (gid == getgid() || sendmail_mpe_euid == 0)
|
|
{
|
|
sendmail_mpe_egid = gid;
|
|
return 0;
|
|
}
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
return setgid(gid);
|
|
}
|
|
|
|
/*
|
|
** SENDMAIL_MPE_SETUID -- shadow function for setuid()
|
|
**
|
|
** setuid() is broken as of MPE 7.0 in that it changes the current
|
|
** working directory to be the home directory of the new uid. Thus
|
|
** we must obtain the cwd and restore it after the setuid().
|
|
**
|
|
** Note that expected uid 0 semantics have been added, as well as
|
|
** remembering the new uid for later use by the other shadow functions.
|
|
**
|
|
** Parameters:
|
|
** uid -- desired uid.
|
|
**
|
|
** Returns:
|
|
** 0 -- success
|
|
** -1 -- failure
|
|
**
|
|
** Globals:
|
|
** sendmail_mpe_euid
|
|
*/
|
|
|
|
#undef setuid
|
|
int
|
|
sendmail_mpe_setuid(uid)
|
|
uid_t uid;
|
|
{
|
|
char *cwd;
|
|
char cwd_buf[PATH_MAX + 1];
|
|
int result;
|
|
extern void GETPRIVMODE __P((void));
|
|
extern void GETUSERMODE __P((void));
|
|
|
|
if (sendmail_mpe_emuluid())
|
|
{
|
|
if (uid == 0)
|
|
{
|
|
if (sendmail_mpe_euid != 0)
|
|
{
|
|
errno = EINVAL;
|
|
return -1;
|
|
}
|
|
sendmail_mpe_euid = 0;
|
|
return 0;
|
|
}
|
|
|
|
/* Preserve the current working directory */
|
|
if ((cwd = getcwd(cwd_buf, PATH_MAX + 1)) == NULL)
|
|
return -1;
|
|
|
|
GETPRIVMODE();
|
|
result = setuid(uid);
|
|
GETUSERMODE();
|
|
|
|
/* Restore the current working directory */
|
|
chdir(cwd_buf);
|
|
|
|
if (result == 0)
|
|
sendmail_mpe_euid = uid;
|
|
|
|
return result;
|
|
}
|
|
return setuid(uid);
|
|
}
|
|
#endif /* MPE */
|