BSD 4_4_Lite1 release

[unix-history] / usr / src / usr.sbin / sendmail / src / recipient.c
diff --git a/usr/src/usr.sbin/sendmail/src/recipient.c b/usr/src/usr.sbin/sendmail/src/recipient.c

index ba08f9d..c6c15c4 100644 (file)
--- a/usr/src/usr.sbin/sendmail/src/recipient.c
+++ b/usr/src/usr.sbin/sendmail/src/recipient.c
@@ -3,11 +3,37 @@
   * Copyright (c) 1988, 1993
   *     The Regents of the University of California.  All rights reserved.
   *
   * Copyright (c) 1988, 1993
   *     The Regents of the University of California.  All rights reserved.
   *
- * %sccs.include.redist.c%
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *     This product includes software developed by the University of
+ *     California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
   */
  
  #ifndef lint
   */
  
  #ifndef lint
-static char sccsid[] = "@(#)recipient.c        8.31 (Berkeley) %G%";
+static char sccsid[] = "@(#)recipient.c        8.44 (Berkeley) 2/28/94";
  #endif /* not lint */
  
  # include "sendmail.h"
  #endif /* not lint */
  
  # include "sendmail.h"
@@ -19,12 +45,6 @@ static char sccsid[] = "@(#)recipient.c      8.31 (Berkeley) %G%";
  **     The parameter is a comma-separated list of people to send to.
  **     This routine arranges to send to all of them.
  **
  **     The parameter is a comma-separated list of people to send to.
  **     This routine arranges to send to all of them.
  **
-**     The `ctladdr' is the address that expanded to be this one,
-**     e.g., in an alias expansion.  This is used for a number of
-**     purposed, most notably inheritance of uid/gid for protection
-**     purposes.  It is also used to detect self-reference in group
-**     expansions and the like.
-**
  **     Parameters:
  **             list -- the send list.
  **             ctladdr -- the address template for the person to
  **     Parameters:
  **             list -- the send list.
  **             ctladdr -- the address template for the person to
@@ -34,10 +54,9 @@ static char sccsid[] = "@(#)recipient.c      8.31 (Berkeley) %G%";
  **             sendq -- a pointer to the head of a queue to put
  **                     these people into.
  **             e -- the envelope in which to add these recipients.
  **             sendq -- a pointer to the head of a queue to put
  **                     these people into.
  **             e -- the envelope in which to add these recipients.
-**             qflags -- special flags to set in the q_flags field.
  **
  **     Returns:
  **
  **     Returns:
-**             pointer to chain of addresses.
+**             The number of addresses actually on the list.
  **
  **     Side Effects:
  **             none.
  **
  **     Side Effects:
  **             none.
@@ -45,13 +64,11 @@ static char sccsid[] = "@(#)recipient.c     8.31 (Berkeley) %G%";
  
  # define MAXRCRSN      10
  
  
  # define MAXRCRSN      10
  
-ADDRESS *
-sendto(list, copyf, ctladdr, qflags)
+sendtolist(list, ctladdr, sendq, e)
         char *list;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
         register ENVELOPE *e;
         char *list;
         ADDRESS *ctladdr;
         ADDRESS **sendq;
         register ENVELOPE *e;
-       u_short qflags;
  {
         register char *p;
         register ADDRESS *al;   /* list of addresses to send to */
  {
         register char *p;
         register ADDRESS *al;   /* list of addresses to send to */
@@ -59,8 +76,6 @@ sendto(list, copyf, ctladdr, qflags)
         char delimiter;         /* the address delimiter */
         int naddrs;
         char *oldto = e->e_to;
         char delimiter;         /* the address delimiter */
         int naddrs;
         char *oldto = e->e_to;
-       ADDRESS *sibl;          /* sibling pointer in tree */
-       ADDRESS *prev;          /* previous sibling */
  
         if (list == NULL)
         {
  
         if (list == NULL)
         {
@@ -101,9 +116,6 @@ sendto(list, copyf, ctladdr, qflags)
                         continue;
                 a->q_next = al;
                 a->q_alias = ctladdr;
                         continue;
                 a->q_next = al;
                 a->q_alias = ctladdr;
-               if (ctladdr != NULL)
-                       a->q_flags |= ctladdr->q_flags & ~QPRIMARY;
-               a->q_flags |= qflags;
  
                 /* see if this should be marked as a primary address */
                 if (ctladdr == NULL ||
  
                 /* see if this should be marked as a primary address */
                 if (ctladdr == NULL ||
@@ -117,72 +129,21 @@ sendto(list, copyf, ctladdr, qflags)
         }
  
         /* arrange to send to everyone on the local send list */
         }
  
         /* arrange to send to everyone on the local send list */
-       prev = sibl = NULL;
-       if (ctladdr != NULL)
-               prev = ctladdr->q_child;
         while (al != NULL)
         {
                 register ADDRESS *a = al;
         while (al != NULL)
         {
                 register ADDRESS *a = al;
-               extern ADDRESS *recipient();
  
                 al = a->q_next;
  
                 al = a->q_next;
-               sibl = recipient(a);
-               if (sibl != NULL)
-               {
-                       extern ADDRESS *addrref();
+               a = recipient(a, sendq, e);
  
  
-                       /* inherit full name */
-                       if (sibl->q_fullname == NULL && ctladdr != NULL)
-                               sibl->q_fullname = ctladdr->q_fullname;
-
-                       /* link tree together (but only if the node is new) */
-                       if (sibl == a)
-                       {
-                               sibl->q_sibling = prev;
-                               prev = sibl;
-                       }
-               }
+               /* arrange to inherit full name */
+               if (a->q_fullname == NULL && ctladdr != NULL)
+                       a->q_fullname = ctladdr->q_fullname;
+               naddrs++;
         }
  
         e->e_to = oldto;
         return (naddrs);
         }
  
         e->e_to = oldto;
         return (naddrs);
-       if (ctladdr != NULL)
-               ctladdr->q_child = prev;
-       return (prev);
-}
-\f/*
-**  ADDRREF -- return pointer to address that references another address.
-**
-**     Parameters:
-**             a -- address to check.
-**             r -- reference to find.
-**
-**     Returns:
-**             address of node in tree rooted at 'a' that references
-**                     'r'.
-**             NULL if no such node exists.
-**
-**     Side Effects:
-**             none.
-*/
-
-ADDRESS *
-addrref(a, r)
-       register ADDRESS *a;
-       register ADDRESS *r;
-{
-       register ADDRESS *q;
-
-       while (a != NULL)
-       {
-               if (a->q_child == r || a->q_sibling == r)
-                       return (a);
-               q = addrref(a->q_child, r);
-               if (q != NULL)
-                       return (q);
-               a = a->q_sibling;
-       }
-       return (NULL);
  }
  \f/*
  **  RECIPIENT -- Designate a message recipient
  }
  \f/*
  **  RECIPIENT -- Designate a message recipient
@@ -197,13 +158,13 @@ addrref(a, r)
  **             e -- the current envelope.
  **
  **     Returns:
  **             e -- the current envelope.
  **
  **     Returns:
-**             pointer to address actually inserted in send list.
+**             The actual address in the queue.  This will be "a" if
+**             the address is not a duplicate, else the original address.
  **
  **     Side Effects:
  **             none.
  */
  
  **
  **     Side Effects:
  **             none.
  */
  
-ADDRESS *
  ADDRESS *
  recipient(a, sendq, e)
         register ADDRESS *a;
  ADDRESS *
  recipient(a, sendq, e)
         register ADDRESS *a;
@@ -241,7 +202,7 @@ recipient(a, sendq, e)
         if (AliasLevel > MAXRCRSN)
         {
                 usrerr("554 aliasing/forwarding loop broken");
         if (AliasLevel > MAXRCRSN)
         {
                 usrerr("554 aliasing/forwarding loop broken");
-               return (NULL);
+               return (a);
         }
  
         /*
         }
  
         /*
@@ -261,10 +222,25 @@ recipient(a, sendq, e)
         stripquotes(buf);
  
         /* check for direct mailing to restricted mailers */
         stripquotes(buf);
  
         /* check for direct mailing to restricted mailers */
-       if (a->q_alias == NULL && m == ProgMailer)
+       if (m == ProgMailer)
         {
         {
-               a->q_flags |= QBADADDR;
-               usrerr("550 Cannot mail directly to programs");
+               if (a->q_alias == NULL)
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Cannot mail directly to programs");
+               }
+               else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 User %s@%s doesn't have a valid shell for mailing to programs",
+                               a->q_alias->q_ruser, MyHostName);
+               }
+               else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Address %s is unsafe for mailing to programs",
+                               a->q_alias->q_paddr);
+               }
         }
  
         /*
         }
  
         /*
@@ -280,10 +256,6 @@ recipient(a, sendq, e)
         {
                 if (sameaddr(q, a))
                 {
         {
                 if (sameaddr(q, a))
                 {
-                       /* if this is a reinsertion, just go ahead */
-                       if (bitset(QVERIFIED, q->q_flags))
-                               break;
-
                         if (tTd(26, 1))
                         {
                                 printf("%s in sendq: ", a->q_paddr);
                         if (tTd(26, 1))
                         {
                                 printf("%s in sendq: ", a->q_paddr);
@@ -295,20 +267,16 @@ recipient(a, sendq, e)
                                         message("duplicate suppressed");
                                 q->q_flags |= a->q_flags;
                         }
                                         message("duplicate suppressed");
                                 q->q_flags |= a->q_flags;
                         }
-                       if (!bitset(QPSEUDO, a->q_flags))
-                               q->q_flags &= ~QPSEUDO;
-                       return (q);
+                       else if (bitset(QSELFREF, q->q_flags))
+                               q->q_flags |= a->q_flags & ~QDONTSEND;
+                       a = q;
+                       goto testselfdestruct;
                 }
         }
  
         /* add address on list */
                 }
         }
  
         /* add address on list */
-       if (*pq != a)
-       {
-               *pq = a;
-               a->q_next = NULL;
-       }
-
-       a->q_flags &= ~QVERIFIED;
+       *pq = a;
+       a->q_next = NULL;
  
         /*
         **  Alias the name and handle special mailer types.
  
         /*
         **  Alias the name and handle special mailer types.
@@ -339,10 +307,12 @@ recipient(a, sendq, e)
                         {
  #ifdef LOG
                                 if (LogLevel > 2)
                         {
  #ifdef LOG
                                 if (LogLevel > 2)
-                                       syslog(LOG_ERR, "%s: include %s: transient error: %e",
-                                               e->e_id, a->q_user, errstring(ret));
+                                       syslog(LOG_ERR, "%s: include %s: transient error: %s",
+                                               e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                                               a->q_user, errstring(ret));
  #endif
                                 a->q_flags |= QQUEUEUP;
  #endif
                                 a->q_flags |= QQUEUEUP;
+                               a->q_flags &= ~QDONTSEND;
                                 usrerr("451 Cannot open %s: %s",
                                         a->q_user, errstring(ret));
                         }
                                 usrerr("451 Cannot open %s: %s",
                                         a->q_user, errstring(ret));
                         }
@@ -364,6 +334,18 @@ recipient(a, sendq, e)
                         a->q_flags |= QBADADDR;
                         usrerr("550 Cannot mail directly to files");
                 }
                         a->q_flags |= QBADADDR;
                         usrerr("550 Cannot mail directly to files");
                 }
+               else if (bitset(QBOGUSSHELL, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 User %s@%s doesn't have a valid shell for mailing to files",
+                               a->q_alias->q_ruser, MyHostName);
+               }
+               else if (bitset(QUNSAFEADDR, a->q_alias->q_flags))
+               {
+                       a->q_flags |= QBADADDR;
+                       usrerr("550 Address %s is unsafe for mailing to files",
+                               a->q_alias->q_paddr);
+               }
                 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
                 {
                         a->q_flags |= QBADADDR;
                 else if (!writable(buf, getctladdr(a), SFF_ANYFILE))
                 {
                         a->q_flags |= QBADADDR;
@@ -395,7 +377,8 @@ recipient(a, sendq, e)
  # ifdef LOG
                         if (LogLevel > 8)
                                 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
  # ifdef LOG
                         if (LogLevel > 8)
                                 syslog(LOG_INFO, "%s: deferred: udbexpand: %s",
-                                       e->e_id, errstring(errno));
+                                       e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                                       errstring(errno));
  # endif
                         message("queued (user database error): %s",
                                 errstring(errno));
  # endif
                         message("queued (user database error): %s",
                                 errstring(errno));
@@ -466,7 +449,10 @@ recipient(a, sendq, e)
                                 (void) strcpy(buf, pw->pw_name);
                                 goto trylocaluser;
                         }
                                 (void) strcpy(buf, pw->pw_name);
                                 goto trylocaluser;
                         }
-                       a->q_home = newstr(pw->pw_dir);
+                       if (strcmp(pw->pw_dir, "/") == 0)
+                               a->q_home = "";
+                       else
+                               a->q_home = newstr(pw->pw_dir);
                         a->q_uid = pw->pw_uid;
                         a->q_gid = pw->pw_gid;
                         a->q_ruser = newstr(pw->pw_name);
                         a->q_uid = pw->pw_uid;
                         a->q_gid = pw->pw_gid;
                         a->q_ruser = newstr(pw->pw_name);
@@ -474,20 +460,11 @@ recipient(a, sendq, e)
                         buildfname(pw->pw_gecos, pw->pw_name, nbuf);
                         if (nbuf[0] != '\0')
                                 a->q_fullname = newstr(nbuf);
                         buildfname(pw->pw_gecos, pw->pw_name, nbuf);
                         if (nbuf[0] != '\0')
                                 a->q_fullname = newstr(nbuf);
-#ifndef NEEDGETUSERSHELL
-                       if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0')
+                       if (pw->pw_shell != NULL && pw->pw_shell[0] != '\0' &&
+                           !usershellok(pw->pw_shell))
                         {
                         {
-                               extern char *getusershell();
-
-                               setusershell();
-                               while ((p = getusershell()) != NULL)
-                                       if (strcmp(p, pw->pw_shell) == 0)
-                                               break;
-                               endusershell();
-                               if (p == NULL)
-                                       a->q_flags |= QBOGUSSHELL;
+                               a->q_flags |= QBOGUSSHELL;
                         }
                         }
-#endif
                         if (!quoted)
                                 forward(a, sendq, e);
                 }
                         if (!quoted)
                                 forward(a, sendq, e);
                 }
@@ -514,8 +491,6 @@ recipient(a, sendq, e)
                 }
         }
         return (a);
                 }
         }
         return (a);
-
-       return (a);
  }
  \f/*
  **  FINDUSER -- find the password entry for a user.
  }
  \f/*
  **  FINDUSER -- find the password entry for a user.
@@ -594,13 +569,13 @@ finduser(name, fuzzyp)
         {
                 char buf[MAXNAME];
  
         {
                 char buf[MAXNAME];
  
-               fullname(pw, buf);
+               buildfname(pw->pw_gecos, pw->pw_name, buf);
                 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
                 {
                         if (tTd(29, 4))
                                 printf("fuzzy matches %s\n", pw->pw_name);
                 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
                 {
                         if (tTd(29, 4))
                                 printf("fuzzy matches %s\n", pw->pw_name);
-                               message(Arpa_Info, "sending to %s <%s>",
-                                   buf, pw->pw_name);
+                       message("sending to login name %s", pw->pw_name);
+                       *fuzzyp = TRUE;
                         return (pw);
                 }
         }
                         return (pw);
                 }
         }
@@ -674,6 +649,11 @@ writable(filename, ctladdr, flags)
                 return errno == 0;
         }
  
                 return errno == 0;
         }
  
+#ifdef SUID_ROOT_FILES_OK
+       /* really ought to be passed down -- and not a good idea */
+       flags |= SFF_ROOTOK;
+#endif
+
         /*
         **  File does exist -- check that it is writable.
         */
         /*
         **  File does exist -- check that it is writable.
         */
@@ -707,17 +687,14 @@ writable(filename, ctladdr, flags)
                 egid = DefGid;
         if (geteuid() == 0)
         {
                 egid = DefGid;
         if (geteuid() == 0)
         {
-#ifdef SUID_ROOT_FILES_OK
-               if (bitset(S_ISUID, stb.st_mode))
-#else
-               if (bitset(S_ISUID, stb.st_mode) && stb.st_uid != 0)
-#endif
+               if (bitset(S_ISUID, stb.st_mode) &&
+                   (stb.st_uid != 0 || bitset(SFF_ROOTOK, flags)))
                 {
                 {
-                       flags |= SFF_ROOTOK;
                         euid = stb.st_uid;
                         uname = NULL;
                 }
                         euid = stb.st_uid;
                         uname = NULL;
                 }
-               if (bitset(S_ISGID, stb.st_mode) && stb.st_gid != 0)
+               if (bitset(S_ISGID, stb.st_mode) &&
+                   (stb.st_gid != 0 || bitset(SFF_ROOTOK, flags)))
                         egid = stb.st_gid;
         }
  
                         egid = stb.st_gid;
         }
  
@@ -747,11 +724,28 @@ writable(filename, ctladdr, flags)
  **     Side Effects:
  **             reads the :include: file and sends to everyone
  **             listed in that file.
  **     Side Effects:
  **             reads the :include: file and sends to everyone
  **             listed in that file.
+**
+**     Security Note:
+**             If you have restricted chown (that is, you can't
+**             give a file away), it is reasonable to allow programs
+**             and files called from this :include: file to be to be
+**             run as the owner of the :include: file.  This is bogus
+**             if there is any chance of someone giving away a file.
+**             We assume that pre-POSIX systems can give away files.
+**
+**             There is an additional restriction that if you
+**             forward to a :include: file, it will not take on
+**             the ownership of the :include: file.  This may not
+**             be necessary, but shouldn't hurt.
  */
  
  static jmp_buf CtxIncludeTimeout;
  static int     includetimeout();
  
  */
  
  static jmp_buf CtxIncludeTimeout;
  static int     includetimeout();
  
+#ifndef S_IWOTH
+# define S_IWOTH       (S_IWRITE >> 6)
+#endif
+
  int
  include(fname, forwarding, ctladdr, sendq, e)
         char *fname;
  int
  include(fname, forwarding, ctladdr, sendq, e)
         char *fname;
@@ -772,7 +766,26 @@ include(fname, forwarding, ctladdr, sendq, e)
         char *uname;
         int rval = 0;
         int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
         char *uname;
         int rval = 0;
         int sfflags = forwarding ? SFF_MUSTOWN : SFF_ANYFILE;
+       struct stat st;
         char buf[MAXLINE];
         char buf[MAXLINE];
+#ifdef _POSIX_CHOWN_RESTRICTED
+# if _POSIX_CHOWN_RESTRICTED == -1
+#  define safechown    FALSE
+# else
+#  define safechown    TRUE
+# endif
+#else
+# ifdef _PC_CHOWN_RESTRICTED
+       bool safechown;
+# else
+#  ifdef BSD
+#   define safechown   TRUE
+#  else
+#   define safechown   FALSE
+#  endif
+# endif
+#endif
+       extern bool chownsafe();
  
         if (tTd(27, 2))
                 printf("include(%s)\n", fname);
  
         if (tTd(27, 2))
                 printf("include(%s)\n", fname);
@@ -824,7 +837,6 @@ include(fname, forwarding, ctladdr, sendq, e)
         {
                 ctladdr->q_flags |= QQUEUEUP;
                 errno = 0;
         {
                 ctladdr->q_flags |= QQUEUEUP;
                 errno = 0;
-               usrerr("451 open timeout on %s", fname);
  
                 /* return pseudo-error code */
                 rval = EOPENTIMEOUT;
  
                 /* return pseudo-error code */
                 rval = EOPENTIMEOUT;
@@ -837,37 +849,20 @@ include(fname, forwarding, ctladdr, sendq, e)
         if (rval != 0)
         {
                 /* don't use this :include: file */
         if (rval != 0)
         {
                 /* don't use this :include: file */
-               clrevent(ev);
                 if (tTd(27, 4))
                         printf("include: not safe (uid=%d): %s\n",
                                 uid, errstring(rval));
                 if (tTd(27, 4))
                         printf("include: not safe (uid=%d): %s\n",
                                 uid, errstring(rval));
-               goto resetuid;
         }
         }
-
-       fp = fopen(fname, "r");
-       if (fp == NULL)
-       {
-               rval = errno;
-               if (tTd(27, 4))
-                       printf("include: open: %s\n", errstring(rval));
-       }
-       else if (ca == NULL)
+       else
         {
         {
-               struct stat st;
-
-               if (fstat(fileno(fp), &st) < 0)
+               fp = fopen(fname, "r");
+               if (fp == NULL)
                 {
                         rval = errno;
                 {
                         rval = errno;
-                       syserr("Cannot fstat %s!", fname);
-               }
-               else
-               {
-                       ctladdr->q_uid = st.st_uid;
-                       ctladdr->q_gid = st.st_gid;
-                       ctladdr->q_flags |= QGOODUID;
+                       if (tTd(27, 4))
+                               printf("include: open: %s\n", errstring(rval));
                 }
         }
                 }
         }
-
         clrevent(ev);
  
  resetuid:
         clrevent(ev);
  
  resetuid:
@@ -886,9 +881,58 @@ resetuid:
         if (tTd(27, 9))
                 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
  
         if (tTd(27, 9))
                 printf("include: reset uid = %d/%d\n", getuid(), geteuid());
  
+       if (rval == EOPENTIMEOUT)
+               usrerr("451 open timeout on %s", fname);
+
         if (fp == NULL)
                 return rval;
  
         if (fp == NULL)
                 return rval;
  
+       if (fstat(fileno(fp), &st) < 0)
+       {
+               rval = errno;
+               syserr("Cannot fstat %s!", fname);
+               return rval;
+       }
+
+#ifndef safechown
+       safechown = chownsafe(fileno(fp));
+#endif
+       if (ca == NULL && safechown)
+       {
+               ctladdr->q_uid = st.st_uid;
+               ctladdr->q_gid = st.st_gid;
+               ctladdr->q_flags |= QGOODUID;
+       }
+       if (ca != NULL && ca->q_uid == st.st_uid)
+       {
+               /* optimization -- avoid getpwuid if we already have info */
+               ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
+               ctladdr->q_ruser = ca->q_ruser;
+       }
+       else
+       {
+               char *sh;
+               register struct passwd *pw;
+
+               sh = "/SENDMAIL/ANY/SHELL/";
+               pw = getpwuid(st.st_uid);
+               if (pw != NULL)
+               {
+                       ctladdr->q_ruser = newstr(pw->pw_name);
+                       if (safechown)
+                               sh = pw->pw_shell;
+               }
+               if (pw == NULL)
+                       ctladdr->q_flags |= QBOGUSSHELL;
+               else if(!usershellok(sh))
+               {
+                       if (safechown)
+                               ctladdr->q_flags |= QBOGUSSHELL;
+                       else
+                               ctladdr->q_flags |= QUNSAFEADDR;
+               }
+       }
+
         if (bitset(EF_VRFYONLY, e->e_flags))
         {
                 /* don't do any more now */
         if (bitset(EF_VRFYONLY, e->e_flags))
         {
                 /* don't do any more now */
@@ -898,6 +942,19 @@ resetuid:
                 return rval;
         }
  
                 return rval;
         }
  
+       /*
+       ** Check to see if some bad guy can write this file
+       **
+       **      This should really do something clever with group
+       **      permissions; currently we just view world writable
+       **      as unsafe.  Also, we don't check for writable
+       **      directories in the path.  We've got to leave
+       **      something for the local sysad to do.
+       */
+
+       if (bitset(S_IWOTH, st.st_mode))
+               ctladdr->q_flags |= QUNSAFEADDR;
+
         /* read the file -- each line is a comma-separated list. */
         FileName = fname;
         LineNumber = 0;
         /* read the file -- each line is a comma-separated list. */
         FileName = fname;
         LineNumber = 0;
@@ -918,11 +975,12 @@ resetuid:
  #ifdef LOG
                 if (forwarding && LogLevel > 9)
                         syslog(LOG_INFO, "%s: forward %s => %s",
  #ifdef LOG
                 if (forwarding && LogLevel > 9)
                         syslog(LOG_INFO, "%s: forward %s => %s",
-                               e->e_id, oldto, buf);
+                               e->e_id == NULL ? "NOQUEUE" : e->e_id,
+                               oldto, buf);
  #endif
  
                 AliasLevel++;
  #endif
  
                 AliasLevel++;
-               sendto(buf, 1, ctladdr, 0);
+               nincludes += sendtolist(buf, ctladdr, sendq, e);
                 AliasLevel--;
         }
  
                 AliasLevel--;
         }
  
@@ -973,7 +1031,7 @@ sendtoargv(argv, e)
  
         while ((p = *argv++) != NULL)
         {
  
         while ((p = *argv++) != NULL)
         {
-               sendto(p, 0, (ADDRESS *) NULL, 0);
+               (void) sendtolist(p, NULLADDR, &e->e_sendqueue, e);
         }
  }
  \f/*
         }
  }
  \f/*