BSD 4_4_Lite1 release

[unix-history] / usr / src / libexec / mail.local / mail.local.c

diff --git a/usr/src/libexec/mail.local/mail.local.c b/usr/src/libexec/mail.local/mail.local.c
index c87fc8c..0de8978 100644 (file)
--- a/usr/src/libexec/mail.local/mail.local.c
+++ b/usr/src/libexec/mail.local/mail.local.c
@@ -1,18 +1,44 @@
 /*-
 /*-

- * Copyright (c) 1990, 1993
+ * Copyright (c) 1990, 1993, 1994

  *     The Regents of the University of California.  All rights reserved.
  *
  *     The Regents of the University of California.  All rights reserved.
  *

- * %sccs.include.redist.c%
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *     This product includes software developed by the University of
+ *     California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.

  */
 
 #ifndef lint
 static char copyright[] =
  */
 
 #ifndef lint
 static char copyright[] =

-"@(#) Copyright (c) 1990, 1993\n\
+"@(#) Copyright (c) 1990, 1993, 1994\n\

        The Regents of the University of California.  All rights reserved.\n";
 #endif /* not lint */
 
 #ifndef lint
        The Regents of the University of California.  All rights reserved.\n";
 #endif /* not lint */
 
 #ifndef lint

-static char sccsid[] = "@(#)mail.local.c       8.1 (Berkeley) %G%";
+static char sccsid[] = "@(#)mail.local.c       8.6 (Berkeley) 4/8/94";

 #endif /* not lint */
 
 #include <sys/param.h>
 #endif /* not lint */
 
 #include <sys/param.h>


@@ -166,7 +192,7 @@ deliver(fd, name)
        int fd;
        char *name;
 {
        int fd;
        char *name;
 {

-       struct stat sb;
+       struct stat fsb, sb;

        struct passwd *pw;
        int mbfd, nr, nw, off;
        char biffmsg[100], buf[8*1024], path[MAXPATHLEN];
        struct passwd *pw;
        int mbfd, nr, nw, off;
        char biffmsg[100], buf[8*1024], path[MAXPATHLEN];


@@ -186,7 +212,16 @@ deliver(fd, name)
        (void)snprintf(path, sizeof(path), "%s/%s", _PATH_MAILDIR, name);
 
        /*
        (void)snprintf(path, sizeof(path), "%s/%s", _PATH_MAILDIR, name);
 
        /*

-        * If the mailbox is a linked or a symlink, fail.
+        * If the mailbox is linked or a symlink, fail.  There's an obvious
+        * race here, that the file was replaced with a symbolic link after
+        * the lstat returned, but before the open.  We attempt to detect
+        * this by comparing the original stat information and information
+        * returned by an fstat of the file descriptor returned by the open.
+        *
+        * NB: this is a symptom of a larger problem, that the mail spooling
+        * directory is writeable by the wrong users.  If that directory is
+        * writeable, system security is compromised for other reasons, and
+        * it cannot be fixed here.

         *
         * If we created the mailbox, set the owner/group.  If that fails,
         * just return.  Another process may have already opened it, so we
         *
         * If we created the mailbox, set the owner/group.  If that fails,
         * just return.  Another process may have already opened it, so we


@@ -197,11 +232,14 @@ deliver(fd, name)
         * XXX
         * open(2) should support flock'ing the file.
         */
         * XXX
         * open(2) should support flock'ing the file.
         */

+tryagain:

        if (lstat(path, &sb)) {
        if (lstat(path, &sb)) {

-               if ((mbfd = open(path,
-                   O_APPEND|O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR)) < 0)
-                       mbfd = open(path, O_APPEND|O_WRONLY, 0);
-               else if (fchown(mbfd, pw->pw_uid, pw->pw_gid)) {
+               mbfd = open(path,
+                   O_APPEND|O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);
+               if (mbfd == -1) {
+                       if (errno == EEXIST)
+                               goto tryagain;
+               } else if (fchown(mbfd, pw->pw_uid, pw->pw_gid)) {

                        e_to_sys(errno);
                        warn("chown %u.%u: %s", pw->pw_uid, pw->pw_gid, name);
                        return;
                        e_to_sys(errno);
                        warn("chown %u.%u: %s", pw->pw_uid, pw->pw_gid, name);
                        return;


@@ -210,8 +248,17 @@ deliver(fd, name)
                e_to_sys(errno);
                warn("%s: linked file", path);
                return;
                e_to_sys(errno);
                warn("%s: linked file", path);
                return;

-       } else
+       } else {

                mbfd = open(path, O_APPEND|O_WRONLY, 0);
                mbfd = open(path, O_APPEND|O_WRONLY, 0);

+               if (mbfd != -1 &&
+                   (fstat(mbfd, &fsb) || fsb.st_nlink != 1 ||
+                   S_ISLNK(fsb.st_mode) || sb.st_dev != fsb.st_dev ||
+                   sb.st_ino != fsb.st_ino)) {
+                       warn("%s: file changed after open", path);
+                       (void)close(mbfd);
+                       return;
+               }
+       }

 
        if (mbfd == -1) {
                e_to_sys(errno);
 
        if (mbfd == -1) {
                e_to_sys(errno);


@@ -307,10 +354,11 @@ usage()
        err("usage: mail.local [-f from] user ...");
 }
 
        err("usage: mail.local [-f from] user ...");
 }
 

-void

 #if __STDC__
 #if __STDC__

+void

 err(const char *fmt, ...)
 #else
 err(const char *fmt, ...)
 #else

+void

 err(fmt, va_alist)
        const char *fmt;
        va_dcl
 err(fmt, va_alist)
        const char *fmt;
        va_dcl