Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
f9ba5e22 | 5 | /* Copyright (c) University of Cambridge 1995 - 2018 */ |
059ec3d9 PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | /* Functions for writing log files. The code for maintaining datestamped | |
9 | log files was originally contributed by Tony Sheen. */ | |
10 | ||
11 | ||
12 | #include "exim.h" | |
13 | ||
14 | #define LOG_NAME_SIZE 256 | |
15 | #define MAX_SYSLOG_LEN 870 | |
16 | ||
17 | #define LOG_MODE_FILE 1 | |
18 | #define LOG_MODE_SYSLOG 2 | |
19 | ||
921b12ca | 20 | enum { lt_main, lt_reject, lt_panic, lt_debug }; |
059ec3d9 | 21 | |
921b12ca | 22 | static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" }; |
059ec3d9 PH |
23 | |
24 | ||
25 | ||
26 | /************************************************* | |
27 | * Local static variables * | |
28 | *************************************************/ | |
29 | ||
30 | static uschar mainlog_name[LOG_NAME_SIZE]; | |
31 | static uschar rejectlog_name[LOG_NAME_SIZE]; | |
ed7f7860 | 32 | static uschar debuglog_name[LOG_NAME_SIZE]; |
059ec3d9 PH |
33 | |
34 | static uschar *mainlog_datestamp = NULL; | |
35 | static uschar *rejectlog_datestamp = NULL; | |
36 | ||
37 | static int mainlogfd = -1; | |
38 | static int rejectlogfd = -1; | |
39 | static ino_t mainlog_inode = 0; | |
40 | static ino_t rejectlog_inode = 0; | |
41 | ||
42 | static uschar *panic_save_buffer = NULL; | |
43 | static BOOL panic_recurseflag = FALSE; | |
44 | ||
45 | static BOOL syslog_open = FALSE; | |
46 | static BOOL path_inspected = FALSE; | |
47 | static int logging_mode = LOG_MODE_FILE; | |
48 | static uschar *file_path = US""; | |
49 | ||
2333e06f HSHR |
50 | static size_t pid_position[2]; |
51 | ||
059ec3d9 | 52 | |
37f3dc43 JH |
53 | /* These should be kept in-step with the private delivery error |
54 | number definitions in macros.h */ | |
55 | ||
56 | static const uschar * exim_errstrings[] = { | |
57 | US"", | |
58 | US"unknown error", | |
59 | US"user slash", | |
60 | US"exist race", | |
61 | US"not regular", | |
62 | US"not directory", | |
63 | US"bad ugid", | |
64 | US"bad mode", | |
65 | US"inode changed", | |
66 | US"lock failed", | |
67 | US"bad address2", | |
68 | US"forbid pipe", | |
69 | US"forbid file", | |
70 | US"forbid reply", | |
71 | US"missing pipe", | |
72 | US"missing file", | |
73 | US"missing reply", | |
74 | US"bad redirect", | |
75 | US"smtp closed", | |
76 | US"smtp format", | |
77 | US"spool format", | |
78 | US"not absolute", | |
79 | US"Exim-imposed quota", | |
80 | US"held", | |
81 | US"Delivery filter process failure", | |
82 | US"Delivery add/remove header failure", | |
83 | US"Delivery write incomplete error", | |
84 | US"Some expansion failed", | |
85 | US"Failed to get gid", | |
86 | US"Failed to get uid", | |
87 | US"Unset or non-existent transport", | |
88 | US"MBX length mismatch", | |
89 | US"Lookup failed routing or in smtp tpt", | |
90 | US"Can't match format in appendfile", | |
91 | US"Creation outside home in appendfile", | |
92 | US"Can't check a list; lookup defer", | |
93 | US"DNS lookup defer", | |
94 | US"Failed to start TLS session", | |
95 | US"Mandatory TLS session not started", | |
96 | US"Failed to chown a file", | |
97 | US"Failed to create a pipe", | |
98 | US"When verifying", | |
99 | US"When required by client", | |
100 | US"Used internally in smtp transport", | |
101 | US"RCPT gave 4xx error", | |
102 | US"MAIL gave 4xx error", | |
103 | US"DATA gave 4xx error", | |
104 | US"Negotiation failed for proxy configured host", | |
105 | US"Authenticator 'other' failure", | |
106 | US"target not supporting SMTPUTF8", | |
107 | US"", | |
108 | ||
109 | US"Not time for routing", | |
110 | US"Not time for local delivery", | |
111 | US"Not time for any remote host", | |
112 | US"Local-only delivery", | |
113 | US"Domain in queue_domains", | |
114 | US"Transport concurrency limit", | |
95938464 | 115 | US"Event requests alternate response", |
37f3dc43 JH |
116 | }; |
117 | ||
118 | ||
119 | /************************************************/ | |
120 | const uschar * | |
121 | exim_errstr(int err) | |
122 | { | |
584ddd64 | 123 | return err < 0 ? exim_errstrings[-err] : CUS strerror(err); |
37f3dc43 | 124 | } |
059ec3d9 PH |
125 | |
126 | /************************************************* | |
127 | * Write to syslog * | |
128 | *************************************************/ | |
129 | ||
130 | /* The given string is split into sections according to length, or at embedded | |
131 | newlines, and syslogged as a numbered sequence if it is overlong or if there is | |
9675b384 PH |
132 | more than one line. However, if we are running in the test harness, do not do |
133 | anything. (The test harness doesn't use syslog - for obvious reasons - but we | |
134 | can get here if there is a failure to open the panic log.) | |
059ec3d9 PH |
135 | |
136 | Arguments: | |
137 | priority syslog priority | |
3203e7ba | 138 | s the string to be written |
059ec3d9 PH |
139 | |
140 | Returns: nothing | |
141 | */ | |
142 | ||
143 | static void | |
3203e7ba | 144 | write_syslog(int priority, const uschar *s) |
059ec3d9 | 145 | { |
d7978c0f | 146 | int len; |
059ec3d9 PH |
147 | int linecount = 0; |
148 | ||
2333e06f | 149 | if (!syslog_pid && LOGGING(pid)) |
3203e7ba JH |
150 | s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]); |
151 | if (!syslog_timestamp) | |
152 | { | |
153 | len = log_timezone ? 26 : 20; | |
154 | if (LOGGING(millisec)) len += 4; | |
155 | s += len; | |
156 | } | |
059ec3d9 PH |
157 | |
158 | len = Ustrlen(s); | |
159 | ||
160 | #ifndef NO_OPENLOG | |
8768d548 | 161 | if (!syslog_open && !f.running_in_test_harness) |
059ec3d9 | 162 | { |
30f962e0 | 163 | # ifdef SYSLOG_LOG_PID |
059ec3d9 | 164 | openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility); |
30f962e0 | 165 | # else |
059ec3d9 | 166 | openlog(CS syslog_processname, LOG_CONS, syslog_facility); |
30f962e0 | 167 | # endif |
059ec3d9 PH |
168 | syslog_open = TRUE; |
169 | } | |
170 | #endif | |
171 | ||
172 | /* First do a scan through the message in order to determine how many lines | |
173 | it is going to end up as. Then rescan to output it. */ | |
174 | ||
d7978c0f | 175 | for (int pass = 0; pass < 2; pass++) |
059ec3d9 | 176 | { |
3203e7ba | 177 | const uschar * ss = s; |
d7978c0f | 178 | for (int i = 1, tlen = len; tlen > 0; i++) |
059ec3d9 PH |
179 | { |
180 | int plen = tlen; | |
181 | uschar *nlptr = Ustrchr(ss, '\n'); | |
182 | if (nlptr != NULL) plen = nlptr - ss; | |
30f962e0 | 183 | #ifndef SYSLOG_LONG_LINES |
059ec3d9 | 184 | if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN; |
30f962e0 | 185 | #endif |
059ec3d9 PH |
186 | tlen -= plen; |
187 | if (ss[plen] == '\n') tlen--; /* chars left */ | |
188 | ||
777e3bea JH |
189 | if (pass == 0) |
190 | linecount++; | |
8768d548 | 191 | else if (f.running_in_test_harness) |
777e3bea JH |
192 | if (linecount == 1) |
193 | fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss); | |
194 | else | |
195 | fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i, | |
196 | ss[plen] == '\n' && tlen != 0 ? '\\' : '/', | |
197 | linecount, plen, ss); | |
198 | else | |
059ec3d9 PH |
199 | if (linecount == 1) |
200 | syslog(priority, "%.*s", plen, ss); | |
201 | else | |
202 | syslog(priority, "[%d%c%d] %.*s", i, | |
30f962e0 | 203 | ss[plen] == '\n' && tlen != 0 ? '\\' : '/', |
059ec3d9 | 204 | linecount, plen, ss); |
777e3bea | 205 | |
059ec3d9 PH |
206 | ss += plen; |
207 | if (*ss == '\n') ss++; | |
208 | } | |
209 | } | |
210 | } | |
211 | ||
212 | ||
213 | ||
214 | /************************************************* | |
215 | * Die tidily * | |
216 | *************************************************/ | |
217 | ||
218 | /* This is called when Exim is dying as a result of something going wrong in | |
219 | the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a | |
220 | message to debug_file or a stderr file, if they exist. Then, if in the middle | |
8f128379 PH |
221 | of accepting a message, throw it away tidily by calling receive_bomb_out(); |
222 | this will attempt to send an SMTP response if appropriate. Passing NULL as the | |
223 | first argument stops it trying to run the NOTQUIT ACL (which might try further | |
224 | logging and thus cause problems). Otherwise, try to close down an outstanding | |
225 | SMTP call tidily. | |
059ec3d9 PH |
226 | |
227 | Arguments: | |
228 | s1 Error message to write to debug_file and/or stderr and syslog | |
229 | s2 Error message for any SMTP call that is in progress | |
230 | Returns: The function does not return | |
231 | */ | |
232 | ||
233 | static void | |
234 | die(uschar *s1, uschar *s2) | |
235 | { | |
571b2715 | 236 | if (s1) |
059ec3d9 PH |
237 | { |
238 | write_syslog(LOG_CRIT, s1); | |
571b2715 | 239 | if (debug_file) debug_printf("%s\n", s1); |
30f962e0 | 240 | if (log_stderr && log_stderr != debug_file) |
059ec3d9 PH |
241 | fprintf(log_stderr, "%s\n", s1); |
242 | } | |
8768d548 | 243 | if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */ |
059ec3d9 | 244 | if (smtp_input) smtp_closedown(s2); |
9bfb7e1b | 245 | exim_exit(EXIT_FAILURE, NULL); |
059ec3d9 PH |
246 | } |
247 | ||
248 | ||
249 | ||
250 | /************************************************* | |
251 | * Create a log file * | |
252 | *************************************************/ | |
253 | ||
254 | /* This function is called to create and open a log file. It may be called in a | |
255 | subprocess when the original process is root. | |
256 | ||
257 | Arguments: | |
258 | name the file name | |
259 | ||
260 | The file name has been build in a working buffer, so it is permissible to | |
261 | overwrite it temporarily if it is necessary to create the directory. | |
262 | ||
263 | Returns: a file descriptor, or < 0 on failure (errno set) | |
264 | */ | |
265 | ||
4840604e | 266 | int |
921b12ca | 267 | log_create(uschar *name) |
059ec3d9 | 268 | { |
92b0827a JH |
269 | int fd = Uopen(name, |
270 | #ifdef O_CLOEXEC | |
271 | O_CLOEXEC | | |
272 | #endif | |
273 | O_CREAT|O_APPEND|O_WRONLY, LOG_MODE); | |
059ec3d9 PH |
274 | |
275 | /* If creation failed, attempt to build a log directory in case that is the | |
276 | problem. */ | |
277 | ||
278 | if (fd < 0 && errno == ENOENT) | |
279 | { | |
280 | BOOL created; | |
281 | uschar *lastslash = Ustrrchr(name, '/'); | |
282 | *lastslash = 0; | |
283 | created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE); | |
284 | DEBUG(D_any) debug_printf("%s log directory %s\n", | |
571b2715 | 285 | created ? "created" : "failed to create", name); |
059ec3d9 | 286 | *lastslash = '/'; |
92b0827a JH |
287 | if (created) fd = Uopen(name, |
288 | #ifdef O_CLOEXEC | |
289 | O_CLOEXEC | | |
290 | #endif | |
291 | O_CREAT|O_APPEND|O_WRONLY, LOG_MODE); | |
059ec3d9 PH |
292 | } |
293 | ||
294 | return fd; | |
295 | } | |
296 | ||
297 | ||
298 | ||
921b12ca TF |
299 | /************************************************* |
300 | * Create a log file as the exim user * | |
301 | *************************************************/ | |
302 | ||
303 | /* This function is called when we are root to spawn an exim:exim subprocess | |
304 | in which we can create a log file. It must be signal-safe since it is called | |
305 | by the usr1_handler(). | |
306 | ||
307 | Arguments: | |
308 | name the file name | |
309 | ||
310 | Returns: a file descriptor, or < 0 on failure (errno set) | |
311 | */ | |
312 | ||
313 | int | |
314 | log_create_as_exim(uschar *name) | |
315 | { | |
316 | pid_t pid = fork(); | |
317 | int status = 1; | |
318 | int fd = -1; | |
319 | ||
320 | /* In the subprocess, change uid/gid and do the creation. Return 0 from the | |
321 | subprocess on success. If we don't check for setuid failures, then the file | |
322 | can be created as root, so vulnerabilities which cause setuid to fail mean | |
323 | that the Exim user can use symlinks to cause a file to be opened/created as | |
324 | root. We always open for append, so can't nuke existing content but it would | |
325 | still be Rather Bad. */ | |
326 | ||
327 | if (pid == 0) | |
328 | { | |
329 | if (setgid(exim_gid) < 0) | |
330 | die(US"exim: setgid for log-file creation failed, aborting", | |
331 | US"Unexpected log failure, please try later"); | |
332 | if (setuid(exim_uid) < 0) | |
333 | die(US"exim: setuid for log-file creation failed, aborting", | |
334 | US"Unexpected log failure, please try later"); | |
335 | _exit((log_create(name) < 0)? 1 : 0); | |
336 | } | |
337 | ||
338 | /* If we created a subprocess, wait for it. If it succeeded, try the open. */ | |
339 | ||
340 | while (pid > 0 && waitpid(pid, &status, 0) != pid); | |
92b0827a JH |
341 | if (status == 0) fd = Uopen(name, |
342 | #ifdef O_CLOEXEC | |
343 | O_CLOEXEC | | |
344 | #endif | |
345 | O_APPEND|O_WRONLY, LOG_MODE); | |
921b12ca TF |
346 | |
347 | /* If we failed to create a subprocess, we are in a bad way. We return | |
348 | with fd still < 0, and errno set, letting the caller handle the error. */ | |
349 | ||
350 | return fd; | |
351 | } | |
352 | ||
353 | ||
354 | ||
059ec3d9 PH |
355 | |
356 | /************************************************* | |
357 | * Open a log file * | |
358 | *************************************************/ | |
359 | ||
921b12ca TF |
360 | /* This function opens one of a number of logs, creating the log directory if |
361 | it does not exist. This may be called recursively on failure, in order to open | |
362 | the panic log. | |
059ec3d9 PH |
363 | |
364 | The directory is in the static variable file_path. This is static so that it | |
365 | the work of sorting out the path is done just once per Exim process. | |
366 | ||
367 | Exim is normally configured to avoid running as root wherever possible, the log | |
368 | files must be owned by the non-privileged exim user. To ensure this, first try | |
369 | an open without O_CREAT - most of the time this will succeed. If it fails, try | |
370 | to create the file; if running as root, this must be done in a subprocess to | |
371 | avoid races. | |
372 | ||
373 | Arguments: | |
374 | fd where to return the resulting file descriptor | |
921b12ca | 375 | type lt_main, lt_reject, lt_panic, or lt_debug |
ed7f7860 | 376 | tag optional tag to include in the name (only hooked up for debug) |
059ec3d9 PH |
377 | |
378 | Returns: nothing | |
379 | */ | |
380 | ||
381 | static void | |
ed7f7860 | 382 | open_log(int *fd, int type, uschar *tag) |
059ec3d9 PH |
383 | { |
384 | uid_t euid; | |
ed7f7860 | 385 | BOOL ok, ok2; |
059ec3d9 PH |
386 | uschar buffer[LOG_NAME_SIZE]; |
387 | ||
921b12ca TF |
388 | /* The names of the log files are controlled by file_path. The panic log is |
389 | written to the same directory as the main and reject logs, but its name does | |
f1e5fef5 PP |
390 | not have a datestamp. The use of datestamps is indicated by %D/%M in file_path. |
391 | When opening the panic log, if %D or %M is present, we remove the datestamp | |
392 | from the generated name; if it is at the start, remove a following | |
393 | non-alphanumeric character as well; otherwise, remove a preceding | |
394 | non-alphanumeric character. This is definitely kludgy, but it sort of does what | |
395 | people want, I hope. */ | |
059ec3d9 | 396 | |
921b12ca TF |
397 | ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]); |
398 | ||
399 | /* Save the name of the mainlog for rollover processing. Without a datestamp, | |
400 | it gets statted to see if it has been cycled. With a datestamp, the datestamp | |
401 | will be compared. The static slot for saving it is the same size as buffer, | |
402 | and the text has been checked above to fit, so this use of strcpy() is OK. */ | |
403 | ||
cd2e3fd0 | 404 | if (type == lt_main && string_datestamp_offset >= 0) |
059ec3d9 | 405 | { |
921b12ca TF |
406 | Ustrcpy(mainlog_name, buffer); |
407 | mainlog_datestamp = mainlog_name + string_datestamp_offset; | |
408 | } | |
059ec3d9 | 409 | |
921b12ca | 410 | /* Ditto for the reject log */ |
059ec3d9 | 411 | |
cd2e3fd0 | 412 | else if (type == lt_reject && string_datestamp_offset >= 0) |
921b12ca TF |
413 | { |
414 | Ustrcpy(rejectlog_name, buffer); | |
415 | rejectlog_datestamp = rejectlog_name + string_datestamp_offset; | |
416 | } | |
059ec3d9 | 417 | |
921b12ca TF |
418 | /* and deal with the debug log (which keeps the datestamp, but does not |
419 | update it) */ | |
059ec3d9 | 420 | |
921b12ca TF |
421 | else if (type == lt_debug) |
422 | { | |
423 | Ustrcpy(debuglog_name, buffer); | |
424 | if (tag) | |
059ec3d9 | 425 | { |
921b12ca TF |
426 | /* this won't change the offset of the datestamp */ |
427 | ok2 = string_format(buffer, sizeof(buffer), "%s%s", | |
428 | debuglog_name, tag); | |
429 | if (ok2) | |
430 | Ustrcpy(debuglog_name, buffer); | |
059ec3d9 | 431 | } |
921b12ca | 432 | } |
059ec3d9 | 433 | |
921b12ca TF |
434 | /* Remove any datestamp if this is the panic log. This is rare, so there's no |
435 | need to optimize getting the datestamp length. We remove one non-alphanumeric | |
436 | char afterwards if at the start, otherwise one before. */ | |
ed7f7860 | 437 | |
921b12ca TF |
438 | else if (string_datestamp_offset >= 0) |
439 | { | |
30f962e0 JH |
440 | uschar * from = buffer + string_datestamp_offset; |
441 | uschar * to = from + string_datestamp_length; | |
442 | ||
921b12ca | 443 | if (from == buffer || from[-1] == '/') |
ed7f7860 | 444 | { |
921b12ca | 445 | if (!isalnum(*to)) to++; |
ed7f7860 | 446 | } |
921b12ca | 447 | else |
921b12ca | 448 | if (!isalnum(from[-1])) from--; |
059ec3d9 | 449 | |
30f962e0 JH |
450 | /* This copy is ok, because we know that to is a substring of from. But |
451 | due to overlap we must use memmove() not Ustrcpy(). */ | |
452 | memmove(from, to, Ustrlen(to)+1); | |
059ec3d9 PH |
453 | } |
454 | ||
455 | /* If the file name is too long, it is an unrecoverable disaster */ | |
456 | ||
457 | if (!ok) | |
059ec3d9 PH |
458 | die(US"exim: log file path too long: aborting", |
459 | US"Logging failure; please try later"); | |
059ec3d9 PH |
460 | |
461 | /* We now have the file name. Try to open an existing file. After a successful | |
462 | open, arrange for automatic closure on exec(), and then return. */ | |
463 | ||
92b0827a JH |
464 | *fd = Uopen(buffer, |
465 | #ifdef O_CLOEXEC | |
466 | O_CLOEXEC | | |
467 | #endif | |
468 | O_APPEND|O_WRONLY, LOG_MODE); | |
059ec3d9 PH |
469 | |
470 | if (*fd >= 0) | |
471 | { | |
92b0827a | 472 | #ifndef O_CLOEXEC |
ff790e47 | 473 | (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC); |
92b0827a | 474 | #endif |
059ec3d9 PH |
475 | return; |
476 | } | |
477 | ||
478 | /* Open was not successful: try creating the file. If this is a root process, | |
479 | we must do the creating in a subprocess set to exim:exim in order to ensure | |
480 | that the file is created with the right ownership. Otherwise, there can be a | |
901f42cb PH |
481 | race if another Exim process is trying to write to the log at the same time. |
482 | The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous | |
483 | writing. */ | |
059ec3d9 PH |
484 | |
485 | euid = geteuid(); | |
486 | ||
487 | /* If we are already running as the Exim user (even if that user is root), | |
488 | we can go ahead and create in the current process. */ | |
489 | ||
921b12ca | 490 | if (euid == exim_uid) *fd = log_create(buffer); |
059ec3d9 PH |
491 | |
492 | /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we | |
493 | are neither exim nor root, creation is not attempted. */ | |
494 | ||
921b12ca | 495 | else if (euid == root_uid) *fd = log_create_as_exim(buffer); |
059ec3d9 PH |
496 | |
497 | /* If we now have an open file, set the close-on-exec flag and return. */ | |
498 | ||
499 | if (*fd >= 0) | |
500 | { | |
92b0827a | 501 | #ifndef O_CLOEXEC |
ff790e47 | 502 | (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC); |
92b0827a | 503 | #endif |
059ec3d9 PH |
504 | return; |
505 | } | |
506 | ||
507 | /* Creation failed. There are some circumstances in which we get here when | |
508 | the effective uid is not root or exim, which is the problem. (For example, a | |
509 | non-setuid binary with log_arguments set, called in certain ways.) Rather than | |
510 | just bombing out, force the log to stderr and carry on if stderr is available. | |
511 | */ | |
512 | ||
513 | if (euid != root_uid && euid != exim_uid && log_stderr != NULL) | |
514 | { | |
515 | *fd = fileno(log_stderr); | |
516 | return; | |
517 | } | |
518 | ||
519 | /* Otherwise this is a disaster. This call is deliberately ONLY to the panic | |
520 | log. If possible, save a copy of the original line that was being logged. If we | |
521 | are recursing (can't open the panic log either), the pointer will already be | |
522 | set. */ | |
523 | ||
40c90bca JH |
524 | if (!panic_save_buffer) |
525 | if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE))) | |
059ec3d9 | 526 | memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE); |
059ec3d9 PH |
527 | |
528 | log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: " | |
529 | "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid()); | |
530 | /* Never returns */ | |
531 | } | |
532 | ||
533 | ||
b0d68adc JH |
534 | static void |
535 | unlink_log(int type) | |
536 | { | |
537 | if (type == lt_debug) unlink(CS debuglog_name); | |
538 | } | |
539 | ||
540 | ||
059ec3d9 PH |
541 | |
542 | /************************************************* | |
543 | * Add configuration file info to log line * | |
544 | *************************************************/ | |
545 | ||
546 | /* This is put in a function because it's needed twice (once for debugging, | |
547 | once for real). | |
548 | ||
549 | Arguments: | |
550 | ptr pointer to the end of the line we are building | |
551 | flags log flags | |
552 | ||
553 | Returns: updated pointer | |
554 | */ | |
555 | ||
d12746bc JH |
556 | static gstring * |
557 | log_config_info(gstring * g, int flags) | |
059ec3d9 | 558 | { |
d12746bc | 559 | g = string_cat(g, US"Exim configuration error"); |
059ec3d9 | 560 | |
94759fce | 561 | if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG)) |
d12746bc | 562 | return string_cat(g, US" for "); |
059ec3d9 | 563 | |
94759fce | 564 | if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG)) |
d12746bc | 565 | g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename); |
059ec3d9 | 566 | |
d12746bc | 567 | return string_catn(g, US":\n ", 4); |
059ec3d9 PH |
568 | } |
569 | ||
570 | ||
571 | /************************************************* | |
572 | * A write() operation failed * | |
573 | *************************************************/ | |
574 | ||
575 | /* This function is called when write() fails on anything other than the panic | |
576 | log, which can happen if a disk gets full or a file gets too large or whatever. | |
577 | We try to save the relevant message in the panic_save buffer before crashing | |
578 | out. | |
579 | ||
23ecb73d PP |
580 | The potential invoker should probably not call us for EINTR -1 writes. But |
581 | otherwise, short writes are bad as we don't do non-blocking writes to fds | |
582 | subject to flow control. (If we do, that's new and the logic of this should | |
583 | be reconsidered). | |
584 | ||
059ec3d9 PH |
585 | Arguments: |
586 | name the name of the log being written | |
587 | length the string length being written | |
588 | rc the return value from write() | |
589 | ||
590 | Returns: does not return | |
591 | */ | |
592 | ||
593 | static void | |
594 | log_write_failed(uschar *name, int length, int rc) | |
595 | { | |
596 | int save_errno = errno; | |
597 | ||
40c90bca JH |
598 | if (!panic_save_buffer) |
599 | if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE))) | |
059ec3d9 | 600 | memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE); |
059ec3d9 PH |
601 | |
602 | log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d " | |
603 | "errno=%d (%s)", name, length, rc, save_errno, | |
604 | (save_errno == 0)? "write incomplete" : strerror(save_errno)); | |
605 | /* Never returns */ | |
606 | } | |
607 | ||
608 | ||
609 | ||
0599f9cf PP |
610 | /************************************************* |
611 | * Write to an fd, retrying after signals * | |
612 | *************************************************/ | |
613 | ||
614 | /* Basic write to fd for logs, handling EINTR. | |
615 | ||
616 | Arguments: | |
617 | fd the fd to write to | |
618 | buf the string to write | |
619 | length the string length being written | |
620 | ||
621 | Returns: | |
622 | length actually written, persisting an errno from write() | |
623 | */ | |
624 | ssize_t | |
17c76198 | 625 | write_to_fd_buf(int fd, const uschar *buf, size_t length) |
0599f9cf PP |
626 | { |
627 | ssize_t wrote; | |
628 | size_t total_written = 0; | |
17c76198 | 629 | const uschar *p = buf; |
0599f9cf PP |
630 | size_t left = length; |
631 | ||
632 | while (1) | |
633 | { | |
634 | wrote = write(fd, p, left); | |
635 | if (wrote == (ssize_t)-1) | |
636 | { | |
637 | if (errno == EINTR) continue; | |
638 | return wrote; | |
639 | } | |
640 | total_written += wrote; | |
641 | if (wrote == left) | |
642 | break; | |
643 | else | |
644 | { | |
645 | p += wrote; | |
646 | left -= wrote; | |
647 | } | |
648 | } | |
649 | return total_written; | |
650 | } | |
651 | ||
652 | ||
e4a6fb35 JH |
653 | |
654 | static void | |
655 | set_file_path(void) | |
656 | { | |
657 | int sep = ':'; /* Fixed separator - outside use */ | |
658 | uschar *t; | |
659 | const uschar *tt = US LOG_FILE_PATH; | |
660 | while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE))) | |
661 | { | |
662 | if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue; | |
663 | file_path = string_copy(t); | |
664 | break; | |
665 | } | |
666 | } | |
667 | ||
668 | ||
9cd319d9 JH |
669 | void |
670 | mainlog_close(void) | |
671 | { | |
672 | if (mainlogfd < 0) return; | |
673 | (void)close(mainlogfd); | |
674 | mainlogfd = -1; | |
675 | mainlog_inode = 0; | |
676 | } | |
e4a6fb35 | 677 | |
059ec3d9 PH |
678 | /************************************************* |
679 | * Write message to log file * | |
680 | *************************************************/ | |
681 | ||
682 | /* Exim can be configured to log to local files, or use syslog, or both. This | |
683 | is controlled by the setting of log_file_path. The following cases are | |
684 | recognized: | |
685 | ||
686 | log_file_path = "" write files in the spool/log directory | |
687 | log_file_path = "xxx" write files in the xxx directory | |
688 | log_file_path = "syslog" write to syslog | |
689 | log_file_path = "syslog : xxx" write to syslog and to files (any order) | |
690 | ||
059ec3d9 PH |
691 | The message always gets '\n' added on the end of it, since more than one |
692 | process may be writing to the log at once and we don't want intermingling to | |
693 | happen in the middle of lines. To be absolutely sure of this we write the data | |
694 | into a private buffer and then put it out in a single write() call. | |
695 | ||
696 | The flags determine which log(s) the message is written to, or for syslogging, | |
697 | which priority to use, and in the case of the panic log, whether the process | |
698 | should die afterwards. | |
699 | ||
700 | The variable really_exim is TRUE only when exim is running in privileged state | |
701 | (i.e. not with a changed configuration or with testing options such as -brw). | |
702 | If it is not, don't try to write to the log because permission will probably be | |
703 | denied. | |
704 | ||
705 | Avoid actually writing to the logs when exim is called with -bv or -bt to | |
4c04137d | 706 | test an address, but take other actions, such as panicking. |
059ec3d9 PH |
707 | |
708 | In Exim proper, the buffer for building the message is got at start-up, so that | |
709 | nothing gets done if it can't be got. However, some functions that are also | |
710 | used in utilities occasionally obey log_write calls in error situations, and it | |
711 | is simplest to put a single malloc() here rather than put one in each utility. | |
712 | Malloc is used directly because the store functions may call log_write(). | |
713 | ||
714 | If a message_id exists, we include it after the timestamp. | |
715 | ||
716 | Arguments: | |
717 | selector write to main log or LOG_INFO only if this value is zero, or if | |
6c6d6e48 | 718 | its bit is set in log_selector[0] |
059ec3d9 PH |
719 | flags each bit indicates some independent action: |
720 | LOG_SENDER add raw sender to the message | |
721 | LOG_RECIPIENTS add raw recipients list to message | |
722 | LOG_CONFIG add "Exim configuration error" | |
723 | LOG_CONFIG_FOR add " for " instead of ":\n " | |
724 | LOG_CONFIG_IN add " in line x[ of file y]" | |
725 | LOG_MAIN write to main log or syslog LOG_INFO | |
726 | LOG_REJECT write to reject log or syslog LOG_NOTICE | |
727 | LOG_PANIC write to panic log or syslog LOG_ALERT | |
728 | LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash | |
059ec3d9 PH |
729 | format a printf() format |
730 | ... arguments for format | |
731 | ||
732 | Returns: nothing | |
733 | */ | |
734 | ||
735 | void | |
1ba28e2b | 736 | log_write(unsigned int selector, int flags, const char *format, ...) |
059ec3d9 | 737 | { |
059ec3d9 | 738 | int paniclogfd; |
23ecb73d | 739 | ssize_t written_len; |
d12746bc JH |
740 | gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer }; |
741 | gstring * g; | |
059ec3d9 PH |
742 | va_list ap; |
743 | ||
744 | /* If panic_recurseflag is set, we have failed to open the panic log. This is | |
745 | the ultimate disaster. First try to write the message to a debug file and/or | |
746 | stderr and also to syslog. If panic_save_buffer is not NULL, it contains the | |
747 | original log line that caused the problem. Afterwards, expire. */ | |
748 | ||
749 | if (panic_recurseflag) | |
750 | { | |
30f962e0 JH |
751 | uschar *extra = panic_save_buffer ? panic_save_buffer : US""; |
752 | if (debug_file) debug_printf("%s%s", extra, log_buffer); | |
753 | if (log_stderr && log_stderr != debug_file) | |
059ec3d9 | 754 | fprintf(log_stderr, "%s%s", extra, log_buffer); |
30f962e0 | 755 | if (*extra) write_syslog(LOG_CRIT, extra); |
059ec3d9 PH |
756 | write_syslog(LOG_CRIT, log_buffer); |
757 | die(US"exim: could not open panic log - aborting: see message(s) above", | |
758 | US"Unexpected log failure, please try later"); | |
759 | } | |
760 | ||
761 | /* Ensure we have a buffer (see comment above); this should never be obeyed | |
762 | when running Exim proper, only when running utilities. */ | |
763 | ||
40c90bca JH |
764 | if (!log_buffer) |
765 | if (!(log_buffer = US malloc(LOG_BUFFER_SIZE))) | |
059ec3d9 PH |
766 | { |
767 | fprintf(stderr, "exim: failed to get store for log buffer\n"); | |
9bfb7e1b | 768 | exim_exit(EXIT_FAILURE, NULL); |
059ec3d9 | 769 | } |
059ec3d9 PH |
770 | |
771 | /* If we haven't already done so, inspect the setting of log_file_path to | |
772 | determine whether to log to files and/or to syslog. Bits in logging_mode | |
773 | control this, and for file logging, the path must end up in file_path. This | |
774 | variable must be in permanent store because it may be required again later in | |
775 | the process. */ | |
776 | ||
777 | if (!path_inspected) | |
778 | { | |
779 | BOOL multiple = FALSE; | |
780 | int old_pool = store_pool; | |
781 | ||
782 | store_pool = POOL_PERM; | |
783 | ||
784 | /* If nothing has been set, don't waste effort... the default values for the | |
785 | statics are file_path="" and logging_mode = LOG_MODE_FILE. */ | |
786 | ||
e4a6fb35 | 787 | if (*log_file_path) |
059ec3d9 PH |
788 | { |
789 | int sep = ':'; /* Fixed separator - outside use */ | |
790 | uschar *s; | |
55414b25 | 791 | const uschar *ss = log_file_path; |
30f962e0 | 792 | |
059ec3d9 | 793 | logging_mode = 0; |
55414b25 | 794 | while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE))) |
059ec3d9 PH |
795 | { |
796 | if (Ustrcmp(s, "syslog") == 0) | |
797 | logging_mode |= LOG_MODE_SYSLOG; | |
30f962e0 JH |
798 | else if (logging_mode & LOG_MODE_FILE) |
799 | multiple = TRUE; | |
059ec3d9 PH |
800 | else |
801 | { | |
802 | logging_mode |= LOG_MODE_FILE; | |
803 | ||
804 | /* If a non-empty path is given, use it */ | |
805 | ||
e4a6fb35 | 806 | if (*s) |
059ec3d9 | 807 | file_path = string_copy(s); |
059ec3d9 PH |
808 | |
809 | /* If the path is empty, we want to use the first non-empty, non- | |
810 | syslog item in LOG_FILE_PATH, if there is one, since the value of | |
811 | log_file_path may have been set at runtime. If there is no such item, | |
812 | use the ultimate default in the spool directory. */ | |
813 | ||
814 | else | |
e4a6fb35 | 815 | set_file_path(); /* Empty item in log_file_path */ |
059ec3d9 PH |
816 | } /* First non-syslog item in log_file_path */ |
817 | } /* Scan of log_file_path */ | |
818 | } | |
819 | ||
820 | /* If no modes have been selected, it is a major disaster */ | |
821 | ||
822 | if (logging_mode == 0) | |
823 | die(US"Neither syslog nor file logging set in log_file_path", | |
824 | US"Unexpected logging failure"); | |
825 | ||
826 | /* Set up the ultimate default if necessary. Then revert to the old store | |
827 | pool, and record that we've sorted out the path. */ | |
828 | ||
30f962e0 | 829 | if (logging_mode & LOG_MODE_FILE && !file_path[0]) |
059ec3d9 PH |
830 | file_path = string_sprintf("%s/log/%%slog", spool_directory); |
831 | store_pool = old_pool; | |
832 | path_inspected = TRUE; | |
833 | ||
834 | /* If more than one file path was given, log a complaint. This recursive call | |
835 | should work since we have now set up the routing. */ | |
836 | ||
837 | if (multiple) | |
059ec3d9 PH |
838 | log_write(0, LOG_MAIN|LOG_PANIC, |
839 | "More than one path given in log_file_path: using %s", file_path); | |
059ec3d9 PH |
840 | } |
841 | ||
842 | /* If debugging, show all log entries, but don't show headers. Do it all | |
843 | in one go so that it doesn't get split when multi-processing. */ | |
844 | ||
845 | DEBUG(D_any|D_v) | |
846 | { | |
847 | int i; | |
059ec3d9 | 848 | |
d12746bc | 849 | g = string_catn(&gs, US"LOG:", 4); |
059ec3d9 | 850 | |
6c6d6e48 | 851 | /* Show the selector that was passed into the call. */ |
059ec3d9 PH |
852 | |
853 | for (i = 0; i < log_options_count; i++) | |
854 | { | |
ac881e27 TF |
855 | unsigned int bitnum = log_options[i].bit; |
856 | if (bitnum < BITWORDSIZE && selector == BIT(bitnum)) | |
d12746bc | 857 | g = string_fmt_append(g, " %s", log_options[i].name); |
059ec3d9 PH |
858 | } |
859 | ||
d12746bc | 860 | g = string_fmt_append(g, "%s%s%s%s\n ", |
30f962e0 JH |
861 | flags & LOG_MAIN ? " MAIN" : "", |
862 | flags & LOG_PANIC ? " PANIC" : "", | |
863 | (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "", | |
864 | flags & LOG_REJECT ? " REJECT" : ""); | |
059ec3d9 | 865 | |
d12746bc | 866 | if (flags & LOG_CONFIG) g = log_config_info(g, flags); |
059ec3d9 | 867 | |
f3ebb786 JH |
868 | /* We want to be able to log tainted info, but log_buffer is directly |
869 | malloc'd. So use deliberately taint-nonchecking routines to build into | |
870 | it, trusting that we will never expand the results. */ | |
871 | ||
059ec3d9 | 872 | va_start(ap, format); |
d12746bc | 873 | i = g->ptr; |
f3ebb786 | 874 | if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap)) |
d12746bc JH |
875 | { |
876 | g->ptr = i; | |
877 | g = string_cat(g, US"**** log string overflowed log buffer ****"); | |
878 | } | |
059ec3d9 PH |
879 | va_end(ap); |
880 | ||
d12746bc JH |
881 | g->size = LOG_BUFFER_SIZE; |
882 | g = string_catn(g, US"\n", 1); | |
883 | debug_printf("%s", string_from_gstring(g)); | |
059ec3d9 | 884 | |
d12746bc JH |
885 | gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */ |
886 | gs.ptr = 0; /* reset it for the real use. */ | |
887 | gs.s = log_buffer; | |
888 | } | |
059ec3d9 PH |
889 | /* If no log file is specified, we are in a mess. */ |
890 | ||
30f962e0 | 891 | if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT))) |
059ec3d9 PH |
892 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log " |
893 | "flags set"); | |
894 | ||
895 | /* There are some weird circumstances in which logging is disabled. */ | |
896 | ||
8768d548 | 897 | if (f.disable_logging) |
059ec3d9 PH |
898 | { |
899 | DEBUG(D_any) debug_printf("log writing disabled\n"); | |
900 | return; | |
901 | } | |
902 | ||
a7d7aa58 PH |
903 | /* Handle disabled reject log */ |
904 | ||
905 | if (!write_rejectlog) flags &= ~LOG_REJECT; | |
906 | ||
921b12ca TF |
907 | /* Create the main message in the log buffer. Do not include the message id |
908 | when called by a utility. */ | |
059ec3d9 | 909 | |
d12746bc | 910 | g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log)); |
f3f065bb | 911 | |
6c6d6e48 | 912 | if (LOGGING(pid)) |
f3f065bb | 913 | { |
d12746bc JH |
914 | if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */ |
915 | g = string_fmt_append(g, "[%d] ", (int)getpid()); | |
916 | if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */ | |
f3f065bb PH |
917 | } |
918 | ||
8768d548 | 919 | if (f.really_exim && message_id[0] != 0) |
d12746bc | 920 | g = string_fmt_append(g, "%s ", message_id); |
059ec3d9 | 921 | |
d12746bc JH |
922 | if (flags & LOG_CONFIG) |
923 | g = log_config_info(g, flags); | |
059ec3d9 PH |
924 | |
925 | va_start(ap, format); | |
d12746bc JH |
926 | { |
927 | int i = g->ptr; | |
f3ebb786 JH |
928 | |
929 | /* We want to be able to log tainted info, but log_buffer is directly | |
930 | malloc'd. So use deliberately taint-nonchecking routines to build into | |
931 | it, trusting that we will never expand the results. */ | |
932 | ||
933 | if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap)) | |
d12746bc JH |
934 | { |
935 | g->ptr = i; | |
936 | g = string_cat(g, US"**** log string overflowed log buffer ****\n"); | |
937 | } | |
938 | } | |
059ec3d9 PH |
939 | va_end(ap); |
940 | ||
941 | /* Add the raw, unrewritten, sender to the message if required. This is done | |
942 | this way because it kind of fits with LOG_RECIPIENTS. */ | |
943 | ||
30f962e0 | 944 | if ( flags & LOG_SENDER |
d12746bc | 945 | && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender)) |
f3ebb786 | 946 | g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender); |
059ec3d9 PH |
947 | |
948 | /* Add list of recipients to the message if required; the raw list, | |
949 | before rewriting, was saved in raw_recipients. There may be none, if an ACL | |
950 | discarded them all. */ | |
951 | ||
30f962e0 | 952 | if ( flags & LOG_RECIPIENTS |
d12746bc | 953 | && g->ptr < LOG_BUFFER_SIZE - 6 |
30f962e0 | 954 | && raw_recipients_count > 0) |
059ec3d9 PH |
955 | { |
956 | int i; | |
f3ebb786 | 957 | g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL); |
059ec3d9 PH |
958 | for (i = 0; i < raw_recipients_count; i++) |
959 | { | |
571b2715 | 960 | uschar * s = raw_recipients[i]; |
d12746bc | 961 | if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break; |
f3ebb786 | 962 | g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s); |
059ec3d9 PH |
963 | } |
964 | } | |
965 | ||
d12746bc JH |
966 | g = string_catn(g, US"\n", 1); |
967 | string_from_gstring(g); | |
059ec3d9 PH |
968 | |
969 | /* Handle loggable errors when running a utility, or when address testing. | |
970 | Write to log_stderr unless debugging (when it will already have been written), | |
971 | or unless there is no log_stderr (expn called from daemon, for example). */ | |
972 | ||
8768d548 | 973 | if (!f.really_exim || f.log_testing_mode) |
059ec3d9 | 974 | { |
30f962e0 JH |
975 | if ( !debug_selector |
976 | && log_stderr | |
977 | && (selector == 0 || (selector & log_selector[0]) != 0) | |
978 | ) | |
059ec3d9 PH |
979 | if (host_checking) |
980 | fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */ | |
981 | else | |
982 | fprintf(log_stderr, "%s", CS log_buffer); | |
30f962e0 | 983 | |
9bfb7e1b | 984 | if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE, US""); |
059ec3d9 PH |
985 | return; |
986 | } | |
987 | ||
988 | /* Handle the main log. We know that either syslog or file logging (or both) is | |
989 | set up. A real file gets left open during reception or delivery once it has | |
990 | been opened, but we don't want to keep on writing to it for too long after it | |
991 | has been renamed. Therefore, do a stat() and see if the inode has changed, and | |
992 | if so, re-open. */ | |
993 | ||
3cc3f762 JH |
994 | if ( flags & LOG_MAIN |
995 | && (!selector || selector & log_selector[0])) | |
059ec3d9 | 996 | { |
3cc3f762 JH |
997 | if ( logging_mode & LOG_MODE_SYSLOG |
998 | && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC)))) | |
059ec3d9 PH |
999 | write_syslog(LOG_INFO, log_buffer); |
1000 | ||
3cc3f762 | 1001 | if (logging_mode & LOG_MODE_FILE) |
059ec3d9 PH |
1002 | { |
1003 | struct stat statbuf; | |
1004 | ||
1005 | /* Check for a change to the mainlog file name when datestamping is in | |
1006 | operation. This happens at midnight, at which point we want to roll over | |
1007 | the file. Closing it has the desired effect. */ | |
1008 | ||
cd2e3fd0 | 1009 | if (mainlog_datestamp) |
059ec3d9 | 1010 | { |
f1e5fef5 | 1011 | uschar *nowstamp = tod_stamp(string_datestamp_type); |
059ec3d9 PH |
1012 | if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0) |
1013 | { | |
f1e894f3 | 1014 | (void)close(mainlogfd); /* Close the file */ |
059ec3d9 PH |
1015 | mainlogfd = -1; /* Clear the file descriptor */ |
1016 | mainlog_inode = 0; /* Unset the inode */ | |
1017 | mainlog_datestamp = NULL; /* Clear the datestamp */ | |
1018 | } | |
1019 | } | |
1020 | ||
1021 | /* Otherwise, we want to check whether the file has been renamed by a | |
1022 | cycling script. This could be "if else", but for safety's sake, leave it as | |
1023 | "if" so that renaming the log starts a new file even when datestamping is | |
1024 | happening. */ | |
1025 | ||
1026 | if (mainlogfd >= 0) | |
059ec3d9 | 1027 | if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode) |
9cd319d9 | 1028 | mainlog_close(); |
059ec3d9 PH |
1029 | |
1030 | /* If the log is closed, open it. Then write the line. */ | |
1031 | ||
1032 | if (mainlogfd < 0) | |
1033 | { | |
ed7f7860 | 1034 | open_log(&mainlogfd, lt_main, NULL); /* No return on error */ |
059ec3d9 PH |
1035 | if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino; |
1036 | } | |
1037 | ||
1038 | /* Failing to write to the log is disastrous */ | |
1039 | ||
d12746bc JH |
1040 | written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr); |
1041 | if (written_len != g->ptr) | |
059ec3d9 | 1042 | { |
d12746bc | 1043 | log_write_failed(US"main log", g->ptr, written_len); |
059ec3d9 PH |
1044 | /* That function does not return */ |
1045 | } | |
1046 | } | |
1047 | } | |
1048 | ||
a7d7aa58 PH |
1049 | /* Handle the log for rejected messages. This can be globally disabled, in |
1050 | which case the flags are altered above. If there are any header lines (i.e. if | |
1051 | the rejection is happening after the DATA phase), log the recipients and the | |
1052 | headers. */ | |
059ec3d9 | 1053 | |
30f962e0 | 1054 | if (flags & LOG_REJECT) |
059ec3d9 | 1055 | { |
30f962e0 | 1056 | if (header_list && LOGGING(rejected_header)) |
059ec3d9 | 1057 | { |
f3ebb786 | 1058 | gstring * g2; |
d12746bc JH |
1059 | int i; |
1060 | ||
059ec3d9 PH |
1061 | if (recipients_count > 0) |
1062 | { | |
059ec3d9 PH |
1063 | /* List the sender */ |
1064 | ||
f3ebb786 JH |
1065 | g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, |
1066 | "Envelope-from: <%s>\n", sender_address); | |
1067 | if (g2) g = g2; | |
059ec3d9 PH |
1068 | |
1069 | /* List up to 5 recipients */ | |
1070 | ||
f3ebb786 JH |
1071 | g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, |
1072 | "Envelope-to: <%s>\n", recipients_list[0].address); | |
1073 | if (g2) g = g2; | |
059ec3d9 PH |
1074 | |
1075 | for (i = 1; i < recipients_count && i < 5; i++) | |
1076 | { | |
f3ebb786 JH |
1077 | g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, |
1078 | " <%s>\n", recipients_list[i].address); | |
1079 | if (g2) g = g2; | |
059ec3d9 PH |
1080 | } |
1081 | ||
1082 | if (i < recipients_count) | |
1083 | { | |
f3ebb786 JH |
1084 | g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL); |
1085 | if (g2) g = g2; | |
059ec3d9 PH |
1086 | } |
1087 | } | |
1088 | ||
1089 | /* A header with a NULL text is an unfilled in Received: header */ | |
1090 | ||
d7978c0f | 1091 | for (header_line * h = header_list; h; h = h->next) if (h->text) |
059ec3d9 | 1092 | { |
f3ebb786 JH |
1093 | g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, |
1094 | "%c %s", h->type, h->text); | |
1095 | if (g2) | |
1096 | g = g2; | |
1097 | else /* Buffer is full; truncate */ | |
059ec3d9 | 1098 | { |
d12746bc JH |
1099 | g->ptr -= 100; /* For message and separator */ |
1100 | if (g->s[g->ptr-1] == '\n') g->ptr--; | |
1101 | g = string_cat(g, US"\n*** truncated ***\n"); | |
059ec3d9 PH |
1102 | break; |
1103 | } | |
1104 | } | |
059ec3d9 PH |
1105 | } |
1106 | ||
1107 | /* Write to syslog or to a log file */ | |
1108 | ||
30f962e0 JH |
1109 | if ( logging_mode & LOG_MODE_SYSLOG |
1110 | && (syslog_duplication || !(flags & LOG_PANIC))) | |
d12746bc | 1111 | write_syslog(LOG_NOTICE, string_from_gstring(g)); |
059ec3d9 PH |
1112 | |
1113 | /* Check for a change to the rejectlog file name when datestamping is in | |
1114 | operation. This happens at midnight, at which point we want to roll over | |
1115 | the file. Closing it has the desired effect. */ | |
1116 | ||
30f962e0 | 1117 | if (logging_mode & LOG_MODE_FILE) |
059ec3d9 PH |
1118 | { |
1119 | struct stat statbuf; | |
1120 | ||
571b2715 | 1121 | if (rejectlog_datestamp) |
059ec3d9 | 1122 | { |
f1e5fef5 | 1123 | uschar *nowstamp = tod_stamp(string_datestamp_type); |
059ec3d9 PH |
1124 | if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0) |
1125 | { | |
f1e894f3 | 1126 | (void)close(rejectlogfd); /* Close the file */ |
059ec3d9 PH |
1127 | rejectlogfd = -1; /* Clear the file descriptor */ |
1128 | rejectlog_inode = 0; /* Unset the inode */ | |
1129 | rejectlog_datestamp = NULL; /* Clear the datestamp */ | |
1130 | } | |
1131 | } | |
1132 | ||
1133 | /* Otherwise, we want to check whether the file has been renamed by a | |
1134 | cycling script. This could be "if else", but for safety's sake, leave it as | |
1135 | "if" so that renaming the log starts a new file even when datestamping is | |
1136 | happening. */ | |
1137 | ||
1138 | if (rejectlogfd >= 0) | |
059ec3d9 PH |
1139 | if (Ustat(rejectlog_name, &statbuf) < 0 || |
1140 | statbuf.st_ino != rejectlog_inode) | |
1141 | { | |
f1e894f3 | 1142 | (void)close(rejectlogfd); |
059ec3d9 PH |
1143 | rejectlogfd = -1; |
1144 | rejectlog_inode = 0; | |
1145 | } | |
059ec3d9 PH |
1146 | |
1147 | /* Open the file if necessary, and write the data */ | |
1148 | ||
1149 | if (rejectlogfd < 0) | |
1150 | { | |
ed7f7860 | 1151 | open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */ |
059ec3d9 PH |
1152 | if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino; |
1153 | } | |
1154 | ||
d12746bc JH |
1155 | written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr); |
1156 | if (written_len != g->ptr) | |
059ec3d9 | 1157 | { |
d12746bc | 1158 | log_write_failed(US"reject log", g->ptr, written_len); |
059ec3d9 PH |
1159 | /* That function does not return */ |
1160 | } | |
1161 | } | |
1162 | } | |
1163 | ||
1164 | ||
059ec3d9 PH |
1165 | /* Handle the panic log, which is not kept open like the others. If it fails to |
1166 | open, there will be a recursive call to log_write(). We detect this above and | |
1167 | attempt to write to the system log as a last-ditch try at telling somebody. In | |
47c7a64a | 1168 | all cases except mua_wrapper, try to write to log_stderr. */ |
059ec3d9 | 1169 | |
30f962e0 | 1170 | if (flags & LOG_PANIC) |
059ec3d9 | 1171 | { |
30f962e0 | 1172 | if (log_stderr && log_stderr != debug_file && !mua_wrapper) |
d12746bc | 1173 | fprintf(log_stderr, "%s", CS string_from_gstring(g)); |
059ec3d9 | 1174 | |
30f962e0 | 1175 | if (logging_mode & LOG_MODE_SYSLOG) |
059ec3d9 | 1176 | write_syslog(LOG_ALERT, log_buffer); |
059ec3d9 PH |
1177 | |
1178 | /* If this panic logging was caused by a failure to open the main log, | |
1179 | the original log line is in panic_save_buffer. Make an attempt to write it. */ | |
1180 | ||
30f962e0 | 1181 | if (logging_mode & LOG_MODE_FILE) |
059ec3d9 PH |
1182 | { |
1183 | panic_recurseflag = TRUE; | |
ed7f7860 | 1184 | open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */ |
059ec3d9 PH |
1185 | panic_recurseflag = FALSE; |
1186 | ||
30f962e0 | 1187 | if (panic_save_buffer) |
1ac6b2e7 JH |
1188 | { |
1189 | int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer)); | |
1190 | i = i; /* compiler quietening */ | |
1191 | } | |
059ec3d9 | 1192 | |
d12746bc JH |
1193 | written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr); |
1194 | if (written_len != g->ptr) | |
059ec3d9 PH |
1195 | { |
1196 | int save_errno = errno; | |
1197 | write_syslog(LOG_CRIT, log_buffer); | |
1198 | sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d " | |
d12746bc JH |
1199 | "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno)); |
1200 | write_syslog(LOG_CRIT, string_from_gstring(g)); | |
059ec3d9 PH |
1201 | flags |= LOG_PANIC_DIE; |
1202 | } | |
1203 | ||
f1e894f3 | 1204 | (void)close(paniclogfd); |
059ec3d9 PH |
1205 | } |
1206 | ||
1207 | /* Give up if the DIE flag is set */ | |
1208 | ||
1209 | if ((flags & LOG_PANIC_DIE) != LOG_PANIC) | |
1210 | die(NULL, US"Unexpected failure, please try later"); | |
1211 | } | |
1212 | } | |
1213 | ||
1214 | ||
1215 | ||
1216 | /************************************************* | |
1217 | * Close any open log files * | |
1218 | *************************************************/ | |
1219 | ||
1220 | void | |
1221 | log_close_all(void) | |
1222 | { | |
1223 | if (mainlogfd >= 0) | |
f1e894f3 | 1224 | { (void)close(mainlogfd); mainlogfd = -1; } |
059ec3d9 | 1225 | if (rejectlogfd >= 0) |
f1e894f3 | 1226 | { (void)close(rejectlogfd); rejectlogfd = -1; } |
059ec3d9 PH |
1227 | closelog(); |
1228 | syslog_open = FALSE; | |
1229 | } | |
1230 | ||
ed7f7860 PP |
1231 | |
1232 | ||
6c6d6e48 TF |
1233 | /************************************************* |
1234 | * Multi-bit set or clear * | |
1235 | *************************************************/ | |
1236 | ||
1237 | /* These functions take a list of bit indexes (terminated by -1) and | |
1238 | clear or set the corresponding bits in the selector. | |
1239 | ||
1240 | Arguments: | |
1241 | selector address of the bit string | |
1242 | selsize number of words in the bit string | |
1243 | bits list of bits to set | |
1244 | */ | |
1245 | ||
1246 | void | |
1247 | bits_clear(unsigned int *selector, size_t selsize, int *bits) | |
1248 | { | |
1249 | for(; *bits != -1; ++bits) | |
1250 | BIT_CLEAR(selector, selsize, *bits); | |
1251 | } | |
1252 | ||
1253 | void | |
1254 | bits_set(unsigned int *selector, size_t selsize, int *bits) | |
1255 | { | |
1256 | for(; *bits != -1; ++bits) | |
1257 | BIT_SET(selector, selsize, *bits); | |
1258 | } | |
1259 | ||
1260 | ||
1261 | ||
ed7f7860 PP |
1262 | /************************************************* |
1263 | * Decode bit settings for log/debug * | |
1264 | *************************************************/ | |
1265 | ||
1266 | /* This function decodes a string containing bit settings in the form of +name | |
1267 | and/or -name sequences, and sets/unsets bits in a bit string accordingly. It | |
1268 | also recognizes a numeric setting of the form =<number>, but this is not | |
1269 | intended for user use. It's an easy way for Exim to pass the debug settings | |
1270 | when it is re-exec'ed. | |
1271 | ||
6c6d6e48 TF |
1272 | The option table is a list of names and bit indexes. The index -1 |
1273 | means "set all bits, except for those listed in notall". The notall | |
1274 | list is terminated by -1. | |
ed7f7860 PP |
1275 | |
1276 | The action taken for bad values varies depending upon why we're here. | |
1277 | For log messages, or if the debugging is triggered from config, then we write | |
1278 | to the log on the way out. For debug setting triggered from the command-line, | |
1279 | we treat it as an unknown option: error message to stderr and die. | |
1280 | ||
1281 | Arguments: | |
6c6d6e48 TF |
1282 | selector address of the bit string |
1283 | selsize number of words in the bit string | |
1284 | notall list of bits to exclude from "all" | |
ed7f7860 PP |
1285 | string the configured string |
1286 | options the table of option names | |
1287 | count size of table | |
1288 | which "log" or "debug" | |
1289 | flags DEBUG_FROM_CONFIG | |
1290 | ||
1291 | Returns: nothing on success - bomb out on failure | |
1292 | */ | |
1293 | ||
1294 | void | |
6c6d6e48 TF |
1295 | decode_bits(unsigned int *selector, size_t selsize, int *notall, |
1296 | uschar *string, bit_table *options, int count, uschar *which, int flags) | |
ed7f7860 PP |
1297 | { |
1298 | uschar *errmsg; | |
1299 | if (string == NULL) return; | |
1300 | ||
1301 | if (*string == '=') | |
1302 | { | |
1303 | char *end; /* Not uschar */ | |
6c6d6e48 TF |
1304 | memset(selector, 0, sizeof(*selector)*selsize); |
1305 | *selector = strtoul(CS string+1, &end, 0); | |
ed7f7860 PP |
1306 | if (*end == 0) return; |
1307 | errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which, | |
1308 | string); | |
1309 | goto ERROR_RETURN; | |
1310 | } | |
1311 | ||
1312 | /* Handle symbolic setting */ | |
1313 | ||
1314 | else for(;;) | |
1315 | { | |
1316 | BOOL adding; | |
1317 | uschar *s; | |
1318 | int len; | |
1319 | bit_table *start, *end; | |
1320 | ||
1321 | while (isspace(*string)) string++; | |
1322 | if (*string == 0) return; | |
1323 | ||
1324 | if (*string != '+' && *string != '-') | |
1325 | { | |
1326 | errmsg = string_sprintf("malformed %s_selector setting: " | |
1327 | "+ or - expected but found \"%s\"", which, string); | |
1328 | goto ERROR_RETURN; | |
1329 | } | |
1330 | ||
1331 | adding = *string++ == '+'; | |
1332 | s = string; | |
1333 | while (isalnum(*string) || *string == '_') string++; | |
1334 | len = string - s; | |
1335 | ||
1336 | start = options; | |
1337 | end = options + count; | |
1338 | ||
1339 | while (start < end) | |
1340 | { | |
1341 | bit_table *middle = start + (end - start)/2; | |
1342 | int c = Ustrncmp(s, middle->name, len); | |
1343 | if (c == 0) | |
1344 | { | |
1345 | if (middle->name[len] != 0) c = -1; else | |
1346 | { | |
1347 | unsigned int bit = middle->bit; | |
ed7f7860 | 1348 | |
6c6d6e48 TF |
1349 | if (bit == -1) |
1350 | { | |
1351 | if (adding) | |
1352 | { | |
1353 | memset(selector, -1, sizeof(*selector)*selsize); | |
1354 | bits_clear(selector, selsize, notall); | |
1355 | } | |
1356 | else | |
1357 | memset(selector, 0, sizeof(*selector)*selsize); | |
1358 | } | |
1359 | else if (adding) | |
1360 | BIT_SET(selector, selsize, bit); | |
1361 | else | |
1362 | BIT_CLEAR(selector, selsize, bit); | |
1363 | ||
ed7f7860 PP |
1364 | break; /* Out of loop to match selector name */ |
1365 | } | |
1366 | } | |
1367 | if (c < 0) end = middle; else start = middle + 1; | |
1368 | } /* Loop to match selector name */ | |
1369 | ||
1370 | if (start >= end) | |
1371 | { | |
1372 | errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which, | |
1373 | adding? '+' : '-', len, s); | |
1374 | goto ERROR_RETURN; | |
1375 | } | |
1376 | } /* Loop for selector names */ | |
1377 | ||
1378 | /* Handle disasters */ | |
1379 | ||
1380 | ERROR_RETURN: | |
1381 | if (Ustrcmp(which, "debug") == 0) | |
1382 | { | |
1383 | if (flags & DEBUG_FROM_CONFIG) | |
1384 | { | |
1385 | log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg); | |
1386 | return; | |
1387 | } | |
1388 | fprintf(stderr, "exim: %s\n", errmsg); | |
1389 | exit(EXIT_FAILURE); | |
1390 | } | |
1391 | else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg); | |
1392 | } | |
1393 | ||
1394 | ||
1395 | ||
1396 | /************************************************* | |
1397 | * Activate a debug logfile (late) * | |
1398 | *************************************************/ | |
1399 | ||
1400 | /* Normally, debugging is activated from the command-line; it may be useful | |
1401 | within the configuration to activate debugging later, based on certain | |
1402 | conditions. If debugging is already in progress, we return early, no action | |
1403 | taken (besides debug-logging that we wanted debug-logging). | |
1404 | ||
1405 | Failures in options are not fatal but will result in paniclog entries for the | |
1406 | misconfiguration. | |
1407 | ||
1408 | The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand" | |
1409 | which can be combined with conditions, etc, to activate extra logging only | |
9ee44efb | 1410 | for certain sources. The second use is inetd wait mode debug preservation. */ |
ed7f7860 PP |
1411 | |
1412 | void | |
1413 | debug_logging_activate(uschar *tag_name, uschar *opts) | |
1414 | { | |
1415 | int fd = -1; | |
1416 | ||
1417 | if (debug_file) | |
1418 | { | |
1419 | debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n" | |
b0d68adc | 1420 | "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US""); |
ed7f7860 PP |
1421 | return; |
1422 | } | |
1423 | ||
1424 | if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL)) | |
1425 | { | |
1426 | log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s", | |
1427 | tag_name); | |
1428 | return; | |
1429 | } | |
1430 | ||
1431 | debug_selector = D_default; | |
1432 | if (opts) | |
6c6d6e48 | 1433 | decode_bits(&debug_selector, 1, debug_notall, opts, |
ed7f7860 | 1434 | debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG); |
ed7f7860 | 1435 | |
e4a6fb35 JH |
1436 | /* When activating from a transport process we may never have logged at all |
1437 | resulting in certain setup not having been done. Hack this for now so we | |
1438 | do not segfault; note that nondefault log locations will not work */ | |
1439 | ||
1440 | if (!*file_path) set_file_path(); | |
1441 | ||
ed7f7860 PP |
1442 | open_log(&fd, lt_debug, tag_name); |
1443 | ||
1444 | if (fd != -1) | |
1445 | debug_file = fdopen(fd, "w"); | |
1446 | else | |
1447 | log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log"); | |
1448 | } | |
1449 | ||
1450 | ||
b0d68adc JH |
1451 | void |
1452 | debug_logging_stop(void) | |
1453 | { | |
1454 | if (!debug_file || !debuglog_name[0]) return; | |
1455 | ||
1456 | debug_selector = 0; | |
1457 | fclose(debug_file); | |
1458 | debug_file = NULL; | |
1459 | unlink_log(lt_debug); | |
1460 | } | |
1461 | ||
1462 | ||
059ec3d9 | 1463 | /* End of log.c */ |