-/* $Cambridge: exim/src/src/transports/appendfile.c,v 1.24 2009/11/16 19:50:39 nm4 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
-static char *mailbox_formats[] = {
+static const char *mailbox_formats[] = {
"unix", "mbx", "smail", "maildir", "mailstore" };
opt_public flag. */
optionlist appendfile_transport_options[] = {
+#ifdef SUPPORT_MAILDIR
+ { "*expand_maildir_use_size_file", opt_stringptr,
+ (void *)offsetof(appendfile_transport_options_block, expand_maildir_use_size_file) },
+#endif
{ "*set_use_fcntl_lock",opt_bool | opt_hidden,
(void *)offsetof(appendfile_transport_options_block, set_use_fcntl) },
{ "*set_use_flock_lock",opt_bool | opt_hidden,
(void *)offsetof(appendfile_transport_options_block, maildir_retries) },
{ "maildir_tag", opt_stringptr,
(void *)offsetof(appendfile_transport_options_block, maildir_tag) },
- { "maildir_use_size_file", opt_bool,
+ { "maildir_use_size_file", opt_expand_bool,
(void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } ,
{ "maildirfolder_create_regex", opt_stringptr,
(void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) },
NULL, /* quota_warn_threshold */
NULL, /* mailbox_size_string */
NULL, /* mailbox_filecount_string */
+ NULL, /* expand_maildir_use_size_file */
US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
NULL, /* maildir_tag */
NULL, /* maildirfolder_create_regex */
uid = uid;
gid = gid;
+if (ob->expand_maildir_use_size_file)
+ ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
+ US"`maildir_use_size_file` in transport", tblock->name);
+
/* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
mailbox_filecount */
if (ob->use_lockfile)
{
+ /* cf. exim_lock.c */
lockname = string_sprintf("%s.lock", filename);
hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
(unsigned int)(time(NULL)), (unsigned int)getpid());
/* We have successfully created and opened the file. Ensure that the group
and the mode are correct. */
- (void)Uchown(filename, uid, gid);
- (void)Uchmod(filename, mode);
+ if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
+ {
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("while setting perms on mailbox %s",
+ filename);
+ addr->transport_return = FAIL;
+ goto RETURN;
+ }
}
goto RETURN;
}
+ /* Just in case this is a sticky-bit mail directory, we don't want
+ users to be able to create hard links to other users' files. */
+
+ if (statbuf.st_nlink != 1)
+ {
+ addr->basic_errno = ERRNO_NOTREGULAR;
+ addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
+ filename, islink? " (symlink)" : "", statbuf.st_nlink);
+ goto RETURN;
+
+ }
+
/* If symlinks are permitted (not recommended), the lstat() above will
have found the symlink. Its ownership has just been checked; go round
the loop again, using stat() instead of lstat(). That will never yield a
#ifdef SUPPORT_MBX
else if (ob->use_mbx_lock)
{
+ int mbx_tmp_oflags;
+ struct stat lstatbuf, statbuf2;
if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
ob->use_flock, ob->lock_flock_timeout) >= 0 &&
fstat(fd, &statbuf) >= 0)
sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
(long)statbuf.st_ino);
+ /*
+ * 2010-05-29: SECURITY
+ * Dan Rosenberg reported the presence of a race-condition in the
+ * original code here. Beware that many systems still allow symlinks
+ * to be followed in /tmp so an attacker can create a symlink pointing
+ * elsewhere between a stat and an open, which we should avoid
+ * following.
+ *
+ * It's unfortunate that we can't just use all the heavily debugged
+ * locking from above.
+ *
+ * Also: remember to mirror changes into exim_lock.c */
+
+ /* first leave the old pre-check in place, it provides better
+ * diagnostics for common cases */
if (Ulstat(mbx_lockname, &statbuf) >= 0)
{
if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
}
}
- mbx_lockfd = Uopen(mbx_lockname, O_RDWR | O_CREAT, ob->lockfile_mode);
+ /* If we could just declare "we must be the ones who create this
+ * file" then a hitching post in a subdir would work, since a
+ * subdir directly in /tmp/ which we create wouldn't follow links
+ * but this isn't our locking logic, so we can't safely change the
+ * file existence rules. */
+
+ /* On systems which support O_NOFOLLOW, it's the easiest and most
+ * obviously correct security fix */
+ mbx_tmp_oflags = O_RDWR | O_CREAT;
+#ifdef O_NOFOLLOW
+ mbx_tmp_oflags |= O_NOFOLLOW;
+#endif
+ mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
if (mbx_lockfd < 0)
{
addr->basic_errno = ERRNO_LOCKFAILED;
goto RETURN;
}
+ if (Ulstat(mbx_lockname, &lstatbuf) < 0)
+ {
+ addr->basic_errno = ERRNO_LOCKFAILED;
+ addr->message = string_sprintf("attempting to lstat open MBX "
+ "lock file %s: %s", mbx_lockname, strerror(errno));
+ goto RETURN;
+ }
+ if (fstat(mbx_lockfd, &statbuf2) < 0)
+ {
+ addr->basic_errno = ERRNO_LOCKFAILED;
+ addr->message = string_sprintf("attempting to stat fd of open MBX "
+ "lock file %s: %s", mbx_lockname, strerror(errno));
+ goto RETURN;
+ }
+
+ /*
+ * At this point:
+ * statbuf: if exists, is file which existed prior to opening the
+ * lockfile, might have been replaced since then
+ * statbuf2: result of stat'ing the open fd, is what was actually
+ * opened
+ * lstatbuf: result of lstat'ing the filename immediately after
+ * the open but there's a race condition again between
+ * those two steps: before open, symlink to foo, after
+ * open but before lstat have one of:
+ * * was no symlink, so is the opened file
+ * (we created it, no messing possible after that point)
+ * * hardlink to foo
+ * * symlink elsewhere
+ * * hardlink elsewhere
+ * * new file/other
+ * Don't want to compare to device of /tmp because some modern systems
+ * have regressed to having /tmp be the safe actual filesystem as
+ * valuable data, so is mostly worthless, unless we assume that *only*
+ * Linux systems do this and that all Linux has O_NOFOLLOW. Something
+ * for further consideration.
+ * No point in doing a readlink on the lockfile as that will always be
+ * at a different point in time from when we open it, so tells us
+ * nothing; attempts to clean up and delete after ourselves would risk
+ * deleting a *third* filename.
+ */
+ if ((statbuf2.st_nlink > 1) ||
+ (lstatbuf.st_nlink > 1) ||
+ (!S_ISREG(lstatbuf.st_mode)) ||
+ (lstatbuf.st_dev != statbuf2.st_dev) ||
+ (lstatbuf.st_ino != statbuf2.st_ino))
+ {
+ addr->basic_errno = ERRNO_LOCKFAILED;
+ addr->message = string_sprintf("RACE CONDITION detected: "
+ "mismatch post-initial-checks between \"%s\" and opened "
+ "fd lead us to abort!", mbx_lockname);
+ goto RETURN;
+ }
+
(void)Uchmod(mbx_lockname, ob->lockfile_mode);
if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
"%s/maildirsize", check_path);
return FALSE;
}
+ /* can also return -2, which means that the file was removed because of
+ raciness; but in this case, the size & filecount will still have been
+ updated. */
if (mailbox_size < 0) mailbox_size = size;
if (mailbox_filecount < 0) mailbox_filecount = filecount;
/* Why are these here? Put in because they are present in the non-maildir
directory case above. */
- (void)Uchown(filename, uid, gid);
- (void)Uchmod(filename, mode);
+ if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
+ {
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("while setting perms on maildir %s",
+ filename);
+ return FALSE;
+ }
}
#endif /* SUPPORT_MAILDIR */
/* Why are these here? Put in because they are present in the non-maildir
directory case above. */
- (void)Uchown(filename, uid, gid);
- (void)Uchmod(filename, mode);
+ if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
+ {
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("while setting perms on file %s",
+ filename);
+ return FALSE;
+ }
/* Built a C stream from the open file descriptor. */
Uunlink(filename);
return FALSE;
}
- (void)Uchown(dataname, uid, gid);
- (void)Uchmod(dataname, mode);
+ if(Uchown(dataname, uid, gid) || Uchmod(dataname, mode))
+ {
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("while setting perms on file %s",
+ dataname);
+ return FALSE;
+ }
}
#endif /* SUPPORT_MAILSTORE */
/* In all cases of writing to a new file, ensure that the file which is
going to be renamed has the correct ownership and mode. */
- (void)Uchown(filename, uid, gid);
- (void)Uchmod(filename, mode);
+ if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
+ {
+ addr->basic_errno = errno;
+ addr->message = string_sprintf("while setting perms on file %s",
+ filename);
+ return FALSE;
+ }
}
functions. */
transport_count = 0;
+transport_newlines = 0;
/* Write any configured prefix text first */
if (yield == OK && ob->use_bsmtp)
{
transport_count = 0;
+ transport_newlines = 0;
if (ob->use_crlf) cr = US"\r";
if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
yield = DEFER;
else
{
address_item *a;
+ transport_newlines++;
for (a = addr; a != NULL; a = a->next)
{
address_item *b = testflag(a, af_pfr)? a->parent: a;
if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
{ yield = DEFER; break; }
+ transport_newlines++;
}
if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
yield = DEFER;
+ else
+ transport_newlines++;
}
}
/* If batch smtp, write the terminating dot. */
-if (yield == OK && ob->use_bsmtp &&
- !transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
+if (yield == OK && ob->use_bsmtp ) {
+ if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
+ else transport_newlines++;
+}
/* If MBX format is being used, all that writing was to the temporary file.
However, if there was an earlier failure (Exim quota exceeded, for example),
if (yield == OK)
{
transport_count = 0; /* Reset transport count for actual write */
+ /* No need to reset transport_newlines as we're just using a block copy
+ * routine so the number won't be affected */
yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
}
else if (errno >= 0) dataname = US"temporary file";
if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
-/* Update message_size to the accurate count of bytes written, including
-added headers. */
+/* Update message_size and message_linecount to the accurate count of bytes
+written, including added headers. Note; we subtract 1 from message_linecount as
+this variable doesn't count the new line between the header and the body of the
+message. */
message_size = transport_count;
+message_linecount = transport_newlines - 1;
/* If using a maildir++ quota file, add this message's size to it, and
close the file descriptor, except when the quota has been disabled because we
if (yield == OK && maildirsize_fd >= 0)
maildir_record_length(maildirsize_fd, message_size);
maildir_save_errno = errno; /* Preserve errno while closing the file */
- (void)close(maildirsize_fd);
+ if (maildirsize_fd >= 0)
+ (void)close(maildirsize_fd);
errno = maildir_save_errno;
}
#endif /* SUPPORT_MAILDIR */
investigated so far have ftruncate(), whereas not all have the F_FREESP
fcntl() call (BSDI & FreeBSD do not). */
- if (!isdirectory) (void)ftruncate(fd, saved_size);
+ if (!isdirectory && ftruncate(fd, saved_size))
+ DEBUG(D_transport) debug_printf("Error restting file size\n");
}
/* Handle successful writing - we want the modification time to be now for
projects / exim.git / blobdiff