usr/src/cmd/sendmail/src/recipient.c

root/usr/src/cmd/sendmail/src/recipient.c
/*
 * Copyright (c) 1998-2003, 2006 Sendmail, Inc. and its suppliers.
 *      All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
 */

#include <sendmail.h>

SM_RCSID("@(#)$Id: recipient.c,v 8.349 2007/07/10 17:01:22 ca Exp $")

static void     includetimeout __P((int));
static ADDRESS  *self_reference __P((ADDRESS *));
static int      sortexpensive __P((ADDRESS *, ADDRESS *));
static int      sortbysignature __P((ADDRESS *, ADDRESS *));
static int      sorthost __P((ADDRESS *, ADDRESS *));

typedef int     sortfn_t __P((ADDRESS *, ADDRESS *));

/*
**  SORTHOST -- strcmp()-like func for host portion of an ADDRESS
**
**      Parameters:
**              xx -- first ADDRESS
**              yy -- second ADDRESS
**
**      Returns:
**              <0 when xx->q_host is less than yy->q_host
**              >0 when xx->q_host is greater than yy->q_host
**              0 when equal
*/

static int
sorthost(xx, yy)
        register ADDRESS *xx;
        register ADDRESS *yy;
{
#if _FFR_HOST_SORT_REVERSE
        /* XXX maybe compare hostnames from the end? */
        return sm_strrevcasecmp(xx->q_host, yy->q_host);
#else /* _FFR_HOST_SORT_REVERSE */
        return sm_strcasecmp(xx->q_host, yy->q_host);
#endif /* _FFR_HOST_SORT_REVERSE */
}

/*
**  SORTEXPENSIVE -- strcmp()-like func for expensive mailers
**
**  The mailer has been noted already as "expensive" for 'xx'. This
**  will give a result relative to 'yy'. Expensive mailers get rated
**  "greater than" non-expensive mailers because during the delivery phase
**  it will get queued -- no use it getting in the way of less expensive
**  recipients. We avoid an MX RR lookup when both 'xx' and 'yy' are
**  expensive since an MX RR lookup happens when extracted from the queue
**  later.
**
**      Parameters:
**              xx -- first ADDRESS
**              yy -- second ADDRESS
**
**      Returns:
**              <0 when xx->q_host is less than yy->q_host and both are
**                      expensive
**              >0 when xx->q_host is greater than yy->q_host, or when
**                      'yy' is non-expensive
**              0 when equal (by expense and q_host)
*/

static int
sortexpensive(xx, yy)
        ADDRESS *xx;
        ADDRESS *yy;
{
        if (!bitnset(M_EXPENSIVE, yy->q_mailer->m_flags))
                return 1; /* xx should go later */
#if _FFR_HOST_SORT_REVERSE
        /* XXX maybe compare hostnames from the end? */
        return sm_strrevcasecmp(xx->q_host, yy->q_host);
#else /* _FFR_HOST_SORT_REVERSE */
        return sm_strcasecmp(xx->q_host, yy->q_host);
#endif /* _FFR_HOST_SORT_REVERSE */
}

/*
**  SORTBYSIGNATURE -- a strcmp()-like func for q_mailer and q_host in ADDRESS
**
**      Parameters:
**              xx -- first ADDRESS
**              yy -- second ADDRESS
**
**      Returns:
**              0 when the "signature"'s are same
**              <0 when xx->q_signature is less than yy->q_signature
**              >0 when xx->q_signature is greater than yy->q_signature
**
**      Side Effect:
**              May set ADDRESS pointer for q_signature if not already set.
*/

static int
sortbysignature(xx, yy)
        ADDRESS *xx;
        ADDRESS *yy;
{
        register int ret;

        /* Let's avoid redoing the signature over and over again */
        if (xx->q_signature == NULL)
                xx->q_signature = hostsignature(xx->q_mailer, xx->q_host);
        if (yy->q_signature == NULL)
                yy->q_signature = hostsignature(yy->q_mailer, yy->q_host);
        ret = strcmp(xx->q_signature, yy->q_signature);

        /*
        **  If the two signatures are the same then we will return a sort
        **  value based on 'q_user'. But note that we have reversed xx and yy
        **  on purpose. This additional compare helps reduce the number of
        **  sameaddr() calls and loops in recipient() for the case when
        **  the rcpt list has been provided already in-order.
        */

        if (ret == 0)
                return strcmp(yy->q_user, xx->q_user);
        else
                return ret;
}

/*
**  SENDTOLIST -- Designate a send list.
**
**      The parameter is a comma-separated list of people to send to.
**      This routine arranges to send to all of them.
**
**      Parameters:
**              list -- the send list.
**              ctladdr -- the address template for the person to
**                      send to -- effective uid/gid are important.
**                      This is typically the alias that caused this
**                      expansion.
**              sendq -- a pointer to the head of a queue to put
**                      these people into.
**              aliaslevel -- the current alias nesting depth -- to
**                      diagnose loops.
**              e -- the envelope in which to add these recipients.
**
**      Returns:
**              The number of addresses actually on the list.
*/

/* q_flags bits inherited from ctladdr */
#define QINHERITEDBITS  (QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY|QHASNOTIFY)

int
sendtolist(list, ctladdr, sendq, aliaslevel, e)
        char *list;
        ADDRESS *ctladdr;
        ADDRESS **sendq;
        int aliaslevel;
        register ENVELOPE *e;
{
        register char *p;
        register ADDRESS *SM_NONVOLATILE al; /* list of addresses to send to */
        SM_NONVOLATILE char delimiter;          /* the address delimiter */
        SM_NONVOLATILE int naddrs;
        SM_NONVOLATILE int i;
        char *endp;
        char *oldto = e->e_to;
        char *SM_NONVOLATILE bufp;
        char buf[MAXNAME + 1];

        if (list == NULL)
        {
                syserr("sendtolist: null list");
                return 0;
        }

        if (tTd(25, 1))
        {
                sm_dprintf("sendto: %s\n   ctladdr=", list);
                printaddr(sm_debug_file(), ctladdr, false);
        }

        /* heuristic to determine old versus new style addresses */
        if (ctladdr == NULL &&
            (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
             strchr(list, '<') != NULL || strchr(list, '(') != NULL))
                e->e_flags &= ~EF_OLDSTYLE;
        delimiter = ' ';
        if (!bitset(EF_OLDSTYLE, e->e_flags) || ctladdr != NULL)
                delimiter = ',';

        al = NULL;
        naddrs = 0;

        /* make sure we have enough space to copy the string */
        i = strlen(list) + 1;
        if (i <= sizeof(buf))
        {
                bufp = buf;
                i = sizeof(buf);
        }
        else
                bufp = sm_malloc_x(i);
        endp = bufp + i;

        SM_TRY
        {
                (void) sm_strlcpy(bufp, denlstring(list, false, true), i);

                macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r");
                for (p = bufp; *p != '\0'; )
                {
                        auto char *delimptr;
                        register ADDRESS *a;

                        SM_ASSERT(p < endp);

                        /* parse the address */
                        while ((isascii(*p) && isspace(*p)) || *p == ',')
                                p++;
                        SM_ASSERT(p < endp);
                        a = parseaddr(p, NULLADDR, RF_COPYALL, delimiter,
                                      &delimptr, e, true);
                        p = delimptr;
                        SM_ASSERT(p < endp);
                        if (a == NULL)
                                continue;
                        a->q_next = al;
                        a->q_alias = ctladdr;

                        /* arrange to inherit attributes from parent */
                        if (ctladdr != NULL)
                        {
                                ADDRESS *b;

                                /* self reference test */
                                if (sameaddr(ctladdr, a))
                                {
                                        if (tTd(27, 5))
                                        {
                                                sm_dprintf("sendtolist: QSELFREF ");
                                                printaddr(sm_debug_file(), ctladdr, false);
                                        }
                                        ctladdr->q_flags |= QSELFREF;
                                }

                                /* check for address loops */
                                b = self_reference(a);
                                if (b != NULL)
                                {
                                        b->q_flags |= QSELFREF;
                                        if (tTd(27, 5))
                                        {
                                                sm_dprintf("sendtolist: QSELFREF ");
                                                printaddr(sm_debug_file(), b, false);
                                        }
                                        if (a != b)
                                        {
                                                if (tTd(27, 5))
                                                {
                                                        sm_dprintf("sendtolist: QS_DONTSEND ");
                                                        printaddr(sm_debug_file(), a, false);
                                                }
                                                a->q_state = QS_DONTSEND;
                                                b->q_flags |= a->q_flags & QNOTREMOTE;
                                                continue;
                                        }
                                }

                                /* full name */
                                if (a->q_fullname == NULL)
                                        a->q_fullname = ctladdr->q_fullname;

                                /* various flag bits */
                                a->q_flags &= ~QINHERITEDBITS;
                                a->q_flags |= ctladdr->q_flags & QINHERITEDBITS;

                                /* DSN recipient information */
                                a->q_finalrcpt = ctladdr->q_finalrcpt;
                                a->q_orcpt = ctladdr->q_orcpt;
                        }

                        al = a;
                }

                /* arrange to send to everyone on the local send list */
                while (al != NULL)
                {
                        register ADDRESS *a = al;

                        al = a->q_next;
                        a = recipient(a, sendq, aliaslevel, e);
                        naddrs++;
                }
        }
        SM_FINALLY
        {
                e->e_to = oldto;
                if (bufp != buf)
                        sm_free(bufp);
                macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
        }
        SM_END_TRY
        return naddrs;
}

#if MILTER
/*
**  REMOVEFROMLIST -- Remove addresses from a send list.
**
**      The parameter is a comma-separated list of recipients to remove.
**      Note that it only deletes matching addresses.  If those addresses
**      have been expanded already in the sendq, it won't mark the
**      expanded recipients as QS_REMOVED.
**
**      Parameters:
**              list -- the list to remove.
**              sendq -- a pointer to the head of a queue to remove
**                      these addresses from.
**              e -- the envelope in which to remove these recipients.
**
**      Returns:
**              The number of addresses removed from the list.
**
*/

int
removefromlist(list, sendq, e)
        char *list;
        ADDRESS **sendq;
        ENVELOPE *e;
{
        SM_NONVOLATILE char delimiter;          /* the address delimiter */
        SM_NONVOLATILE int naddrs;
        SM_NONVOLATILE int i;
        char *p;
        char *oldto = e->e_to;
        char *SM_NONVOLATILE bufp;
        char buf[MAXNAME + 1];

        if (list == NULL)
        {
                syserr("removefromlist: null list");
                return 0;
        }

        if (tTd(25, 1))
                sm_dprintf("removefromlist: %s\n", list);

        /* heuristic to determine old versus new style addresses */
        if (strchr(list, ',') != NULL || strchr(list, ';') != NULL ||
            strchr(list, '<') != NULL || strchr(list, '(') != NULL)
                e->e_flags &= ~EF_OLDSTYLE;
        delimiter = ' ';
        if (!bitset(EF_OLDSTYLE, e->e_flags))
                delimiter = ',';

        naddrs = 0;

        /* make sure we have enough space to copy the string */
        i = strlen(list) + 1;
        if (i <= sizeof(buf))
        {
                bufp = buf;
                i = sizeof(buf);
        }
        else
                bufp = sm_malloc_x(i);

        SM_TRY
        {
                (void) sm_strlcpy(bufp, denlstring(list, false, true), i);

#if _FFR_ADDR_TYPE_MODES
                if (AddrTypeModes)
                        macdefine(&e->e_macro, A_PERM, macid("{addr_type}"),
                                  "e r d");
                else
#endif /* _FFR_ADDR_TYPE_MODES */
                macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e r");
                for (p = bufp; *p != '\0'; )
                {
                        ADDRESS a;      /* parsed address to be removed */
                        ADDRESS *q;
                        ADDRESS **pq;
                        char *delimptr;

                        /* parse the address */
                        while ((isascii(*p) && isspace(*p)) || *p == ',')
                                p++;
                        if (parseaddr(p, &a, RF_COPYALL|RF_RM_ADDR,
                                      delimiter, &delimptr, e, true) == NULL)
                        {
                                p = delimptr;
                                continue;
                        }
                        p = delimptr;
                        for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
                        {
                                if (!QS_IS_DEAD(q->q_state) &&
                                    (sameaddr(q, &a) ||
                                     strcmp(q->q_paddr, a.q_paddr) == 0))
                                {
                                        if (tTd(25, 5))
                                        {
                                                sm_dprintf("removefromlist: QS_REMOVED ");
                                                printaddr(sm_debug_file(), &a, false);
                                        }
                                        q->q_state = QS_REMOVED;
                                        naddrs++;
                                        break;
                                }
                        }
                }
        }
        SM_FINALLY
        {
                e->e_to = oldto;
                if (bufp != buf)
                        sm_free(bufp);
                macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
        }
        SM_END_TRY
        return naddrs;
}
#endif /* MILTER */

/*
**  RECIPIENT -- Designate a message recipient
**      Saves the named person for future mailing (after some checks).
**
**      Parameters:
**              new -- the (preparsed) address header for the recipient.
**              sendq -- a pointer to the head of a queue to put the
**                      recipient in.  Duplicate suppression is done
**                      in this queue.
**              aliaslevel -- the current alias nesting depth.
**              e -- the current envelope.
**
**      Returns:
**              The actual address in the queue.  This will be "a" if
**              the address is not a duplicate, else the original address.
**
*/

ADDRESS *
recipient(new, sendq, aliaslevel, e)
        register ADDRESS *new;
        register ADDRESS **sendq;
        int aliaslevel;
        register ENVELOPE *e;
{
        register ADDRESS *q;
        ADDRESS **pq;
        ADDRESS **prev;
        register struct mailer *m;
        register char *p;
        int i, buflen;
        bool quoted;            /* set if the addr has a quote bit */
        bool insert;
        int findusercount;
        bool initialdontsend;
        char *buf;
        char buf0[MAXNAME + 1];         /* unquoted image of the user name */
        sortfn_t *sortfn;

        p = NULL;
        quoted = false;
        insert = false;
        findusercount = 0;
        initialdontsend = QS_IS_DEAD(new->q_state);
        e->e_to = new->q_paddr;
        m = new->q_mailer;
        errno = 0;
        if (aliaslevel == 0)
                new->q_flags |= QPRIMARY;
        if (tTd(26, 1))
        {
                sm_dprintf("\nrecipient (%d): ", aliaslevel);
                printaddr(sm_debug_file(), new, false);
        }

        /* if this is primary, use it as original recipient */
        if (new->q_alias == NULL)
        {
                if (e->e_origrcpt == NULL)
                        e->e_origrcpt = new->q_paddr;
                else if (e->e_origrcpt != new->q_paddr)
                        e->e_origrcpt = "";
        }

        /* find parent recipient for finalrcpt and orcpt */
        for (q = new; q->q_alias != NULL; q = q->q_alias)
                continue;

        /* find final recipient DSN address */
        if (new->q_finalrcpt == NULL &&
            e->e_from.q_mailer != NULL)
        {
                char frbuf[MAXLINE];

                p = e->e_from.q_mailer->m_addrtype;
                if (p == NULL)
                        p = "rfc822";
                if (sm_strcasecmp(p, "rfc822") != 0)
                {
                        (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
                                           q->q_mailer->m_addrtype,
                                           q->q_user);
                }
                else if (strchr(q->q_user, '@') != NULL)
                {
                        (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
                                           p, q->q_user);
                }
                else if (strchr(q->q_paddr, '@') != NULL)
                {
                        char *qp;
                        bool b;

                        qp = q->q_paddr;

                        /* strip brackets from address */
                        b = false;
                        if (*qp == '<')
                        {
                                b = qp[strlen(qp) - 1] == '>';
                                if (b)
                                        qp[strlen(qp) - 1] = '\0';
                                qp++;
                        }
                        (void) sm_snprintf(frbuf, sizeof(frbuf), "%s; %.800s",
                                           p, qp);

                        /* undo damage */
                        if (b)
                                qp[strlen(qp)] = '>';
                }
                else
                {
                        (void) sm_snprintf(frbuf, sizeof(frbuf),
                                           "%s; %.700s@%.100s",
                                           p, q->q_user, MyHostName);
                }
                new->q_finalrcpt = sm_rpool_strdup_x(e->e_rpool, frbuf);
        }

#if _FFR_GEN_ORCPT
        /* set ORCPT DSN arg if not already set */
        if (new->q_orcpt == NULL)
        {
                /* check for an existing ORCPT */
                if (q->q_orcpt != NULL)
                        new->q_orcpt = q->q_orcpt;
                else
                {
                        /* make our own */
                        bool b = false;
                        char *qp;
                        char obuf[MAXLINE];

                        if (e->e_from.q_mailer != NULL)
                                p = e->e_from.q_mailer->m_addrtype;
                        if (p == NULL)
                                p = "rfc822";
                        (void) sm_strlcpyn(obuf, sizeof(obuf), 2, p, ";");

                        qp = q->q_paddr;

                        /* FFR: Needs to strip comments from stdin addrs */

                        /* strip brackets from address */
                        if (*qp == '<')
                        {
                                b = qp[strlen(qp) - 1] == '>';
                                if (b)
                                        qp[strlen(qp) - 1] = '\0';
                                qp++;
                        }

                        p = xtextify(denlstring(qp, true, false), "=");

                        if (sm_strlcat(obuf, p, sizeof(obuf)) >= sizeof(obuf))
                        {
                                /* if too big, don't use it */
                                obuf[0] = '\0';
                        }

                        /* undo damage */
                        if (b)
                                qp[strlen(qp)] = '>';

                        if (obuf[0] != '\0')
                                new->q_orcpt =
                                        sm_rpool_strdup_x(e->e_rpool, obuf);
                }
        }
#endif /* _FFR_GEN_ORCPT */

        /* break aliasing loops */
        if (aliaslevel > MaxAliasRecursion)
        {
                new->q_state = QS_BADADDR;
                new->q_status = "5.4.6";
                if (new->q_alias != NULL)
                {
                        new->q_alias->q_state = QS_BADADDR;
                        new->q_alias->q_status = "5.4.6";
                }
                if ((SuprErrs || !LogUsrErrs) && LogLevel > 0)
                {
                        sm_syslog(LOG_ERR, e->e_id,
                                "aliasing/forwarding loop broken: %s (%d aliases deep; %d max)",
                                FileName != NULL ? FileName : "", aliaslevel,
                                MaxAliasRecursion);
                }
                usrerrenh(new->q_status,
                          "554 aliasing/forwarding loop broken (%d aliases deep; %d max)",
                          aliaslevel, MaxAliasRecursion);
                return new;
        }

        /*
        **  Finish setting up address structure.
        */

        /* get unquoted user for file, program or user.name check */
        i = strlen(new->q_user);
        if (i >= sizeof(buf0))
        {
                buflen = i + 1;
                buf = xalloc(buflen);
        }
        else
        {
                buf = buf0;
                buflen = sizeof(buf0);
        }
        (void) sm_strlcpy(buf, new->q_user, buflen);
        for (p = buf; *p != '\0' && !quoted; p++)
        {
                if (*p == '\\')
                        quoted = true;
        }
        stripquotes(buf);

        /* check for direct mailing to restricted mailers */
        if (m == ProgMailer)
        {
                if (new->q_alias == NULL || UseMSP ||
                    bitset(EF_UNSAFE, e->e_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        usrerrenh(new->q_status,
                                  "550 Cannot mail directly to programs");
                }
                else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        if (new->q_alias->q_ruser == NULL)
                                usrerrenh(new->q_status,
                                          "550 UID %d is an unknown user: cannot mail to programs",
                                          new->q_alias->q_uid);
                        else
                                usrerrenh(new->q_status,
                                          "550 User %s@%s doesn't have a valid shell for mailing to programs",
                                          new->q_alias->q_ruser, MyHostName);
                }
                else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        new->q_rstatus = "550 Unsafe for mailing to programs";
                        usrerrenh(new->q_status,
                                  "550 Address %s is unsafe for mailing to programs",
                                  new->q_alias->q_paddr);
                }
        }

        /*
        **  Look up this person in the recipient list.
        **      If they are there already, return, otherwise continue.
        **      If the list is empty, just add it.  Notice the cute
        **      hack to make from addresses suppress things correctly:
        **      the QS_DUPLICATE state will be set in the send list.
        **      [Please note: the emphasis is on "hack."]
        */

        prev = NULL;

        /*
        **  If this message is going to the queue or FastSplit is set
        **  and it is the first try and the envelope hasn't split, then we
        **  avoid doing an MX RR lookup now because one will be done when the
        **  message is extracted from the queue later. It can go to the queue
        **  because all messages are going to the queue or this mailer of
        **  the current recipient is marked expensive.
        */

        if (UseMSP || WILL_BE_QUEUED(e->e_sendmode) ||
            (!bitset(EF_SPLIT, e->e_flags) && e->e_ntries == 0 &&
             FastSplit > 0))
                sortfn = sorthost;
        else if (NoConnect && bitnset(M_EXPENSIVE, new->q_mailer->m_flags))
                sortfn = sortexpensive;
        else
                sortfn = sortbysignature;

        for (pq = sendq; (q = *pq) != NULL; pq = &q->q_next)
        {
                /*
                **  If address is "less than" it should be inserted now.
                **  If address is "greater than" current comparison it'll
                **  insert later in the list; so loop again (if possible).
                **  If address is "equal" (different equal than sameaddr()
                **  call) then check if sameaddr() will be true.
                **  Because this list is now sorted, it'll mean fewer
                **  comparisons and fewer loops which is important for more
                **  recipients.
                */

                i = (*sortfn)(new, q);
                if (i == 0) /* equal */
                {
                        /*
                        **  Sortbysignature() has said that the two have
                        **  equal MX RR's and the same user. Calling sameaddr()
                        **  now checks if the two hosts are as identical as the
                        **  MX RR's are (which might not be the case)
                        **  before saying these are the identical addresses.
                        */

                        if (sameaddr(q, new) &&
                            (bitset(QRCPTOK, q->q_flags) ||
                             !bitset(QPRIMARY, q->q_flags)))
                        {
                                if (tTd(26, 1))
                                {
                                        sm_dprintf("%s in sendq: ",
                                                   new->q_paddr);
                                        printaddr(sm_debug_file(), q, false);
                                }
                                if (!bitset(QPRIMARY, q->q_flags))
                                {
                                        if (!QS_IS_DEAD(new->q_state))
                                                message("duplicate suppressed");
                                        else
                                                q->q_state = QS_DUPLICATE;
                                        q->q_flags |= new->q_flags;
                                }
                                else if (bitset(QSELFREF, q->q_flags)
                                         || q->q_state == QS_REMOVED)
                                {
                                        /*
                                        **  If an earlier milter removed the
                                        **  address, a later one can still add
                                        **  it back.
                                        */

                                        q->q_state = new->q_state;
                                        q->q_flags |= new->q_flags;
                                }
                                new = q;
                                goto done;
                        }
                }
                else if (i < 0) /* less than */
                {
                        insert = true;
                        break;
                }
                prev = pq;
        }

        /* pq should point to an address, never NULL */
        SM_ASSERT(pq != NULL);

        /* add address on list */
        if (insert)
        {
                /*
                **  insert before 'pq'. Only possible when at least 1
                **  ADDRESS is in the list already.
                */

                new->q_next = *pq;
                if (prev == NULL)
                        *sendq = new; /* To be the first ADDRESS */
                else
                        (*prev)->q_next = new;
        }
        else
        {
                /*
                **  Place in list at current 'pq' position. Possible
                **  when there are 0 or more ADDRESS's in the list.
                */

                new->q_next = NULL;
                *pq = new;
        }

        /* added a new address: clear split flag */
        e->e_flags &= ~EF_SPLIT;

        /*
        **  Alias the name and handle special mailer types.
        */

  trylocaluser:
        if (tTd(29, 7))
        {
                sm_dprintf("at trylocaluser: ");
                printaddr(sm_debug_file(), new, false);
        }

        if (!QS_IS_OK(new->q_state))
        {
                if (QS_IS_UNDELIVERED(new->q_state))
                        e->e_nrcpts++;
                goto testselfdestruct;
        }

        if (m == InclMailer)
        {
                new->q_state = QS_INCLUDED;
                if (new->q_alias == NULL || UseMSP ||
                    bitset(EF_UNSAFE, e->e_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        usrerrenh(new->q_status,
                                  "550 Cannot mail directly to :include:s");
                }
                else
                {
                        int ret;

                        message("including file %s", new->q_user);
                        ret = include(new->q_user, false, new,
                                      sendq, aliaslevel, e);
                        if (transienterror(ret))
                        {
                                if (LogLevel > 2)
                                        sm_syslog(LOG_ERR, e->e_id,
                                                  "include %s: transient error: %s",
                                                  shortenstring(new->q_user,
                                                                MAXSHORTSTR),
                                                                sm_errstring(ret));
                                new->q_state = QS_QUEUEUP;
                                usrerr("451 4.2.4 Cannot open %s: %s",
                                        shortenstring(new->q_user,
                                                      MAXSHORTSTR),
                                        sm_errstring(ret));
                        }
                        else if (ret != 0)
                        {
                                new->q_state = QS_BADADDR;
                                new->q_status = "5.2.4";
                                usrerrenh(new->q_status,
                                          "550 Cannot open %s: %s",
                                          shortenstring(new->q_user,
                                                        MAXSHORTSTR),
                                          sm_errstring(ret));
                        }
                }
        }
        else if (m == FileMailer)
        {
                /* check if allowed */
                if (new->q_alias == NULL || UseMSP ||
                    bitset(EF_UNSAFE, e->e_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        usrerrenh(new->q_status,
                                  "550 Cannot mail directly to files");
                }
                else if (bitset(QBOGUSSHELL, new->q_alias->q_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        if (new->q_alias->q_ruser == NULL)
                                usrerrenh(new->q_status,
                                          "550 UID %d is an unknown user: cannot mail to files",
                                          new->q_alias->q_uid);
                        else
                                usrerrenh(new->q_status,
                                          "550 User %s@%s doesn't have a valid shell for mailing to files",
                                          new->q_alias->q_ruser, MyHostName);
                }
                else if (bitset(QUNSAFEADDR, new->q_alias->q_flags))
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.7.1";
                        new->q_rstatus = "550 Unsafe for mailing to files";
                        usrerrenh(new->q_status,
                                  "550 Address %s is unsafe for mailing to files",
                                  new->q_alias->q_paddr);
                }
        }

        /* try aliasing */
        if (!quoted && QS_IS_OK(new->q_state) &&
            bitnset(M_ALIASABLE, m->m_flags))
                alias(new, sendq, aliaslevel, e);

#if USERDB
        /* if not aliased, look it up in the user database */
        if (!bitset(QNOTREMOTE, new->q_flags) &&
            QS_IS_SENDABLE(new->q_state) &&
            bitnset(M_CHECKUDB, m->m_flags))
        {
                if (udbexpand(new, sendq, aliaslevel, e) == EX_TEMPFAIL)
                {
                        new->q_state = QS_QUEUEUP;
                        if (e->e_message == NULL)
                                e->e_message = sm_rpool_strdup_x(e->e_rpool,
                                                "Deferred: user database error");
                        if (new->q_message == NULL)
                                new->q_message = "Deferred: user database error";
                        if (LogLevel > 8)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "deferred: udbexpand: %s",
                                          sm_errstring(errno));
                        message("queued (user database error): %s",
                                sm_errstring(errno));
                        e->e_nrcpts++;
                        goto testselfdestruct;
                }
        }
#endif /* USERDB */

        /*
        **  If we have a level two config file, then pass the name through
        **  Ruleset 5 before sending it off.  Ruleset 5 has the right
        **  to rewrite it to another mailer.  This gives us a hook
        **  after local aliasing has been done.
        */

        if (tTd(29, 5))
        {
                sm_dprintf("recipient: testing local?  cl=%d, rr5=%p\n\t",
                           ConfigLevel, RewriteRules[5]);
                printaddr(sm_debug_file(), new, false);
        }
        if (ConfigLevel >= 2 && RewriteRules[5] != NULL &&
            bitnset(M_TRYRULESET5, m->m_flags) &&
            !bitset(QNOTREMOTE, new->q_flags) &&
            QS_IS_OK(new->q_state))
        {
                maplocaluser(new, sendq, aliaslevel + 1, e);
        }

        /*
        **  If it didn't get rewritten to another mailer, go ahead
        **  and deliver it.
        */

        if (QS_IS_OK(new->q_state) &&
            bitnset(M_HASPWENT, m->m_flags))
        {
                auto bool fuzzy;
                SM_MBDB_T user;
                int status;

                /* warning -- finduser may trash buf */
                status = finduser(buf, &fuzzy, &user);
                switch (status)
                {
                  case EX_TEMPFAIL:
                        new->q_state = QS_QUEUEUP;
                        new->q_status = "4.5.2";
                        giveresponse(EX_TEMPFAIL, new->q_status, m, NULL,
                                     new->q_alias, (time_t) 0, e, new);
                        break;
                  default:
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.1.1";
                        new->q_rstatus = "550 5.1.1 User unknown";
                        giveresponse(EX_NOUSER, new->q_status, m, NULL,
                                     new->q_alias, (time_t) 0, e, new);
                        break;
                  case EX_OK:
                        if (fuzzy)
                        {
                                /* name was a fuzzy match */
                                new->q_user = sm_rpool_strdup_x(e->e_rpool,
                                                                user.mbdb_name);
                                if (findusercount++ > 3)
                                {
                                        new->q_state = QS_BADADDR;
                                        new->q_status = "5.4.6";
                                        usrerrenh(new->q_status,
                                                  "554 aliasing/forwarding loop for %s broken",
                                                  user.mbdb_name);
                                        goto done;
                                }

                                /* see if it aliases */
                                (void) sm_strlcpy(buf, user.mbdb_name, buflen);
                                goto trylocaluser;
                        }
                        if (*user.mbdb_homedir == '\0')
                                new->q_home = NULL;
                        else if (strcmp(user.mbdb_homedir, "/") == 0)
                                new->q_home = "";
                        else
                                new->q_home = sm_rpool_strdup_x(e->e_rpool,
                                                        user.mbdb_homedir);
                        if (user.mbdb_uid != SM_NO_UID)
                        {
                                new->q_uid = user.mbdb_uid;
                                new->q_gid = user.mbdb_gid;
                                new->q_flags |= QGOODUID;
                        }
                        new->q_ruser = sm_rpool_strdup_x(e->e_rpool,
                                                         user.mbdb_name);
                        if (user.mbdb_fullname[0] != '\0')
                                new->q_fullname = sm_rpool_strdup_x(e->e_rpool,
                                                        user.mbdb_fullname);
                        if (!usershellok(user.mbdb_name, user.mbdb_shell))
                        {
                                new->q_flags |= QBOGUSSHELL;
                        }
                        if (bitset(EF_VRFYONLY, e->e_flags))
                        {
                                /* don't do any more now */
                                new->q_state = QS_VERIFIED;
                        }
                        else if (!quoted)
                                forward(new, sendq, aliaslevel, e);
                }
        }
        if (!QS_IS_DEAD(new->q_state))
                e->e_nrcpts++;

  testselfdestruct:
        new->q_flags |= QTHISPASS;
        if (tTd(26, 8))
        {
                sm_dprintf("testselfdestruct: ");
                printaddr(sm_debug_file(), new, false);
                if (tTd(26, 10))
                {
                        sm_dprintf("SENDQ:\n");
                        printaddr(sm_debug_file(), *sendq, true);
                        sm_dprintf("----\n");
                }
        }
        if (new->q_alias == NULL && new != &e->e_from &&
            QS_IS_DEAD(new->q_state))
        {
                for (q = *sendq; q != NULL; q = q->q_next)
                {
                        if (!QS_IS_DEAD(q->q_state))
                                break;
                }
                if (q == NULL)
                {
                        new->q_state = QS_BADADDR;
                        new->q_status = "5.4.6";
                        usrerrenh(new->q_status,
                                  "554 aliasing/forwarding loop broken");
                }
        }

  done:
        new->q_flags |= QTHISPASS;
        if (buf != buf0)
                sm_free(buf); /* XXX leak if above code raises exception */

        /*
        **  If we are at the top level, check to see if this has
        **  expanded to exactly one address.  If so, it can inherit
        **  the primaryness of the address.
        **
        **  While we're at it, clear the QTHISPASS bits.
        */

        if (aliaslevel == 0)
        {
                int nrcpts = 0;
                ADDRESS *only = NULL;

                for (q = *sendq; q != NULL; q = q->q_next)
                {
                        if (bitset(QTHISPASS, q->q_flags) &&
                            QS_IS_SENDABLE(q->q_state))
                        {
                                nrcpts++;
                                only = q;
                        }
                        q->q_flags &= ~QTHISPASS;
                }
                if (nrcpts == 1)
                {
                        /* check to see if this actually got a new owner */
                        q = only;
                        while ((q = q->q_alias) != NULL)
                        {
                                if (q->q_owner != NULL)
                                        break;
                        }
                        if (q == NULL)
                                only->q_flags |= QPRIMARY;
                }
                else if (!initialdontsend && nrcpts > 0)
                {
                        /* arrange for return receipt */
                        e->e_flags |= EF_SENDRECEIPT;
                        new->q_flags |= QEXPANDED;
                        if (e->e_xfp != NULL &&
                            bitset(QPINGONSUCCESS, new->q_flags))
                                (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                                     "%s... expanded to multiple addresses\n",
                                                     new->q_paddr);
                }
        }
        new->q_flags |= QRCPTOK;
        (void) sm_snprintf(buf0, sizeof(buf0), "%d", e->e_nrcpts);
        macdefine(&e->e_macro, A_TEMP, macid("{nrcpts}"), buf0);
        return new;
}

/*
**  FINDUSER -- find the password entry for a user.
**
**      This looks a lot like getpwnam, except that it may want to
**      do some fancier pattern matching in /etc/passwd.
**
**      This routine contains most of the time of many sendmail runs.
**      It deserves to be optimized.
**
**      Parameters:
**              name -- the name to match against.
**              fuzzyp -- an outarg that is set to true if this entry
**                      was found using the fuzzy matching algorithm;
**                      set to false otherwise.
**              user -- structure to fill in if user is found
**
**      Returns:
**              On success, fill in *user, set *fuzzyp and return EX_OK.
**              If the user was not found, return EX_NOUSER.
**              On error, return EX_TEMPFAIL or EX_OSERR.
**
**      Side Effects:
**              may modify name.
*/

int
finduser(name, fuzzyp, user)
        char *name;
        bool *fuzzyp;
        SM_MBDB_T *user;
{
#if MATCHGECOS
        register struct passwd *pw;
#endif /* MATCHGECOS */
        register char *p;
        bool tryagain;
        int status;

        if (tTd(29, 4))
                sm_dprintf("finduser(%s): ", name);

        *fuzzyp = false;

#if HESIOD
        /* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
        for (p = name; *p != '\0'; p++)
                if (!isascii(*p) || !isdigit(*p))
                        break;
        if (*p == '\0')
        {
                if (tTd(29, 4))
                        sm_dprintf("failed (numeric input)\n");
                return EX_NOUSER;
        }
#endif /* HESIOD */

        /* look up this login name using fast path */
        status = sm_mbdb_lookup(name, user);
        if (status != EX_NOUSER)
        {
                if (tTd(29, 4))
                        sm_dprintf("%s (non-fuzzy)\n", sm_strexit(status));
                return status;
        }

        /* try mapping it to lower case */
        tryagain = false;
        for (p = name; *p != '\0'; p++)
        {
                if (isascii(*p) && isupper(*p))
                {
                        *p = tolower(*p);
                        tryagain = true;
                }
        }
        if (tryagain && (status = sm_mbdb_lookup(name, user)) != EX_NOUSER)
        {
                if (tTd(29, 4))
                        sm_dprintf("%s (lower case)\n", sm_strexit(status));
                *fuzzyp = true;
                return status;
        }

#if MATCHGECOS
        /* see if fuzzy matching allowed */
        if (!MatchGecos)
        {
                if (tTd(29, 4))
                        sm_dprintf("not found (fuzzy disabled)\n");
                return EX_NOUSER;
        }

        /* search for a matching full name instead */
        for (p = name; *p != '\0'; p++)
        {
                if (*p == (SpaceSub & 0177) || *p == '_')
                        *p = ' ';
        }
        (void) setpwent();
        while ((pw = getpwent()) != NULL)
        {
                char buf[MAXNAME + 1];

# if 0
                if (sm_strcasecmp(pw->pw_name, name) == 0)
                {
                        if (tTd(29, 4))
                                sm_dprintf("found (case wrapped)\n");
                        break;
                }
# endif /* 0 */

                sm_pwfullname(pw->pw_gecos, pw->pw_name, buf, sizeof(buf));
                if (strchr(buf, ' ') != NULL && sm_strcasecmp(buf, name) == 0)
                {
                        if (tTd(29, 4))
                                sm_dprintf("fuzzy matches %s\n", pw->pw_name);
                        message("sending to login name %s", pw->pw_name);
                        break;
                }
        }
        if (pw != NULL)
                *fuzzyp = true;
        else if (tTd(29, 4))
                sm_dprintf("no fuzzy match found\n");
# if DEC_OSF_BROKEN_GETPWENT    /* DEC OSF/1 3.2 or earlier */
        endpwent();
# endif /* DEC_OSF_BROKEN_GETPWENT */
        if (pw == NULL)
                return EX_NOUSER;
        sm_mbdb_frompw(user, pw);
        return EX_OK;
#else /* MATCHGECOS */
        if (tTd(29, 4))
                sm_dprintf("not found (fuzzy disabled)\n");
        return EX_NOUSER;
#endif /* MATCHGECOS */
}

/*
**  WRITABLE -- predicate returning if the file is writable.
**
**      This routine must duplicate the algorithm in sys/fio.c.
**      Unfortunately, we cannot use the access call since we
**      won't necessarily be the real uid when we try to
**      actually open the file.
**
**      Notice that ANY file with ANY execute bit is automatically
**      not writable.  This is also enforced by mailfile.
**
**      Parameters:
**              filename -- the file name to check.
**              ctladdr -- the controlling address for this file.
**              flags -- SFF_* flags to control the function.
**
**      Returns:
**              true -- if we will be able to write this file.
**              false -- if we cannot write this file.
**
**      Side Effects:
**              none.
*/

bool
writable(filename, ctladdr, flags)
        char *filename;
        ADDRESS *ctladdr;
        long flags;
{
        uid_t euid = 0;
        gid_t egid = 0;
        char *user = NULL;

        if (tTd(44, 5))
                sm_dprintf("writable(%s, 0x%lx)\n", filename, flags);

        /*
        **  File does exist -- check that it is writable.
        */

        if (geteuid() != 0)
        {
                euid = geteuid();
                egid = getegid();
                user = NULL;
        }
        else if (ctladdr != NULL)
        {
                euid = ctladdr->q_uid;
                egid = ctladdr->q_gid;
                user = ctladdr->q_user;
        }
        else if (bitset(SFF_RUNASREALUID, flags))
        {
                euid = RealUid;
                egid = RealGid;
                user = RealUserName;
        }
        else if (FileMailer != NULL && !bitset(SFF_ROOTOK, flags))
        {
                if (FileMailer->m_uid == NO_UID)
                {
                        euid = DefUid;
                        user = DefUser;
                }
                else
                {
                        euid = FileMailer->m_uid;
                        user = NULL;
                }
                if (FileMailer->m_gid == NO_GID)
                        egid = DefGid;
                else
                        egid = FileMailer->m_gid;
        }
        else
        {
                euid = egid = 0;
                user = NULL;
        }
        if (!bitset(SFF_ROOTOK, flags))
        {
                if (euid == 0)
                {
                        euid = DefUid;
                        user = DefUser;
                }
                if (egid == 0)
                        egid = DefGid;
        }
        if (geteuid() == 0 &&
            (ctladdr == NULL || !bitset(QGOODUID, ctladdr->q_flags)))
                flags |= SFF_SETUIDOK;

        if (!bitnset(DBS_FILEDELIVERYTOSYMLINK, DontBlameSendmail))
                flags |= SFF_NOSLINK;
        if (!bitnset(DBS_FILEDELIVERYTOHARDLINK, DontBlameSendmail))
                flags |= SFF_NOHLINK;

        errno = safefile(filename, euid, egid, user, flags, S_IWRITE, NULL);
        return errno == 0;
}

/*
**  INCLUDE -- handle :include: specification.
**
**      Parameters:
**              fname -- filename to include.
**              forwarding -- if true, we are reading a .forward file.
**                      if false, it's a :include: file.
**              ctladdr -- address template to use to fill in these
**                      addresses -- effective user/group id are
**                      the important things.
**              sendq -- a pointer to the head of the send queue
**                      to put these addresses in.
**              aliaslevel -- the alias nesting depth.
**              e -- the current envelope.
**
**      Returns:
**              open error status
**
**      Side Effects:
**              reads the :include: file and sends to everyone
**              listed in that file.
**
**      Security Note:
**              If you have restricted chown (that is, you can't
**              give a file away), it is reasonable to allow programs
**              and files called from this :include: file to be to be
**              run as the owner of the :include: file.  This is bogus
**              if there is any chance of someone giving away a file.
**              We assume that pre-POSIX systems can give away files.
**
**              There is an additional restriction that if you
**              forward to a :include: file, it will not take on
**              the ownership of the :include: file.  This may not
**              be necessary, but shouldn't hurt.
*/

static jmp_buf  CtxIncludeTimeout;

int
include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
        char *fname;
        bool forwarding;
        ADDRESS *ctladdr;
        ADDRESS **sendq;
        int aliaslevel;
        ENVELOPE *e;
{
        SM_FILE_T *volatile fp = NULL;
        char *oldto = e->e_to;
        char *oldfilename = FileName;
        int oldlinenumber = LineNumber;
        register SM_EVENT *ev = NULL;
        int nincludes;
        int mode;
        volatile bool maxreached = false;
        register ADDRESS *ca;
        volatile uid_t saveduid;
        volatile gid_t savedgid;
        volatile uid_t uid;
        volatile gid_t gid;
        char *volatile user;
        int rval = 0;
        volatile long sfflags = SFF_REGONLY;
        register char *p;
        bool safechown = false;
        volatile bool safedir = false;
        struct stat st;
        char buf[MAXLINE];

        if (tTd(27, 2))
                sm_dprintf("include(%s)\n", fname);
        if (tTd(27, 4))
                sm_dprintf("   ruid=%d euid=%d\n",
                        (int) getuid(), (int) geteuid());
        if (tTd(27, 14))
        {
                sm_dprintf("ctladdr ");
                printaddr(sm_debug_file(), ctladdr, false);
        }

        if (tTd(27, 9))
                sm_dprintf("include: old uid = %d/%d\n",
                           (int) getuid(), (int) geteuid());

        if (forwarding)
        {
                sfflags |= SFF_MUSTOWN|SFF_ROOTOK;
                if (!bitnset(DBS_GROUPWRITABLEFORWARDFILE, DontBlameSendmail))
                        sfflags |= SFF_NOGWFILES;
                if (!bitnset(DBS_WORLDWRITABLEFORWARDFILE, DontBlameSendmail))
                        sfflags |= SFF_NOWWFILES;
        }
        else
        {
                if (!bitnset(DBS_GROUPWRITABLEINCLUDEFILE, DontBlameSendmail))
                        sfflags |= SFF_NOGWFILES;
                if (!bitnset(DBS_WORLDWRITABLEINCLUDEFILE, DontBlameSendmail))
                        sfflags |= SFF_NOWWFILES;
        }

        /*
        **  If RunAsUser set, won't be able to run programs as user
        **  so mark them as unsafe unless the administrator knows better.
        */

        if ((geteuid() != 0 || RunAsUid != 0) &&
            !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail))
        {
                if (tTd(27, 4))
                        sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n",
                                   (int) geteuid(), (int) RunAsUid);
                ctladdr->q_flags |= QUNSAFEADDR;
        }

        ca = getctladdr(ctladdr);
        if (ca == NULL ||
            (ca->q_uid == DefUid && ca->q_gid == 0))
        {
                uid = DefUid;
                gid = DefGid;
                user = DefUser;
        }
        else
        {
                uid = ca->q_uid;
                gid = ca->q_gid;
                user = ca->q_user;
        }
#if MAILER_SETUID_METHOD != USE_SETUID
        saveduid = geteuid();
        savedgid = getegid();
        if (saveduid == 0)
        {
                if (!DontInitGroups)
                {
                        if (initgroups(user, gid) == -1)
                        {
                                rval = EAGAIN;
                                syserr("include: initgroups(%s, %d) failed",
                                        user, gid);
                                goto resetuid;
                        }
                }
                else
                {
                        GIDSET_T gidset[1];

                        gidset[0] = gid;
                        if (setgroups(1, gidset) == -1)
                        {
                                rval = EAGAIN;
                                syserr("include: setgroups() failed");
                                goto resetuid;
                        }
                }

                if (gid != 0 && setgid(gid) < -1)
                {
                        rval = EAGAIN;
                        syserr("setgid(%d) failure", gid);
                        goto resetuid;
                }
                if (uid != 0)
                {
# if MAILER_SETUID_METHOD == USE_SETEUID
                        if (seteuid(uid) < 0)
                        {
                                rval = EAGAIN;
                                syserr("seteuid(%d) failure (real=%d, eff=%d)",
                                        uid, (int) getuid(), (int) geteuid());
                                goto resetuid;
                        }
# endif /* MAILER_SETUID_METHOD == USE_SETEUID */
# if MAILER_SETUID_METHOD == USE_SETREUID
                        if (setreuid(0, uid) < 0)
                        {
                                rval = EAGAIN;
                                syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
                                        uid, (int) getuid(), (int) geteuid());
                                goto resetuid;
                        }
# endif /* MAILER_SETUID_METHOD == USE_SETREUID */
                }
        }
#endif /* MAILER_SETUID_METHOD != USE_SETUID */

        if (tTd(27, 9))
                sm_dprintf("include: new uid = %d/%d\n",
                           (int) getuid(), (int) geteuid());

        /*
        **  If home directory is remote mounted but server is down,
        **  this can hang or give errors; use a timeout to avoid this
        */

        if (setjmp(CtxIncludeTimeout) != 0)
        {
                ctladdr->q_state = QS_QUEUEUP;
                errno = 0;

                /* return pseudo-error code */
                rval = E_SM_OPENTIMEOUT;
                goto resetuid;
        }
        if (TimeOuts.to_fileopen > 0)
                ev = sm_setevent(TimeOuts.to_fileopen, includetimeout, 0);
        else
                ev = NULL;


        /* check for writable parent directory */
        p = strrchr(fname, '/');
        if (p != NULL)
        {
                int ret;

                *p = '\0';
                ret = safedirpath(fname, uid, gid, user,
                                  sfflags|SFF_SAFEDIRPATH, 0, 0);
                if (ret == 0)
                {
                        /* in safe directory: relax chown & link rules */
                        safedir = true;
                        sfflags |= SFF_NOPATHCHECK;
                }
                else
                {
                        if (bitnset((forwarding ?
                                     DBS_FORWARDFILEINUNSAFEDIRPATH :
                                     DBS_INCLUDEFILEINUNSAFEDIRPATH),
                                    DontBlameSendmail))
                                sfflags |= SFF_NOPATHCHECK;
                        else if (bitnset((forwarding ?
                                          DBS_FORWARDFILEINGROUPWRITABLEDIRPATH :
                                          DBS_INCLUDEFILEINGROUPWRITABLEDIRPATH),
                                         DontBlameSendmail) &&
                                 ret == E_SM_GWDIR)
                        {
                                setbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
                                        DontBlameSendmail);
                                ret = safedirpath(fname, uid, gid, user,
                                                  sfflags|SFF_SAFEDIRPATH,
                                                  0, 0);
                                clrbitn(DBS_GROUPWRITABLEDIRPATHSAFE,
                                        DontBlameSendmail);
                                if (ret == 0)
                                        sfflags |= SFF_NOPATHCHECK;
                                else
                                        sfflags |= SFF_SAFEDIRPATH;
                        }
                        else
                                sfflags |= SFF_SAFEDIRPATH;
                        if (ret > E_PSEUDOBASE &&
                            !bitnset((forwarding ?
                                      DBS_FORWARDFILEINUNSAFEDIRPATHSAFE :
                                      DBS_INCLUDEFILEINUNSAFEDIRPATHSAFE),
                                     DontBlameSendmail))
                        {
                                if (LogLevel > 11)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: unsafe directory path, marked unsafe",
                                                  shortenstring(fname, MAXSHORTSTR));
                                ctladdr->q_flags |= QUNSAFEADDR;
                        }
                }
                *p = '/';
        }

        /* allow links only in unwritable directories */
        if (!safedir &&
            !bitnset((forwarding ?
                      DBS_LINKEDFORWARDFILEINWRITABLEDIR :
                      DBS_LINKEDINCLUDEFILEINWRITABLEDIR),
                     DontBlameSendmail))
                sfflags |= SFF_NOLINK;

        rval = safefile(fname, uid, gid, user, sfflags, S_IREAD, &st);
        if (rval != 0)
        {
                /* don't use this :include: file */
                if (tTd(27, 4))
                        sm_dprintf("include: not safe (uid=%d): %s\n",
                                   (int) uid, sm_errstring(rval));
        }
        else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname,
                                  SM_IO_RDONLY, NULL)) == NULL)
        {
                rval = errno;
                if (tTd(27, 4))
                        sm_dprintf("include: open: %s\n", sm_errstring(rval));
        }
        else if (filechanged(fname, sm_io_getinfo(fp,SM_IO_WHAT_FD, NULL), &st))
        {
                rval = E_SM_FILECHANGE;
                if (tTd(27, 4))
                        sm_dprintf("include: file changed after open\n");
        }
        if (ev != NULL)
                sm_clrevent(ev);

resetuid:

#if HASSETREUID || USESETEUID
        if (saveduid == 0)
        {
                if (uid != 0)
                {
# if USESETEUID
                        if (seteuid(0) < 0)
                                syserr("!seteuid(0) failure (real=%d, eff=%d)",
                                       (int) getuid(), (int) geteuid());
# else /* USESETEUID */
                        if (setreuid(-1, 0) < 0)
                                syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)",
                                       (int) getuid(), (int) geteuid());
                        if (setreuid(RealUid, 0) < 0)
                                syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)",
                                       (int) RealUid, (int) getuid(),
                                       (int) geteuid());
# endif /* USESETEUID */
                }
                if (setgid(savedgid) < 0)
                        syserr("!setgid(%d) failure (real=%d eff=%d)",
                               (int) savedgid, (int) getgid(),
                               (int) getegid());
        }
#endif /* HASSETREUID || USESETEUID */

        if (tTd(27, 9))
                sm_dprintf("include: reset uid = %d/%d\n",
                           (int) getuid(), (int) geteuid());

        if (rval == E_SM_OPENTIMEOUT)
                usrerr("451 4.4.1 open timeout on %s", fname);

        if (fp == NULL)
                return rval;

        if (fstat(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), &st) < 0)
        {
                rval = errno;
                syserr("Cannot fstat %s!", fname);
                (void) sm_io_close(fp, SM_TIME_DEFAULT);
                return rval;
        }

        /* if path was writable, check to avoid file giveaway tricks */
        safechown = chownsafe(sm_io_getinfo(fp, SM_IO_WHAT_FD, NULL), safedir);
        if (tTd(27, 6))
                sm_dprintf("include: parent of %s is %s, chown is %ssafe\n",
                           fname, safedir ? "safe" : "dangerous",
                           safechown ? "" : "un");

        /* if no controlling user or coming from an alias delivery */
        if (safechown &&
            (ca == NULL ||
             (ca->q_uid == DefUid && ca->q_gid == 0)))
        {
                ctladdr->q_uid = st.st_uid;
                ctladdr->q_gid = st.st_gid;
                ctladdr->q_flags |= QGOODUID;
        }
        if (ca != NULL && ca->q_uid == st.st_uid)
        {
                /* optimization -- avoid getpwuid if we already have info */
                ctladdr->q_flags |= ca->q_flags & QBOGUSSHELL;
                ctladdr->q_ruser = ca->q_ruser;
        }
        else if (!forwarding)
        {
                register struct passwd *pw;

                pw = sm_getpwuid(st.st_uid);
                if (pw == NULL)
                {
                        ctladdr->q_uid = st.st_uid;
                        ctladdr->q_flags |= QBOGUSSHELL;
                }
                else
                {
                        char *sh;

                        ctladdr->q_ruser = sm_rpool_strdup_x(e->e_rpool,
                                                             pw->pw_name);
                        if (safechown)
                                sh = pw->pw_shell;
                        else
                                sh = "/SENDMAIL/ANY/SHELL/";
                        if (!usershellok(pw->pw_name, sh))
                        {
                                if (LogLevel > 11)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: user %s has bad shell %s, marked %s",
                                                  shortenstring(fname,
                                                                MAXSHORTSTR),
                                                  pw->pw_name, sh,
                                                  safechown ? "bogus" : "unsafe");
                                if (safechown)
                                        ctladdr->q_flags |= QBOGUSSHELL;
                                else
                                        ctladdr->q_flags |= QUNSAFEADDR;
                        }
                }
        }

        if (bitset(EF_VRFYONLY, e->e_flags))
        {
                /* don't do any more now */
                ctladdr->q_state = QS_VERIFIED;
                e->e_nrcpts++;
                (void) sm_io_close(fp, SM_TIME_DEFAULT);
                return rval;
        }

        /*
        **  Check to see if some bad guy can write this file
        **
        **      Group write checking could be more clever, e.g.,
        **      guessing as to which groups are actually safe ("sys"
        **      may be; "user" probably is not).
        */

        mode = S_IWOTH;
        if (!bitnset((forwarding ?
                      DBS_GROUPWRITABLEFORWARDFILESAFE :
                      DBS_GROUPWRITABLEINCLUDEFILESAFE),
                     DontBlameSendmail))
                mode |= S_IWGRP;

        if (bitset(mode, st.st_mode))
        {
                if (tTd(27, 6))
                        sm_dprintf("include: %s is %s writable, marked unsafe\n",
                                   shortenstring(fname, MAXSHORTSTR),
                                   bitset(S_IWOTH, st.st_mode) ? "world"
                                                               : "group");
                if (LogLevel > 11)
                        sm_syslog(LOG_INFO, e->e_id,
                                  "%s: %s writable %s file, marked unsafe",
                                  shortenstring(fname, MAXSHORTSTR),
                                  bitset(S_IWOTH, st.st_mode) ? "world" : "group",
                                  forwarding ? "forward" : ":include:");
                ctladdr->q_flags |= QUNSAFEADDR;
        }

        /* read the file -- each line is a comma-separated list. */
        FileName = fname;
        LineNumber = 0;
        ctladdr->q_flags &= ~QSELFREF;
        nincludes = 0;
        while (sm_io_fgets(fp, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL &&
               !maxreached)
        {
                fixcrlf(buf, true);
                LineNumber++;
                if (buf[0] == '#' || buf[0] == '\0')
                        continue;

                /* <sp>#@# introduces a comment anywhere */
                /* for Japanese character sets */
                for (p = buf; (p = strchr(++p, '#')) != NULL; )
                {
                        if (p[1] == '@' && p[2] == '#' &&
                            isascii(p[-1]) && isspace(p[-1]) &&
                            (p[3] == '\0' || (isascii(p[3]) && isspace(p[3]))))
                        {
                                --p;
                                while (p > buf && isascii(p[-1]) &&
                                       isspace(p[-1]))
                                        --p;
                                p[0] = '\0';
                                break;
                        }
                }
                if (buf[0] == '\0')
                        continue;

                e->e_to = NULL;
                message("%s to %s",
                        forwarding ? "forwarding" : "sending", buf);
                if (forwarding && LogLevel > 10)
                        sm_syslog(LOG_INFO, e->e_id,
                                  "forward %.200s => %s",
                                  oldto, shortenstring(buf, MAXSHORTSTR));

                nincludes += sendtolist(buf, ctladdr, sendq, aliaslevel + 1, e);

                if (forwarding &&
                    MaxForwardEntries > 0 &&
                    nincludes >= MaxForwardEntries)
                {
                        /* just stop reading and processing further entries */
#if 0
                        /* additional: (?) */
                        ctladdr->q_state = QS_DONTSEND;
#endif /* 0 */

                        syserr("Attempt to forward to more than %d addresses (in %s)!",
                                MaxForwardEntries, fname);
                        maxreached = true;
                }
        }

        if (sm_io_error(fp) && tTd(27, 3))
                sm_dprintf("include: read error: %s\n", sm_errstring(errno));
        if (nincludes > 0 && !bitset(QSELFREF, ctladdr->q_flags))
        {
                if (aliaslevel <= MaxAliasRecursion ||
                    ctladdr->q_state != QS_BADADDR)
                {
                        ctladdr->q_state = QS_DONTSEND;
                        if (tTd(27, 5))
                        {
                                sm_dprintf("include: QS_DONTSEND ");
                                printaddr(sm_debug_file(), ctladdr, false);
                        }
                }
        }

        (void) sm_io_close(fp, SM_TIME_DEFAULT);
        FileName = oldfilename;
        LineNumber = oldlinenumber;
        e->e_to = oldto;
        return rval;
}

static void
includetimeout(ignore)
        int ignore;
{
        /*
        **  NOTE: THIS CAN BE CALLED FROM A SIGNAL HANDLER.  DO NOT ADD
        **      ANYTHING TO THIS ROUTINE UNLESS YOU KNOW WHAT YOU ARE
        **      DOING.
        */

        errno = ETIMEDOUT;
        longjmp(CtxIncludeTimeout, 1);
}

/*
**  SENDTOARGV -- send to an argument vector.
**
**      Parameters:
**              argv -- argument vector to send to.
**              e -- the current envelope.
**
**      Returns:
**              none.
**
**      Side Effects:
**              puts all addresses on the argument vector onto the
**                      send queue.
*/

void
sendtoargv(argv, e)
        register char **argv;
        register ENVELOPE *e;
{
        register char *p;

        while ((p = *argv++) != NULL)
                (void) sendtolist(p, NULLADDR, &e->e_sendqueue, 0, e);
}

/*
**  GETCTLADDR -- get controlling address from an address header.
**
**      If none, get one corresponding to the effective userid.
**
**      Parameters:
**              a -- the address to find the controller of.
**
**      Returns:
**              the controlling address.
*/

ADDRESS *
getctladdr(a)
        register ADDRESS *a;
{
        while (a != NULL && !bitset(QGOODUID, a->q_flags))
                a = a->q_alias;
        return a;
}

/*
**  SELF_REFERENCE -- check to see if an address references itself
**
**      The check is done through a chain of aliases.  If it is part of
**      a loop, break the loop at the "best" address, that is, the one
**      that exists as a real user.
**
**      This is to handle the case of:
**              awc:            Andrew.Chang
**              Andrew.Chang:   awc@mail.server
**      which is a problem only on mail.server.
**
**      Parameters:
**              a -- the address to check.
**
**      Returns:
**              The address that should be retained.
*/

static ADDRESS *
self_reference(a)
        ADDRESS *a;
{
        ADDRESS *b;             /* top entry in self ref loop */
        ADDRESS *c;             /* entry that point to a real mail box */

        if (tTd(27, 1))
                sm_dprintf("self_reference(%s)\n", a->q_paddr);

        for (b = a->q_alias; b != NULL; b = b->q_alias)
        {
                if (sameaddr(a, b))
                        break;
        }

        if (b == NULL)
        {
                if (tTd(27, 1))
                        sm_dprintf("\t... no self ref\n");
                return NULL;
        }

        /*
        **  Pick the first address that resolved to a real mail box
        **  i.e has a mbdb entry.  The returned value will be marked
        **  QSELFREF in recipient(), which in turn will disable alias()
        **  from marking it as QS_IS_DEAD(), which mean it will be used
        **  as a deliverable address.
        **
        **  The 2 key thing to note here are:
        **      1) we are in a recursive call sequence:
        **              alias->sendtolist->recipient->alias
        **      2) normally, when we return back to alias(), the address
        **         will be marked QS_EXPANDED, since alias() assumes the
        **         expanded form will be used instead of the current address.
        **         This behaviour is turned off if the address is marked
        **         QSELFREF.  We set QSELFREF when we return to recipient().
        */

        c = a;
        while (c != NULL)
        {
                if (tTd(27, 10))
                        sm_dprintf("  %s", c->q_user);
                if (bitnset(M_HASPWENT, c->q_mailer->m_flags))
                {
                        SM_MBDB_T user;

                        if (tTd(27, 2))
                                sm_dprintf("\t... getpwnam(%s)... ", c->q_user);
                        if (sm_mbdb_lookup(c->q_user, &user) == EX_OK)
                        {
                                if (tTd(27, 2))
                                        sm_dprintf("found\n");

                                /* ought to cache results here */
                                if (sameaddr(b, c))
                                        return b;
                                else
                                        return c;
                        }
                        if (tTd(27, 2))
                                sm_dprintf("failed\n");
                }
                else
                {
                        /* if local delivery, compare usernames */
                        if (bitnset(M_LOCALMAILER, c->q_mailer->m_flags) &&
                            b->q_mailer == c->q_mailer)
                        {
                                if (tTd(27, 2))
                                        sm_dprintf("\t... local match (%s)\n",
                                                c->q_user);
                                if (sameaddr(b, c))
                                        return b;
                                else
                                        return c;
                        }
                }
                if (tTd(27, 10))
                        sm_dprintf("\n");
                c = c->q_alias;
        }

        if (tTd(27, 1))
                sm_dprintf("\t... cannot break loop for \"%s\"\n", a->q_paddr);

        return NULL;
}
Illumos
