mbox_open.c

[詳解]

/*++
/* NAME
/*  mbox_open 3
/* SUMMARY
/*  mailbox access
/* SYNOPSIS
/*  #include <mbox_open.h>
/*
/*  typedef struct {
/* .in +4
/*      /* public members... */
/*      VSTREAM *fp;
/* .in -4
/*  } MBOX;
/*
/*  MBOX    *mbox_open(path, flags, mode, st, user, group, lock_style,
/*              def_dsn, why)
/*  const char *path;
/*  int flags;
/*  mode_t  mode;
/*  struct stat *st;
/*  uid_t   user;
/*  gid_t   group;
/*  int lock_style;
/*  const char *def_dsn;
/*  DSN_BUF *why;
/*
/*  void    mbox_release(mbox)
/*  MBOX    *mbox;
/*
/*  const char *mbox_dsn(err, def_dsn)
/*  int err;
/*  const char *def_dsn;
/* DESCRIPTION
/*  This module manages access to UNIX mailbox-style files.
/*
/*  mbox_open() acquires exclusive access to the named file.
/*  The \fBpath, flags, mode, st, user, group, why\fR arguments
/*  are passed to the \fBsafe_open\fR() routine. Attempts to change
/*  file ownership will succeed only if the process runs with
/*  adequate effective privileges.
/*  The \fBlock_style\fR argument specifies a lock style from
/*  mbox_lock_mask(). Locks are applied to regular files only.
/*  The result is a handle that must be destroyed by mbox_release().
/*  The \fBdef_dsn\fR argument is given to mbox_dsn().
/*
/*  mbox_release() releases the named mailbox. It is up to the
/*  application to close the stream.
/*
/*  mbox_dsn() translates an errno value to a mailbox related
/*  enhanced status code.
/* .IP "EAGAIN, ESTALE"
/*  These result in a 4.2.0 soft error (mailbox problem).
/* .IP ENOSPC
/*  This results in a 4.3.0 soft error (mail system full).
/* .IP "EDQUOT, EFBIG"
/*  These result in a 5.2.2 hard error (mailbox full).
/* .PP
/*  All other errors are assigned the specified default error
/*  code. Typically, one would specify 4.2.0 or 5.2.0.
/* DIAGNOSTICS
/*  mbox_open() returns a null pointer in case of problems, and
/*  sets errno to EAGAIN if someone else has exclusive access.
/*  Other errors are likely to have a more permanent nature.
/* LICENSE
/* .ad
/* .fi
/*  The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*  Wietse Venema
/*  IBM T.J. Watson Research
/*  P.O. Box 704
/*  Yorktown Heights, NY 10598, USA
/*--*/

/* System library. */

#include <sys_defs.h>
#include <sys/stat.h>
#include <errno.h>

#ifndef EDQUOT
#define EDQUOT EFBIG
#endif

/* Utility library. */

#include <msg.h>
#include <vstream.h>
#include <vstring.h>
#include <safe_open.h>
#include <iostuff.h>
#include <mymalloc.h>
#include <warn_stat.h>

/* Global library. */

#include <dot_lockfile.h>
#include <deliver_flock.h>
#include <mbox_conf.h>
#include <mbox_open.h>

/* mbox_open - open mailbox-style file for exclusive access */

MBOX   *mbox_open(const char *path, int flags, mode_t mode, struct stat * st,
                  uid_t chown_uid, gid_t chown_gid,
                  int lock_style, const char *def_dsn,
                  DSN_BUF *why)
{
    struct stat local_statbuf;
    MBOX   *mp;
    int     locked = 0;
    VSTREAM *fp;

    if (st == 0)
    st = &local_statbuf;

    /*
     * If this is a regular file, create a dotlock file. This locking method
     * does not work well over NFS, but it is better than some alternatives.
     * With NFS, creating files atomically is a problem, and a successful
     * operation can fail with EEXIST.
     * 
     * If filename.lock can't be created for reasons other than "file exists",
     * issue only a warning if the application says it is non-fatal. This is
     * for bass-awkward compatibility with existing installations that
     * deliver to files in non-writable directories.
     * 
     * We dot-lock the file before opening, so we must avoid doing silly things
     * like dot-locking /dev/null. Fortunately, deliveries to non-mailbox
     * files execute with recipient privileges, so we don't have to worry
     * about creating dotlock files in places where the recipient would not
     * be able to write.
     * 
     * Note: we use stat() to follow symlinks, because safe_open() allows the
     * target to be a root-owned symlink, and we don't want to create dotlock
     * files for /dev/null or other non-file objects.
     */
    if ((lock_style & MBOX_DOT_LOCK)
    && (stat(path, st) < 0 || S_ISREG(st->st_mode))) {
    if (dot_lockfile(path, why->reason) == 0) {
        locked |= MBOX_DOT_LOCK;
    } else if (errno == EEXIST) {
        dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
        return (0);
    } else if (lock_style & MBOX_DOT_LOCK_MAY_FAIL) {
        msg_warn("%s", vstring_str(why->reason));
    } else {
        dsb_status(why, mbox_dsn(errno, def_dsn));
        return (0);
    }
    }

    /*
     * Open or create the target file. In case of a privileged open, the
     * privileged user may be attacked with hard/soft link tricks in an
     * unsafe parent directory. In case of an unprivileged open, the mail
     * system may be attacked by a malicious user-specified path, or the
     * unprivileged user may be attacked with hard/soft link tricks in an
     * unsafe parent directory. Open non-blocking to fend off attacks
     * involving non-file targets.
     */
    if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st,
            chown_uid, chown_gid, why->reason)) == 0) {
    dsb_status(why, mbox_dsn(errno, def_dsn));
    if (locked & MBOX_DOT_LOCK)
        dot_unlockfile(path);
    return (0);
    }
    close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);

    /*
     * If this is a regular file, acquire kernel locks. flock() locks are not
     * intended to work across a network; fcntl() locks are supposed to work
     * over NFS, but in the real world, NFS lock daemons often have serious
     * problems.
     */
#define HUNKY_DORY(lock_mask, myflock_style) ((lock_style & (lock_mask)) == 0 \
         || deliver_flock(vstream_fileno(fp), (myflock_style), why->reason) == 0)

    if (S_ISREG(st->st_mode)) {
    if (HUNKY_DORY(MBOX_FLOCK_LOCK, MYFLOCK_STYLE_FLOCK)
        && HUNKY_DORY(MBOX_FCNTL_LOCK, MYFLOCK_STYLE_FCNTL)) {
        locked |= lock_style;
    } else {
        dsb_status(why, mbox_dsn(errno, def_dsn));
        if (locked & MBOX_DOT_LOCK)
        dot_unlockfile(path);
        vstream_fclose(fp);
        return (0);
    }
    }

    /*
     * Sanity check: reportedly, GNU POP3D creates a new mailbox file and
     * deletes the old one. This does not play well with software that opens
     * the mailbox first and then locks it, such as software that uses FCNTL
     * or FLOCK locks on open file descriptors (some UNIX systems don't use
     * dotlock files).
     * 
     * To detect that GNU POP3D deletes the mailbox file we look at the target
     * file hard-link count. Note that safe_open() guarantees a hard-link
     * count of 1, so any change in this count is a sign of trouble.
     */
    if (S_ISREG(st->st_mode)
    && (fstat(vstream_fileno(fp), st) < 0 || st->st_nlink != 1)) {
    vstring_sprintf(why->reason, "target file status changed unexpectedly");
    dsb_status(why, mbox_dsn(EAGAIN, def_dsn));
    msg_warn("%s: file status changed unexpectedly", path);
    if (locked & MBOX_DOT_LOCK)
        dot_unlockfile(path);
    vstream_fclose(fp);
    return (0);
    }
    mp = (MBOX *) mymalloc(sizeof(*mp));
    mp->path = mystrdup(path);
    mp->fp = fp;
    mp->locked = locked;
    return (mp);
}

/* mbox_release - release mailbox exclusive access */

void    mbox_release(MBOX *mp)
{

    /*
     * Unfortunately we can't close the stream, because on some file systems
     * (AFS), the only way to find out if a file was written successfully is
     * to close it, and therefore the close() operation is in the mail_copy()
     * routine. If we really insist on owning the vstream member, then we
     * should export appropriate methods that mail_copy() can use in order to
     * manipulate a message stream.
     */
    if (mp->locked & MBOX_DOT_LOCK)
    dot_unlockfile(mp->path);
    myfree(mp->path);
    myfree((void *) mp);
}

/* mbox_dsn - map errno value to mailbox-related DSN detail */

const char *mbox_dsn(int err, const char *def_dsn)
{
#define TRY_AGAIN_ERROR(e) \
    (e == EAGAIN || e == ESTALE)
#define SYSTEM_FULL_ERROR(e) \
    (e == ENOSPC)
#define MBOX_FULL_ERROR(e) \
    (e == EDQUOT || e == EFBIG)

    return (TRY_AGAIN_ERROR(err) ? "4.2.0" :
        SYSTEM_FULL_ERROR(err) ? "4.3.0" :
        MBOX_FULL_ERROR(err) ? "5.2.2" :
        def_dsn);
}