void *
dbmdb_open(uschar *filename, uschar **errmsg)
{
EXIM_DB *yield;
EXIM_DBOPEN(filename, O_RDONLY, 0, &yield);
if (yield == NULL)
{
int save_errno = errno;
*errmsg = string_open_failed(errno, "%s as a %s file", filename, EXIM_DBTYPE);
errno = save_errno;
}
return yield;
}
void *
lsearch_open(uschar *filename, uschar **errmsg)
{
FILE *f = Ufopen(filename, "rb");
if (f == NULL)
{
int save_errno = errno;
*errmsg = string_open_failed(errno, "%s for linear search", filename);
errno = save_errno;
return NULL;
}
return f;
}
static void *
json_open(uschar *filename, uschar **errmsg)
{
FILE * f;
json_set_alloc_funcs(json_malloc, json_free);
if (!(f = Ufopen(filename, "rb")))
{
int save_errno = errno;
*errmsg = string_open_failed(errno, "%s for json search", filename);
errno = save_errno;
return NULL;
}
return f;
}
open_db *
dbfn_open(uschar *name, int flags, open_db *dbblock, BOOL lof)
{
int rc, save_errno;
BOOL read_only = flags == O_RDONLY;
BOOL created = FALSE;
flock_t lock_data;
uschar buffer[256];
/* The first thing to do is to open a separate file on which to lock. This
ensures that Exim has exclusive use of the database before it even tries to
open it. Early versions tried to lock on the open database itself, but that
gave rise to mysterious problems from time to time - it was suspected that some
DB libraries "do things" on their open() calls which break the interlocking.
The lock file is never written to, but we open it for writing so we can get a
write lock if required. If it does not exist, we create it. This is done
separately so we know when we have done it, because when running as root we
need to change the ownership - see the bottom of this function. We also try to
make the directory as well, just in case. We won't be doing this many times
unnecessarily, because usually the lock file will be there. If the directory
exists, there is no error. */
sprintf(CS buffer, "%s/db/%s.lockfile", spool_directory, name);
if ((dbblock->lockfd = Uopen(buffer, O_RDWR, EXIMDB_LOCKFILE_MODE)) < 0)
{
created = TRUE;
(void)directory_make(spool_directory, US"db", EXIMDB_DIRECTORY_MODE, TRUE);
dbblock->lockfd = Uopen(buffer, O_RDWR|O_CREAT, EXIMDB_LOCKFILE_MODE);
}
if (dbblock->lockfd < 0)
{
log_write(0, LOG_MAIN, "%s",
string_open_failed(errno, "database lock file %s", buffer));
errno = 0; /* Indicates locking failure */
return NULL;
}
/* Now we must get a lock on the opened lock file; do this with a blocking
lock that times out. */
lock_data.l_type = read_only? F_RDLCK : F_WRLCK;
lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
DEBUG(D_hints_lookup|D_retry|D_route|D_deliver)
debug_printf("locking %s\n", buffer);
sigalrm_seen = FALSE;
alarm(EXIMDB_LOCK_TIMEOUT);
rc = fcntl(dbblock->lockfd, F_SETLKW, &lock_data);
alarm(0);
if (sigalrm_seen) errno = ETIMEDOUT;
if (rc < 0)
{
log_write(0, LOG_MAIN|LOG_PANIC, "Failed to get %s lock for %s: %s",
read_only? "read" : "write", buffer,
(errno == ETIMEDOUT)? "timed out" : strerror(errno));
(void)close(dbblock->lockfd);
errno = 0; /* Indicates locking failure */
return NULL;
}
DEBUG(D_hints_lookup) debug_printf("locked %s\n", buffer);
/* At this point we have an opened and locked separate lock file, that is,
exclusive access to the database, so we can go ahead and open it. If we are
expected to create it, don't do so at first, again so that we can detect
whether we need to change its ownership (see comments about the lock file
above.) There have been regular reports of crashes while opening hints
databases - often this is caused by non-matching db.h and the library. To make
it easy to pin this down, there are now debug statements on either side of the
open call. */
sprintf(CS buffer, "%s/db/%s", spool_directory, name);
DEBUG(D_hints_lookup) debug_printf("EXIM_DBOPEN(%s)\n", buffer);
EXIM_DBOPEN(buffer, flags, EXIMDB_MODE, &(dbblock->dbptr));
DEBUG(D_hints_lookup) debug_printf("returned from EXIM_DBOPEN\n");
if (dbblock->dbptr == NULL && errno == ENOENT && flags == O_RDWR)
{
DEBUG(D_hints_lookup)
debug_printf("%s appears not to exist: trying to create\n", buffer);
created = TRUE;
EXIM_DBOPEN(buffer, flags|O_CREAT, EXIMDB_MODE, &(dbblock->dbptr));
DEBUG(D_hints_lookup) debug_printf("returned from EXIM_DBOPEN\n");
}
save_errno = errno;
/* If we are running as root and this is the first access to the database, its
files will be owned by root. We want them to be owned by exim. We detect this
situation by noting above when we had to create the lock file or the database
itself. Because the different dbm libraries use different extensions for their
files, I don't know of any easier way of arranging this than scanning the
directory for files with the appropriate base name. At least this deals with
the lock file at the same time. Also, the directory will typically have only
half a dozen files, so the scan will be quick.
This code is placed here, before the test for successful opening, because there
was a case when a file was created, but the DBM library still returned NULL
because of some problem. It also sorts out the lock file if that was created
but creation of the database file failed. */
if (created && geteuid() == root_uid)
{
DIR *dd;
struct dirent *ent;
uschar *lastname = Ustrrchr(buffer, '/') + 1;
int namelen = Ustrlen(name);
*lastname = 0;
dd = opendir(CS buffer);
while ((ent = readdir(dd)) != NULL)
{
if (Ustrncmp(ent->d_name, name, namelen) == 0)
{
struct stat statbuf;
Ustrcpy(lastname, ent->d_name);
if (Ustat(buffer, &statbuf) >= 0 && statbuf.st_uid != exim_uid)
{
DEBUG(D_hints_lookup) debug_printf("ensuring %s is owned by exim\n", buffer);
(void)Uchown(buffer, exim_uid, exim_gid);
}
}
}
closedir(dd);
}
/* If the open has failed, return NULL, leaving errno set. If lof is TRUE,
log the event - also for debugging - but not if the file just doesn't exist. */
if (dbblock->dbptr == NULL)
{
if (save_errno != ENOENT)
{
if (lof)
log_write(0, LOG_MAIN, "%s", string_open_failed(save_errno, "DB file %s",
buffer));
else
DEBUG(D_hints_lookup)
debug_printf("%s", CS string_open_failed(save_errno, "DB file %s\n",
buffer));
}
(void)close(dbblock->lockfd);
errno = save_errno;
return NULL;
}
DEBUG(D_hints_lookup)
debug_printf("opened hints database %s: flags=%s\n", buffer,
(flags == O_RDONLY)? "O_RDONLY" : (flags == O_RDWR)? "O_RDWR" :
(flags == (O_RDWR|O_CREAT))? "O_RDWR|O_CREAT" : "??");
/* Pass back the block containing the opened database handle and the open fd
for the lock. */
return dbblock;
}
static uschar *
rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
int *yield)
{
FILE *fwd;
uschar *filebuf;
uschar *filename = rdata->string;
BOOL uid_ok = !rdata->check_owner;
BOOL gid_ok = !rdata->check_group;
struct stat statbuf;
/* Attempt to open the file. If it appears not to exist, check up on the
containing directory by statting it. If the directory does not exist, we treat
this situation as an error (which will cause delivery to defer); otherwise we
pass back FF_NONEXIST, which causes the redirect router to decline.
However, if the ignore_enotdir option is set (to ignore "something on the
path is not a directory" errors), the right behaviour seems to be not to do the
directory test. */
fwd = Ufopen(filename, "rb");
if (fwd == NULL)
{
switch(errno)
{
case ENOENT: /* File does not exist */
DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
filename,
((options & RDO_ENOTDIR) != 0)? "ignore_enotdir set => skip " : "");
*yield = (((options & RDO_ENOTDIR) != 0) ||
rda_exists(filename, error) == FILE_NOT_EXIST)?
FF_NONEXIST : FF_ERROR;
return NULL;
case ENOTDIR: /* Something on the path isn't a directory */
if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
"exist\n", filename);
*yield = FF_NONEXIST;
return NULL;
case EACCES: /* Permission denied */
if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
"exist\n", filename);
*yield = FF_NONEXIST;
return NULL;
DEFAULT_ERROR:
default:
*error = string_open_failed(errno, "%s", filename);
*yield = FF_ERROR;
return NULL;
}
}
/* Check that we have a regular file. */
if (fstat(fileno(fwd), &statbuf) != 0)
{
*error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
goto ERROR_RETURN;
}
if ((statbuf.st_mode & S_IFMT) != S_IFREG)
{
*error = string_sprintf("%s is not a regular file", filename);
goto ERROR_RETURN;
}
/* Check for unwanted mode bits */
if ((statbuf.st_mode & rdata->modemask) != 0)
{
*error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
goto ERROR_RETURN;
}
/* Check the file owner and file group if required to do so. */
if (!uid_ok)
{
if (rdata->pw != NULL && statbuf.st_uid == rdata->pw->pw_uid)
uid_ok = TRUE;
else if (rdata->owners != NULL)
{
int i;
for (i = 1; i <= (int)(rdata->owners[0]); i++)
if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
}
}
if (!gid_ok)
{
if (rdata->pw != NULL && statbuf.st_gid == rdata->pw->pw_gid)
gid_ok = TRUE;
else if (rdata->owngroups != NULL)
{
int i;
for (i = 1; i <= (int)(rdata->owngroups[0]); i++)
if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
}
}
if (!uid_ok || !gid_ok)
{
*error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
goto ERROR_RETURN;
}
/* Put an upper limit on the size of the file, just to stop silly people
feeding in ridiculously large files, which can easily be created by making
files that have holes in them. */
if (statbuf.st_size > MAX_FILTER_SIZE)
{
*error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
goto ERROR_RETURN;
}
/* Read the file in one go in order to minimize the time we have it open. */
filebuf = store_get(statbuf.st_size + 1);
if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
{
*error = string_sprintf("error while reading %s: %s",
filename, strerror(errno));
goto ERROR_RETURN;
}
filebuf[statbuf.st_size] = 0;
DEBUG(D_route)
debug_printf(OFF_T_FMT " bytes read from %s\n", statbuf.st_size, filename);
(void)fclose(fwd);
return filebuf;
/* Return an error: the string is already set up. */
ERROR_RETURN:
*yield = FF_ERROR;
(void)fclose(fwd);
return NULL;
}
static int
init_dh(host_item *host)
{
int fd;
int ret;
gnutls_datum m;
uschar filename[200];
/* Initialize the data structures for holding the parameters */
ret = gnutls_dh_params_init(&dh_params);
if (ret < 0) return tls_error(US"init dh_params", host, gnutls_strerror(ret));
/* Set up the name of the cache file */
if (!string_format(filename, sizeof(filename), "%s/gnutls-params",
spool_directory))
return tls_error(US"overlong filename", host, NULL);
/* Open the cache file for reading and if successful, read it and set up the
parameters. */
fd = Uopen(filename, O_RDONLY, 0);
if (fd >= 0)
{
struct stat statbuf;
if (fstat(fd, &statbuf) < 0)
{
(void)close(fd);
return tls_error(US"TLS cache stat failed", host, strerror(errno));
}
m.size = statbuf.st_size;
m.data = malloc(m.size);
if (m.data == NULL)
return tls_error(US"memory allocation failed", host, strerror(errno));
errno = 0;
if (read(fd, m.data, m.size) != m.size)
return tls_error(US"TLS cache read failed", host, strerror(errno));
(void)close(fd);
ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
if (ret < 0)
return tls_error(US"DH params import", host, gnutls_strerror(ret));
DEBUG(D_tls) debug_printf("read D-H parameters from file\n");
free(m.data);
}
/* If the file does not exist, fall through to compute new data and cache it.
If there was any other opening error, it is serious. */
else if (errno == ENOENT)
{
ret = -1;
DEBUG(D_tls)
debug_printf("parameter cache file %s does not exist\n", filename);
}
else
return tls_error(string_open_failed(errno, "%s for reading", filename),
host, NULL);
/* If ret < 0, either the cache file does not exist, or the data it contains
is not useful. One particular case of this is when upgrading from an older
release of Exim in which the data was stored in a different format. We don't
try to be clever and support both formats; we just regenerate new data in this
case. */
if (ret < 0)
{
uschar tempfilename[sizeof(filename) + 10];
DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
DH_BITS);
ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
if (ret < 0) return tls_error(US"D-H key generation", host, gnutls_strerror(ret));
/* Write the parameters to a file in the spool directory so that we
can use them from other Exim processes. */
sprintf(CS tempfilename, "%s-%d", filename, (int)getpid());
fd = Uopen(tempfilename, O_WRONLY|O_CREAT, 0400);
if (fd < 0)
return tls_error(string_open_failed(errno, "%s for writing", filename),
host, NULL);
(void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
/* export the parameters in a format that can be generated using GNUTLS'
* certtool or other programs.
*
* The commands for certtool are:
* $ certtool --generate-dh-params --bits 1024 > params
*/
m.size = PARAM_SIZE;
m.data = malloc(m.size);
if (m.data == NULL)
return tls_error(US"memory allocation failed", host, strerror(errno));
m.size = PARAM_SIZE;
ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
&m.size);
if (ret < 0)
return tls_error(US"DH params export", host, gnutls_strerror(ret));
m.size = Ustrlen(m.data);
errno = 0;
if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
return tls_error(US"TLS cache write failed", host, strerror(errno));
free(m.data);
(void)close(fd);
if (rename(CS tempfilename, CS filename) < 0)
return tls_error(string_sprintf("failed to rename %s as %s",
tempfilename, filename), host, strerror(errno));
DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);
}
DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
return OK;
}
