diff --git a/postfix/HISTORY b/postfix/HISTORY
index 54be1cf01..53af27405 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -5795,8 +5795,22 @@ Apologies for any names omitted.
when the next line starts with whitespace; a comment that
is preceded by whitespace does not break multi-line input.
+20011217
+
+ Compatibility: Sendmail now has a -L option to set the
+ syslogging label. Postfix sendmail uses syslog_name instead,
+ and ignores the -L option.
+
+ Security: subtle hardening of the Postfix chroot jail,
+ Postfix queue file permissions and access methods, in case
+ someone compromises the postfix account. Michael Tokarev
+ claims he got the insights from Solar Designer. Files:
+ master/master_wakeup.c, util/fifo_trigger.c, postfix-script.
+
Open problems:
+ Low: warn about undomained hostnames instead of aborting.
+
Low: after reorganizing configuration parameters, add flags
to all parameters whose value can be read from file.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index c932a32cb..a00487700 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,16 +1,18 @@
-Incompatible changes with snapshot-20011216
+Incompatible changes with snapshot-20011217
===========================================
-Postfix configuration file comments no longer span multiple lines
-when the next line starts with whitespace. This may cause unexpected
-behavior with existing, improperly formatted, configuration files.
+Postfix configuration file comments no longer continue on the next
+line when that next line starts with whitespace. This change avoids
+surprises, but it may cause unexpected behavior with existing,
+poorly formatted, configuration files. Caveat user.
-Major changes with snapshot-20011216
+Major changes with snapshot-20011217
====================================
Postfix configuration files now support whitespace before comments.
This allows you to comment out just one line in the middle of a
-block of multi-line input.
+block of multi-line input. A comment that starts at the beginning
+of a line always terminates previous data.
Incompatible changes with snapshot-20011210
===========================================
diff --git a/postfix/conf/postfix-script-nosgid b/postfix/conf/postfix-script-nosgid
index d7c02ea8e..62e57b759 100755
--- a/postfix/conf/postfix-script-nosgid
+++ b/postfix/conf/postfix-script-nosgid
@@ -184,7 +184,6 @@ check)
$WARN creating missing Postfix pid directory
mkdir pid || exit 1
chmod 755 pid
- chown $mail_owner pid
}
for dir in incoming active bounce defer deferred flush saved corrupt; do
test -d $dir || {
diff --git a/postfix/conf/postfix-script-sgid b/postfix/conf/postfix-script-sgid
index f5df28ca1..a2da2c6e0 100644
--- a/postfix/conf/postfix-script-sgid
+++ b/postfix/conf/postfix-script-sgid
@@ -185,7 +185,6 @@ check)
$WARN creating missing Postfix pid directory
mkdir pid || exit 1
chmod 755 pid
- chown $mail_owner pid
}
for dir in incoming active bounce defer deferred flush saved corrupt; do
test -d $dir || {
diff --git a/postfix/html/sendmail.1.html b/postfix/html/sendmail.1.html
index 8918f9858..7a1eda7fb 100644
--- a/postfix/html/sendmail.1.html
+++ b/postfix/html/sendmail.1.html
@@ -79,64 +79,68 @@ SENDMAIL(1) SENDMAIL(1)
-I Initialize alias database. See the newaliases com-
mand above.
+ -L label (ignored)
+ The logging label. Use the syslog_name configura-
+ tion parameter instead.
+
-N dsn (ignored)
- Delivery status notification control. Currently,
+ Delivery status notification control. Currently,
Postfix does not implement DSN.
-R return_limit (ignored)
- Limit the size of bounced mail. Use the
- bounce_size_limit configuration parameter instead.
+ Limit the size of bounced mail. Use the
+ bounce_size_limit configuration parameter instead.
-X log_file (ignored)
- Log mailer traffic. Use the debug_peer_list and
- debug_peer_level configuration parameters instead.
+ Log mailer traffic. Use the debug_peer_list and
+ debug_peer_level configuration parameters instead.
-U (ignored)
Initial user submission.
- -V Variable Envelope Return Path. Given an envelope
- sender address of the form owner-listname@origin,
- each recipient user@domain receives mail with a
+ -V Variable Envelope Return Path. Given an envelope
+ sender address of the form owner-listname@origin,
+ each recipient user@domain receives mail with a
personalized envelope sender address.
- By default, the personalized envelope sender
- address is owner-listname+user=domain@origin. The
- default + and = characters are configurable with
- the default_verp_delimiters configuration parame-
- ter.
-
- -Vxy As -V, but uses x and y as the VERP delimiter char-
- acters, instead of the characters specified with
+ By default, the personalized envelope sender
+ address is owner-listname+user=domain@origin. The
+ default + and = characters are configurable with
the default_verp_delimiters configuration parame-
ter.
- -bd Go into daemon mode. This mode of operation is
+ -Vxy As -V, but uses x and y as the VERP delimiter char-
+ acters, instead of the characters specified with
+ the default_verp_delimiters configuration parame-
+ ter.
+
+ -bd Go into daemon mode. This mode of operation is
implemented by executing the postfix start command.
- -bi Initialize alias database. See the newaliases com-
+ -bi Initialize alias database. See the newaliases com-
mand above.
- -bm Read mail from standard input and arrange for
+ -bm Read mail from standard input and arrange for
delivery. This is the default mode of operation.
-bp List the mail queue. See the mailq command above.
- -bs Stand-alone SMTP server mode. Read SMTP commands
- from standard input, and write responses to stan-
+ -bs Stand-alone SMTP server mode. Read SMTP commands
+ from standard input, and write responses to stan-
dard output. This mode of operation is implemented
by running the smtpd(8) daemon.
-f sender
Set the envelope sender address. This is the
address where delivery problems are sent to, unless
- the message contains an Errors-To: message header.
+ the message contains an Errors-To: message header.
-h hop_count (ignored)
- Hop count limit. Use the hopcount_limit configura-
+ Hop count limit. Use the hopcount_limit configura-
tion parameter instead.
- -i When reading a message from standard input, don't
- treat a line with only a . character as the end of
+ -i When reading a message from standard input, don't
+ treat a line with only a . character as the end of
input.
-m (ignored)
@@ -146,67 +150,67 @@ SENDMAIL(1) SENDMAIL(1)
Backwards compatibility.
-oAalias_database
- Non-default alias database. Specify pathname or
+ Non-default alias database. Specify pathname or
type:pathname. See postalias(1) for details.
-o7 (ignored)
-o8 (ignored)
- The message body type. Currently, Postfix imple-
+ The message body type. Currently, Postfix imple-
ments just-send-eight.
- -oi When reading a message from standard input, don't
- treat a line with only a . character as the end of
+ -oi When reading a message from standard input, don't
+ treat a line with only a . character as the end of
input.
-om (ignored)
- The sender is never eliminated from alias etc.
+ The sender is never eliminated from alias etc.
expansions.
-o x value (ignored)
- Set option x to value. Use the equivalent configu-
+ Set option x to value. Use the equivalent configu-
ration parameter in main.cf instead.
-r sender
Set the envelope sender address. This is the
address where delivery problems are sent to, unless
- the message contains an Errors-To: message header.
+ the message contains an Errors-To: message header.
- -q Attempt to deliver all queued mail. This is imple-
+ -q Attempt to deliver all queued mail. This is imple-
mented by kicking the qmgr(8) daemon.
-qinterval (ignored)
- The interval between queue runs. Use the
+ The interval between queue runs. Use the
queue_run_delay configuration parameter instead.
-qRsite
- Schedule immediate delivery of all mail that is
+ Schedule immediate delivery of all mail that is
queued for the named site. This option accepts only
- site names that are eligible for the "fast flush"
- service, and is implemented by connecting to the
+ site names that are eligible for the "fast flush"
+ service, and is implemented by connecting to the
local SMTP server at $myhostname. See flush(8) for
more information about the "fast flush" service.
-qSsite
- This command is not implemented. Use the slower
+ This command is not implemented. Use the slower
sendmail -q command instead.
- -t Extract recipients from message headers. This
- requires that no recipients be specified on the
+ -t Extract recipients from message headers. This
+ requires that no recipients be specified on the
command line.
-v Enable verbose logging for debugging purposes. Mul-
- tiple -v options make the software increasingly
+ tiple -v options make the software increasingly
verbose.
SECURITY
- By design, this program is not set-user (or group) id.
- However, it must handle data from untrusted users or
- untrusted machines. Thus, the usual precautions need to
+ By design, this program is not set-user (or group) id.
+ However, it must handle data from untrusted users or
+ untrusted machines. Thus, the usual precautions need to
be taken against malicious inputs.
DIAGNOSTICS
- Problems are logged to syslogd(8) and to the standard
+ Problems are logged to syslogd(8) and to the standard
error stream.
ENVIRONMENT
@@ -218,7 +222,7 @@ SENDMAIL(1) SENDMAIL(1)
MAIL_DEBUG
Enable debugging with an external command, as spec-
- ified with the debugger_command configuration
+ ified with the debugger_command configuration
parameter.
FILES
@@ -226,13 +230,13 @@ SENDMAIL(1) SENDMAIL(1)
/etc/postfix, configuration files
CONFIGURATION PARAMETERS
- See the Postfix main.cf file for syntax details and for
- default values. Use the postfix reload command after a
+ See the Postfix main.cf file for syntax details and for
+ default values. Use the postfix reload command after a
configuration change.
alias_database
- Default alias database(s) for newaliases. The
- default value for this parameter is system-spe-
+ Default alias database(s) for newaliases. The
+ default value for this parameter is system-spe-
cific.
bounce_size_limit
@@ -248,64 +252,64 @@ SENDMAIL(1) SENDMAIL(1)
initialized.
debug_peer_level
- Increment in verbose logging level when a remote
+ Increment in verbose logging level when a remote
host matches a pattern in the debug_peer_list
parameter.
debug_peer_list
- List of domain or network patterns. When a remote
- host matches a pattern, increase the verbose log-
- ging level by the amount specified in the
+ List of domain or network patterns. When a remote
+ host matches a pattern, increase the verbose log-
+ ging level by the amount specified in the
debug_peer_level parameter.
default_verp_delimiters
- The VERP delimiter characters that are used when
- the -V command line option is specified without
+ The VERP delimiter characters that are used when
+ the -V command line option is specified without
delimiter characters.
fast_flush_domains
List of domains that will receive "fast flush" ser-
- vice (default: all domains that this system is
- willing to relay mail to). This greatly improves
- the performance of the SMTP ETRN request, and of
- the sendmail -qR command. For domains not in the
+ vice (default: all domains that this system is
+ willing to relay mail to). This greatly improves
+ the performance of the SMTP ETRN request, and of
+ the sendmail -qR command. For domains not in the
list, Postfix simply attempts to deliver all queued
mail.
fork_attempts
- Number of attempts to fork() a process before giv-
+ Number of attempts to fork() a process before giv-
ing up.
fork_delay
- Delay in seconds between successive fork()
+ Delay in seconds between successive fork()
attempts.
hopcount_limit
Limit the number of Received: message headers.
mail_owner
- The owner of the mail queue and of most Postfix
+ The owner of the mail queue and of most Postfix
processes.
command_directory
- Directory with Postfix support commands (default:
+ Directory with Postfix support commands (default:
$program_directory).
daemon_directory
- Directory with Postfix daemon programs (default:
+ Directory with Postfix daemon programs (default:
$program_directory).
queue_directory
- Top-level directory of the Postfix queue. This is
+ Top-level directory of the Postfix queue. This is
also the root directory of Postfix daemons that run
chrooted.
queue_run_delay
- The time between successive scans of the deferred
+ The time between successive scans of the deferred
queue.
verp_delimiter_filter
- The characters that Postfix accepts as VERP delim-
+ The characters that Postfix accepts as VERP delim-
iter characters.
SEE ALSO
@@ -321,7 +325,7 @@ SENDMAIL(1) SENDMAIL(1)
syslogd(8) system logging
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/man/man1/sendmail.1 b/postfix/man/man1/sendmail.1
index 16b6d43c7..76ecab0db 100644
--- a/postfix/man/man1/sendmail.1
+++ b/postfix/man/man1/sendmail.1
@@ -71,6 +71,9 @@ Gateway (relay) submission, as opposed to initial user submission.
.IP \fB-I\fR
Initialize alias database. See the \fBnewaliases\fR
command above.
+.IP "\fB-L \fIlabel\fR (ignored)"
+The logging label. Use the \fBsyslog_name\fR configuration
+parameter instead.
.IP "\fB-N \fIdsn\fR (ignored)"
Delivery status notification control. Currently, Postfix does
not implement \fBDSN\fR.
diff --git a/postfix/proto/Makefile b/postfix/proto/Makefile
deleted file mode 100644
index e69de29bb..000000000
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 1fc8ab211..d69188498 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -15,7 +15,7 @@
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
-#define DEF_MAIL_VERSION "Snapshot-20011216"
+#define DEF_MAIL_VERSION "Snapshot-20011217"
extern char *var_mail_version;
/* LICENSE
diff --git a/postfix/src/master/Makefile.in b/postfix/src/master/Makefile.in
index 93a10e380..6f73ef3f1 100644
--- a/postfix/src/master/Makefile.in
+++ b/postfix/src/master/Makefile.in
@@ -203,11 +203,14 @@ master_wakeup.o: ../../include/sys_defs.h
master_wakeup.o: ../../include/msg.h
master_wakeup.o: ../../include/trigger.h
master_wakeup.o: ../../include/events.h
+master_wakeup.o: ../../include/set_eugid.h
+master_wakeup.o: ../../include/set_ugid.h
master_wakeup.o: ../../include/mail_proto.h
master_wakeup.o: ../../include/vstream.h
master_wakeup.o: ../../include/vbuf.h
master_wakeup.o: ../../include/iostuff.h
master_wakeup.o: ../../include/attr.h
+master_wakeup.o: ../../include/mail_params.h
master_wakeup.o: mail_server.h
master_wakeup.o: master.h
multi_server.o: multi_server.c
diff --git a/postfix/src/master/master_wakeup.c b/postfix/src/master/master_wakeup.c
index 16cc7be5b..e5aa9d1e5 100644
--- a/postfix/src/master/master_wakeup.c
+++ b/postfix/src/master/master_wakeup.c
@@ -58,10 +58,13 @@
#include
#include
#include
+#include
+#include
/* Global library. */
#include /* triggers */
+#include
/* Application-specific. */
@@ -101,8 +104,29 @@ static void master_wakeup_timer_event(int unused_event, char *context)
case MASTER_SERV_TYPE_UNIX:
status = LOCAL_TRIGGER(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
break;
+
+ /*
+ * If someone compromises the postfix account then this must not
+ * overwrite files outside the chroot jail. Countermeasures:
+ *
+ * - Limit the damage by accessing the FIFO as postfix not root.
+ *
+ * - Have fifo_trigger() call safe_open() so we won't follow
+ * arbitrary hard/symlinks to files in/outside the chroot jail.
+ *
+ * - All non-chroot postfix-related files must be root owned (or
+ * postfix check complains).
+ *
+ * - The postfix user and group ID must not be shared with other
+ * applications (says the INSTALL documentation).
+ *
+ * Result of a discussion with Michael Tokarev who claims het got
+ * his insights from Solar Designer.
+ */
case MASTER_SERV_TYPE_FIFO:
+ set_eugid(var_owner_uid, var_owner_gid);
status = fifo_trigger(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
+ set_ugid(getuid(), getgid());
break;
default:
msg_panic("%s: unknown service type: %d", myname, serv->type);
diff --git a/postfix/src/postalias/Makefile.in b/postfix/src/postalias/Makefile.in
index f5449495f..b18759656 100644
--- a/postfix/src/postalias/Makefile.in
+++ b/postfix/src/postalias/Makefile.in
@@ -21,10 +21,36 @@ $(PROG): $(OBJS) $(LIBS)
Makefile: Makefile.in
(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
-test: $(TESTPROG)
-
update: ../../bin/$(PROG)
+test: test1 test2
+
+test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
+ ./$(PROG) map.in
+ for key in abc ghi; \
+ do \
+ ./$(PROG) -q $${key} map.in | diff map-$${key}1.ref -; \
+ done
+ ./$(PROG) -f map.in
+ for key in ABC; \
+ do \
+ ./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
+ done
+ rm -f map.in.db
+
+test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
+ ./$(PROG) map.in
+ for key in abc ghi; \
+ do \
+ echo $${key} | ./$(PROG) -q - map.in | diff map-$${key}2.ref -; \
+ done
+ ./$(PROG) -f map.in
+ for key in ABC; \
+ do \
+ echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
+ done
+ rm -f map.in.db
+
../../bin/$(PROG): $(PROG)
cp $(PROG) ../../bin
diff --git a/postfix/src/postalias/map-ABC1.ref b/postfix/src/postalias/map-ABC1.ref
new file mode 100644
index 000000000..142195f36
--- /dev/null
+++ b/postfix/src/postalias/map-ABC1.ref
@@ -0,0 +1 @@
+DEF
diff --git a/postfix/src/postalias/map-ABC2.ref b/postfix/src/postalias/map-ABC2.ref
new file mode 100644
index 000000000..929916bcb
--- /dev/null
+++ b/postfix/src/postalias/map-ABC2.ref
@@ -0,0 +1 @@
+ABC: DEF
diff --git a/postfix/src/postalias/map-abc1.ref b/postfix/src/postalias/map-abc1.ref
new file mode 100644
index 000000000..142195f36
--- /dev/null
+++ b/postfix/src/postalias/map-abc1.ref
@@ -0,0 +1 @@
+DEF
diff --git a/postfix/src/postalias/map-abc2.ref b/postfix/src/postalias/map-abc2.ref
new file mode 100644
index 000000000..dfbdab6f1
--- /dev/null
+++ b/postfix/src/postalias/map-abc2.ref
@@ -0,0 +1 @@
+abc: DEF
diff --git a/postfix/src/postalias/map-ghi1.ref b/postfix/src/postalias/map-ghi1.ref
new file mode 100644
index 000000000..7beb1db20
--- /dev/null
+++ b/postfix/src/postalias/map-ghi1.ref
@@ -0,0 +1 @@
+jkl
diff --git a/postfix/src/postalias/map-ghi2.ref b/postfix/src/postalias/map-ghi2.ref
new file mode 100644
index 000000000..e2ca310ca
--- /dev/null
+++ b/postfix/src/postalias/map-ghi2.ref
@@ -0,0 +1 @@
+ghi: jkl
diff --git a/postfix/src/postalias/map.in b/postfix/src/postalias/map.in
new file mode 100644
index 000000000..203fa0cd3
--- /dev/null
+++ b/postfix/src/postalias/map.in
@@ -0,0 +1,2 @@
+ABC: DEF
+ghi: jkl
diff --git a/postfix/src/postmap/Makefile.in b/postfix/src/postmap/Makefile.in
index bcc098a6b..a96270e30 100644
--- a/postfix/src/postmap/Makefile.in
+++ b/postfix/src/postmap/Makefile.in
@@ -21,13 +21,39 @@ $(PROG): $(OBJS) $(LIBS)
Makefile: Makefile.in
(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
-test: $(TESTPROG)
-
update: ../../bin/$(PROG)
../../bin/$(PROG): $(PROG)
cp $(PROG) ../../bin
+test: test1 test2
+
+test1: $(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
+ ./$(PROG) map.in
+ for key in abc ghi; \
+ do \
+ ./$(PROG) -q $${key} map.in | diff map-$${key}1.ref -; \
+ done
+ ./$(PROG) -f map.in
+ for key in ABC; \
+ do \
+ ./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
+ done
+ rm -f map.in.db
+
+test2: $(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
+ ./$(PROG) map.in
+ for key in abc ghi; \
+ do \
+ echo $${key} | ./$(PROG) -q - map.in | diff map-$${key}2.ref -; \
+ done
+ ./$(PROG) -f map.in
+ for key in ABC; \
+ do \
+ echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
+ done
+ rm -f map.in.db
+
printfck: $(OBJS) $(PROG)
rm -rf printfck
mkdir printfck
@@ -39,7 +65,7 @@ lint:
lint $(DEFS) $(SRCS) $(LINTFIX)
clean:
- rm -f *.o *core $(PROG) $(TESTPROG) junk
+ rm -f *.o *core $(PROG) $(TESTPROG) junk map.in.db
rm -rf printfck
tidy: clean
diff --git a/postfix/src/postmap/map-ABC1.ref b/postfix/src/postmap/map-ABC1.ref
new file mode 100644
index 000000000..142195f36
--- /dev/null
+++ b/postfix/src/postmap/map-ABC1.ref
@@ -0,0 +1 @@
+DEF
diff --git a/postfix/src/postmap/map-ABC2.ref b/postfix/src/postmap/map-ABC2.ref
new file mode 100644
index 000000000..cc3ea4e3c
--- /dev/null
+++ b/postfix/src/postmap/map-ABC2.ref
@@ -0,0 +1 @@
+ABC DEF
diff --git a/postfix/src/postmap/map-abc1.ref b/postfix/src/postmap/map-abc1.ref
new file mode 100644
index 000000000..142195f36
--- /dev/null
+++ b/postfix/src/postmap/map-abc1.ref
@@ -0,0 +1 @@
+DEF
diff --git a/postfix/src/postmap/map-abc2.ref b/postfix/src/postmap/map-abc2.ref
new file mode 100644
index 000000000..2ee5fab43
--- /dev/null
+++ b/postfix/src/postmap/map-abc2.ref
@@ -0,0 +1 @@
+abc DEF
diff --git a/postfix/src/postmap/map-ghi1.ref b/postfix/src/postmap/map-ghi1.ref
new file mode 100644
index 000000000..7beb1db20
--- /dev/null
+++ b/postfix/src/postmap/map-ghi1.ref
@@ -0,0 +1 @@
+jkl
diff --git a/postfix/src/postmap/map-ghi2.ref b/postfix/src/postmap/map-ghi2.ref
new file mode 100644
index 000000000..5926a187f
--- /dev/null
+++ b/postfix/src/postmap/map-ghi2.ref
@@ -0,0 +1 @@
+ghi jkl
diff --git a/postfix/src/postmap/map.in b/postfix/src/postmap/map.in
new file mode 100644
index 000000000..f1805549e
--- /dev/null
+++ b/postfix/src/postmap/map.in
@@ -0,0 +1,2 @@
+ABC DEF
+ghi jkl
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index c18c9e679..f25988749 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -65,6 +65,9 @@
/* .IP \fB-I\fR
/* Initialize alias database. See the \fBnewaliases\fR
/* command above.
+/* .IP "\fB-L \fIlabel\fR (ignored)"
+/* The logging label. Use the \fBsyslog_name\fR configuration
+/* parameter instead.
/* .IP "\fB-N \fIdsn\fR (ignored)"
/* Delivery status notification control. Currently, Postfix does
/* not implement \fBDSN\fR.
@@ -860,7 +863,7 @@ int main(int argc, char **argv)
optind++;
continue;
}
- if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
+ if ((c = GETOPT(argc, argv, "B:C:F:GIL:N:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
break;
switch (c) {
default:
@@ -869,20 +872,12 @@ int main(int argc, char **argv)
break;
case 'n':
fatal_error(EX_USAGE, "-%c option not supported", c);
- case 'B': /* body type */
- break;
case 'F': /* full name */
full_name = optarg;
break;
- case 'G': /* gateway submission */
- break;
case 'I': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
- case 'N': /* DSN */
- break;
- case 'R': /* DSN */
- break;
case 'V': /* VERP */
if (verp_delims_verify(optarg) != 0)
fatal_error(EX_USAGE, "-V requires two characters from %s",
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index 74b10ed0e..f345644cc 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -690,6 +690,10 @@ fifo_trigger.o: fifo_trigger.c
fifo_trigger.o: sys_defs.h
fifo_trigger.o: msg.h
fifo_trigger.o: iostuff.h
+fifo_trigger.o: safe_open.h
+fifo_trigger.o: vstream.h
+fifo_trigger.o: vbuf.h
+fifo_trigger.o: vstring.h
fifo_trigger.o: trigger.h
file_limit.o: file_limit.c
file_limit.o: sys_defs.h
diff --git a/postfix/src/util/fifo_trigger.c b/postfix/src/util/fifo_trigger.c
index b28011436..feff2e421 100644
--- a/postfix/src/util/fifo_trigger.c
+++ b/postfix/src/util/fifo_trigger.c
@@ -49,6 +49,7 @@
#include
#include
+#include
#include
/* fifo_trigger - wakeup fifo server */
@@ -56,18 +57,23 @@
int fifo_trigger(const char *service, const char *buf, int len, int timeout)
{
char *myname = "fifo_trigger";
+ VSTREAM *fp;
int fd;
/*
* Write the request to the service fifo. According to POSIX, the open
* shall always return immediately, and shall return an error when no
* process is reading from the FIFO.
+ *
+ * Use safe_open() so that we don't follow arbitrary symlinks.
*/
- if ((fd = open(service, O_WRONLY | O_NONBLOCK, 0)) < 0) {
+ if ((fp = safe_open(service, O_WRONLY | O_NONBLOCK, 0,
+ (struct stat *) 0, -1, -1, (VSTRING *) 0)) == 0) {
if (msg_verbose)
msg_info("%s: open %s: %m", myname, service);
return (-1);
}
+ fd = vstream_fileno(fp);
/*
* Write the request...
@@ -80,7 +86,7 @@ int fifo_trigger(const char *service, const char *buf, int len, int timeout)
/*
* Disconnect.
*/
- if (close(fd))
+ if (vstream_fclose(fp))
if (msg_verbose)
msg_warn("%s: close %s: %m", myname, service);
return (0);