1 files changed, 556 insertions, 0 deletions
diff --git a/src/child.c b/src/child.c
new file mode 100644
index 0000000..1f38b58
--- /dev/null
+++ b/src/child.c
@@ -0,0 +1,556 @@
+/*************************************************
+*     Exim - an Internet mail transport agent    *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* See the file NOTICE for conditions of use and distribution. */
+
+
+#include "exim.h"
+
+static void (*oldsignal)(int);
+
+
+/*************************************************
+*          Ensure an fd has a given value        *
+*************************************************/
+
+/* This function is called when we want to ensure that a certain fd has a
+specific value (one of 0, 1, 2). If it hasn't got it already, close the value
+we want, duplicate the fd, then close the old one.
+
+Arguments:
+  oldfd        original fd
+  newfd        the fd we want
+
+Returns:       nothing
+*/
+
+void
+force_fd(int oldfd, int newfd)
+{
+if (oldfd == newfd) return;
+(void)close(newfd);
+(void)dup2(oldfd, newfd);
+(void)close(oldfd);
+}
+
+
+#ifndef STAND_ALONE
+/*************************************************
+*   Build argv list and optionally re-exec Exim  *
+*************************************************/
+
+/* This function is called when Exim wants to re-exec (overlay) itself in the
+current process. This is different to child_open_exim(), which runs another
+Exim process in parallel (but it then calls this function). The function's
+basic job is to build the argv list according to the values of current options
+settings. There is a basic list that all calls require, and an additional list
+that some do not require. Further additions can be given as additional
+arguments. An option specifies whether the exec() is actually to happen, and if
+so, what is to be done if it fails.
+
+Arguments:
+  exec_type      CEE_RETURN_ARGV => don't exec; return the argv list
+                 CEE_EXEC_EXIT   => just exit() on exec failure
+                 CEE_EXEC_PANIC  => panic-die on exec failure
+  kill_v         if TRUE, don't pass on the D_v flag
+  pcount         if not NULL, points to extra size of argv required, and if
+                   CEE_RETURN_ARGV is specified, it is updated to give the
+                   number of slots used
+  minimal        TRUE if only minimal argv is required
+  acount         number of additional arguments
+  ...            further values to add to argv
+
+Returns:         if CEE_RETURN_ARGV is given, returns a pointer to argv;
+                 otherwise, does not return
+*/
+
+uschar **
+child_exec_exim(int exec_type, BOOL kill_v, int *pcount, BOOL minimal,
+  int acount, ...)
+{
+int first_special = -1;
+int n = 0;
+int extra = pcount ? *pcount : 0;
+uschar **argv;
+
+argv = store_get((extra + acount + MAX_CLMACROS + 24) * sizeof(char *), GET_UNTAINTED);
+
+/* In all case, the list starts out with the path, any macros, and a changed
+config file. */
+
+argv[n++] = exim_path;		/* assume untainted */
+if (clmacro_count > 0)
+  {
+  memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
+  n += clmacro_count;
+  }
+if (f.config_changed)
+  { argv[n++] = US"-C"; argv[n++] = config_main_filename; }
+
+/* These values are added only for non-minimal cases. If debug_selector is
+precisely D_v, we have to assume this was started by a non-admin user, and
+we suppress the flag when requested. (This happens when passing on an SMTP
+connection, and after ETRN.) If there's more debugging going on, an admin user
+was involved, so we do pass it on. */
+
+if (!minimal)
+  {
+  if (debug_selector == D_v)
+    {
+    if (!kill_v) argv[n++] = US"-v";
+    }
+  else
+    {
+    if (debug_selector != 0)
+      {
+      argv[n++] = string_sprintf("-d=0x%x", debug_selector);
+      if (debug_fd > 2)
+	{
+	int flags = fcntl(debug_fd, F_GETFD);
+	if (flags != -1) (void)fcntl(debug_fd, F_SETFD, flags & ~FD_CLOEXEC);
+	close(2);
+	dup2(debug_fd, 2);
+	close(debug_fd);
+	}
+      }
+    }
+  if (debug_pretrigger_buf)
+    { argv[n++] = US"-dp"; argv[n++] = string_sprintf("0x%x", debug_pretrigger_bsize); }
+  if (dtrigger_selector != 0)
+    argv[n++] = string_sprintf("-dt=0x%x", dtrigger_selector);
+  DEBUG(D_any)
+    {
+    argv[n++] = US"-MCd";
+    argv[n++] = US process_purpose;
+    }
+  if (!f.testsuite_delays)	argv[n++] = US"-odd";
+  if (f.dont_deliver)		argv[n++] = US"-N";
+  if (f.queue_smtp)		argv[n++] = US"-odqs";
+  if (f.synchronous_delivery)	argv[n++] = US"-odi";
+  if (connection_max_messages >= 0)
+    argv[n++] = string_sprintf("-oB%d", connection_max_messages);
+  if (*queue_name)
+    { argv[n++] = US"-MCG"; argv[n++] = queue_name; }
+  }
+
+/* Now add in any others that are in the call. Remember which they were,
+for more helpful diagnosis on failure. */
+
+if (acount > 0)
+  {
+  va_list ap;
+  va_start(ap, acount);
+  first_special = n;
+  while (acount-- > 0)
+    argv[n++] = va_arg(ap, uschar *);
+  va_end(ap);
+  }
+
+/* Terminate the list, and return it, if that is what is wanted. */
+
+argv[n] = NULL;
+if (exec_type == CEE_RETURN_ARGV)
+  {
+  if (pcount) *pcount = n;
+  return argv;
+  }
+
+/* Otherwise, do the exec() here, and handle the consequences of an unexpected
+failure. We know that there will always be at least one extra option in the
+call when exec() is done here, so it can be used to add to the panic data. */
+
+DEBUG(D_exec) debug_print_argv(CUSS argv);
+exim_nullstd();                            /* Make sure std{in,out,err} exist */
+execv(CS argv[0], (char *const *)argv);
+
+log_write(0,
+  LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
+  "re-exec of exim (%s) with %s failed: %s", exim_path, argv[first_special],
+  strerror(errno));
+
+/* Get here if exec_type == CEE_EXEC_EXIT.
+Note: this must be _exit(), not exit(). */
+
+_exit(EX_EXECFAILED);
+
+return NULL;   /* To keep compilers happy */
+}
+
+
+
+
+/*************************************************
+*          Create a child Exim process           *
+*************************************************/
+
+/* This function is called when Exim wants to run a parallel instance of itself
+in order to inject a message via the standard input. The function creates a
+child process and runs Exim in it. It sets up a pipe to the standard input of
+the new process, and returns that to the caller via fdptr. The function returns
+the pid of the new process, or -1 if things go wrong. If debug_fd is
+non-negative, it is passed as stderr.
+
+This interface is now a just wrapper for the more complicated function
+child_open_exim2(), which has additional arguments. The wrapper must continue
+to exist, even if all calls from within Exim are changed, because it is
+documented for use from local_scan().
+
+Argument: fdptr   pointer to int for the stdin fd
+	  purpose of the child process, for debug
+Returns:          pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_exim_function(int * fdptr, const uschar * purpose)
+{
+return child_open_exim2_function(fdptr, US"<>", bounce_sender_authentication,
+  purpose);
+}
+
+
+/* This is a more complicated function for creating a child Exim process, with
+more arguments.
+
+Arguments:
+  fdptr                   pointer to int for the stdin fd
+  sender                  for a sender address (data for -f)
+  sender_authentication   authenticated sender address or NULL
+  purpose		  of the child process, for debug
+
+Returns:          pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_exim2_function(int * fdptr, uschar * sender,
+  uschar * sender_authentication, const uschar * purpose)
+{
+int pfd[2];
+int save_errno;
+pid_t pid;
+
+/* Create the pipe and fork the process. Ensure that SIGCHLD is set to
+SIG_DFL before forking, so that the child process can be waited for. We
+sometimes get here with it set otherwise. Save the old state for resetting
+on the wait. */
+
+if (pipe(pfd) != 0) return (pid_t)(-1);
+oldsignal = signal(SIGCHLD, SIG_DFL);
+pid = exim_fork(purpose);
+
+/* Child process: make the reading end of the pipe into the standard input and
+close the writing end. If debugging, pass debug_fd as stderr. Then re-exec
+Exim with appropriate options. In the test harness, use -odi unless queue_only
+is set, so that the bounce is fully delivered before returning. Failure is
+signalled with EX_EXECFAILED (specified by CEE_EXEC_EXIT), but this shouldn't
+occur. */
+
+if (pid == 0)
+  {
+  force_fd(pfd[pipe_read], 0);
+  (void)close(pfd[pipe_write]);
+  if (debug_fd > 0) force_fd(debug_fd, 2);
+  if (f.running_in_test_harness && !queue_only)
+    {
+    if (sender_authentication)
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 9,
+        US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+        sender_authentication, message_id_option);
+    else
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 7,
+        US "-odi", US"-t", US"-oem", US"-oi", US"-f", sender,
+        message_id_option);
+    /* Control does not return here. */
+    }
+  else   /* Not test harness */
+    {
+    if (sender_authentication)
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
+        US"-t", US"-oem", US"-oi", US"-f", sender, US"-oMas",
+        sender_authentication, message_id_option);
+    else
+      child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
+        US"-t", US"-oem", US"-oi", US"-f", sender, message_id_option);
+    /* Control does not return here. */
+    }
+  }
+
+testharness_pause_ms(100); /* let child work even longer, for exec */
+
+/* Parent process. Save fork() errno and close the reading end of the stdin
+pipe. */
+
+save_errno = errno;
+(void)close(pfd[pipe_read]);
+
+/* Fork succeeded */
+
+if (pid > 0)
+  {
+  *fdptr = pfd[pipe_write];   /* return writing end of stdin pipe */
+  return pid;                 /* and pid of new process */
+  }
+
+/* Fork failed */
+
+(void)close(pfd[pipe_write]);
+errno = save_errno;
+return (pid_t)(-1);
+}
+#endif   /* STAND_ALONE */
+
+
+
+/*************************************************
+*         Create a non-Exim child process        *
+*************************************************/
+
+/* This function creates a child process and runs the given command in it. It
+sets up pipes to the standard input and output of the new process, and returns
+them to the caller. The standard error is cloned to the output. If there are
+any file descriptors "in the way" in the new process, they are closed. A new
+umask is supplied for the process, and an optional new uid and gid are also
+available. These are used by the queryprogram router to set an unprivileged id.
+SIGUSR1 is always disabled in the new process, as it is not going to be running
+Exim (the function child_open_exim() is provided for that). This function
+returns the pid of the new process, or -1 if things go wrong.
+
+Arguments:
+  argv        the argv for exec in the new process
+  envp        the envp for exec in the new process
+  newumask    umask to set in the new process
+  newuid      point to uid for the new process or NULL for no change
+  newgid      point to gid for the new process or NULL for no change
+  infdptr     pointer to int into which the fd of the stdin of the new process
+                is placed
+  outfdptr    pointer to int into which the fd of the stdout/stderr of the new
+                process is placed
+  wd          if not NULL, a path to be handed to chdir() in the new process
+  make_leader if TRUE, make the new process a process group leader
+  purpose     for debug: reason for running the task
+
+Returns:      the pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_uid(const uschar **argv, const uschar **envp, int newumask,
+  uid_t *newuid, gid_t *newgid, int *infdptr, int *outfdptr, uschar *wd,
+  BOOL make_leader, const uschar * purpose)
+{
+int save_errno;
+int inpfd[2], outpfd[2];
+pid_t pid;
+
+if (is_tainted(argv[0]))
+  {
+  log_write(0, LOG_MAIN | LOG_PANIC, "Attempt to exec tainted path: '%s'", argv[0]);
+  errno = EPERM;
+  return (pid_t)(-1);
+  }
+
+/* Create the pipes. */
+
+if (pipe(inpfd) != 0) return (pid_t)(-1);
+if (pipe(outpfd) != 0)
+  {
+  (void)close(inpfd[pipe_read]);
+  (void)close(inpfd[pipe_write]);
+  return (pid_t)(-1);
+  }
+
+/* Fork the process. Ensure that SIGCHLD is set to SIG_DFL before forking, so
+that the child process can be waited for. We sometimes get here with it set
+otherwise. Save the old state for resetting on the wait. */
+
+oldsignal = signal(SIGCHLD, SIG_DFL);
+pid = exim_fork(purpose);
+
+/* Handle the child process. First, set the required environment. We must do
+this before messing with the pipes, in order to be able to write debugging
+output when things go wrong. */
+
+if (pid == 0)
+  {
+  signal(SIGUSR1, SIG_IGN);
+  signal(SIGPIPE, SIG_DFL);
+
+  if (newgid && setgid(*newgid) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set gid=%ld in subprocess: %s\n",
+      (long int)(*newgid), strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  if (newuid && setuid(*newuid) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set uid=%ld in subprocess: %s\n",
+      (long int)(*newuid), strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  (void)umask(newumask);
+
+  if (wd && Uchdir(wd) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to chdir to %s: %s\n", wd,
+      strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  /* Becomes a process group leader if requested, and then organize the pipes.
+  Any unexpected failure is signalled with EX_EXECFAILED; these are all "should
+  never occur" failures, except for exec failing because the command doesn't
+  exist. */
+
+  if (make_leader && setpgid(0,0) < 0)
+    {
+    DEBUG(D_any) debug_printf("failed to set group leader in subprocess: %s\n",
+      strerror(errno));
+    goto CHILD_FAILED;
+    }
+
+  (void)close(inpfd[pipe_write]);
+  force_fd(inpfd[pipe_read], 0);
+
+  (void)close(outpfd[pipe_read]);
+  force_fd(outpfd[pipe_write], 1);
+
+  (void)close(2);
+  (void)dup2(1, 2);
+
+  /* Now do the exec */
+
+  if (envp) execve(CS argv[0], (char *const *)argv, (char *const *)envp);
+  else execv(CS argv[0], (char *const *)argv);
+
+  /* Failed to execv. Signal this failure using EX_EXECFAILED. We are
+  losing the actual errno we got back, because there is no way to return
+  this information. */
+
+  CHILD_FAILED:
+  _exit(EX_EXECFAILED);      /* Note: must be _exit(), NOT exit() */
+  }
+
+/* Parent process. Save any fork failure code, and close the reading end of the
+stdin pipe, and the writing end of the stdout pipe. */
+
+save_errno = errno;
+(void)close(inpfd[pipe_read]);
+(void)close(outpfd[pipe_write]);
+
+/* Fork succeeded; return the input/output pipes and the pid */
+
+if (pid > 0)
+  {
+  *infdptr = inpfd[pipe_write];
+  *outfdptr = outpfd[pipe_read];
+  return pid;
+  }
+
+/* Fork failed; reset fork errno before returning */
+
+(void)close(inpfd[pipe_write]);
+(void)close(outpfd[pipe_read]);
+errno = save_errno;
+return (pid_t)(-1);
+}
+
+
+
+
+/*************************************************
+*    Create child process without uid change     *
+*************************************************/
+
+/* This function is a wrapper for child_open_uid() that doesn't have the uid,
+gid and working directory changing arguments. The function is provided so as to
+have a clean interface for use from local_scan(), but also saves writing NULL
+arguments several calls that would otherwise use child_open_uid().
+
+Arguments:
+  argv        the argv for exec in the new process
+  envp        the envp for exec in the new process
+  newumask    umask to set in the new process
+  infdptr     pointer to int into which the fd of the stdin of the new process
+                is placed
+  outfdptr    pointer to int into which the fd of the stdout/stderr of the new
+                process is placed
+  make_leader if TRUE, make the new process a process group leader
+  purpose     for debug: reason for running the task
+
+Returns:      the pid of the created process or -1 if anything has gone wrong
+*/
+
+pid_t
+child_open_function(uschar **argv, uschar **envp, int newumask, int *infdptr,
+  int *outfdptr, BOOL make_leader, const uschar * purpose)
+{
+return child_open_uid(CUSS argv, CUSS envp, newumask, NULL, NULL,
+  infdptr, outfdptr, NULL, make_leader, purpose);
+}
+
+
+
+
+/*************************************************
+*           Close down child process             *
+*************************************************/
+
+/* Wait for the given process to finish, with optional timeout.
+
+Arguments
+  pid:      the pid to wait for
+  timeout:  maximum time to wait; 0 means for as long as it takes
+
+Returns:    >= 0          process terminated by exiting; value is process
+                            ending status; if an execve() failed, the value
+                            is typically 127 (defined as EX_EXECFAILED)
+            < 0 & > -256  process was terminated by a signal; value is the
+                            negation of the signal number
+            -256          timed out
+            -257          other error in wait(); errno still set
+*/
+
+int
+child_close(pid_t pid, int timeout)
+{
+int yield;
+
+if (timeout > 0)
+  {
+  sigalrm_seen = FALSE;
+  ALARM(timeout);
+  }
+
+for(;;)
+  {
+  int status;
+  pid_t rc = waitpid(pid, &status, 0);
+  if (rc == pid)
+    {
+    int lowbyte = status & 255;
+    yield = lowbyte == 0 ? (status >> 8) & 255 : -lowbyte;
+    break;
+    }
+  if (rc < 0)
+    {
+    /* This "shouldn't happen" test does happen on MacOS: for some reason
+    I do not understand we seems to get an alarm signal despite not having
+    an active alarm set. There seems to be only one, so just go round again. */
+
+    if (errno == EINTR && sigalrm_seen && timeout <= 0) continue;
+
+    yield = (errno == EINTR && sigalrm_seen) ? -256 : -257;
+    break;
+    }
+  }
+
+if (timeout > 0) ALARM_CLR(0);
+
+signal(SIGCHLD, oldsignal);   /* restore */
+return yield;
+}
+
+/* End of child.c */