Last diff of the series: This introduces the same logic as forward-file for executing commands.
Executing commands from aliases should be discouraged as you can always achieve the same through a forward file and benefit from the privilege separation of running a command as a separate user rather than as the smtpd user... but historically commands have been ran from aliases so the aliases expansion supports running custom commands. With this diff, an admin must explicitly allow commands to be ran from aliases: action "local_users" maildir alias <aliases> allow-exec otherwise sessions resolving to an alias that's a command temporarily fail. Because aliases and virtual uses the same expansion loop, this applies to both: action "local_users" maildir virtual <valiases> allow-exec diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c index aea0780017e..7a817d868ee 100644 --- a/usr.sbin/smtpd/lka_session.c +++ b/usr.sbin/smtpd/lka_session.c @@ -489,6 +489,12 @@ lka_expand(struct lka_session *lks, struct rule *rule, struct expandnode *xn) lks->error = LKA_TEMPFAIL; break; } + } else { + if (! dsp->u.local.allow_expand_exec) { + log_trace(TRACE_EXPAND, "expand: matched expand with no allow-exec"); + lks->error = LKA_TEMPFAIL; + break; + } } log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s " diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y index 908c189c93d..3a42487acc7 100644 --- a/usr.sbin/smtpd/parse.y +++ b/usr.sbin/smtpd/parse.y @@ -608,7 +608,7 @@ USER STRING { dispatcher->u.local.user = $2; } -| ALIAS tables { +| ALIAS tables allow_exec { struct table *t = $2; if (dispatcher->u.local.table_alias) { @@ -628,8 +628,9 @@ USER STRING { } dispatcher->u.local.table_alias = strdup(t->t_name); + dispatcher->u.local.allow_expand_exec = $3; } -| VIRTUAL tables { +| VIRTUAL tables allow_exec { struct table *t = $2; if (dispatcher->u.local.table_virtual) { @@ -649,6 +650,7 @@ USER STRING { } dispatcher->u.local.table_virtual = strdup(t->t_name); + dispatcher->u.local.allow_expand_exec = $3; } | USERBASE tables { struct table *t = $2; diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5 index c2ef5f568ca..15623b58d86 100644 --- a/usr.sbin/smtpd/smtpd.conf.5 +++ b/usr.sbin/smtpd/smtpd.conf.5 @@ -167,12 +167,16 @@ Relay the message to another SMTP server. .Pp The local delivery methods support additional options: .Bl -tag -width Ds -.It Cm alias Pf < Ar table Ns > +.It Cm alias Pf < Ar table Ns > Op Cm allow-exec Use the mapping .Ar table for .Xr aliases 5 expansion. +.Pp +If +.Cm allow-exec +is specified, aliases are allowed to execute a custom command. .It Cm forward-file Op Cm allow-exec Allow the use of a .forward file in user home directory . .Pp @@ -211,12 +215,16 @@ The does not apply for the .Cm user option. -.It Cm virtual Pf < Ar table Ns > +.It Cm virtual Pf < Ar table Ns > Op Cm allow-exec Use the mapping .Ar table for virtual expansion. The aliasing table format is described in .Xr table 5 . +.Pp +If +.Cm allow-exec +is specified, virtuals are allowed to execute a custom command. .It Cm wrapper Ar name Use the wrapper specified in .Cm mda wrapper . diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index 57a8bebec79..7a0695ac5da 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1161,6 +1161,7 @@ struct dispatcher_local { uint8_t forward_only; uint8_t forward_file; + uint8_t allow_expand_exec; uint8_t allow_forward_exec; char *mda_wrapper;