Last diff of the series:
This introduces the same logic as forward-file for executing commands.
Executing commands from aliases should be discouraged as you can always achieve
the same
through a forward file and benefit from the privilege separation of running a
command as
a separate user rather than as the smtpd user... but historically commands have
been ran
from aliases so the aliases expansion supports running custom commands.
With this diff, an admin must explicitly allow commands to be ran from aliases:
action "local_users" maildir alias <aliases> allow-exec
otherwise sessions resolving to an alias that's a command temporarily fail.
Because aliases and virtual uses the same expansion loop, this applies to both:
action "local_users" maildir virtual <valiases> allow-exec
diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c
index aea0780017e..7a817d868ee 100644
--- a/usr.sbin/smtpd/lka_session.c
+++ b/usr.sbin/smtpd/lka_session.c
@@ -489,6 +489,12 @@ lka_expand(struct lka_session *lks, struct rule *rule,
struct expandnode *xn)
lks->error = LKA_TEMPFAIL;
break;
}
+ } else {
+ if (! dsp->u.local.allow_expand_exec) {
+ log_trace(TRACE_EXPAND, "expand: matched expand
with no allow-exec");
+ lks->error = LKA_TEMPFAIL;
+ break;
+ }
}
log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s "
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 908c189c93d..3a42487acc7 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -608,7 +608,7 @@ USER STRING {
dispatcher->u.local.user = $2;
}
-| ALIAS tables {
+| ALIAS tables allow_exec {
struct table *t = $2;
if (dispatcher->u.local.table_alias) {
@@ -628,8 +628,9 @@ USER STRING {
}
dispatcher->u.local.table_alias = strdup(t->t_name);
+ dispatcher->u.local.allow_expand_exec = $3;
}
-| VIRTUAL tables {
+| VIRTUAL tables allow_exec {
struct table *t = $2;
if (dispatcher->u.local.table_virtual) {
@@ -649,6 +650,7 @@ USER STRING {
}
dispatcher->u.local.table_virtual = strdup(t->t_name);
+ dispatcher->u.local.allow_expand_exec = $3;
}
| USERBASE tables {
struct table *t = $2;
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index c2ef5f568ca..15623b58d86 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -167,12 +167,16 @@ Relay the message to another SMTP server.
.Pp
The local delivery methods support additional options:
.Bl -tag -width Ds
-.It Cm alias Pf < Ar table Ns >
+.It Cm alias Pf < Ar table Ns > Op Cm allow-exec
Use the mapping
.Ar table
for
.Xr aliases 5
expansion.
+.Pp
+If
+.Cm allow-exec
+is specified, aliases are allowed to execute a custom command.
.It Cm forward-file Op Cm allow-exec
Allow the use of a .forward file in user home directory .
.Pp
@@ -211,12 +215,16 @@ The
does not apply for the
.Cm user
option.
-.It Cm virtual Pf < Ar table Ns >
+.It Cm virtual Pf < Ar table Ns > Op Cm allow-exec
Use the mapping
.Ar table
for virtual expansion.
The aliasing table format is described in
.Xr table 5 .
+.Pp
+If
+.Cm allow-exec
+is specified, virtuals are allowed to execute a custom command.
.It Cm wrapper Ar name
Use the wrapper specified in
.Cm mda wrapper .
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 57a8bebec79..7a0695ac5da 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1161,6 +1161,7 @@ struct dispatcher_local {
uint8_t forward_only;
uint8_t forward_file;
+ uint8_t allow_expand_exec;
uint8_t allow_forward_exec;
char *mda_wrapper;
