1 /* movemail foo bar -- move file foo to file bar,
2 locking file foo the way /bin/mail respects.
4 Copyright (C) 1986, 1992-1994, 1996, 1999, 2001-2012
5 Free Software Foundation, Inc.
7 This file is part of GNU Emacs.
9 GNU Emacs is free software: you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation, either version 3 of the License, or
12 (at your option) any later version.
14 GNU Emacs is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
23 /* Important notice: defining MAIL_USE_FLOCK or MAIL_USE_LOCKF *will
24 cause loss of mail* if you do it on a system that does not normally
25 use flock as its way of interlocking access to inbox files. The
26 setting of MAIL_USE_FLOCK and MAIL_USE_LOCKF *must agree* with the
27 system's own conventions. It is not a choice that is up to you.
29 So, if your system uses lock files rather than flock, then the only way
30 you can get proper operation is to enable movemail to write lockfiles there.
31 This means you must either give that directory access modes
32 that permit everyone to write lockfiles in it, or you must make movemail
33 a setuid or setgid program. */
36 * Modified January, 1986 by Michael R. Gretzinger (Project Athena)
38 * Added POP (Post Office Protocol) service. When compiled -DMAIL_USE_POP
39 * movemail will accept input filename arguments of the form
40 * "po:username". This will cause movemail to open a connection to
41 * a pop server running on $MAILHOST (environment variable). Movemail
42 * must be setuid to root in order to work with POP.
44 * New module: popmail.c
46 * main - added code within #ifdef MAIL_USE_POP; added setuid (getuid ())
48 * New routines in movemail.c:
49 * get_errmsg - return pointer to system error message
51 * Modified August, 1993 by Jonathan Kamens (OpenVision Technologies)
53 * Move all of the POP code into a separate file, "pop.c".
54 * Use strerror instead of get_errmsg.
59 #include <sys/types.h>
86 #define wait(var) (*(var) = 0)
87 /* Unfortunately, Samba doesn't seem to properly lock Unix files even
88 though the locking call succeeds (and indeed blocks local access from
89 other NT programs). If you have direct file access using an NFS
90 client or something other than Samba, the locking call might work
91 properly - make sure it does before you enable this!
93 [18-Feb-97 andrewi] I now believe my comment above to be incorrect,
94 since it was based on a misunderstanding of how locking calls are
95 implemented and used on Unix. */
96 //#define DISABLE_DIRECT_ACCESS
99 #endif /* WINDOWSNT */
109 #include <sys/locking.h>
112 #ifdef MAIL_USE_LOCKF
113 #define MAIL_USE_SYSTEM_LOCK
116 #ifdef MAIL_USE_FLOCK
117 #define MAIL_USE_SYSTEM_LOCK
121 extern int lk_open (), lk_close ();
124 #if !defined (MAIL_USE_SYSTEM_LOCK) && !defined (MAIL_USE_MMDF) && \
125 (defined (HAVE_LIBMAIL) || defined (HAVE_LIBLOCKFILE)) && \
126 defined (HAVE_MAILLOCK_H)
127 #include <maillock.h>
128 /* We can't use maillock unless we know what directory system mail
131 #define MAIL_USE_MAILLOCK
132 static char *mail_spool_name (char *);
136 static _Noreturn
void fatal (const char *s1
, const char *s2
, const char *s3
);
137 static void error (const char *s1
, const char *s2
, const char *s3
);
138 static _Noreturn
void pfatal_with_name (char *name
);
139 static _Noreturn
void pfatal_and_delete (char *name
);
140 #ifdef MAIL_USE_MAILLOCK
141 static void *xmalloc (size_t size
);
144 static int popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
);
145 static int pop_retr (popserver server
, int msgno
, FILE *arg
);
146 static int mbx_write (char *line
, int len
, FILE *mbf
);
147 static int mbx_delimit_begin (FILE *mbf
);
148 static int mbx_delimit_end (FILE *mbf
);
151 /* Nonzero means this is name of a lock file to delete on fatal error. */
152 static char *delete_lockname
;
155 main (int argc
, char **argv
)
157 char *inname
, *outname
;
161 int c
, preserve_mail
= 0;
163 #ifndef MAIL_USE_SYSTEM_LOCK
168 size_t inname_dirlen
;
170 #endif /* not MAIL_USE_SYSTEM_LOCK */
172 #ifdef MAIL_USE_MAILLOCK
177 int pop_reverse_order
= 0;
179 #else /* ! MAIL_USE_POP */
181 #endif /* MAIL_USE_POP */
183 uid_t real_gid
= getgid ();
184 uid_t priv_gid
= getegid ();
187 /* Ensure all file i/o is in binary mode. */
193 while ((c
= getopt (argc
, argv
, ARGSTR
)) != EOF
)
198 pop_reverse_order
= 1;
211 (argc
- optind
< 2) || (argc
- optind
> 3)
218 fprintf (stderr
, "Usage: movemail [-p] [-r] inbox destfile%s\n",
221 fprintf (stderr
, "Usage: movemail [-p] inbox destfile%s\n", "");
226 inname
= argv
[optind
];
227 outname
= argv
[optind
+1];
234 fatal ("Destination file name is empty", 0, 0);
237 if (!strncmp (inname
, "po:", 3))
241 status
= popmail (inname
+ 3, outname
, preserve_mail
,
242 (argc
- optind
== 3) ? argv
[optind
+2] : NULL
,
247 if (setuid (getuid ()) < 0)
248 fatal ("Failed to drop privileges", 0, 0);
250 #endif /* MAIL_USE_POP */
252 #ifndef DISABLE_DIRECT_ACCESS
253 #ifndef MAIL_USE_MMDF
254 #ifndef MAIL_USE_SYSTEM_LOCK
255 #ifdef MAIL_USE_MAILLOCK
256 spool_name
= mail_spool_name (inname
);
266 #ifndef DIRECTORY_SEP
267 #define DIRECTORY_SEP '/'
269 #ifndef IS_DIRECTORY_SEP
270 #define IS_DIRECTORY_SEP(_c_) ((_c_) == DIRECTORY_SEP)
273 /* Use a lock file named after our first argument with .lock appended:
274 If it exists, the mail file is locked. */
275 /* Note: this locking mechanism is *required* by the mailer
276 (on systems which use it) to prevent loss of mail.
278 On systems that use a lock file, extracting the mail without locking
279 WILL occasionally cause loss of mail due to timing errors!
281 So, if creation of the lock file fails
282 due to access permission on the mail spool directory,
283 you simply MUST change the permission
284 and/or make movemail a setgid program
285 so it can create lock files properly.
287 You might also wish to verify that your system is one
288 which uses lock files for this purpose. Some systems use other methods.
290 If your system uses the `flock' system call for mail locking,
291 define MAIL_USE_SYSTEM_LOCK in config.h or the s-*.h file
292 and recompile movemail. If the s- file for your system
293 should define MAIL_USE_SYSTEM_LOCK but does not, send a bug report
294 to bug-gnu-emacs@prep.ai.mit.edu so we can fix it. */
296 lockname
= concat (inname
, ".lock", "");
297 for (inname_dirlen
= strlen (inname
);
298 inname_dirlen
&& !IS_DIRECTORY_SEP (inname
[inname_dirlen
- 1]);
301 tempname
= xmalloc (inname_dirlen
+ sizeof "EXXXXXX");
305 /* Create the lock file, but not under the lock file name. */
306 /* Give up if cannot do that. */
308 memcpy (tempname
, inname
, inname_dirlen
);
309 strcpy (tempname
+ inname_dirlen
, "EXXXXXX");
311 desc
= mkstemp (tempname
);
319 desc
= open (tempname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0600);
324 int mkstemp_errno
= errno
;
325 error ("error while creating what would become the lock file",
327 errno
= mkstemp_errno
;
328 pfatal_with_name (tempname
);
332 tem
= link (tempname
, lockname
);
335 if (tem
< 0 && errno
== EPERM
)
336 fatal ("Unable to create hard link between %s and %s",
345 /* If lock file is five minutes old, unlock it.
346 Five minutes should be good enough to cope with crashes
347 and wedgitude, and long enough to avoid being fooled
348 by time differences between machines. */
349 if (stat (lockname
, &st
) >= 0)
351 time_t now
= time (0);
352 if (st
.st_ctime
< now
- 300)
357 delete_lockname
= lockname
;
359 #endif /* not MAIL_USE_SYSTEM_LOCK */
360 #endif /* not MAIL_USE_MMDF */
366 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
373 if (setuid (getuid ()) < 0 || setregid (-1, real_gid
) < 0)
374 fatal ("Failed to drop privileges", 0, 0);
376 #ifndef MAIL_USE_MMDF
377 #ifdef MAIL_USE_SYSTEM_LOCK
378 indesc
= open (inname
, O_RDWR
);
379 #else /* if not MAIL_USE_SYSTEM_LOCK */
380 indesc
= open (inname
, O_RDONLY
);
381 #endif /* not MAIL_USE_SYSTEM_LOCK */
382 #else /* MAIL_USE_MMDF */
383 indesc
= lk_open (inname
, O_RDONLY
, 0, 0, 10);
384 #endif /* MAIL_USE_MMDF */
387 pfatal_with_name (inname
);
390 /* In case movemail is setuid to root, make sure the user can
391 read the output file. */
392 /* This is desirable for all systems
393 but I don't want to assume all have the umask system call */
394 umask (umask (0) & 0333);
395 #endif /* BSD_SYSTEM */
396 outdesc
= open (outname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
398 pfatal_with_name (outname
);
400 if (setregid (-1, priv_gid
) < 0)
401 fatal ("Failed to regain privileges", 0, 0);
403 /* This label exists so we can retry locking
404 after a delay, if it got EAGAIN or EBUSY. */
407 /* Try to lock it. */
408 #ifdef MAIL_USE_MAILLOCK
411 /* The "0 - " is to make it a negative number if maillock returns
413 status
= 0 - maillock (spool_name
, 1);
414 #ifdef HAVE_TOUCHLOCK
415 touched_lock
= time (0);
420 #endif /* MAIL_USE_MAILLOCK */
422 #ifdef MAIL_USE_SYSTEM_LOCK
423 #ifdef MAIL_USE_LOCKF
424 status
= lockf (indesc
, F_LOCK
, 0);
425 #else /* not MAIL_USE_LOCKF */
427 status
= locking (indesc
, LK_RLCK
, -1L);
429 status
= flock (indesc
, LOCK_EX
);
431 #endif /* not MAIL_USE_LOCKF */
432 #endif /* MAIL_USE_SYSTEM_LOCK */
435 /* If it fails, retry up to 5 times
436 for certain failure codes. */
439 if (++lockcount
<= 5)
457 pfatal_with_name (inname
);
465 nread
= read (indesc
, buf
, sizeof buf
);
467 pfatal_with_name (inname
);
468 if (nread
!= write (outdesc
, buf
, nread
))
470 int saved_errno
= errno
;
473 pfatal_with_name (outname
);
475 if (nread
< sizeof buf
)
477 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
480 time_t now
= time (0);
481 if (now
- touched_lock
> 60)
487 #endif /* MAIL_USE_MAILLOCK */
492 if (fsync (outdesc
) < 0)
493 pfatal_and_delete (outname
);
496 /* Prevent symlink attacks truncating other users' mailboxes */
497 if (setregid (-1, real_gid
) < 0)
498 fatal ("Failed to drop privileges", 0, 0);
500 /* Check to make sure no errors before we zap the inbox. */
501 if (close (outdesc
) != 0)
502 pfatal_and_delete (outname
);
504 #ifdef MAIL_USE_SYSTEM_LOCK
507 if (ftruncate (indesc
, 0L) != 0)
508 pfatal_with_name (inname
);
510 #endif /* MAIL_USE_SYSTEM_LOCK */
513 lk_close (indesc
, 0, 0, 0);
518 #ifndef MAIL_USE_SYSTEM_LOCK
521 /* Delete the input file; if we can't, at least get rid of its
523 #ifdef MAIL_UNLINK_SPOOL
524 /* This is generally bad to do, because it destroys the permissions
525 that were set on the file. Better to just empty the file. */
526 if (unlink (inname
) < 0 && errno
!= ENOENT
)
527 #endif /* MAIL_UNLINK_SPOOL */
528 creat (inname
, 0600);
530 #endif /* not MAIL_USE_SYSTEM_LOCK */
532 /* End of mailbox truncation */
533 if (setregid (-1, priv_gid
) < 0)
534 fatal ("Failed to regain privileges", 0, 0);
536 #ifdef MAIL_USE_MAILLOCK
537 /* This has to occur in the child, i.e., in the process that
538 acquired the lock! */
546 if (!WIFEXITED (wait_status
))
548 else if (WRETCODE (wait_status
) != 0)
549 exit (WRETCODE (wait_status
));
551 #if !defined (MAIL_USE_MMDF) && !defined (MAIL_USE_SYSTEM_LOCK)
552 #ifdef MAIL_USE_MAILLOCK
554 #endif /* MAIL_USE_MAILLOCK */
556 #endif /* not MAIL_USE_MMDF and not MAIL_USE_SYSTEM_LOCK */
558 #endif /* ! DISABLE_DIRECT_ACCESS */
563 #ifdef MAIL_USE_MAILLOCK
564 /* This function uses stat to confirm that the mail directory is
565 identical to the directory of the input file, rather than just
566 string-comparing the two paths, because one or both of them might
567 be symbolic links pointing to some other directory. */
569 mail_spool_name (char *inname
)
571 struct stat stat1
, stat2
;
575 if (! (fname
= strrchr (inname
, '/')))
580 if (stat (MAILDIR
, &stat1
) < 0)
583 indir
= xmalloc (fname
- inname
+ 1);
584 memcpy (indir
, inname
, fname
- inname
);
585 indir
[fname
-inname
] = '\0';
588 status
= stat (indir
, &stat2
);
595 if (stat1
.st_dev
== stat2
.st_dev
596 && stat1
.st_ino
== stat2
.st_ino
)
601 #endif /* MAIL_USE_MAILLOCK */
603 /* Print error message and exit. */
606 fatal (const char *s1
, const char *s2
, const char *s3
)
609 unlink (delete_lockname
);
614 /* Print error message. `s1' is printf control string, `s2' and `s3'
615 are args for it or null. */
618 error (const char *s1
, const char *s2
, const char *s3
)
620 fprintf (stderr
, "movemail: ");
622 fprintf (stderr
, s1
, s2
, s3
);
624 fprintf (stderr
, s1
, s2
);
626 fprintf (stderr
, "%s", s1
);
627 fprintf (stderr
, "\n");
631 pfatal_with_name (char *name
)
633 fatal ("%s for %s", strerror (errno
), name
);
637 pfatal_and_delete (char *name
)
639 char *s
= strerror (errno
);
641 fatal ("%s for %s", s
, name
);
644 #ifdef MAIL_USE_MAILLOCK
645 /* Like malloc but get fatal error if memory is exhausted. */
648 xmalloc (size_t size
)
650 void *result
= malloc (size
);
652 fatal ("virtual memory exhausted", 0, 0);
657 /* This is the guts of the interface to the Post Office Protocol. */
662 #include <sys/socket.h>
663 #include <netinet/in.h>
675 static char Errmsg
[200]; /* POP errors, at least, can exceed
676 the original length of 80. */
679 * The full valid syntax for a POP mailbox specification for movemail
680 * is "po:username:hostname". The ":hostname" is optional; if it is
681 * omitted, the MAILHOST environment variable will be consulted. Note
682 * that by the time popmail() is called the "po:" has been stripped
683 * off of the front of the mailbox name.
685 * If the mailbox is in the form "po:username:hostname", then it is
686 * modified by this function -- the second colon is replaced by a
689 * Return a value suitable for passing to `exit'.
693 popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
)
699 char *getenv (const char *);
701 int start
, end
, increment
;
702 char *user
, *hostname
;
705 if ((hostname
= strchr (mailbox
, ':')))
708 server
= pop_open (hostname
, user
, password
, POP_NO_GETPASS
);
711 error ("Error connecting to POP server: %s", pop_error
, 0);
715 if (pop_stat (server
, &nmsgs
, &nbytes
))
717 error ("Error getting message count from POP server: %s", pop_error
, 0);
727 mbfi
= open (outfile
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
731 error ("Error in open: %s, %s", strerror (errno
), outfile
);
735 if (fchown (mbfi
, getuid (), -1) != 0)
737 int fchown_errno
= errno
;
739 if (fstat (mbfi
, &st
) != 0 || st
.st_uid
!= getuid ())
742 error ("Error in fchown: %s, %s", strerror (fchown_errno
), outfile
);
747 if ((mbf
= fdopen (mbfi
, "wb")) == NULL
)
750 error ("Error in fdopen: %s", strerror (errno
), 0);
769 for (i
= start
; i
* increment
<= end
* increment
; i
+= increment
)
771 mbx_delimit_begin (mbf
);
772 if (pop_retr (server
, i
, mbf
) != OK
)
774 error ("%s", Errmsg
, 0);
778 mbx_delimit_end (mbf
);
782 error ("Error in fflush: %s", strerror (errno
), 0);
789 /* On AFS, a call to write only modifies the file in the local
790 * workstation's AFS cache. The changes are not written to the server
791 * until a call to fsync or close is made. Users with AFS home
792 * directories have lost mail when over quota because these checks were
793 * not made in previous versions of movemail. */
796 if (fsync (mbfi
) < 0)
798 error ("Error in fsync: %s", strerror (errno
), 0);
803 if (close (mbfi
) == -1)
805 error ("Error in close: %s", strerror (errno
), 0);
810 for (i
= 1; i
<= nmsgs
; i
++)
812 if (pop_delete (server
, i
))
814 error ("Error from POP server: %s", pop_error
, 0);
820 if (pop_quit (server
))
822 error ("Error from POP server: %s", pop_error
, 0);
830 pop_retr (popserver server
, int msgno
, FILE *arg
)
835 if (pop_retrieve_first (server
, msgno
, &line
))
837 snprintf (Errmsg
, sizeof Errmsg
, "Error from POP server: %s", pop_error
);
841 while ((ret
= pop_retrieve_next (server
, &line
)) >= 0)
846 if (mbx_write (line
, ret
, arg
) != OK
)
848 strcpy (Errmsg
, strerror (errno
));
856 snprintf (Errmsg
, sizeof Errmsg
, "Error from POP server: %s", pop_error
);
864 mbx_write (char *line
, int len
, FILE *mbf
)
866 #ifdef MOVEMAIL_QUOTE_POP_FROM_LINES
867 /* Do this as a macro instead of using strcmp to save on execution time. */
868 # define IS_FROM_LINE(a) ((a[0] == 'F') \
873 if (IS_FROM_LINE (line
))
875 if (fputc ('>', mbf
) == EOF
)
879 if (line
[0] == '\037')
881 if (fputs ("^_", mbf
) == EOF
)
886 if (fwrite (line
, 1, len
, mbf
) != len
)
888 if (fputc (0x0a, mbf
) == EOF
)
894 mbx_delimit_begin (FILE *mbf
)
898 char fromline
[40] = "From movemail ";
901 ltime
= localtime (&now
);
903 strcat (fromline
, asctime (ltime
));
905 if (fputs (fromline
, mbf
) == EOF
)
911 mbx_delimit_end (FILE *mbf
)
913 if (putc ('\n', mbf
) == EOF
)
918 #endif /* MAIL_USE_POP */