1 /* movemail foo bar -- move file foo to file bar,
2 locking file foo the way /bin/mail respects.
4 Copyright (C) 1986, 1992-1994, 1996, 1999, 2001-2012
5 Free Software Foundation, Inc.
7 This file is part of GNU Emacs.
9 GNU Emacs is free software: you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation, either version 3 of the License, or
12 (at your option) any later version.
14 GNU Emacs is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
23 /* Important notice: defining MAIL_USE_FLOCK or MAIL_USE_LOCKF *will
24 cause loss of mail* if you do it on a system that does not normally
25 use flock as its way of interlocking access to inbox files. The
26 setting of MAIL_USE_FLOCK and MAIL_USE_LOCKF *must agree* with the
27 system's own conventions. It is not a choice that is up to you.
29 So, if your system uses lock files rather than flock, then the only way
30 you can get proper operation is to enable movemail to write lockfiles there.
31 This means you must either give that directory access modes
32 that permit everyone to write lockfiles in it, or you must make movemail
33 a setuid or setgid program. */
36 * Modified January, 1986 by Michael R. Gretzinger (Project Athena)
38 * Added POP (Post Office Protocol) service. When compiled -DMAIL_USE_POP
39 * movemail will accept input filename arguments of the form
40 * "po:username". This will cause movemail to open a connection to
41 * a pop server running on $MAILHOST (environment variable). Movemail
42 * must be setuid to root in order to work with POP.
44 * New module: popmail.c
46 * main - added code within #ifdef MAIL_USE_POP; added setuid (getuid ())
48 * New routines in movemail.c:
49 * get_errmsg - return pointer to system error message
51 * Modified August, 1993 by Jonathan Kamens (OpenVision Technologies)
53 * Move all of the POP code into a separate file, "pop.c".
54 * Use strerror instead of get_errmsg.
59 #include <sys/types.h>
86 #define wait(var) (*(var) = 0)
87 /* Unfortunately, Samba doesn't seem to properly lock Unix files even
88 though the locking call succeeds (and indeed blocks local access from
89 other NT programs). If you have direct file access using an NFS
90 client or something other than Samba, the locking call might work
91 properly - make sure it does before you enable this!
93 [18-Feb-97 andrewi] I now believe my comment above to be incorrect,
94 since it was based on a misunderstanding of how locking calls are
95 implemented and used on Unix. */
96 //#define DISABLE_DIRECT_ACCESS
99 #endif /* WINDOWSNT */
109 #include <sys/locking.h>
112 #ifdef MAIL_USE_LOCKF
113 #define MAIL_USE_SYSTEM_LOCK
116 #ifdef MAIL_USE_FLOCK
117 #define MAIL_USE_SYSTEM_LOCK
121 extern int lk_open (), lk_close ();
124 #if !defined (MAIL_USE_SYSTEM_LOCK) && !defined (MAIL_USE_MMDF) && \
125 (defined (HAVE_LIBMAIL) || defined (HAVE_LIBLOCKFILE)) && \
126 defined (HAVE_MAILLOCK_H)
127 #include <maillock.h>
128 /* We can't use maillock unless we know what directory system mail
131 #define MAIL_USE_MAILLOCK
132 static char *mail_spool_name (char *);
136 static _Noreturn
void fatal (const char *s1
, const char *s2
, const char *s3
);
137 static void error (const char *s1
, const char *s2
, const char *s3
);
138 static _Noreturn
void pfatal_with_name (char *name
);
139 static _Noreturn
void pfatal_and_delete (char *name
);
141 static int popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
);
142 static int pop_retr (popserver server
, int msgno
, FILE *arg
);
143 static int mbx_write (char *line
, int len
, FILE *mbf
);
144 static int mbx_delimit_begin (FILE *mbf
);
145 static int mbx_delimit_end (FILE *mbf
);
148 #if (defined MAIL_USE_MAILLOCK \
149 || (!defined DISABLE_DIRECT_ACCESS && !defined MAIL_USE_MMDF \
150 && !defined MAIL_USE_SYSTEM_LOCK))
151 /* Like malloc but get fatal error if memory is exhausted. */
154 xmalloc (size_t size
)
156 void *result
= malloc (size
);
158 fatal ("virtual memory exhausted", 0, 0);
163 /* Nonzero means this is name of a lock file to delete on fatal error. */
164 static char *delete_lockname
;
167 main (int argc
, char **argv
)
169 char *inname
, *outname
;
173 int c
, preserve_mail
= 0;
175 #ifndef MAIL_USE_SYSTEM_LOCK
180 size_t inname_len
, inname_dirlen
;
182 #endif /* not MAIL_USE_SYSTEM_LOCK */
184 #ifdef MAIL_USE_MAILLOCK
189 int pop_reverse_order
= 0;
191 #else /* ! MAIL_USE_POP */
193 #endif /* MAIL_USE_POP */
195 uid_t real_gid
= getgid ();
196 uid_t priv_gid
= getegid ();
199 /* Ensure all file i/o is in binary mode. */
205 while ((c
= getopt (argc
, argv
, ARGSTR
)) != EOF
)
210 pop_reverse_order
= 1;
223 (argc
- optind
< 2) || (argc
- optind
> 3)
230 fprintf (stderr
, "Usage: movemail [-p] [-r] inbox destfile%s\n",
233 fprintf (stderr
, "Usage: movemail [-p] inbox destfile%s\n", "");
238 inname
= argv
[optind
];
239 outname
= argv
[optind
+1];
246 fatal ("Destination file name is empty", 0, 0);
249 if (!strncmp (inname
, "po:", 3))
253 status
= popmail (inname
+ 3, outname
, preserve_mail
,
254 (argc
- optind
== 3) ? argv
[optind
+2] : NULL
,
259 if (setuid (getuid ()) < 0)
260 fatal ("Failed to drop privileges", 0, 0);
262 #endif /* MAIL_USE_POP */
264 #ifndef DISABLE_DIRECT_ACCESS
265 #ifndef MAIL_USE_MMDF
266 #ifndef MAIL_USE_SYSTEM_LOCK
267 #ifdef MAIL_USE_MAILLOCK
268 spool_name
= mail_spool_name (inname
);
278 #ifndef DIRECTORY_SEP
279 #define DIRECTORY_SEP '/'
281 #ifndef IS_DIRECTORY_SEP
282 #define IS_DIRECTORY_SEP(_c_) ((_c_) == DIRECTORY_SEP)
285 /* Use a lock file named after our first argument with .lock appended:
286 If it exists, the mail file is locked. */
287 /* Note: this locking mechanism is *required* by the mailer
288 (on systems which use it) to prevent loss of mail.
290 On systems that use a lock file, extracting the mail without locking
291 WILL occasionally cause loss of mail due to timing errors!
293 So, if creation of the lock file fails due to access
294 permission on the mail spool directory, you simply MUST
295 change the permission and/or make movemail a setgid program
296 so it can create lock files properly.
298 You might also wish to verify that your system is one which
299 uses lock files for this purpose. Some systems use other methods.
301 If your system uses the `flock' system call for mail locking,
302 define MAIL_USE_SYSTEM_LOCK in config.h and recompile movemail.
303 If your system type should always define MAIL_USE_SYSTEM_LOCK
304 but does not, send a bug report to bug-gnu-emacs@gnu.org so we
305 can change the default in configure. */
307 inname_len
= strlen (inname
);
308 lockname
= xmalloc (inname_len
+ sizeof ".lock");
309 strcpy (lockname
, inname
);
310 strcpy (lockname
+ inname_len
, ".lock");
311 for (inname_dirlen
= inname_len
;
312 inname_dirlen
&& !IS_DIRECTORY_SEP (inname
[inname_dirlen
- 1]);
315 tempname
= xmalloc (inname_dirlen
+ sizeof "EXXXXXX");
319 /* Create the lock file, but not under the lock file name. */
320 /* Give up if cannot do that. */
322 memcpy (tempname
, inname
, inname_dirlen
);
323 strcpy (tempname
+ inname_dirlen
, "EXXXXXX");
325 desc
= mkstemp (tempname
);
333 desc
= open (tempname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0600);
338 int mkstemp_errno
= errno
;
339 error ("error while creating what would become the lock file",
341 errno
= mkstemp_errno
;
342 pfatal_with_name (tempname
);
346 tem
= link (tempname
, lockname
);
349 if (tem
< 0 && errno
== EPERM
)
350 fatal ("Unable to create hard link between %s and %s",
359 /* If lock file is five minutes old, unlock it.
360 Five minutes should be good enough to cope with crashes
361 and wedgitude, and long enough to avoid being fooled
362 by time differences between machines. */
363 if (stat (lockname
, &st
) >= 0)
365 time_t now
= time (0);
366 if (st
.st_ctime
< now
- 300)
371 delete_lockname
= lockname
;
373 #endif /* not MAIL_USE_SYSTEM_LOCK */
374 #endif /* not MAIL_USE_MMDF */
380 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
387 if (setuid (getuid ()) < 0 || setregid (-1, real_gid
) < 0)
388 fatal ("Failed to drop privileges", 0, 0);
390 #ifndef MAIL_USE_MMDF
391 #ifdef MAIL_USE_SYSTEM_LOCK
392 indesc
= open (inname
, O_RDWR
);
393 #else /* if not MAIL_USE_SYSTEM_LOCK */
394 indesc
= open (inname
, O_RDONLY
);
395 #endif /* not MAIL_USE_SYSTEM_LOCK */
396 #else /* MAIL_USE_MMDF */
397 indesc
= lk_open (inname
, O_RDONLY
, 0, 0, 10);
398 #endif /* MAIL_USE_MMDF */
401 pfatal_with_name (inname
);
404 /* In case movemail is setuid to root, make sure the user can
405 read the output file. */
406 /* This is desirable for all systems
407 but I don't want to assume all have the umask system call */
408 umask (umask (0) & 0333);
409 #endif /* BSD_SYSTEM */
410 outdesc
= open (outname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
412 pfatal_with_name (outname
);
414 if (setregid (-1, priv_gid
) < 0)
415 fatal ("Failed to regain privileges", 0, 0);
417 /* This label exists so we can retry locking
418 after a delay, if it got EAGAIN or EBUSY. */
421 /* Try to lock it. */
422 #ifdef MAIL_USE_MAILLOCK
425 /* The "0 - " is to make it a negative number if maillock returns
427 status
= 0 - maillock (spool_name
, 1);
428 #ifdef HAVE_TOUCHLOCK
429 touched_lock
= time (0);
434 #endif /* MAIL_USE_MAILLOCK */
436 #ifdef MAIL_USE_SYSTEM_LOCK
437 #ifdef MAIL_USE_LOCKF
438 status
= lockf (indesc
, F_LOCK
, 0);
439 #else /* not MAIL_USE_LOCKF */
441 status
= locking (indesc
, LK_RLCK
, -1L);
443 status
= flock (indesc
, LOCK_EX
);
445 #endif /* not MAIL_USE_LOCKF */
446 #endif /* MAIL_USE_SYSTEM_LOCK */
449 /* If it fails, retry up to 5 times
450 for certain failure codes. */
453 if (++lockcount
<= 5)
471 pfatal_with_name (inname
);
479 nread
= read (indesc
, buf
, sizeof buf
);
481 pfatal_with_name (inname
);
482 if (nread
!= write (outdesc
, buf
, nread
))
484 int saved_errno
= errno
;
487 pfatal_with_name (outname
);
489 if (nread
< sizeof buf
)
491 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
494 time_t now
= time (0);
495 if (now
- touched_lock
> 60)
501 #endif /* MAIL_USE_MAILLOCK */
506 if (fsync (outdesc
) < 0)
507 pfatal_and_delete (outname
);
510 /* Prevent symlink attacks truncating other users' mailboxes */
511 if (setregid (-1, real_gid
) < 0)
512 fatal ("Failed to drop privileges", 0, 0);
514 /* Check to make sure no errors before we zap the inbox. */
515 if (close (outdesc
) != 0)
516 pfatal_and_delete (outname
);
518 #ifdef MAIL_USE_SYSTEM_LOCK
521 if (ftruncate (indesc
, 0L) != 0)
522 pfatal_with_name (inname
);
524 #endif /* MAIL_USE_SYSTEM_LOCK */
527 lk_close (indesc
, 0, 0, 0);
532 #ifndef MAIL_USE_SYSTEM_LOCK
535 /* Delete the input file; if we can't, at least get rid of its
537 #ifdef MAIL_UNLINK_SPOOL
538 /* This is generally bad to do, because it destroys the permissions
539 that were set on the file. Better to just empty the file. */
540 if (unlink (inname
) < 0 && errno
!= ENOENT
)
541 #endif /* MAIL_UNLINK_SPOOL */
542 creat (inname
, 0600);
544 #endif /* not MAIL_USE_SYSTEM_LOCK */
546 /* End of mailbox truncation */
547 if (setregid (-1, priv_gid
) < 0)
548 fatal ("Failed to regain privileges", 0, 0);
550 #ifdef MAIL_USE_MAILLOCK
551 /* This has to occur in the child, i.e., in the process that
552 acquired the lock! */
560 if (!WIFEXITED (wait_status
))
562 else if (WEXITSTATUS (wait_status
) != 0)
563 exit (WEXITSTATUS (wait_status
));
565 #if !defined (MAIL_USE_MMDF) && !defined (MAIL_USE_SYSTEM_LOCK)
566 #ifdef MAIL_USE_MAILLOCK
568 #endif /* MAIL_USE_MAILLOCK */
570 #endif /* not MAIL_USE_MMDF and not MAIL_USE_SYSTEM_LOCK */
572 #endif /* ! DISABLE_DIRECT_ACCESS */
577 #ifdef MAIL_USE_MAILLOCK
578 /* This function uses stat to confirm that the mail directory is
579 identical to the directory of the input file, rather than just
580 string-comparing the two paths, because one or both of them might
581 be symbolic links pointing to some other directory. */
583 mail_spool_name (char *inname
)
585 struct stat stat1
, stat2
;
589 if (! (fname
= strrchr (inname
, '/')))
594 if (stat (MAILDIR
, &stat1
) < 0)
597 indir
= xmalloc (fname
- inname
+ 1);
598 memcpy (indir
, inname
, fname
- inname
);
599 indir
[fname
-inname
] = '\0';
602 status
= stat (indir
, &stat2
);
609 if (stat1
.st_dev
== stat2
.st_dev
610 && stat1
.st_ino
== stat2
.st_ino
)
615 #endif /* MAIL_USE_MAILLOCK */
617 /* Print error message and exit. */
620 fatal (const char *s1
, const char *s2
, const char *s3
)
623 unlink (delete_lockname
);
628 /* Print error message. `s1' is printf control string, `s2' and `s3'
629 are args for it or null. */
632 error (const char *s1
, const char *s2
, const char *s3
)
634 fprintf (stderr
, "movemail: ");
636 fprintf (stderr
, s1
, s2
, s3
);
638 fprintf (stderr
, s1
, s2
);
640 fprintf (stderr
, "%s", s1
);
641 fprintf (stderr
, "\n");
645 pfatal_with_name (char *name
)
647 fatal ("%s for %s", strerror (errno
), name
);
651 pfatal_and_delete (char *name
)
653 char *s
= strerror (errno
);
655 fatal ("%s for %s", s
, name
);
658 /* This is the guts of the interface to the Post Office Protocol. */
663 #include <sys/socket.h>
664 #include <netinet/in.h>
676 static char Errmsg
[200]; /* POP errors, at least, can exceed
677 the original length of 80. */
680 * The full valid syntax for a POP mailbox specification for movemail
681 * is "po:username:hostname". The ":hostname" is optional; if it is
682 * omitted, the MAILHOST environment variable will be consulted. Note
683 * that by the time popmail() is called the "po:" has been stripped
684 * off of the front of the mailbox name.
686 * If the mailbox is in the form "po:username:hostname", then it is
687 * modified by this function -- the second colon is replaced by a
690 * Return a value suitable for passing to `exit'.
694 popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
)
700 char *getenv (const char *);
702 int start
, end
, increment
;
703 char *user
, *hostname
;
706 if ((hostname
= strchr (mailbox
, ':')))
709 server
= pop_open (hostname
, user
, password
, POP_NO_GETPASS
);
712 error ("Error connecting to POP server: %s", pop_error
, 0);
716 if (pop_stat (server
, &nmsgs
, &nbytes
))
718 error ("Error getting message count from POP server: %s", pop_error
, 0);
728 mbfi
= open (outfile
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
732 error ("Error in open: %s, %s", strerror (errno
), outfile
);
736 if (fchown (mbfi
, getuid (), -1) != 0)
738 int fchown_errno
= errno
;
740 if (fstat (mbfi
, &st
) != 0 || st
.st_uid
!= getuid ())
743 error ("Error in fchown: %s, %s", strerror (fchown_errno
), outfile
);
748 if ((mbf
= fdopen (mbfi
, "wb")) == NULL
)
751 error ("Error in fdopen: %s", strerror (errno
), 0);
770 for (i
= start
; i
* increment
<= end
* increment
; i
+= increment
)
772 mbx_delimit_begin (mbf
);
773 if (pop_retr (server
, i
, mbf
) != OK
)
775 error ("%s", Errmsg
, 0);
779 mbx_delimit_end (mbf
);
783 error ("Error in fflush: %s", strerror (errno
), 0);
790 /* On AFS, a call to write only modifies the file in the local
791 * workstation's AFS cache. The changes are not written to the server
792 * until a call to fsync or close is made. Users with AFS home
793 * directories have lost mail when over quota because these checks were
794 * not made in previous versions of movemail. */
797 if (fsync (mbfi
) < 0)
799 error ("Error in fsync: %s", strerror (errno
), 0);
804 if (close (mbfi
) == -1)
806 error ("Error in close: %s", strerror (errno
), 0);
811 for (i
= 1; i
<= nmsgs
; i
++)
813 if (pop_delete (server
, i
))
815 error ("Error from POP server: %s", pop_error
, 0);
821 if (pop_quit (server
))
823 error ("Error from POP server: %s", pop_error
, 0);
831 pop_retr (popserver server
, int msgno
, FILE *arg
)
836 if (pop_retrieve_first (server
, msgno
, &line
))
838 snprintf (Errmsg
, sizeof Errmsg
, "Error from POP server: %s", pop_error
);
842 while ((ret
= pop_retrieve_next (server
, &line
)) >= 0)
847 if (mbx_write (line
, ret
, arg
) != OK
)
849 strcpy (Errmsg
, strerror (errno
));
857 snprintf (Errmsg
, sizeof Errmsg
, "Error from POP server: %s", pop_error
);
865 mbx_write (char *line
, int len
, FILE *mbf
)
867 #ifdef MOVEMAIL_QUOTE_POP_FROM_LINES
868 /* Do this as a macro instead of using strcmp to save on execution time. */
869 # define IS_FROM_LINE(a) ((a[0] == 'F') \
874 if (IS_FROM_LINE (line
))
876 if (fputc ('>', mbf
) == EOF
)
880 if (line
[0] == '\037')
882 if (fputs ("^_", mbf
) == EOF
)
887 if (fwrite (line
, 1, len
, mbf
) != len
)
889 if (fputc (0x0a, mbf
) == EOF
)
895 mbx_delimit_begin (FILE *mbf
)
899 char fromline
[40] = "From movemail ";
902 ltime
= localtime (&now
);
904 strcat (fromline
, asctime (ltime
));
906 if (fputs (fromline
, mbf
) == EOF
)
912 mbx_delimit_end (FILE *mbf
)
914 if (putc ('\n', mbf
) == EOF
)
919 #endif /* MAIL_USE_POP */