1 /* movemail foo bar -- move file foo to file bar,
2 locking file foo the way /bin/mail respects.
3 Copyright (C) 1986, 1992, 1993, 1994, 1996, 1999, 2001, 2002, 2003, 2004,
4 2005, 2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
6 This file is part of GNU Emacs.
8 GNU Emacs is free software: you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation, either version 3 of the License, or
11 (at your option) any later version.
13 GNU Emacs is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. */
22 /* Important notice: defining MAIL_USE_FLOCK or MAIL_USE_LOCKF *will
23 cause loss of mail* if you do it on a system that does not normally
24 use flock as its way of interlocking access to inbox files. The
25 setting of MAIL_USE_FLOCK and MAIL_USE_LOCKF *must agree* with the
26 system's own conventions. It is not a choice that is up to you.
28 So, if your system uses lock files rather than flock, then the only way
29 you can get proper operation is to enable movemail to write lockfiles there.
30 This means you must either give that directory access modes
31 that permit everyone to write lockfiles in it, or you must make movemail
32 a setuid or setgid program. */
35 * Modified January, 1986 by Michael R. Gretzinger (Project Athena)
37 * Added POP (Post Office Protocol) service. When compiled -DMAIL_USE_POP
38 * movemail will accept input filename arguments of the form
39 * "po:username". This will cause movemail to open a connection to
40 * a pop server running on $MAILHOST (environment variable). Movemail
41 * must be setuid to root in order to work with POP.
43 * New module: popmail.c
45 * main - added code within #ifdef MAIL_USE_POP; added setuid (getuid ())
47 * New routines in movemail.c:
48 * get_errmsg - return pointer to system error message
50 * Modified August, 1993 by Jonathan Kamens (OpenVision Technologies)
52 * Move all of the POP code into a separate file, "pop.c".
53 * Use strerror instead of get_errmsg.
58 #include <sys/types.h>
85 #define DIRECTORY_SEP '/'
87 #ifndef IS_DIRECTORY_SEP
88 #define IS_DIRECTORY_SEP(_c_) ((_c_) == DIRECTORY_SEP)
96 #define wait(var) (*(var) = 0)
97 /* Unfortunately, Samba doesn't seem to properly lock Unix files even
98 though the locking call succeeds (and indeed blocks local access from
99 other NT programs). If you have direct file access using an NFS
100 client or something other than Samba, the locking call might work
101 properly - make sure it does before you enable this!
103 [18-Feb-97 andrewi] I now believe my comment above to be incorrect,
104 since it was based on a misunderstanding of how locking calls are
105 implemented and used on Unix. */
106 //#define DISABLE_DIRECT_ACCESS
109 #endif /* WINDOWSNT */
119 #include <sys/locking.h>
122 #ifdef MAIL_USE_LOCKF
123 #define MAIL_USE_SYSTEM_LOCK
126 #ifdef MAIL_USE_FLOCK
127 #define MAIL_USE_SYSTEM_LOCK
131 extern int lk_open (), lk_close ();
134 #if !defined (MAIL_USE_SYSTEM_LOCK) && !defined (MAIL_USE_MMDF) && \
135 (defined (HAVE_LIBMAIL) || defined (HAVE_LIBLOCKFILE)) && \
136 defined (HAVE_MAILLOCK_H)
137 #include <maillock.h>
138 /* We can't use maillock unless we know what directory system mail
141 #define MAIL_USE_MAILLOCK
142 static char *mail_spool_name ();
146 #ifndef HAVE_STRERROR
147 char *strerror (int);
150 static void fatal (const char *s1
, const char *s2
, const char *s3
) NO_RETURN
;
151 static void error (const char *s1
, const char *s2
, const char *s3
);
152 static void pfatal_with_name (char *name
) NO_RETURN
;
153 static void pfatal_and_delete (char *name
) NO_RETURN
;
154 static char *concat (const char *s1
, const char *s2
, const char *s3
);
155 static long *xmalloc (unsigned int size
);
157 static int popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
);
158 static int pop_retr (popserver server
, int msgno
, FILE *arg
);
159 static int mbx_write (char *line
, int len
, FILE *mbf
);
160 static int mbx_delimit_begin (FILE *mbf
);
161 static int mbx_delimit_end (FILE *mbf
);
164 /* Nonzero means this is name of a lock file to delete on fatal error. */
165 char *delete_lockname
;
168 main (int argc
, char **argv
)
170 char *inname
, *outname
;
174 int c
, preserve_mail
= 0;
176 #ifndef MAIL_USE_SYSTEM_LOCK
183 #endif /* not MAIL_USE_SYSTEM_LOCK */
185 #ifdef MAIL_USE_MAILLOCK
190 int pop_reverse_order
= 0;
192 #else /* ! MAIL_USE_POP */
194 #endif /* MAIL_USE_POP */
196 uid_t real_gid
= getgid();
197 uid_t priv_gid
= getegid();
200 /* Ensure all file i/o is in binary mode. */
206 while ((c
= getopt (argc
, argv
, ARGSTR
)) != EOF
)
211 pop_reverse_order
= 1;
224 (argc
- optind
< 2) || (argc
- optind
> 3)
231 fprintf (stderr
, "Usage: movemail [-p] [-r] inbox destfile%s\n",
234 fprintf (stderr
, "Usage: movemail [-p] inbox destfile%s\n", "");
239 inname
= argv
[optind
];
240 outname
= argv
[optind
+1];
247 fatal ("Destination file name is empty", 0, 0);
250 if (!strncmp (inname
, "po:", 3))
254 status
= popmail (inname
+ 3, outname
, preserve_mail
,
255 (argc
- optind
== 3) ? argv
[optind
+2] : NULL
,
260 if (setuid (getuid ()) < 0)
261 fatal ("Failed to drop privileges", 0, 0);
263 #endif /* MAIL_USE_POP */
265 #ifndef DISABLE_DIRECT_ACCESS
266 #ifndef MAIL_USE_MMDF
267 #ifndef MAIL_USE_SYSTEM_LOCK
268 #ifdef MAIL_USE_MAILLOCK
269 spool_name
= mail_spool_name (inname
);
273 /* Use a lock file named after our first argument with .lock appended:
274 If it exists, the mail file is locked. */
275 /* Note: this locking mechanism is *required* by the mailer
276 (on systems which use it) to prevent loss of mail.
278 On systems that use a lock file, extracting the mail without locking
279 WILL occasionally cause loss of mail due to timing errors!
281 So, if creation of the lock file fails
282 due to access permission on the mail spool directory,
283 you simply MUST change the permission
284 and/or make movemail a setgid program
285 so it can create lock files properly.
287 You might also wish to verify that your system is one
288 which uses lock files for this purpose. Some systems use other methods.
290 If your system uses the `flock' system call for mail locking,
291 define MAIL_USE_SYSTEM_LOCK in config.h or the s-*.h file
292 and recompile movemail. If the s- file for your system
293 should define MAIL_USE_SYSTEM_LOCK but does not, send a bug report
294 to bug-gnu-emacs@prep.ai.mit.edu so we can fix it. */
296 lockname
= concat (inname
, ".lock", "");
297 tempname
= (char *) xmalloc (strlen (inname
) + strlen ("EXXXXXX") + 1);
298 strcpy (tempname
, inname
);
299 p
= tempname
+ strlen (tempname
);
300 while (p
!= tempname
&& !IS_DIRECTORY_SEP (p
[-1]))
303 strcpy (p
, "EXXXXXX");
309 /* Create the lock file, but not under the lock file name. */
310 /* Give up if cannot do that. */
311 desc
= open (tempname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
314 char *message
= (char *) xmalloc (strlen (tempname
) + 50);
315 sprintf (message
, "creating %s, which would become the lock file",
317 pfatal_with_name (message
);
321 tem
= link (tempname
, lockname
);
324 if (tem
< 0 && errno
== EPERM
)
325 fatal ("Unable to create hard link between %s and %s",
334 /* If lock file is five minutes old, unlock it.
335 Five minutes should be good enough to cope with crashes
336 and wedgitude, and long enough to avoid being fooled
337 by time differences between machines. */
338 if (stat (lockname
, &st
) >= 0)
341 if (st
.st_ctime
< now
- 300)
346 delete_lockname
= lockname
;
348 #endif /* not MAIL_USE_SYSTEM_LOCK */
349 #endif /* not MAIL_USE_MMDF */
355 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
356 time_t touched_lock
, now
;
359 if (setuid (getuid ()) < 0 || setegid (real_gid
) < 0)
360 fatal ("Failed to drop privileges", 0, 0);
362 #ifndef MAIL_USE_MMDF
363 #ifdef MAIL_USE_SYSTEM_LOCK
364 indesc
= open (inname
, O_RDWR
);
365 #else /* if not MAIL_USE_SYSTEM_LOCK */
366 indesc
= open (inname
, O_RDONLY
);
367 #endif /* not MAIL_USE_SYSTEM_LOCK */
368 #else /* MAIL_USE_MMDF */
369 indesc
= lk_open (inname
, O_RDONLY
, 0, 0, 10);
370 #endif /* MAIL_USE_MMDF */
373 pfatal_with_name (inname
);
376 /* In case movemail is setuid to root, make sure the user can
377 read the output file. */
378 /* This is desirable for all systems
379 but I don't want to assume all have the umask system call */
380 umask (umask (0) & 0333);
381 #endif /* BSD_SYSTEM */
382 outdesc
= open (outname
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
384 pfatal_with_name (outname
);
386 if (setegid (priv_gid
) < 0)
387 fatal ("Failed to regain privileges", 0, 0);
389 /* This label exists so we can retry locking
390 after a delay, if it got EAGAIN or EBUSY. */
393 /* Try to lock it. */
394 #ifdef MAIL_USE_MAILLOCK
397 /* The "0 - " is to make it a negative number if maillock returns
399 status
= 0 - maillock (spool_name
, 1);
400 #ifdef HAVE_TOUCHLOCK
401 touched_lock
= time (0);
406 #endif /* MAIL_USE_MAILLOCK */
408 #ifdef MAIL_USE_SYSTEM_LOCK
409 #ifdef MAIL_USE_LOCKF
410 status
= lockf (indesc
, F_LOCK
, 0);
411 #else /* not MAIL_USE_LOCKF */
413 status
= locking (indesc
, LK_RLCK
, -1L);
415 status
= flock (indesc
, LOCK_EX
);
417 #endif /* not MAIL_USE_LOCKF */
418 #endif /* MAIL_USE_SYSTEM_LOCK */
421 /* If it fails, retry up to 5 times
422 for certain failure codes. */
425 if (++lockcount
<= 5)
443 pfatal_with_name (inname
);
451 nread
= read (indesc
, buf
, sizeof buf
);
453 pfatal_with_name (inname
);
454 if (nread
!= write (outdesc
, buf
, nread
))
456 int saved_errno
= errno
;
459 pfatal_with_name (outname
);
461 if (nread
< sizeof buf
)
463 #if defined (MAIL_USE_MAILLOCK) && defined (HAVE_TOUCHLOCK)
467 if (now
- touched_lock
> 60)
473 #endif /* MAIL_USE_MAILLOCK */
478 if (fsync (outdesc
) < 0)
479 pfatal_and_delete (outname
);
482 /* Prevent symlink attacks truncating other users' mailboxes */
483 if (setegid (real_gid
) < 0)
484 fatal ("Failed to drop privileges", 0, 0);
486 /* Check to make sure no errors before we zap the inbox. */
487 if (close (outdesc
) != 0)
488 pfatal_and_delete (outname
);
490 #ifdef MAIL_USE_SYSTEM_LOCK
493 ftruncate (indesc
, 0L);
495 #endif /* MAIL_USE_SYSTEM_LOCK */
498 lk_close (indesc
, 0, 0, 0);
503 #ifndef MAIL_USE_SYSTEM_LOCK
506 /* Delete the input file; if we can't, at least get rid of its
508 #ifdef MAIL_UNLINK_SPOOL
509 /* This is generally bad to do, because it destroys the permissions
510 that were set on the file. Better to just empty the file. */
511 if (unlink (inname
) < 0 && errno
!= ENOENT
)
512 #endif /* MAIL_UNLINK_SPOOL */
513 creat (inname
, 0600);
515 #endif /* not MAIL_USE_SYSTEM_LOCK */
517 /* End of mailbox truncation */
518 if (setegid (priv_gid
) < 0)
519 fatal ("Failed to regain privileges", 0, 0);
521 #ifdef MAIL_USE_MAILLOCK
522 /* This has to occur in the child, i.e., in the process that
523 acquired the lock! */
531 if (!WIFEXITED (status
))
533 else if (WRETCODE (status
) != 0)
534 exit (WRETCODE (status
));
536 #if !defined (MAIL_USE_MMDF) && !defined (MAIL_USE_SYSTEM_LOCK)
537 #ifdef MAIL_USE_MAILLOCK
539 #endif /* MAIL_USE_MAILLOCK */
541 #endif /* not MAIL_USE_MMDF and not MAIL_USE_SYSTEM_LOCK */
543 #endif /* ! DISABLE_DIRECT_ACCESS */
548 #ifdef MAIL_USE_MAILLOCK
549 /* This function uses stat to confirm that the mail directory is
550 identical to the directory of the input file, rather than just
551 string-comparing the two paths, because one or both of them might
552 be symbolic links pointing to some other directory. */
554 mail_spool_name (char *inname
)
556 struct stat stat1
, stat2
;
560 if (! (fname
= strrchr (inname
, '/')))
565 if (stat (MAILDIR
, &stat1
) < 0)
568 indir
= (char *) xmalloc (fname
- inname
+ 1);
569 strncpy (indir
, inname
, fname
- inname
);
570 indir
[fname
-inname
] = '\0';
573 status
= stat (indir
, &stat2
);
580 if (stat1
.st_dev
== stat2
.st_dev
581 && stat1
.st_ino
== stat2
.st_ino
)
586 #endif /* MAIL_USE_MAILLOCK */
588 /* Print error message and exit. */
591 fatal (const char *s1
, const char *s2
, const char *s3
)
594 unlink (delete_lockname
);
599 /* Print error message. `s1' is printf control string, `s2' and `s3'
600 are args for it or null. */
603 error (const char *s1
, const char *s2
, const char *s3
)
605 fprintf (stderr
, "movemail: ");
607 fprintf (stderr
, s1
, s2
, s3
);
609 fprintf (stderr
, s1
, s2
);
611 fprintf (stderr
, "%s", s1
);
612 fprintf (stderr
, "\n");
616 pfatal_with_name (char *name
)
618 fatal ("%s for %s", strerror (errno
), name
);
622 pfatal_and_delete (char *name
)
624 char *s
= strerror (errno
);
626 fatal ("%s for %s", s
, name
);
629 /* Return a newly-allocated string whose contents concatenate those of s1, s2, s3. */
632 concat (const char *s1
, const char *s2
, const char *s3
)
634 size_t len1
= strlen (s1
), len2
= strlen (s2
), len3
= strlen (s3
);
635 char *result
= (char *) xmalloc (len1
+ len2
+ len3
+ 1);
638 strcpy (result
+ len1
, s2
);
639 strcpy (result
+ len1
+ len2
, s3
);
640 *(result
+ len1
+ len2
+ len3
) = 0;
645 /* Like malloc but get fatal error if memory is exhausted. */
648 xmalloc (unsigned int size
)
650 long *result
= (long *) malloc (size
);
652 fatal ("virtual memory exhausted", 0, 0);
656 /* This is the guts of the interface to the Post Office Protocol. */
661 #include <sys/socket.h>
662 #include <netinet/in.h>
678 char ibuffer
[BUFSIZ
];
679 char obuffer
[BUFSIZ
];
680 char Errmsg
[200]; /* POP errors, at least, can exceed
681 the original length of 80. */
684 * The full valid syntax for a POP mailbox specification for movemail
685 * is "po:username:hostname". The ":hostname" is optional; if it is
686 * omitted, the MAILHOST environment variable will be consulted. Note
687 * that by the time popmail() is called the "po:" has been stripped
688 * off of the front of the mailbox name.
690 * If the mailbox is in the form "po:username:hostname", then it is
691 * modified by this function -- the second colon is replaced by a
694 * Return a value suitable for passing to `exit'.
698 popmail (char *mailbox
, char *outfile
, int preserve
, char *password
, int reverse_order
)
704 char *getenv (const char *);
706 int start
, end
, increment
;
707 char *user
, *hostname
;
710 if ((hostname
= strchr (mailbox
, ':')))
713 server
= pop_open (hostname
, user
, password
, POP_NO_GETPASS
);
716 error ("Error connecting to POP server: %s", pop_error
, 0);
720 if (pop_stat (server
, &nmsgs
, &nbytes
))
722 error ("Error getting message count from POP server: %s", pop_error
, 0);
732 mbfi
= open (outfile
, O_WRONLY
| O_CREAT
| O_EXCL
, 0666);
736 error ("Error in open: %s, %s", strerror (errno
), outfile
);
739 fchown (mbfi
, getuid (), -1);
741 if ((mbf
= fdopen (mbfi
, "wb")) == NULL
)
744 error ("Error in fdopen: %s", strerror (errno
), 0);
763 for (i
= start
; i
* increment
<= end
* increment
; i
+= increment
)
765 mbx_delimit_begin (mbf
);
766 if (pop_retr (server
, i
, mbf
) != OK
)
768 error ("%s", Errmsg
, 0);
772 mbx_delimit_end (mbf
);
776 error ("Error in fflush: %s", strerror (errno
), 0);
783 /* On AFS, a call to write only modifies the file in the local
784 * workstation's AFS cache. The changes are not written to the server
785 * until a call to fsync or close is made. Users with AFS home
786 * directories have lost mail when over quota because these checks were
787 * not made in previous versions of movemail. */
790 if (fsync (mbfi
) < 0)
792 error ("Error in fsync: %s", strerror (errno
), 0);
797 if (close (mbfi
) == -1)
799 error ("Error in close: %s", strerror (errno
), 0);
804 for (i
= 1; i
<= nmsgs
; i
++)
806 if (pop_delete (server
, i
))
808 error ("Error from POP server: %s", pop_error
, 0);
814 if (pop_quit (server
))
816 error ("Error from POP server: %s", pop_error
, 0);
824 pop_retr (popserver server
, int msgno
, FILE *arg
)
829 if (pop_retrieve_first (server
, msgno
, &line
))
831 char *error
= concat ("Error from POP server: ", pop_error
, "");
832 strncpy (Errmsg
, error
, sizeof (Errmsg
));
833 Errmsg
[sizeof (Errmsg
)-1] = '\0';
838 while ((ret
= pop_retrieve_next (server
, &line
)) >= 0)
843 if (mbx_write (line
, ret
, arg
) != OK
)
845 strcpy (Errmsg
, strerror (errno
));
853 char *error
= concat ("Error from POP server: ", pop_error
, "");
854 strncpy (Errmsg
, error
, sizeof (Errmsg
));
855 Errmsg
[sizeof (Errmsg
)-1] = '\0';
863 /* Do this as a macro instead of using strcmp to save on execution time. */
864 #define IS_FROM_LINE(a) ((a[0] == 'F') \
871 mbx_write (char *line
, int len
, FILE *mbf
)
873 #ifdef MOVEMAIL_QUOTE_POP_FROM_LINES
874 if (IS_FROM_LINE (line
))
876 if (fputc ('>', mbf
) == EOF
)
880 if (line
[0] == '\037')
882 if (fputs ("^_", mbf
) == EOF
)
887 if (fwrite (line
, 1, len
, mbf
) != len
)
889 if (fputc (0x0a, mbf
) == EOF
)
895 mbx_delimit_begin (FILE *mbf
)
899 char fromline
[40] = "From movemail ";
902 ltime
= localtime (&now
);
904 strcat (fromline
, asctime (ltime
));
906 if (fputs (fromline
, mbf
) == EOF
)
912 mbx_delimit_end (FILE *mbf
)
914 if (putc ('\n', mbf
) == EOF
)
919 #endif /* MAIL_USE_POP */
921 #ifndef HAVE_STRERROR
926 extern char *sys_errlist
[];
929 if (errnum
>= 0 && errnum
< sys_nerr
)
930 return sys_errlist
[errnum
];
931 return (char *) "Unknown error";
934 #endif /* ! HAVE_STRERROR */
936 /* arch-tag: 1c323112-41fe-4fe5-8de9-494de631f73f
937 (do not change this comment) */
939 /* movemail.c ends here */