[diff] src/usr.sbin/smtpd: add allow-exec to explicitly allow commands from aliases


Gilles Chehade-7
Last diff of the series:

This introduces the same logic as forward-file for executing commands.

Executing commands from aliases should be discouraged as you can always achieve the same
through a forward file and benefit from the privilege separation of running a command as
a separate user rather than as the smtpd user... but historically commands have been run
from aliases so the aliases expansion supports running custom commands.

With this diff, an admin must explicitly allow commands to be run from aliases:

    action "local_users" maildir alias <aliases> allow-exec

otherwise sessions resolving to an alias that's a command temporarily fail.

Because aliases and virtual use the same expansion loop, this applies to both:

    action "local_users" maildir virtual <valiases> allow-exec




diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c
index aea0780017e..7a817d868ee 100644
--- a/usr.sbin/smtpd/lka_session.c
+++ b/usr.sbin/smtpd/lka_session.c
@@ -489,6 +489,12 @@ lka_expand(struct lka_session *lks, struct rule *rule, struct expandnode *xn)
  lks->error = LKA_TEMPFAIL;
  break;
  }
+ } else {
+ if (! dsp->u.local.allow_expand_exec) {
+ log_trace(TRACE_EXPAND, "expand: matched expand with no allow-exec");
+ lks->error = LKA_TEMPFAIL;
+ break;
+ }
  }
 
  log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s "
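
Review bot: the refusal in the new else branch is only recorded through log_trace(TRACE_EXPAND, ...), and the message "expand: matched expand with no allow-exec" names neither the recipient nor the command that was refused. Because the result is LKA_TEMPFAIL, the session just fails temporarily, so a configuration that is missing allow-exec is hard to diagnose unless expand tracing is enabled. Consider putting the expanded node into the message and logging the refusal at a level that is visible by default.
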
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 908c189c93d..3a42487acc7 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -608,7 +608,7 @@ USER STRING {
 
  dispatcher->u.local.user = $2;
 }
-| ALIAS tables {
+| ALIAS tables allow_exec {
  struct table   *t = $2;
 
  if (dispatcher->u.local.table_alias) {
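
Review bot: the ALIAS rule now ends in an allow_exec nonterminal, but nothing in this diff defines it or declares its type, so the change only builds on top of whatever earlier diff introduced it (presumably the forward-file one, whose man page entry already shows allow-exec). Please confirm that its empty alternative yields 0, since $3 is assigned unconditionally further down and the default has to stay "no exec".
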
@@ -628,8 +628,9 @@ USER STRING {
  }
 
  dispatcher->u.local.table_alias = strdup(t->t_name);
+ dispatcher->u.local.allow_expand_exec = $3;
 }
-| VIRTUAL tables {
+| VIRTUAL tables allow_exec {
  struct table   *t = $2;
 
  if (dispatcher->u.local.table_virtual) {
@@ -649,6 +650,7 @@ USER STRING {
  }
 
  dispatcher->u.local.table_virtual = strdup(t->t_name);
+ dispatcher->u.local.allow_expand_exec = $3;
 }
 | USERBASE tables {
  struct table   *t = $2;
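
Review bot: dispatcher->u.local.allow_expand_exec = $3 is written here for virtual and in the previous hunk for alias, so a single flag is shared by both options and each assignment is unconditional. If one action can carry both alias and virtual, whichever option is parsed last overwrites the flag: an allow-exec given on the first option is silently dropped, and one given on the second option also applies to the first table. Either confirm the grammar makes the two options mutually exclusive, or keep one flag per table (or only ever set the flag, never clear it).
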
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index c2ef5f568ca..15623b58d86 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -167,12 +167,16 @@ Relay the message to another SMTP server.
 .Pp
 The local delivery methods support additional options:
 .Bl -tag -width Ds
-.It Cm alias Pf < Ar table Ns >
+.It Cm alias Pf < Ar table Ns > Op Cm allow-exec
 Use the mapping
 .Ar table
 for
 .Xr aliases 5
 expansion.
+.Pp
+If
+.Cm allow-exec
+is specified, aliases are allowed to execute a custom command.
 .It Cm forward-file Op Cm allow-exec
 Allow the use of a .forward file in user home directory .
 .Pp
@@ -211,12 +215,16 @@ The
 does not apply for the
 .Cm user
 option.
-.It Cm virtual Pf < Ar table Ns >
+.It Cm virtual Pf < Ar table Ns > Op Cm allow-exec
 Use the mapping
 .Ar table
 for virtual expansion.
 The aliasing table format is described in
 .Xr table 5 .
+.Pp
+If
+.Cm allow-exec
+is specified, virtuals are allowed to execute a custom command.
 .It Cm wrapper Ar name
 Use the wrapper specified in
 .Cm mda wrapper .
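
Review bot: "virtuals are allowed to execute a custom command" does not match the rest of the entry, which speaks of "virtual expansion"; wording along the lines of "virtual expansion is allowed to execute a custom command" would be consistent. As with the alias entry, the text should also state that a recipient resolving to a command is temporarily failed when allow-exec is not given.
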
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 57a8bebec79..7a0695ac5da 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1161,6 +1161,7 @@ struct dispatcher_local {
  uint8_t forward_only;
  uint8_t forward_file;
 
+ uint8_t allow_expand_exec;
  uint8_t allow_forward_exec;
 
  char *mda_wrapper;
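
Review bot: allow_expand_exec sits directly above allow_forward_exec with nothing to say which expansion it governs. Since parse.y sets it from both the alias and the virtual rule, a one-line comment stating that it covers commands reached through alias and virtual table expansion would help the next reader.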