Import sendmail-8.9.1 (slightly trimmed) onto a fresh branch under

src/contrib as per various discussions.  I will copy across our changes
and then point the Makefiles across once the dust has settled..

5 files changed, 566 insertions, 0 deletions

diff --git a/contrib/sendmail/test/Results b/contrib/sendmail/test/Results
new file mode 100644
index 0000000..3d930da
--- /dev/null
+++ b/contrib/sendmail/test/Results
@@ -0,0 +1,156 @@
+The following are results of running t_setreuid on various architectures.
+
+OPSYS	VERSION	STATUS	DATE	  TESTER/NOTES
+=====	=======	======	====	  ============
+
+SunOS	4.1	OK	93.07.19  eric
+SunOS	4.1.2	OK	93.07.19  eric
+SunOS	4.1.3	OK	93.09.25  Robert Elz
+
+BSD	4.4	OK	93.07.19  eric	(wierd results, but functional)
+BSD	4.3Utah	OK	93.07.19  eric
+
+FreeBSD	2.1-sta	OK	96.04.14  Jaye Mathisen <mrcpu@cdsnet.net>
+
+Ultrix	4.2A	OK	93.07.19  eric
+Ultrix	4.3A	OK	93.07.19  Allan Johannesen
+Ultrix	4.5	OK	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+HP-UX	8.07	OK	93.07.19  eric (on 7xx series)
+HP-UX	8.02	OK	93.07.19  Michael Corrigan (on 8xx series)
+HP-UX	8.00	OK	93.07.21  Michael Corrigan (on 3xx/4xx series)
+HP-UX	9.01	OK	93.11.19  Cassidy (on 7xx series)
+
+Solaris	2.1
+Solaris	2.2	FAIL	93.07.19  Bill Wisner
+Solaris	2.3	FAIL	95.11.22  Scott J. Kramer <sjk@lux.com>
+Solaris	2.5	OK	96.02.29  Carson Gaspar <carson@lehman.com>
+Solaris	2.5.1	OK	96.11.29  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+OSF/1	T1.3-4	OK	93.07.19  eric (on DEC Alpha)
+OSF/1	1.3	OK	94.12.10  Jeff A. Earickson (on Intel Paragon)
+OSF/1	3.2D	OK	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+OSF/1	4.0	OK	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+CxOS	11.5	OK	96.07.08  Eric Schnoebelen <eric@cirr.com>
+CxOS	11.0	OK	93.01.21  Eric Schnoebelen (CxOS 11.0 beta 1)
+CxOS	10.x	OK	93.01.21  Eric Schnoebelen
+
+AIX	3.1.5	FAIL	93.08.07  David J. N. Begley
+AIX	3.2.3e	FAIL	93.07.26  Steve Bauer <sbauer@silver.sdsmt.edu>
+AIX	3.2.4	FAIL	93.10.07  David J. N. Begley
+AIX	3.2.5	FAIL	94.05.17  Steve Bauer <sbauer@hpcmmib.hpc.sdsmt.edu>
+AIX	4.1	FAIL	96.10.21  Hakan Lindholm <hakan@af.lu.se>
+AIX	4.2	OK	96.10.16  Steve Bauer <sbauer@krypton.hpc.sdsmt.edu>
+
+IRIX	4.0.4	OK	93.09.25  Robert Elz
+IRIX	5.2	OK	94.12.06  Mark Andrews <mandrews@alias.com>
+IRIX	5.3	OK	94.12.06  Mark Andrews <mandrews@alias.com>
+IRIX	6.2	OK	96.09.16  Kari E. Hurtta <Kari.Hurtta@ozone.FMI.FI>
+IRIX	6.3	OK	97.02.10  Mark Andrews <mandrews@aw.sgi.com>
+
+SCO	3.2v4.0	OK	93.10.02  Peter Wemm (with -lsocket from 3.2v4 devsys)
+
+NeXT	2.1	OK	93.07.28  eric
+NeXT	3.0	OK	34.05.05  Kevin John Wang <kwang@lore.acs.calpoly.edu>
+
+Linux	0.99p10	OK	93.08.08  Karl London
+Linux	0.99p13	OK	93.09.27  Christian Kuhtz
+Linux	0.99p14	OK	93.11.30  Christian Kuhtz <chk@data-hh.Hanse.DE>
+Linux	1.0	OK	94.03.19  Shayne Smith <snsmith@rastus.brisnet.org.au>
+Linux	1.2.13	OK	95.11.02  Sven Neuhaus <sven@ping.de>
+Linux	2.0.17	OK	96.09.03  Horst von Brand <vonbrand@sleipnir.valparaiso.cl>
+
+BSD/386	1.0	OK	93.11.13  Tony Sanders
+
+DELL	2.2	OK	93.11.15  Peter Wemm (using -DSETEUID)
+
+Pyramid	5.0d	OK	95.01.14  David Miller <davem@nadzieja.rutgers.edu>
+
+
+
+The following are results of running t_seteuid on various architectures.
+
+OPSYS	VERSION	STATUS	DATE	  TESTER/NOTES
+=====	=======	======	====	  ============
+
+Solaris	2.3	OK	95.11.22  Scott J. Kramer <sjk@lux.com>
+Solaris	2.4	OK	95.09.22  Thomas 'Mike' Michlmayr <mike@cosy.sbg.ac.at>
+Solaris	2.5	OK	96.02.29  Carson Gaspar <carson@lehman.com>
+Solaris	2.5.1	OK	96.11.29  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+Linux	1.2.13	FAIL	95.11.02  Sven Neuhaus <sven@ping.de>
+Linux	2.0.17	FAIL	96.09.03  Horst von Brand <vonbrand@sleipnir.valparaiso.cl>
+
+AIX	4.1	OK	96.10.21  Hakan Lindholm <hakan@af.lu.se>
+
+IRIX	5.2	OK	95.12.01  Mark Andrews <mandrews@aw.sgi.com>
+IRIX	5.3	OK	95.12.01  Mark Andrews <mandrews@aw.sgi.com>
+IRIX	6.2	OK	96.09.16  Kari E. Hurtta <Kari.Hurtta@ozone.FMI.FI>
+IRIX	6.3	OK	97.02.10  Mark Andrews <mandrews@aw.sgi.com>
+
+FreeBSD	2.1-sta	OK	96.04.14  Jaye Mathisen <mrcpu@cdsnet.net>
+
+Ultrix	4.5	FAIL	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+OSF/1	3.2D	OK	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+OSF/1	4.0	OK	96.09.18  Gregory Neil Shapiro <gshapiro@wpi.edu>
+
+CxOS	11.5	FAIL	96.07.08  Eric Schnoebelen <eric@cirr.com>
+
+
+The following are the results of running t_pathconf.c.  Safe means that
+the underlying filesystem (in NFS, the filesystem on the server) does not
+permit regular (non-root) users to chown their files to another user.
+Unsafe means that they can.  Typically, BSD-based systems do not permit
+giveaway and System V-based systems do.  However, some systems (e.g.,
+Solaris) can set this on a per-system or per-filesystem basis.  Entries
+are the return value of pathconf, the errno value, and a * if chown
+disagreed with the result of the pathconf call, and a ? if the test has
+not been run.  A mark of [R] means that the local filesystem has
+chown set to be restricted, [U] means that it is set to be unrestricted.
+
+			     Safe Filesystem	     Unsafe Filesystem
+SYSTEM		LOCAL	    NFS-V2	NFS-V3	    NFS-V2	 NFS-V3
+
+SunOS 4.1.3_U1	1/0	    -1/EINVAL*	n/a	    -1/EINVAL?	 n/a
+SunOS 4.1.4	1/0	    -1/EINVAL*	n/a	    -1/EINVAL	 n/a
+
+AIX 3.2		0/0	    0/0
+
+Solaris 2.4	1/0	    -1/EINVAL*
+Solaris 2.5	1/0	    -1/EINVAL*	1/0			 0/0?
+Solaris 2.5.1	1/0	    -1/EINVAL*	0/0
+
+DEC OSF1 3.0	0/0	    0/0
+DEC OSF1 3.2D-2	0/0	    0/0		0/0
+DEC OSF1 4.0A	0/0	    0/0		0/0
+DEC OSF 4.0B	0/0	    0/0		0/0
+
+Ultrix 4.3	0/0	    0/0		n/a			 n/a
+Ultrix 4.5	1/0	    1/0
+
+HP-UX 9.05	-1/0	    -1/EOPNOTSUPP*	    -1/EOPNOTSUPP
+HP-UX 9.05[R]	1/0	    -1/EOPNOTSUPP*	    -1/EOPNOTSUPP*
+HP-UX 10.10	-1/0	    -1/EOPNOTSUPP*	    -1/EOPNOTSUPP
+HP-UX 10.20		    -1/EOPNOTSUPP?			 -1/EOPNOTSUPP?
+HP-UX 10.30	-1/0	    -1/EOPNOTSUPP	    -1/EOPNOTSUPP
+
+BSD/OS 2.1	1/0
+
+FreeBSD 2.1.7	1/0	    -1/EINVAL*		    -1/EINVAL
+
+Irix 5.3		    -1/0*		    -1/0
+Irix 6.2		    1/0			    -1/0	 0/0*
+Irix 6.2	-1/0	    -1/0
+Irix 6.3 R10000	-1/0				    -1/0	 0/0*
+
+A/UX 3.1.1	1/0
+
+DomainOS [R]	-1/0*
+DomainOS [U]	-1/0
+
+NCR MP-RAS 2	-1/0
+NCR MP-RAS 3	-1/0
+
+Linux 2.0.27	1/0	    1/0
diff --git a/contrib/sendmail/test/t_exclopen.c b/contrib/sendmail/test/t_exclopen.c
new file mode 100644
index 0000000..a42baa9
--- /dev/null
+++ b/contrib/sendmail/test/t_exclopen.c
@@ -0,0 +1,93 @@
+/*
+**  This program tests your system to see if you have the lovely
+**  security-defeating semantics that an open with O_CREAT|O_EXCL
+**  set will successfully open a file named by a symbolic link that
+**  points to a non-existent file.  Sadly, Posix is mute on what
+**  should happen in this situation.
+**
+**  Results to date:
+**	AIX 3.2		OK
+**	BSD family	OK
+**	  BSD/OS 2.1	OK
+**	  FreeBSD 2.1	OK
+**	DEC OSF/1 3.0	OK
+**	HP-UX 9.04	FAIL
+**	HP-UX 9.05	FAIL
+**	HP-UX 9.07	OK
+**	HP-UX 10.01	OK
+**	HP-UX 10.10	OK
+**	HP-UX 10.20	OK
+**	Irix 5.3	OK
+**	Irix 6.2	OK
+**	Irix 6.3	OK
+**	Irix 6.4	OK
+**	Linux		OK
+**	NeXT 2.1	OK
+**	Solaris 2.x	OK
+**	SunOS 4.x	OK
+**	Ultrix 4.3	OK
+*/
+
+#include <stdio.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+char Attacker[128];
+char Attackee[128];
+
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	struct stat st;
+
+	sprintf(Attacker, "/tmp/attacker.%d.%ld", getpid(), time(NULL));
+	sprintf(Attackee, "/tmp/attackee.%d.%ld", getpid(), time(NULL));
+
+	if (symlink(Attackee, Attacker) < 0)
+	{
+		printf("Could not create %s->%s symlink: %d\n",
+			Attacker, Attackee, errno);
+		bail(1);
+	}
+	(void) unlink(Attackee);
+	if (stat(Attackee, &st) >= 0)
+	{
+		printf("%s already exists -- remove and try again.\n",
+			Attackee);
+		bail(1);
+	}
+	if (open(Attacker, O_WRONLY|O_CREAT|O_EXCL, 0644) < 0)
+	{
+		int saveerr = errno;
+
+		if (stat(Attackee, &st) >= 0)
+		{
+			printf("Weird.  Open failed but %s was created anyhow (errno = %d)\n",
+				Attackee, saveerr);
+			bail(1);
+		}
+		printf("Good show!  Exclusive open works properly with symbolic links (errno = %d).\n",
+			saveerr);
+		bail(0);
+	}
+	if (stat(Attackee, &st) < 0)
+	{
+		printf("Weird.  Open succeeded but %s was not created\n",
+			Attackee);
+		bail(2);
+	}
+	printf("Bad news: you can do an exclusive open through a symbolic link\n");
+	printf("\tBe sure you #define BOGUS_O_EXCL in conf.h\n");
+	bail(1);
+}
+
+bail(stat)
+	int stat;
+{
+	(void) unlink(Attacker);
+	(void) unlink(Attackee);
+	exit(stat);
+}
diff --git a/contrib/sendmail/test/t_pathconf.c b/contrib/sendmail/test/t_pathconf.c
new file mode 100644
index 0000000..a4b5038
--- /dev/null
+++ b/contrib/sendmail/test/t_pathconf.c
@@ -0,0 +1,63 @@
+/*
+**  The following test program tries the pathconf(2) routine.  It should
+**  be run in a non-NFS-mounted directory (e.g., /tmp) and on remote (NFS)
+**  mounted directories running both NFS-v2 and NFS-v3 from systems that
+**  both do and do not permit file giveaway.
+*/
+
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sysexits.h>
+
+main()
+{
+	int fd;
+	int i;
+	char tbuf[100];
+	extern int errno;
+
+	if (geteuid() == 0)
+	{
+		printf("*** Run me as a non-root user! ***\n");
+		exit(EX_USAGE);
+	}
+
+	strcpy(tbuf, "TXXXXXX");
+	fd = mkstemp(tbuf);
+	if (fd < 0)
+	{
+		printf("*** Could not create test file %s\n", tbuf);
+		exit(EX_CANTCREAT);
+	}
+	errno = 0;
+	i = pathconf(".", _PC_CHOWN_RESTRICTED);
+	printf("pathconf(.) returns %2d, errno = %d\n", i, errno);
+	errno = 0;
+	i = pathconf(tbuf, _PC_CHOWN_RESTRICTED);
+	printf("pathconf(%s) returns %2d, errno = %d\n", tbuf, i, errno);
+	errno = 0;
+	i = fpathconf(fd, _PC_CHOWN_RESTRICTED);
+	printf("fpathconf(%s) returns %2d, errno = %d\n", tbuf, i, errno);
+	if (errno == 0 && i >= 0)
+	{
+		/* so it claims that it doesn't work -- try anyhow */
+		printf("  fpathconf claims that chown is safe ");
+		if (fchown(fd, 1, 1) >= 0)
+			printf("*** but fchown works anyhow! ***\n");
+		else
+			printf("and fchown agrees\n");
+	}
+	else
+	{
+		/* well, let's see what really happens */
+		printf("  fpathconf claims that chown is not safe ");
+		if (fchown(fd, 1, 1) >= 0)
+			printf("as indeed it is not\n");
+		else
+			printf("*** but in fact it is safe ***\n");
+	}
+	unlink(tbuf);
+	exit(EX_OK);
+}
diff --git a/contrib/sendmail/test/t_seteuid.c b/contrib/sendmail/test/t_seteuid.c
new file mode 100644
index 0000000..f3bd529
--- /dev/null
+++ b/contrib/sendmail/test/t_seteuid.c
@@ -0,0 +1,121 @@
+/*
+**  This program checks to see if your version of seteuid works.
+**  Compile it, make it setuid root, and run it as yourself (NOT as
+**  root).  If it won't compile or outputs any MAYDAY messages, don't
+**  define USESETEUID in conf.h.
+**
+**	NOTE:  It is not sufficient to have seteuid in your library.
+**	You must also have saved uids that function properly.
+**
+**  Compilation is trivial -- just "cc t_seteuid.c".  Make it setuid,
+**  root and then execute it as a non-root user.
+*/
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#ifdef __hpux
+#define seteuid(e)	setresuid(-1, e, -1)
+#endif
+
+main()
+{
+	int fail = 0;
+	uid_t realuid = getuid();
+
+	printuids("initial uids", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		printf("SETUP ERROR: re-run setuid root\n");
+		exit(1);
+	}
+
+	if (getuid() == 0)
+	{
+		printf("SETUP ERROR: must be run by a non-root user\n");
+		exit(1);
+	}
+
+	if (seteuid(1) < 0)
+		printf("seteuid(1) failure\n");
+	printuids("after seteuid(1)", realuid, 1);
+
+	if (geteuid() != 1)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+
+	/* do activity here */
+
+	if (seteuid(0) < 0)
+	{
+		fail++;
+		printf("seteuid(0) failure\n");
+	}
+	printuids("after seteuid(0)", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+	if (getuid() != realuid)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong real uid\n");
+	}
+	printf("\n");
+
+	if (seteuid(2) < 0)
+	{
+		fail++;
+		printf("seteuid(2) failure\n");
+	}
+	printuids("after seteuid(2)", realuid, 2);
+
+	if (geteuid() != 2)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+
+	/* do activity here */
+
+	if (seteuid(0) < 0)
+	{
+		fail++;
+		printf("seteuid(0) failure\n");
+	}
+	printuids("after seteuid(0)", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+	if (getuid() != realuid)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong real uid\n");
+	}
+
+	if (fail)
+	{
+		printf("\nThis system cannot use seteuid\n");
+		exit(1);
+	}
+
+	printf("\nIt is safe to define USESETEUID on this system\n");
+	exit(0);
+}
+
+printuids(str, r, e)
+	char *str;
+	int r, e;
+{
+	printf("%s (should be %d/%d): r/euid=%d/%d\n", str, r, e,
+		getuid(), geteuid());
+}
diff --git a/contrib/sendmail/test/t_setreuid.c b/contrib/sendmail/test/t_setreuid.c
new file mode 100644
index 0000000..6622068
--- /dev/null
+++ b/contrib/sendmail/test/t_setreuid.c
@@ -0,0 +1,133 @@
+/*
+**  This program checks to see if your version of setreuid works.
+**  Compile it, make it setuid root, and run it as yourself (NOT as
+**  root).  If it won't compile or outputs any MAYDAY messages, don't
+**  define HASSETREUID in conf.h.
+**
+**  Compilation is trivial -- just "cc t_setreuid.c".  Make it setuid,
+**  root and then execute it as a non-root user.
+*/
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#ifdef __hpux
+#define setreuid(r, e)	setresuid(r, e, -1)
+#endif
+
+main()
+{
+	int fail = 0;
+	uid_t realuid = getuid();
+
+	printuids("initial uids", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		printf("SETUP ERROR: re-run setuid root\n");
+		exit(1);
+	}
+
+	if (getuid() == 0)
+	{
+		printf("SETUP ERROR: must be run by a non-root user\n");
+		exit(1);
+	}
+
+	if (setreuid(0, 1) < 0)
+	{
+		fail++;
+		printf("setreuid(0, 1) failure\n");
+	}
+	printuids("after setreuid(0, 1)", 0, 1);
+
+	if (geteuid() != 1)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+
+	/* do activity here */
+
+	if (setreuid(-1, 0) < 0)
+	{
+		fail++;
+		printf("setreuid(-1, 0) failure\n");
+	}
+	printuids("after setreuid(-1, 0)", 0, 0);
+	if (setreuid(realuid, 0) < 0)
+	{
+		fail++;
+		printf("setreuid(%d, 0) failure\n", realuid);
+	}
+	printuids("after setreuid(realuid, 0)", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+	if (getuid() != realuid)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong real uid\n");
+	}
+	printf("\n");
+
+	if (setreuid(0, 2) < 0)
+	{
+		fail++;
+		printf("setreuid(0, 2) failure\n");
+	}
+	printuids("after setreuid(0, 2)", 0, 2);
+
+	if (geteuid() != 2)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+
+	/* do activity here */
+
+	if (setreuid(-1, 0) < 0)
+	{
+		fail++;
+		printf("setreuid(-1, 0) failure\n");
+	}
+	printuids("after setreuid(-1, 0)", 0, 0);
+	if (setreuid(realuid, 0) < 0)
+	{
+		fail++;
+		printf("setreuid(%d, 0) failure\n", realuid);
+	}
+	printuids("after setreuid(realuid, 0)", realuid, 0);
+
+	if (geteuid() != 0)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong effective uid\n");
+	}
+	if (getuid() != realuid)
+	{
+		fail++;
+		printf("MAYDAY!  Wrong real uid\n");
+	}
+
+	if (fail)
+	{
+		printf("\nThis system cannot use setreuid\n");
+		exit(1);
+	}
+
+	printf("\nIt is safe to define HASSETREUID on this system\n");
+	exit(0);
+}
+
+printuids(str, r, e)
+	char *str;
+	int r, e;
+{
+	printf("%s (should be %d/%d): r/euid=%d/%d\n", str, r, e,
+		getuid(), geteuid());
+}