authorGilles Chehade <gilles@cvs.openbsd.org>2020-02-02 22:13:49 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2020-02-02 22:13:49 +0000
commite63751b4c0f5809f81add56755a6d261f9ff0de3 (patch)
tree897b8f7415e579dae8f80817da5b98649c7dbe95
parent9a271fb5e044068268b07c0429dbcdd79dacfcd8 (diff)
add SENDER to mda environment and teach lmtp to use that instead of command
line parameter. this allows simplifying lmtp command line and it would have prevented the unpriv command exec for LMTP in recent advisory. ok millert@ and jung@
-rw-r--r--usr.sbin/smtpd/mail.lmtp.c26
-rw-r--r--usr.sbin/smtpd/mda_unpriv.c10
-rw-r--r--usr.sbin/smtpd/parse.y6
3 files changed, 32 insertions, 10 deletions
diff --git a/usr.sbin/smtpd/mail.lmtp.c b/usr.sbin/smtpd/mail.lmtp.c
index 94d19155961..f427e73dc35 100644
--- a/usr.sbin/smtpd/mail.lmtp.c
+++ b/usr.sbin/smtpd/mail.lmtp.c
@@ -41,6 +41,7 @@ enum phase {
struct session {
const char *lhlo;
const char *mailfrom;
+ char *rcptto;
char **rcpts;
int n_rcpts;
@@ -62,9 +63,9 @@ main(int argc, char *argv[])
errx(EX_TEMPFAIL, "mail.lmtp: may not be executed as root");
session.lhlo = "localhost";
- session.mailfrom = NULL;
+ session.mailfrom = getenv("SENDER");
- while ((ch = getopt(argc, argv, "d:l:f:")) != -1) {
+ while ((ch = getopt(argc, argv, "d:l:f:ru")) != -1) {
switch (ch) {
case 'd':
destination = optarg;
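Review bot: `session.rcptto` is not assigned here next to `session.lhlo` and `session.mailfrom`, yet later code in main compares it against NULL to choose the recipient list. The declaration of `session` is outside this hunk; if it is an automatic variable without an initializer, a run without `-r` or `-u` reads an indeterminate pointer and may use it as the sole recipient. Adding `session.rcptto = NULL;` directly after `session.mailfrom = getenv("SENDER");` makes the default explicit. main's body starts and ends outside this hunk.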
@@ -75,6 +76,15 @@ main(int argc, char *argv[])
case 'f':
session.mailfrom = optarg;
break;
+
+ case 'r':
+ session.rcptto = getenv("RECIPIENT");
+ break;
+
+ case 'u':
+ session.rcptto = getenv("USER");
+ break;
+
default:
break;
}
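Review bot: The `-r` and `-u` cases store the result of getenv() unchecked, so an unset RECIPIENT or USER leaves `session.rcptto` NULL and the option is silently ignored in favour of positional arguments. Failing where the variable is read is clearer, e.g. `if ((session.rcptto = getenv("RECIPIENT")) == NULL) errx(EX_TEMPFAIL, "RECIPIENT is not set");`, and likewise for USER. The value is later handed to lmtp_engine, which is not visible here; it is worth confirming that an address containing CR or LF is rejected before it is written into the LMTP dialogue. The switch sits inside main, which extends beyond the hunk.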
@@ -85,11 +95,17 @@ main(int argc, char *argv[])
if (session.mailfrom == NULL)
errx(EX_TEMPFAIL, "sender must be specified with -f");
- if (argc == 0)
+ if (argc == 0 && session.rcptto == NULL)
errx(EX_TEMPFAIL, "no recipient was specified");
- session.rcpts = argv;
- session.n_rcpts = argc;
+ if (session.rcptto) {
+ session.rcpts = &session.rcptto;
+ session.n_rcpts = 1;
+ }
+ else {
+ session.rcpts = argv;
+ session.n_rcpts = argc;
+ }
conn = lmtp_connect(destination);
lmtp_engine(conn, &session);
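Review bot: The context-line message `"sender must be specified with -f"` is stale now that the sender normally arrives through SENDER; `errx(EX_TEMPFAIL, "sender must be specified with -f or SENDER");` would match the new behaviour. In addition, when `session.rcptto` is set, any recipients given as positional arguments are dropped without a diagnostic. Either reject that combination or record it with a comment such as `/* -r/-u take precedence over recipients given as arguments */`. main continues outside the hunk.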
diff --git a/usr.sbin/smtpd/mda_unpriv.c b/usr.sbin/smtpd/mda_unpriv.c
index 23754070539..636bb59aef1 100644
--- a/usr.sbin/smtpd/mda_unpriv.c
+++ b/usr.sbin/smtpd/mda_unpriv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mda_unpriv.c,v 1.5 2018/12/27 15:41:50 gilles Exp $ */
+/* $OpenBSD: mda_unpriv.c,v 1.6 2020/02/02 22:13:48 gilles Exp $ */
/*
* Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>
@@ -40,7 +40,7 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver,
const char *pw_name, const char *pw_dir)
{
int idx;
- char *mda_environ[10];
+ char *mda_environ[11];
char mda_exec[LINE_MAX];
char mda_wrapper[LINE_MAX];
const char *mda_command;
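Review bot: `char *mda_environ[11];` is sized by hand to match the number of xasprintf() entries plus the terminator, and it had to be bumped here because one entry was added. Nothing visible ties the size to `idx`, so a later addition that forgets the bump would write past the array on the stack. A bounds check before the terminator is stored, with a condition like `idx >= (int)(sizeof(mda_environ) / sizeof(mda_environ[0]))` leading to a fatal error, would make that fail safely. The rest of mda_unpriv is outside the hunk, so the exact entry count cannot be verified from here.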
@@ -72,6 +72,12 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver,
xasprintf(&mda_environ[idx++], "LOGNAME=%s", pw_name);
xasprintf(&mda_environ[idx++], "USER=%s", pw_name);
+ if (deliver->sender.user[0])
+ xasprintf(&mda_environ[idx++], "SENDER=%s@%s",
+ deliver->sender.user, deliver->sender.domain);
+ else
+ xasprintf(&mda_environ[idx++], "SENDER=");
+
if (deliver->mda_subaddress[0])
xasprintf(&mda_environ[idx++], "EXTENSION=%s", deliver->mda_subaddress);
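Review bot: The new SENDER variable exports `deliver->sender.user` and `deliver->sender.domain` to the delivery command with no comment on where they come from. These look like the envelope sender, which presumably originates from the remote SMTP peer, so any MDA or wrapper script reading SENDER has to treat it as untrusted data and never re-expand it through a shell. A comment above the block such as `/* SENDER is the envelope sender; consumers must treat it as untrusted input */` would record that. The `else` branch exports an empty `SENDER=`, which mail.lmtp accepts because it only tests the getenv() result for NULL; that is worth stating in the same comment.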
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index eaa465ae83a..44fcf824fa8 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.274 2020/01/31 22:01:20 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.275 2020/02/02 22:13:48 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -690,11 +690,11 @@ MBOX {
} dispatcher_local_options
| LMTP STRING {
asprintf(&dispatcher->u.local.command,
- "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", $2);
+ "/usr/libexec/mail.lmtp -d %s -u", $2);
} dispatcher_local_options
| LMTP STRING RCPT_TO {
asprintf(&dispatcher->u.local.command,
- "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2);
+ "/usr/libexec/mail.lmtp -d %s -r", $2);
} dispatcher_local_options
| MDA STRING {
asprintf(&dispatcher->u.local.command,
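Review bot: Both rewritten LMTP rules call `asprintf(&dispatcher->u.local.command, ...)` without checking the return value; on failure the pointer contents are undefined and would later be used as the delivery command. Testing the call for `== -1` and aborting the parse closes that gap. `$2` is also still interpolated unquoted after `-d`. It comes from the configuration file rather than from the message, but if this string is later handed to a shell (not visible here), a destination containing whitespace or shell metacharacters would be split or interpreted, so validating or quoting it at parse time is worth considering. The grammar rule continues beyond the hunk.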