1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2014 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions for writing log files. The code for maintaining datestamped
9 log files was originally contributed by Tony Sheen. */
14 #define LOG_NAME_SIZE 256
15 #define MAX_SYSLOG_LEN 870
17 #define LOG_MODE_FILE 1
18 #define LOG_MODE_SYSLOG 2
20 enum { lt_main, lt_reject, lt_panic, lt_debug };
22 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
26 /*************************************************
27 * Local static variables *
28 *************************************************/
30 static uschar mainlog_name[LOG_NAME_SIZE];
31 static uschar rejectlog_name[LOG_NAME_SIZE];
32 static uschar debuglog_name[LOG_NAME_SIZE];
34 static uschar *mainlog_datestamp = NULL;
35 static uschar *rejectlog_datestamp = NULL;
37 static int mainlogfd = -1;
38 static int rejectlogfd = -1;
39 static ino_t mainlog_inode = 0;
40 static ino_t rejectlog_inode = 0;
42 static uschar *panic_save_buffer = NULL;
43 static BOOL panic_recurseflag = FALSE;
45 static BOOL syslog_open = FALSE;
46 static BOOL path_inspected = FALSE;
47 static int logging_mode = LOG_MODE_FILE;
48 static uschar *file_path = US"";
53 /*************************************************
55 *************************************************/
57 /* The given string is split into sections according to length, or at embedded
58 newlines, and syslogged as a numbered sequence if it is overlong or if there is
59 more than one line. However, if we are running in the test harness, do not do
60 anything. (The test harness doesn't use syslog - for obvious reasons - but we
61 can get here if there is a failure to open the panic log.)
64 priority syslog priority
65 s the string to be written
71 write_syslog(int priority, uschar *s)
76 if (running_in_test_harness) return;
78 if (!syslog_timestamp) s += log_timezone? 26 : 20;
86 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
88 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
94 /* First do a scan through the message in order to determine how many lines
95 it is going to end up as. Then rescan to output it. */
97 for (pass = 0; pass < 2; pass++)
102 for (i = 1, tlen = len; tlen > 0; i++)
105 uschar *nlptr = Ustrchr(ss, '\n');
106 if (nlptr != NULL) plen = nlptr - ss;
107 #ifndef SYSLOG_LONG_LINES
108 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
111 if (ss[plen] == '\n') tlen--; /* chars left */
113 if (pass == 0) linecount++; else
116 syslog(priority, "%.*s", plen, ss);
118 syslog(priority, "[%d%c%d] %.*s", i,
119 (ss[plen] == '\n' && tlen != 0)? '\\' : '/',
120 linecount, plen, ss);
123 if (*ss == '\n') ss++;
130 /*************************************************
132 *************************************************/
134 /* This is called when Exim is dying as a result of something going wrong in
135 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
136 message to debug_file or a stderr file, if they exist. Then, if in the middle
137 of accepting a message, throw it away tidily by calling receive_bomb_out();
138 this will attempt to send an SMTP response if appropriate. Passing NULL as the
139 first argument stops it trying to run the NOTQUIT ACL (which might try further
140 logging and thus cause problems). Otherwise, try to close down an outstanding
144 s1 Error message to write to debug_file and/or stderr and syslog
145 s2 Error message for any SMTP call that is in progress
146 Returns: The function does not return
150 die(uschar *s1, uschar *s2)
154 write_syslog(LOG_CRIT, s1);
155 if (debug_file != NULL) debug_printf("%s\n", s1);
156 if (log_stderr != NULL && log_stderr != debug_file)
157 fprintf(log_stderr, "%s\n", s1);
159 if (receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
160 if (smtp_input) smtp_closedown(s2);
161 exim_exit(EXIT_FAILURE);
166 /*************************************************
167 * Create a log file *
168 *************************************************/
170 /* This function is called to create and open a log file. It may be called in a
171 subprocess when the original process is root.
176 The file name has been build in a working buffer, so it is permissible to
177 overwrite it temporarily if it is necessary to create the directory.
179 Returns: a file descriptor, or < 0 on failure (errno set)
183 log_create(uschar *name)
185 int fd = Uopen(name, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
187 /* If creation failed, attempt to build a log directory in case that is the
190 if (fd < 0 && errno == ENOENT)
193 uschar *lastslash = Ustrrchr(name, '/');
195 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
196 DEBUG(D_any) debug_printf("%s log directory %s\n",
197 created? "created" : "failed to create", name);
199 if (created) fd = Uopen(name, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
207 /*************************************************
208 * Create a log file as the exim user *
209 *************************************************/
211 /* This function is called when we are root to spawn an exim:exim subprocess
212 in which we can create a log file. It must be signal-safe since it is called
213 by the usr1_handler().
218 Returns: a file descriptor, or < 0 on failure (errno set)
222 log_create_as_exim(uschar *name)
228 /* In the subprocess, change uid/gid and do the creation. Return 0 from the
229 subprocess on success. If we don't check for setuid failures, then the file
230 can be created as root, so vulnerabilities which cause setuid to fail mean
231 that the Exim user can use symlinks to cause a file to be opened/created as
232 root. We always open for append, so can't nuke existing content but it would
233 still be Rather Bad. */
237 if (setgid(exim_gid) < 0)
238 die(US"exim: setgid for log-file creation failed, aborting",
239 US"Unexpected log failure, please try later");
240 if (setuid(exim_uid) < 0)
241 die(US"exim: setuid for log-file creation failed, aborting",
242 US"Unexpected log failure, please try later");
243 _exit((log_create(name) < 0)? 1 : 0);
246 /* If we created a subprocess, wait for it. If it succeeded, try the open. */
248 while (pid > 0 && waitpid(pid, &status, 0) != pid);
249 if (status == 0) fd = Uopen(name, O_APPEND|O_WRONLY, LOG_MODE);
251 /* If we failed to create a subprocess, we are in a bad way. We return
252 with fd still < 0, and errno set, letting the caller handle the error. */
260 /*************************************************
262 *************************************************/
264 /* This function opens one of a number of logs, creating the log directory if
265 it does not exist. This may be called recursively on failure, in order to open
268 The directory is in the static variable file_path. This is static so that it
269 the work of sorting out the path is done just once per Exim process.
271 Exim is normally configured to avoid running as root wherever possible, the log
272 files must be owned by the non-privileged exim user. To ensure this, first try
273 an open without O_CREAT - most of the time this will succeed. If it fails, try
274 to create the file; if running as root, this must be done in a subprocess to
278 fd where to return the resulting file descriptor
279 type lt_main, lt_reject, lt_panic, or lt_debug
280 tag optional tag to include in the name (only hooked up for debug)
286 open_log(int *fd, int type, uschar *tag)
290 uschar buffer[LOG_NAME_SIZE];
292 /* The names of the log files are controlled by file_path. The panic log is
293 written to the same directory as the main and reject logs, but its name does
294 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
295 When opening the panic log, if %D or %M is present, we remove the datestamp
296 from the generated name; if it is at the start, remove a following
297 non-alphanumeric character as well; otherwise, remove a preceding
298 non-alphanumeric character. This is definitely kludgy, but it sort of does what
299 people want, I hope. */
301 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
303 /* Save the name of the mainlog for rollover processing. Without a datestamp,
304 it gets statted to see if it has been cycled. With a datestamp, the datestamp
305 will be compared. The static slot for saving it is the same size as buffer,
306 and the text has been checked above to fit, so this use of strcpy() is OK. */
310 Ustrcpy(mainlog_name, buffer);
311 mainlog_datestamp = mainlog_name + string_datestamp_offset;
314 /* Ditto for the reject log */
316 else if (type == lt_reject)
318 Ustrcpy(rejectlog_name, buffer);
319 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
322 /* and deal with the debug log (which keeps the datestamp, but does not
325 else if (type == lt_debug)
327 Ustrcpy(debuglog_name, buffer);
330 /* this won't change the offset of the datestamp */
331 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
334 Ustrcpy(debuglog_name, buffer);
338 /* Remove any datestamp if this is the panic log. This is rare, so there's no
339 need to optimize getting the datestamp length. We remove one non-alphanumeric
340 char afterwards if at the start, otherwise one before. */
342 else if (string_datestamp_offset >= 0)
344 uschar *from = buffer + string_datestamp_offset;
345 uschar *to = from + string_datestamp_length;
346 if (from == buffer || from[-1] == '/')
348 if (!isalnum(*to)) to++;
352 if (!isalnum(from[-1])) from--;
355 /* This strcpy is ok, because we know that to is a substring of from. */
360 /* If the file name is too long, it is an unrecoverable disaster */
364 die(US"exim: log file path too long: aborting",
365 US"Logging failure; please try later");
368 /* We now have the file name. Try to open an existing file. After a successful
369 open, arrange for automatic closure on exec(), and then return. */
371 *fd = Uopen(buffer, O_APPEND|O_WRONLY, LOG_MODE);
375 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
379 /* Open was not successful: try creating the file. If this is a root process,
380 we must do the creating in a subprocess set to exim:exim in order to ensure
381 that the file is created with the right ownership. Otherwise, there can be a
382 race if another Exim process is trying to write to the log at the same time.
383 The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous
388 /* If we are already running as the Exim user (even if that user is root),
389 we can go ahead and create in the current process. */
391 if (euid == exim_uid) *fd = log_create(buffer);
393 /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we
394 are neither exim nor root, creation is not attempted. */
396 else if (euid == root_uid) *fd = log_create_as_exim(buffer);
398 /* If we now have an open file, set the close-on-exec flag and return. */
402 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
406 /* Creation failed. There are some circumstances in which we get here when
407 the effective uid is not root or exim, which is the problem. (For example, a
408 non-setuid binary with log_arguments set, called in certain ways.) Rather than
409 just bombing out, force the log to stderr and carry on if stderr is available.
412 if (euid != root_uid && euid != exim_uid && log_stderr != NULL)
414 *fd = fileno(log_stderr);
418 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
419 log. If possible, save a copy of the original line that was being logged. If we
420 are recursing (can't open the panic log either), the pointer will already be
423 if (panic_save_buffer == NULL)
425 panic_save_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
426 if (panic_save_buffer != NULL)
427 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
430 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
431 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
437 /*************************************************
438 * Add configuration file info to log line *
439 *************************************************/
441 /* This is put in a function because it's needed twice (once for debugging,
445 ptr pointer to the end of the line we are building
448 Returns: updated pointer
452 log_config_info(uschar *ptr, int flags)
454 Ustrcpy(ptr, "Exim configuration error");
457 if ((flags & (LOG_CONFIG_FOR & ~LOG_CONFIG)) != 0)
459 Ustrcpy(ptr, " for ");
463 if ((flags & (LOG_CONFIG_IN & ~LOG_CONFIG)) != 0)
465 sprintf(CS ptr, " in line %d of %s", config_lineno, config_filename);
469 Ustrcpy(ptr, ":\n ");
474 /*************************************************
475 * A write() operation failed *
476 *************************************************/
478 /* This function is called when write() fails on anything other than the panic
479 log, which can happen if a disk gets full or a file gets too large or whatever.
480 We try to save the relevant message in the panic_save buffer before crashing
483 The potential invoker should probably not call us for EINTR -1 writes. But
484 otherwise, short writes are bad as we don't do non-blocking writes to fds
485 subject to flow control. (If we do, that's new and the logic of this should
489 name the name of the log being written
490 length the string length being written
491 rc the return value from write()
493 Returns: does not return
497 log_write_failed(uschar *name, int length, int rc)
499 int save_errno = errno;
501 if (panic_save_buffer == NULL)
503 panic_save_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
504 if (panic_save_buffer != NULL)
505 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
508 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
509 "errno=%d (%s)", name, length, rc, save_errno,
510 (save_errno == 0)? "write incomplete" : strerror(save_errno));
516 /*************************************************
517 * Write to an fd, retrying after signals *
518 *************************************************/
520 /* Basic write to fd for logs, handling EINTR.
523 fd the fd to write to
524 buf the string to write
525 length the string length being written
528 length actually written, persisting an errno from write()
531 write_to_fd_buf(int fd, const uschar *buf, size_t length)
534 size_t total_written = 0;
535 const uschar *p = buf;
536 size_t left = length;
540 wrote = write(fd, p, left);
541 if (wrote == (ssize_t)-1)
543 if (errno == EINTR) continue;
546 total_written += wrote;
555 return total_written;
563 int sep = ':'; /* Fixed separator - outside use */
565 const uschar *tt = US LOG_FILE_PATH;
566 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
568 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
569 file_path = string_copy(t);
576 /*************************************************
577 * Write message to log file *
578 *************************************************/
580 /* Exim can be configured to log to local files, or use syslog, or both. This
581 is controlled by the setting of log_file_path. The following cases are
584 log_file_path = "" write files in the spool/log directory
585 log_file_path = "xxx" write files in the xxx directory
586 log_file_path = "syslog" write to syslog
587 log_file_path = "syslog : xxx" write to syslog and to files (any order)
589 The message always gets '\n' added on the end of it, since more than one
590 process may be writing to the log at once and we don't want intermingling to
591 happen in the middle of lines. To be absolutely sure of this we write the data
592 into a private buffer and then put it out in a single write() call.
594 The flags determine which log(s) the message is written to, or for syslogging,
595 which priority to use, and in the case of the panic log, whether the process
596 should die afterwards.
598 The variable really_exim is TRUE only when exim is running in privileged state
599 (i.e. not with a changed configuration or with testing options such as -brw).
600 If it is not, don't try to write to the log because permission will probably be
603 Avoid actually writing to the logs when exim is called with -bv or -bt to
604 test an address, but take other actions, such as panicing.
606 In Exim proper, the buffer for building the message is got at start-up, so that
607 nothing gets done if it can't be got. However, some functions that are also
608 used in utilities occasionally obey log_write calls in error situations, and it
609 is simplest to put a single malloc() here rather than put one in each utility.
610 Malloc is used directly because the store functions may call log_write().
612 If a message_id exists, we include it after the timestamp.
615 selector write to main log or LOG_INFO only if this value is zero, or if
616 its bit is set in log_write_selector
617 flags each bit indicates some independent action:
618 LOG_SENDER add raw sender to the message
619 LOG_RECIPIENTS add raw recipients list to message
620 LOG_CONFIG add "Exim configuration error"
621 LOG_CONFIG_FOR add " for " instead of ":\n "
622 LOG_CONFIG_IN add " in line x[ of file y]"
623 LOG_MAIN write to main log or syslog LOG_INFO
624 LOG_REJECT write to reject log or syslog LOG_NOTICE
625 LOG_PANIC write to panic log or syslog LOG_ALERT
626 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
627 format a printf() format
628 ... arguments for format
634 log_write(unsigned int selector, int flags, const char *format, ...)
642 /* If panic_recurseflag is set, we have failed to open the panic log. This is
643 the ultimate disaster. First try to write the message to a debug file and/or
644 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
645 original log line that caused the problem. Afterwards, expire. */
647 if (panic_recurseflag)
649 uschar *extra = (panic_save_buffer == NULL)? US"" : panic_save_buffer;
650 if (debug_file != NULL) debug_printf("%s%s", extra, log_buffer);
651 if (log_stderr != NULL && log_stderr != debug_file)
652 fprintf(log_stderr, "%s%s", extra, log_buffer);
653 if (*extra != 0) write_syslog(LOG_CRIT, extra);
654 write_syslog(LOG_CRIT, log_buffer);
655 die(US"exim: could not open panic log - aborting: see message(s) above",
656 US"Unexpected log failure, please try later");
659 /* Ensure we have a buffer (see comment above); this should never be obeyed
660 when running Exim proper, only when running utilities. */
662 if (log_buffer == NULL)
664 log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
665 if (log_buffer == NULL)
667 fprintf(stderr, "exim: failed to get store for log buffer\n");
668 exim_exit(EXIT_FAILURE);
672 /* If we haven't already done so, inspect the setting of log_file_path to
673 determine whether to log to files and/or to syslog. Bits in logging_mode
674 control this, and for file logging, the path must end up in file_path. This
675 variable must be in permanent store because it may be required again later in
680 BOOL multiple = FALSE;
681 int old_pool = store_pool;
683 store_pool = POOL_PERM;
685 /* If nothing has been set, don't waste effort... the default values for the
686 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
690 int sep = ':'; /* Fixed separator - outside use */
692 const uschar *ss = log_file_path;
694 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
696 if (Ustrcmp(s, "syslog") == 0)
697 logging_mode |= LOG_MODE_SYSLOG;
698 else if ((logging_mode & LOG_MODE_FILE) != 0) multiple = TRUE;
701 logging_mode |= LOG_MODE_FILE;
703 /* If a non-empty path is given, use it */
706 file_path = string_copy(s);
708 /* If the path is empty, we want to use the first non-empty, non-
709 syslog item in LOG_FILE_PATH, if there is one, since the value of
710 log_file_path may have been set at runtime. If there is no such item,
711 use the ultimate default in the spool directory. */
714 set_file_path(); /* Empty item in log_file_path */
715 } /* First non-syslog item in log_file_path */
716 } /* Scan of log_file_path */
719 /* If no modes have been selected, it is a major disaster */
721 if (logging_mode == 0)
722 die(US"Neither syslog nor file logging set in log_file_path",
723 US"Unexpected logging failure");
725 /* Set up the ultimate default if necessary. Then revert to the old store
726 pool, and record that we've sorted out the path. */
728 if ((logging_mode & LOG_MODE_FILE) != 0 && file_path[0] == 0)
729 file_path = string_sprintf("%s/log/%%slog", spool_directory);
730 store_pool = old_pool;
731 path_inspected = TRUE;
733 /* If more than one file path was given, log a complaint. This recursive call
734 should work since we have now set up the routing. */
737 log_write(0, LOG_MAIN|LOG_PANIC,
738 "More than one path given in log_file_path: using %s", file_path);
741 /* If debugging, show all log entries, but don't show headers. Do it all
742 in one go so that it doesn't get split when multi-processing. */
749 Ustrcpy(ptr, "LOG:");
752 /* Show the options that were passed into the call. These are those whose
753 flag values do not have the 0x80000000 bit in them. Note that this
754 automatically exclude the "all" setting. */
756 for (i = 0; i < log_options_count; i++)
758 unsigned int bit = log_options[i].bit;
759 if ((bit & 0x80000000) != 0) continue;
760 if ((selector & bit) != 0)
763 Ustrcpy(ptr, log_options[i].name);
768 sprintf(CS ptr, "%s%s%s%s\n ",
769 ((flags & LOG_MAIN) != 0)? " MAIN" : "",
770 ((flags & LOG_PANIC) != 0)? " PANIC" : "",
771 ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE)? " DIE" : "",
772 ((flags & LOG_REJECT) != 0)? " REJECT" : "");
775 if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
777 va_start(ap, format);
778 if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
779 Ustrcpy(ptr, "**** log string overflowed log buffer ****");
784 debug_printf("%s", log_buffer);
787 /* If no log file is specified, we are in a mess. */
789 if ((flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)) == 0)
790 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
793 /* There are some weird circumstances in which logging is disabled. */
797 DEBUG(D_any) debug_printf("log writing disabled\n");
801 /* Handle disabled reject log */
803 if (!write_rejectlog) flags &= ~LOG_REJECT;
805 /* Create the main message in the log buffer. Do not include the message id
806 when called by a utility. */
809 sprintf(CS ptr, "%s ", tod_stamp(tod_log));
812 if ((log_extra_selector & LX_pid) != 0)
814 sprintf(CS ptr, "[%d] ", (int)getpid());
818 if (really_exim && message_id[0] != 0)
820 sprintf(CS ptr, "%s ", message_id);
824 if ((flags & LOG_CONFIG) != 0) ptr = log_config_info(ptr, flags);
826 va_start(ap, format);
827 if (!string_vformat(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer)-1, format, ap))
828 Ustrcpy(ptr, "**** log string overflowed log buffer ****\n");
832 /* Add the raw, unrewritten, sender to the message if required. This is done
833 this way because it kind of fits with LOG_RECIPIENTS. */
835 if ((flags & LOG_SENDER) != 0 &&
836 ptr < log_buffer + LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
838 sprintf(CS ptr, " from <%s>", raw_sender);
842 /* Add list of recipients to the message if required; the raw list,
843 before rewriting, was saved in raw_recipients. There may be none, if an ACL
844 discarded them all. */
846 if ((flags & LOG_RECIPIENTS) != 0 && ptr < log_buffer + LOG_BUFFER_SIZE - 6 &&
847 raw_recipients_count > 0)
850 sprintf(CS ptr, " for");
852 for (i = 0; i < raw_recipients_count; i++)
854 uschar *s = raw_recipients[i];
855 if (log_buffer + LOG_BUFFER_SIZE - ptr < Ustrlen(s) + 3) break;
856 sprintf(CS ptr, " %s", s);
861 sprintf(CS ptr, "\n");
863 length = ptr - log_buffer;
865 /* Handle loggable errors when running a utility, or when address testing.
866 Write to log_stderr unless debugging (when it will already have been written),
867 or unless there is no log_stderr (expn called from daemon, for example). */
869 if (!really_exim || log_testing_mode)
871 if (debug_selector == 0 && log_stderr != NULL &&
872 (selector == 0 || (selector & log_write_selector) != 0))
875 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
877 fprintf(log_stderr, "%s", CS log_buffer);
879 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
883 /* Handle the main log. We know that either syslog or file logging (or both) is
884 set up. A real file gets left open during reception or delivery once it has
885 been opened, but we don't want to keep on writing to it for too long after it
886 has been renamed. Therefore, do a stat() and see if the inode has changed, and
889 if ((flags & LOG_MAIN) != 0 &&
890 (selector == 0 || (selector & log_write_selector) != 0))
892 if ((logging_mode & LOG_MODE_SYSLOG) != 0 &&
893 (syslog_duplication || (flags & (LOG_REJECT|LOG_PANIC)) == 0))
894 write_syslog(LOG_INFO, log_buffer);
896 if ((logging_mode & LOG_MODE_FILE) != 0)
900 /* Check for a change to the mainlog file name when datestamping is in
901 operation. This happens at midnight, at which point we want to roll over
902 the file. Closing it has the desired effect. */
904 if (mainlog_datestamp != NULL)
906 uschar *nowstamp = tod_stamp(string_datestamp_type);
907 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
909 (void)close(mainlogfd); /* Close the file */
910 mainlogfd = -1; /* Clear the file descriptor */
911 mainlog_inode = 0; /* Unset the inode */
912 mainlog_datestamp = NULL; /* Clear the datestamp */
916 /* Otherwise, we want to check whether the file has been renamed by a
917 cycling script. This could be "if else", but for safety's sake, leave it as
918 "if" so that renaming the log starts a new file even when datestamping is
923 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
925 (void)close(mainlogfd);
931 /* If the log is closed, open it. Then write the line. */
935 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
936 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
939 /* Failing to write to the log is disastrous */
941 written_len = write_to_fd_buf(mainlogfd, log_buffer, length);
942 if (written_len != length)
944 log_write_failed(US"main log", length, written_len);
945 /* That function does not return */
950 /* Handle the log for rejected messages. This can be globally disabled, in
951 which case the flags are altered above. If there are any header lines (i.e. if
952 the rejection is happening after the DATA phase), log the recipients and the
955 if ((flags & LOG_REJECT) != 0)
959 if (header_list != NULL && (log_extra_selector & LX_rejected_header) != 0)
961 if (recipients_count > 0)
965 /* List the sender */
967 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
968 "Envelope-from: <%s>\n", sender_address);
971 /* List up to 5 recipients */
973 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
974 "Envelope-to: <%s>\n", recipients_list[0].address);
977 for (i = 1; i < recipients_count && i < 5; i++)
979 string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer), " <%s>\n",
980 recipients_list[i].address);
984 if (i < recipients_count)
986 (void)string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
992 /* A header with a NULL text is an unfilled in Received: header */
994 for (h = header_list; h != NULL; h = h->next)
997 if (h->text == NULL) continue;
998 fitted = string_format(ptr, LOG_BUFFER_SIZE - (ptr-log_buffer),
999 "%c %s", h->type, h->text);
1001 if (!fitted) /* Buffer is full; truncate */
1003 ptr -= 100; /* For message and separator */
1004 if (ptr[-1] == '\n') ptr--;
1005 Ustrcpy(ptr, "\n*** truncated ***\n");
1011 length = ptr - log_buffer;
1014 /* Write to syslog or to a log file */
1016 if ((logging_mode & LOG_MODE_SYSLOG) != 0 &&
1017 (syslog_duplication || (flags & LOG_PANIC) == 0))
1018 write_syslog(LOG_NOTICE, log_buffer);
1020 /* Check for a change to the rejectlog file name when datestamping is in
1021 operation. This happens at midnight, at which point we want to roll over
1022 the file. Closing it has the desired effect. */
1024 if ((logging_mode & LOG_MODE_FILE) != 0)
1026 struct stat statbuf;
1028 if (rejectlog_datestamp != NULL)
1030 uschar *nowstamp = tod_stamp(string_datestamp_type);
1031 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1033 (void)close(rejectlogfd); /* Close the file */
1034 rejectlogfd = -1; /* Clear the file descriptor */
1035 rejectlog_inode = 0; /* Unset the inode */
1036 rejectlog_datestamp = NULL; /* Clear the datestamp */
1040 /* Otherwise, we want to check whether the file has been renamed by a
1041 cycling script. This could be "if else", but for safety's sake, leave it as
1042 "if" so that renaming the log starts a new file even when datestamping is
1045 if (rejectlogfd >= 0)
1047 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1048 statbuf.st_ino != rejectlog_inode)
1050 (void)close(rejectlogfd);
1052 rejectlog_inode = 0;
1056 /* Open the file if necessary, and write the data */
1058 if (rejectlogfd < 0)
1060 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1061 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1064 written_len = write_to_fd_buf(rejectlogfd, log_buffer, length);
1065 if (written_len != length)
1067 log_write_failed(US"reject log", length, written_len);
1068 /* That function does not return */
1074 /* Handle the panic log, which is not kept open like the others. If it fails to
1075 open, there will be a recursive call to log_write(). We detect this above and
1076 attempt to write to the system log as a last-ditch try at telling somebody. In
1077 all cases except mua_wrapper, try to write to log_stderr. */
1079 if ((flags & LOG_PANIC) != 0)
1081 if (log_stderr != NULL && log_stderr != debug_file && !mua_wrapper)
1082 fprintf(log_stderr, "%s", CS log_buffer);
1084 if ((logging_mode & LOG_MODE_SYSLOG) != 0)
1086 write_syslog(LOG_ALERT, log_buffer);
1089 /* If this panic logging was caused by a failure to open the main log,
1090 the original log line is in panic_save_buffer. Make an attempt to write it. */
1092 if ((logging_mode & LOG_MODE_FILE) != 0)
1094 panic_recurseflag = TRUE;
1095 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1096 panic_recurseflag = FALSE;
1098 if (panic_save_buffer != NULL)
1100 int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1101 i = i; /* compiler quietening */
1104 written_len = write_to_fd_buf(paniclogfd, log_buffer, length);
1105 if (written_len != length)
1107 int save_errno = errno;
1108 write_syslog(LOG_CRIT, log_buffer);
1109 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1110 "errno=%d (%s)", length, (int)written_len, save_errno, strerror(save_errno));
1111 write_syslog(LOG_CRIT, log_buffer);
1112 flags |= LOG_PANIC_DIE;
1115 (void)close(paniclogfd);
1118 /* Give up if the DIE flag is set */
1120 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1121 die(NULL, US"Unexpected failure, please try later");
1127 /*************************************************
1128 * Close any open log files *
1129 *************************************************/
1135 { (void)close(mainlogfd); mainlogfd = -1; }
1136 if (rejectlogfd >= 0)
1137 { (void)close(rejectlogfd); rejectlogfd = -1; }
1139 syslog_open = FALSE;
1144 /*************************************************
1145 * Decode bit settings for log/debug *
1146 *************************************************/
1148 /* This function decodes a string containing bit settings in the form of +name
1149 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1150 also recognizes a numeric setting of the form =<number>, but this is not
1151 intended for user use. It's an easy way for Exim to pass the debug settings
1152 when it is re-exec'ed.
1154 The log options are held in two unsigned ints (because there became too many
1155 for one). The top bit in the table means "put in 2nd selector". This does not
1156 yet apply to debug options, so the "=" facility sets only the first selector.
1158 The "all" selector, which must be equal to 0xffffffff, is recognized specially.
1159 It sets all the bits in both selectors. However, there is a facility for then
1160 unsetting certain bits, because we want to turn off "memory" in the debug case.
1162 The action taken for bad values varies depending upon why we're here.
1163 For log messages, or if the debugging is triggered from config, then we write
1164 to the log on the way out. For debug setting triggered from the command-line,
1165 we treat it as an unknown option: error message to stderr and die.
1168 selector1 address of the first bit string
1169 selector2 address of the second bit string, or NULL
1170 notall1 bits to exclude from "all" for selector1
1171 notall2 bits to exclude from "all" for selector2
1172 string the configured string
1173 options the table of option names
1175 which "log" or "debug"
1176 flags DEBUG_FROM_CONFIG
1178 Returns: nothing on success - bomb out on failure
1182 decode_bits(unsigned int *selector1, unsigned int *selector2, int notall1,
1183 int notall2, uschar *string, bit_table *options, int count, uschar *which,
1187 if (string == NULL) return;
1191 char *end; /* Not uschar */
1192 *selector1 = strtoul(CS string+1, &end, 0);
1193 if (*end == 0) return;
1194 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1199 /* Handle symbolic setting */
1206 bit_table *start, *end;
1208 while (isspace(*string)) string++;
1209 if (*string == 0) return;
1211 if (*string != '+' && *string != '-')
1213 errmsg = string_sprintf("malformed %s_selector setting: "
1214 "+ or - expected but found \"%s\"", which, string);
1218 adding = *string++ == '+';
1220 while (isalnum(*string) || *string == '_') string++;
1224 end = options + count;
1228 bit_table *middle = start + (end - start)/2;
1229 int c = Ustrncmp(s, middle->name, len);
1232 if (middle->name[len] != 0) c = -1; else
1234 unsigned int bit = middle->bit;
1235 unsigned int *selector;
1237 /* The value with all bits set means "force all bits in both selectors"
1238 in the case where two are being handled. However, the top bit in the
1239 second selector is never set. When setting, some bits can be excluded.
1242 if (bit == 0xffffffff)
1246 *selector1 = 0xffffffff ^ notall1;
1247 if (selector2 != NULL) *selector2 = 0x7fffffff ^ notall2;
1252 if (selector2 != NULL) *selector2 = 0;
1256 /* Otherwise, the 0x80000000 bit means "this value, without the top
1257 bit, belongs in the second selector". */
1261 if ((bit & 0x80000000) != 0)
1263 selector = selector2;
1266 else selector = selector1;
1267 if (adding) *selector |= bit; else *selector &= ~bit;
1269 break; /* Out of loop to match selector name */
1272 if (c < 0) end = middle; else start = middle + 1;
1273 } /* Loop to match selector name */
1277 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1278 adding? '+' : '-', len, s);
1281 } /* Loop for selector names */
1283 /* Handle disasters */
1286 if (Ustrcmp(which, "debug") == 0)
1288 if (flags & DEBUG_FROM_CONFIG)
1290 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1293 fprintf(stderr, "exim: %s\n", errmsg);
1296 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1301 /*************************************************
1302 * Activate a debug logfile (late) *
1303 *************************************************/
1305 /* Normally, debugging is activated from the command-line; it may be useful
1306 within the configuration to activate debugging later, based on certain
1307 conditions. If debugging is already in progress, we return early, no action
1308 taken (besides debug-logging that we wanted debug-logging).
1310 Failures in options are not fatal but will result in paniclog entries for the
1313 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1314 which can be combined with conditions, etc, to activate extra logging only
1315 for certain sources. The second use is inetd wait mode debug preservation. */
1318 debug_logging_activate(uschar *tag_name, uschar *opts)
1324 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1325 "DEBUG: Tag=\"%s\" Opts=\"%s\"\n", tag_name, opts ? opts : US"");
1329 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1331 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1336 debug_selector = D_default;
1339 decode_bits(&debug_selector, NULL, D_memory, 0, opts,
1340 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1343 /* When activating from a transport process we may never have logged at all
1344 resulting in certain setup not having been done. Hack this for now so we
1345 do not segfault; note that nondefault log locations will not work */
1347 if (!*file_path) set_file_path();
1349 open_log(&fd, lt_debug, tag_name);
1352 debug_file = fdopen(fd, "w");
1354 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");