Avoid segfault on ref:name specified as uid.

If group not also specified, make this a fatal error.  If group
specified, we'll error out anyway unless the group can be resolved.

Approach considered but not followed: fatal config error if built with
ref:name where name is a number.

fixes bug 1098

2 files changed, 16 insertions, 1 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 7105e5fc6..2b3ec8573 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -15,6 +15,9 @@ PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
 
 PP/04 New "dns_use_edns0" global option.
 
+PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
+      Bugzilla 1098.
+
 
 Exim version 4.75
 -----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 30974c9c6..528ffc7c8 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1414,7 +1414,19 @@ if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
       EXIM_USERNAME);
     exit(EXIT_FAILURE);
     }
-  exim_gid = pw->pw_gid;
+  /* If ref:name uses a number as the name, route_finduser() returns
+  TRUE with exim_uid set and pw coerced to NULL. */
+  if (pw)
+    exim_gid = pw->pw_gid;
+#ifndef EXIM_GROUPNAME
+  else
+    {
+    fprintf(stderr,
+        "exim: ref:name should specify a usercode, not a group.\n"
+        "exim: can't let you get away with it unless you also specify a group.\n");
+    exit(EXIT_FAILURE);
+    }
+#endif
   }
 else
   {