From e970f305d4708134c60a9b416bd48793ac3e8844 Mon Sep 17 00:00:00 2001
From: Miklos Szeredi <miklos@szeredi.hu>
Date: Wed, 25 Feb 2004 08:39:42 +0000
Subject: [PATCH] fix

---
 ChangeLog    |  4 ++++
 README       | 35 +++++++++++------------------
 lib/helper.c | 63 ++++++++++++++++++++++++++++------------------------
 3 files changed, 51 insertions(+), 51 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 162916e..7c39dd8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2004-02-25  Miklos Szeredi <mszeredi@inf.bme.hu>
+
+	* Clean up option parsing in fuse_main()
+
 2004-02-20  Miklos Szeredi <mszeredi@inf.bme.hu>
 
 	* removed old way of mounting (fusermount mountpoint program)
diff --git a/README b/README
index 051bc7a..009643c 100644
--- a/README
+++ b/README
@@ -54,12 +54,10 @@ steps (after installing FUSE):
 If it doesn't work out, please ask!  Also see the file 'include/fuse.h' for
 detailed documentation of the library interface.
 
-You can also mount your filesystem like this:
+The fusermount program accepts a couple of additional options (see
+'fusermount -h').  You can add these options after a '--' like this:
 
-   fusermount /mnt/whatever example/fusexmp -d
-
-The fusermount program now accepts a couple of additional options.
-Run it with the '-h' option to see a description.
+   example/fusexmp /mnt/whatever -d -- -l
 
 Security
 ========
@@ -80,22 +78,15 @@ doing nasty things.  Currently those limitations are:
   - No other user (including root) can access the contents of the mounted
     filesystem.
 
-When linux will have private namespaces (as soon as version 2.5 comes out
-hopefully) then this third condition is useless and can be gotten rid of.
-
-Currently the first two conditions are checked by the fusermount program
-before doing the mount.  This has the nice feature, that it's totally
-useless.  Here's why:
-
-   - user creates /tmp/mydir
-   - user starts fusermount
-   - user removes /tmp/mydir just after fusermount checked that it is OK
-   - user creates symlink: ln -s / /tmp/mydir
-   - fusermount actually mounts user's filesystem on '/'
-   - this is bad :(
+Currently the first two conditions are checked by the fusermount
+program before doing the mount.  This is in fact not perfectly secure,
+since there is a window of time, after fusermount has checked the
+mountpoint and before the mount actually takes place, when the user is
+able to change the mountpoint (e.g. by changing symbolic links). 
 
-So to make this secure, the checks must be done by the kernel.  And so
-there is a patch (patch/ms_permission.patch) which does exactly this.
-This is against 2.4.14, but applies to some earlier kernels (not too
-much earlier though), and possibly some later.
+The preferred method would be if the kernel would check the
+permissions.  There is a patch for this for the 2.6.X kernel (where X
+>= 3) in the patch directory.  If you apply this patch then the suid
+bit can be removed from the fusermount program.
 
+Comments about this are appreciated.
diff --git a/lib/helper.c b/lib/helper.c
index 7cbb9eb..e06c01c 100644
--- a/lib/helper.c
+++ b/lib/helper.c
@@ -70,43 +70,51 @@ static void set_signal_handlers()
 
 void fuse_main(int argc, char *argv[], const struct fuse_operations *op)
 {
-    int argctr = 2;
+    int argctr;
     int flags;
     int multithreaded;
     int fuse_fd;
     char *fuse_mountpoint = NULL;
-    char umount_cmd[1024] = "";
     char **fusermount_args = NULL;
     
     flags = 0;
     multithreaded = 1;
-    for(; argctr < argc && !fusermount_args; argctr ++) {
-        if(argv[argctr][0] == '-' && strlen(argv[argctr]) == 2)
-            switch(argv[argctr][1]) {
-            case 'd':
-                flags |= FUSE_DEBUG;
-                break;
-                
-            case 's':
-                multithreaded = 0;
-                break;
-                
-            case 'h':
-                usage(argv[0]);
-                break;
-                
-            case '-':
-                fusermount_args = &argv[argctr+1];
-                break;
-                
-            default:
+    for(argctr = 1; argctr < argc && !fusermount_args; argctr ++) {
+        if(argv[argctr][0] == '-') {
+            if(strlen(argv[argctr]) == 2)
+                switch(argv[argctr][1]) {
+                case 'd':
+                    flags |= FUSE_DEBUG;
+                    break;
+                    
+                case 's':
+                    multithreaded = 0;
+                    break;
+                    
+                case 'h':
+                    usage(argv[0]);
+                    break;
+                    
+                case '-':
+                    fusermount_args = &argv[argctr+1];
+                    break;
+                    
+                default:
+                    invalid_option(argv, argctr);
+                }
+            else
                 invalid_option(argv, argctr);
-            }
-        else 
+        } else if(fuse_mountpoint == NULL)
+            fuse_mountpoint = strdup(argv[argctr]);
+        else
             invalid_option(argv, argctr);
     }
 
-    fuse_mountpoint = strdup(argv[1]);
+    if(fuse_mountpoint == NULL) {
+        fprintf(stderr, "missing mountpoint\n");
+        usage(argv[0]);
+    }
+
     fuse_fd = fuse_mount(fuse_mountpoint, (const char **) fusermount_args);
     if(fuse_fd == -1)
         exit(1);
@@ -123,9 +131,6 @@ void fuse_main(int argc, char *argv[], const struct fuse_operations *op)
         fuse_loop(fuse);
 
     close(fuse_fd);
-    if(fuse_mountpoint != NULL)
-        fuse_unmount(fuse_mountpoint);
-    else if(umount_cmd[0] != '\0')
-        system(umount_cmd);
+    fuse_unmount(fuse_mountpoint);
 }
 
-- 
2.30.2