diff options
author | Jann Horn <jannh@google.com> | 2018-07-14 03:47:50 -0700 |
---|---|---|
committer | Nikolaus Rath <Nikolaus@rath.org> | 2018-07-21 12:17:49 +0100 |
commit | d50017e850d6123d3dc93c1b3eafef6f7bba09f2 (patch) | |
tree | 9374376d437c84bafad0a2de3ef970c78f38f8e6 | |
parent | 7c49d3cb74b215fcd527dbd9e1884fcc5b0cd469 (diff) | |
download | fuse-d50017e850d6123d3dc93c1b3eafef6f7bba09f2.tar.gz |
fusermount: refuse unknown options
Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.
Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.
-rw-r--r-- | util/fusermount.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/util/fusermount.c b/util/fusermount.c index 012affb..552ac6c 100644 --- a/util/fusermount.c +++ b/util/fusermount.c @@ -806,10 +806,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode, flags |= flag; else flags &= ~flag; - } else { + } else if (opt_eq(s, len, "default_permissions") || + opt_eq(s, len, "allow_other") || + begins_with(s, "max_read=") || + begins_with(s, "blksize=")) { memcpy(d, s, len); d += len; *d++ = ','; + } else { + fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s); + exit(1); } } } |