/*

 * Mount helper utility for Linux CIFS VFS (virtual filesystem) client

 * Copyright (C) 2003,2010 Steve French  (sfrench@us.ibm.com)

 * Copyright (C) 2008 Jeremy Allison (jra@samba.org)

 * Copyright (C) 2010 Jeff Layton (jlayton@samba.org)

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

#ifdef HAVE_CONFIG_H

#include "config.h"

#endif /* HAVE_CONFIG_H */

#include <stdlib.h>

#include <stdio.h>

#include <unistd.h>

#include <pwd.h>

#include <grp.h>

#include <ctype.h>

#include <sys/types.h>

#include <sys/mount.h>

#include <sys/stat.h>

#include <sys/utsname.h>

#include <sys/socket.h>

#include <arpa/inet.h>

#include <getopt.h>

#include <errno.h>

#include <netdb.h>

#include <string.h>

#include <mntent.h>

#include <fcntl.h>

#include <limits.h>

#include <paths.h>

#include <libgen.h>

#include <sys/mman.h>

#include <sys/wait.h>

#ifdef HAVE_SYS_FSUID_H

#include <sys/fsuid.h>

#endif /* HAVE_SYS_FSUID_H */

#ifdef HAVE_LIBCAP_NG

#include <cap-ng.h>

#else /* HAVE_LIBCAP_NG */

#ifdef HAVE_PRCTL

#include <sys/prctl.h>

#endif /* HAVE_PRCTL */

#ifdef HAVE_LIBCAP

#include <sys/capability.h>

#endif /* HAVE_LIBCAP */

#endif /* HAVE_LIBCAP_NG */

#include "mount.h"

#include "util.h"

#include "resolve_host.h"

#ifndef MS_MOVE 

#define MS_MOVE 8192 

#endif 

#ifndef MS_BIND

#define MS_BIND 4096

#endif

/* private flags - clear these before passing to kernel */

#define MS_USERS	0x40000000

#define MS_USER		0x80000000

#define MAX_UNC_LEN 1024

/* I believe that the kernel limits options data to a page */

#define MAX_OPTIONS_LEN	4096

/* max length of mtab options */

#define MTAB_OPTIONS_LEN 220

/*

 * Max share name, username, password and domain sizes match the kernel's

 * allowances for these string sizes which in turn match Microsoft's

 * documentation.

 */

/* Max length of the share name portion of a UNC. Share names over 80

 * characters cannot be accessed via commandline in Windows 2000/XP. */

#define MAX_SHARE_LEN 256

/* Max user name length. */

#define MAX_USERNAME_SIZE 256

/* Max domain size. */

#define MAX_DOMAIN_SIZE 256

/* Max password size. */

#define MOUNT_PASSWD_SIZE 512

/*

 * mount.cifs has been the subject of many "security" bugs that have arisen

 * because of users and distributions installing it as a setuid root program

 * before it had been audited for security holes. The default behavior is

 * now to allow mount.cifs to be run as a setuid root program. Some admins

 * may want to disable this fully, so this switch remains in place.

 */

#define CIFS_DISABLE_SETUID_CAPABILITY 0

/*

 * When an unprivileged user runs a setuid mount.cifs, we set certain mount

 * flags by default. These defaults can be changed here.

 */

#define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)

/*

 * Values for parsing a credentials file.

 */

#define CRED_UNPARSEABLE 0

#define CRED_USER        1

#define CRED_PASS        2

#define CRED_DOM         4

/*

 * Values for parsing command line options.

 */

#define OPT_ERROR       -1

#define OPT_IGNORE      0

#define OPT_USERS       1

#define OPT_USER        2

#define OPT_USER_XATTR  3

#define OPT_PASS        4

#define OPT_SEC         5

#define OPT_IP          6

#define OPT_UNC         7

#define OPT_CRED        8

#define OPT_UID         9

#define OPT_GID        10

#define OPT_FMASK      11

#define OPT_FILE_MODE  12

#define OPT_DMASK      13

#define OPT_DIR_MODE   14

#define OPT_DOM        15

#define OPT_NO_SUID    16

#define OPT_SUID       17

#define OPT_NO_DEV     18

#define OPT_DEV        19

#define OPT_NO_LOCK    20

#define OPT_NO_EXEC    21

#define OPT_EXEC       22

#define OPT_GUEST      23

#define OPT_RO         24

#define OPT_RW         25

#define OPT_REMOUNT    26

#define OPT_MAND       27

#define OPT_NOMAND     28

#define OPT_CRUID      29

#define OPT_BKUPUID    30

#define OPT_BKUPGID    31

#define OPT_NOFAIL     32

#define MNT_TMP_FILE "/.mtab.cifs.XXXXXX"

/* struct for holding parsed mount info for use by privleged process */

struct parsed_mount_info {

	unsigned long flags;

	char host[NI_MAXHOST + 1];

	char share[MAX_SHARE_LEN + 1];

	char prefix[PATH_MAX + 1];

	char options[MAX_OPTIONS_LEN];

	char domain[MAX_DOMAIN_SIZE + 1];

	char username[MAX_USERNAME_SIZE + 1];

	char password[MOUNT_PASSWD_SIZE + 1];

	char addrlist[MAX_ADDR_LIST_LEN];

	unsigned int got_user:1;

	unsigned int got_password:1;

	unsigned int fakemnt:1;

	unsigned int nomtab:1;

	unsigned int verboseflag:1;

	unsigned int nofail:1;

	unsigned int got_domain:1;

};

static const char *thisprogram;

static const char *cifs_fstype = "cifs";

static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info);

static int check_setuid(void)

{

	if (geteuid()) {

		fprintf(stderr, "This program is not installed setuid root - "

			" \"user\" CIFS mounts not supported.\n");

		return EX_USAGE;

	}

#if CIFS_DISABLE_SETUID_CAPABILITY

	if (getuid() && !geteuid()) {

		printf("This mount.cifs program has been built with the "

		       "ability to run as a setuid root program disabled.\n");

		return EX_USAGE;

	}

#endif /* CIFS_DISABLE_SETUID_CAPABILITY */

	return 0;

}

static int

check_fstab(const char *progname, const char *mountpoint, const char *devname,

	    char **options)

{

	FILE *fstab;

	struct mntent *mnt;

	/* make sure this mount is listed in /etc/fstab */

	fstab = setmntent(_PATH_MNTTAB, "r");

	if (!fstab) {

		fprintf(stderr, "Couldn't open %s for reading!\n", _PATH_MNTTAB);

		return EX_FILEIO;

	}

	while ((mnt = getmntent(fstab))) {

		if (!strcmp(mountpoint, mnt->mnt_dir))

			break;

	}

	endmntent(fstab);

	if (mnt == NULL || strcmp(mnt->mnt_fsname, devname)) {

		fprintf(stderr, "%s: permission denied: no match for "

			"%s found in %s\n", progname, mountpoint, _PATH_MNTTAB);

		return EX_USAGE;

	}

	/*

	 * 'mount' munges the options from fstab before passing them

	 * to us. It is non-trivial to test that we have the correct

	 * set of options. We don't want to trust what the user

	 * gave us, so just take whatever is in /etc/fstab.

	 */

	free(*options);

	*options = strdup(mnt->mnt_opts);

	return 0;

}

/* BB finish BB

	cifs_umount

	open nofollow - avoid symlink exposure? 

	get owner of dir see if matches self or if root

	call system(umount argv) etc.

BB end finish BB */

static int mount_usage(FILE * stream)

{

	fprintf(stream, "\nUsage:  %s <remotetarget> <dir> -o <options>\n",

		thisprogram);

	fprintf(stream, "\nMount the remote target, specified as a UNC name,");

	fprintf(stream, " to a local directory.\n\nOptions:\n");

	fprintf(stream, "\tuser=<arg>\n\tpass=<arg>\n\tdom=<arg>\n");

	fprintf(stream, "\nLess commonly used options:");

	fprintf(stream,

		"\n\tcredentials=<filename>,guest,perm,noperm,setuids,nosetuids,rw,ro,");

	fprintf(stream,

		"\n\tsep=<char>,iocharset=<codepage>,suid,nosuid,exec,noexec,serverino,");

	fprintf(stream,

		"\n\tmapchars,nomapchars,nolock,servernetbiosname=<SRV_RFC1001NAME>");

	fprintf(stream,

		"\n\tdirectio,nounix,cifsacl,sec=<authentication mechanism>,sign,seal,fsc");

	fprintf(stream,

		"\n\nOptions not needed for servers supporting CIFS Unix extensions");

	fprintf(stream,

		"\n\t(e.g. unneeded for mounts to most Samba versions):");

	fprintf(stream,

		"\n\tuid=<uid>,gid=<gid>,dir_mode=<mode>,file_mode=<mode>,sfu");

	fprintf(stream, "\n\nRarely used options:");

	fprintf(stream,

		"\n\tport=<tcpport>,rsize=<size>,wsize=<size>,unc=<unc_name>,ip=<ip_address>,");

	fprintf(stream,

		"\n\tdev,nodev,nouser_xattr,netbiosname=<OUR_RFC1001NAME>,hard,soft,intr,");

	fprintf(stream,

		"\n\tnointr,ignorecase,noposixpaths,noacl,prefixpath=<path>,nobrl");

	fprintf(stream,

		"\n\nOptions are described in more detail in the manual page");

	fprintf(stream, "\n\tman 8 mount.cifs\n");

	fprintf(stream, "\nTo display the version number of the mount helper:");

	fprintf(stream, "\n\t%s -V\n", thisprogram);

	if (stream == stderr)

		return EX_USAGE;

	return 0;

}

/*

 * CIFS has to "escape" commas in the password field so that they don't

 * end up getting confused for option delimiters. Copy password into pw

 * field, turning any commas into double commas.

 */

static int set_password(struct parsed_mount_info *parsed_info, const char *src)

{

	char *dst = parsed_info->password;

	unsigned int i = 0, j = 0;

	while (src[i]) {

		if (src[i] == ',')

			dst[j++] = ',';

		dst[j++] = src[i++];

		if (j > sizeof(parsed_info->password)) {

			fprintf(stderr, "Converted password too long!\n");

			return EX_USAGE;

		}

	}

	dst[j] = '\0';

	parsed_info->got_password = 1;

	return 0;

}

#ifdef HAVE_LIBCAP_NG

static int

drop_capabilities(int parent)

{

	capng_setpid(getpid());

	capng_clear(CAPNG_SELECT_BOTH);

	if (parent) {

		if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_READ_SEARCH, CAP_DAC_OVERRIDE, -1)) {

			fprintf(stderr, "Unable to update capability set.\n");

			return EX_SYSERR;

		}

		if (capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_ADMIN)) {

			fprintf(stderr, "Unable to update capability set.\n");

			return EX_SYSERR;

		}

	} else {

		if (capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_READ_SEARCH)) {

			fprintf(stderr, "Unable to update capability set.\n");

			return EX_SYSERR;

		}

	}

	if (capng_apply(CAPNG_SELECT_BOTH)) {

		fprintf(stderr, "Unable to apply new capability set.\n");

		return EX_SYSERR;

	}

	return 0;

}

static int

toggle_dac_capability(int writable, int enable)

{

	unsigned int capability = writable ? CAP_DAC_OVERRIDE : CAP_DAC_READ_SEARCH;

	if (capng_update(enable ? CAPNG_ADD : CAPNG_DROP, CAPNG_EFFECTIVE, capability)) {

		fprintf(stderr, "Unable to update capability set.\n");

		return EX_SYSERR;

	}

	if (capng_apply(CAPNG_SELECT_CAPS)) {

		fprintf(stderr, "Unable to apply new capability set.\n");

		return EX_SYSERR;

	}

	return 0;

}

#else /* HAVE_LIBCAP_NG */

#ifdef HAVE_LIBCAP

#ifdef HAVE_PRCTL

static int

prune_bounding_set(void)

{

	int i, rc = 0;

	static int bounding_set_cleared;

	if (bounding_set_cleared)

		return 0;

	for (i = 0; i <= CAP_LAST_CAP && rc == 0; ++i)

		rc = prctl(PR_CAPBSET_DROP, i);

	if (rc != 0) {

		fprintf(stderr, "Unable to clear capability bounding set: %d\n", rc);

		return EX_SYSERR;

	}

	++bounding_set_cleared;

	return 0;

}

#else /* HAVE_PRCTL */

static int

prune_bounding_set(void)

{

	return 0;

}

#endif /* HAVE_PRCTL */

static int

drop_capabilities(int parent)

{

	int rc, ncaps;

	cap_t caps;

	cap_value_t cap_list[3];

	rc = prune_bounding_set();

	if (rc)

		return rc;

	caps = cap_get_proc();

	if (caps == NULL) {

		fprintf(stderr, "Unable to get current capability set: %s\n",

			strerror(errno));

		return EX_SYSERR;

	}

	if (cap_clear(caps) == -1) {

		fprintf(stderr, "Unable to clear capability set: %s\n",

			strerror(errno));

		rc = EX_SYSERR;

		goto free_caps;

	}

	if (parent || getuid() == 0) {

		ncaps = 1;

		cap_list[0] = CAP_DAC_READ_SEARCH;

		if (parent) {

			cap_list[1] = CAP_DAC_OVERRIDE;

			cap_list[2] = CAP_SYS_ADMIN;

			ncaps += 2;

		}

		if (cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET) == -1) {

			fprintf(stderr, "Unable to set permitted capabilities: %s\n",

				strerror(errno));

			rc = EX_SYSERR;

			goto free_caps;

		}

		if (parent) {

			cap_list[0] = CAP_SYS_ADMIN;

			if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1) {

				fprintf(stderr, "Unable to set effective capabilities: %s\n",

					strerror(errno));

				rc = EX_SYSERR;

				goto free_caps;

			}

		}

	}

	if (cap_set_proc(caps) != 0) {

		fprintf(stderr, "Unable to set current process capabilities: %s\n",

			strerror(errno));

		rc = EX_SYSERR;

	}

free_caps:

	cap_free(caps);

	return rc;

}

static int

toggle_dac_capability(int writable, int enable)

{

	int rc = 0;

	cap_t caps;

	cap_value_t capability = writable ? CAP_DAC_OVERRIDE : CAP_DAC_READ_SEARCH;

	caps = cap_get_proc();

	if (caps == NULL) {

		fprintf(stderr, "Unable to get current capability set: %s\n",

			strerror(errno));

		return EX_SYSERR;

	}

	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &capability,

			 enable ? CAP_SET : CAP_CLEAR) == -1) {

		fprintf(stderr, "Unable to %s effective capabilities: %s\n",

			enable ? "set" : "clear", strerror(errno));

		rc = EX_SYSERR;

		goto free_caps;

	}

	if (cap_set_proc(caps) != 0) {

		fprintf(stderr, "Unable to set current process capabilities: %s\n",

			strerror(errno));

		rc = EX_SYSERR;

	}

free_caps:

	cap_free(caps);

	return rc;

}

#else /* HAVE_LIBCAP */

static int

drop_capabilities(int parent __attribute((unused)))

{

	return 0;

}

static int

toggle_dac_capability(int writable __attribute((unused)), int enable __attribute((unused)))

{

	return 0;

}

#endif /* HAVE_LIBCAP */

#endif /* HAVE_LIBCAP_NG */

static void null_terminate_endl(char *source)

{

	char *newline = strchr(source, '\n');

	if (newline)

		*newline = '\0';

}

/*

 * Parse a line from the credentials file.  Changes target to first

 * character after '=' on 'line' and returns the value type of the line

 * Returns CRED_UNPARSEABLE on failure or if either parameter is NULL.

 */

static int parse_cred_line(char *line, char **target)

{

	if (line == NULL || target == NULL)

		goto parsing_err;

	/* position target at first char of value */

	*target = strchr(line, '=');

	if (!*target)

		goto parsing_err;

	*target += 1;

	/* tell the caller which value target points to */

	if (strncasecmp("user", line, 4) == 0)

		return CRED_USER;

	if (strncasecmp("pass", line, 4) == 0)

		return CRED_PASS;

	if (strncasecmp("dom", line, 3) == 0)

		return CRED_DOM;

parsing_err:

	return CRED_UNPARSEABLE;

}

static int open_cred_file(char *file_name,

			struct parsed_mount_info *parsed_info)

{

	char *line_buf = NULL;

	char *temp_val = NULL;

	FILE *fs = NULL;

	int i;

	const int line_buf_size = 4096;

	const int min_non_white = 10;

	i = toggle_dac_capability(0, 1);

	if (i)

		goto return_i;

	i = access(file_name, R_OK);

	if (i) {

		toggle_dac_capability(0, 0);

		i = errno;

		goto return_i;

	}

	fs = fopen(file_name, "r");

	if (fs == NULL) {

		toggle_dac_capability(0, 0);

		i = errno;

		goto return_i;

	}

	i = toggle_dac_capability(0, 0);

	if (i)

		goto return_i;

	line_buf = (char *)malloc(line_buf_size);

	if (line_buf == NULL) {

		i = EX_SYSERR;

		goto return_i;

	}

	/* parse line from credentials file */

	while (fgets(line_buf, line_buf_size, fs)) {

		/* eat leading white space */

		for (i = 0; i < line_buf_size - min_non_white + 1; i++) {

			if ((line_buf[i] != ' ') && (line_buf[i] != '\t'))

				break;

		}

		null_terminate_endl(line_buf);

		/* parse next token */

		switch (parse_cred_line(line_buf + i, &temp_val)) {

		case CRED_USER:

			strlcpy(parsed_info->username, temp_val,

				sizeof(parsed_info->username));

			parsed_info->got_user = 1;

			break;

		case CRED_PASS:

			i = set_password(parsed_info, temp_val);

			if (i)

				goto return_i;

			break;

		case CRED_DOM:

			if (parsed_info->verboseflag)

				fprintf(stderr, "domain=%s\n",

					temp_val);

			strlcpy(parsed_info->domain, temp_val,

				sizeof(parsed_info->domain));

			break;

		case CRED_UNPARSEABLE:

			if (parsed_info->verboseflag)

				fprintf(stderr, "Credential formatted "

					"incorrectly: %s\n",

					temp_val ? temp_val : "(null)");

			break;

		}

	}

	i = 0;

return_i:

	if (fs != NULL)

		fclose(fs);

	/* make sure passwords are scrubbed from memory */

	if (line_buf != NULL)

		memset(line_buf, 0, line_buf_size);

	free(line_buf);

	return i;

}

static int

get_password_from_file(int file_descript, char *filename,

		       struct parsed_mount_info *parsed_info)

{

	int rc = 0;

	char buf[sizeof(parsed_info->password) + 1];

	if (filename != NULL) {

		rc = toggle_dac_capability(0, 1);

		if (rc)

			return rc;

		rc = access(filename, R_OK);

		if (rc) {

			fprintf(stderr,

				"mount.cifs failed: access check of %s failed: %s\n",

				filename, strerror(errno));

			toggle_dac_capability(0, 0);

			return EX_SYSERR;

		}

		file_descript = open(filename, O_RDONLY);

		if (file_descript < 0) {

			fprintf(stderr,

				"mount.cifs failed. %s attempting to open password file %s\n",

				strerror(errno), filename);

			toggle_dac_capability(0, 0);

			return EX_SYSERR;

		}

		rc = toggle_dac_capability(0, 0);

		if (rc) {

			rc = EX_SYSERR;

			goto get_pw_exit;

		}

	}

	memset(buf, 0, sizeof(buf));

	rc = read(file_descript, buf, sizeof(buf) - 1);

	if (rc < 0) {

		fprintf(stderr,

			"mount.cifs failed. Error %s reading password file\n",

			strerror(errno));

		rc = EX_SYSERR;

		goto get_pw_exit;

	}

	rc = set_password(parsed_info, buf);

get_pw_exit:

	if (filename != NULL)

		close(file_descript);

	return rc;

}

/*

 * Returns OPT_ERROR on unparsable token.

 */

static int parse_opt_token(const char *token)

{

	if (token == NULL)

		return OPT_ERROR;

	/*

	 * token is NULL terminated and contains exactly the

	 * keyword so we can match exactly

	 */

	if (strcmp(token, "users") == 0)

		return OPT_USERS;

	if (strcmp(token, "user_xattr") == 0)

		return OPT_USER_XATTR;

	if (strcmp(token, "user") == 0 ||

		strcmp(token, "username") == 0)

		return OPT_USER;

	if (strcmp(token, "pass") == 0 ||

		strcmp(token, "password") == 0)

		return OPT_PASS;

	if (strcmp(token, "sec") == 0)

		return OPT_SEC;

	if (strcmp(token, "ip") == 0 ||

		strcmp(token, "addr") == 0)

		return OPT_IP;

	if (strcmp(token, "unc") == 0 ||

		strcmp(token, "target") == 0 ||

		strcmp(token, "path") == 0)

		return OPT_UNC;

	if (strcmp(token, "dom") == 0 ||

		strcmp(token, "domain") == 0 ||

		strcmp(token, "workgroup") == 0)

		return OPT_DOM;

	if (strcmp(token, "cred") == 0 || /* undocumented */

		strcmp(token, "credentials") == 0)

		return OPT_CRED;

	if (strcmp(token, "uid") == 0)

		return OPT_UID;

	if (strcmp(token, "cruid") == 0)

		return OPT_CRUID;

	if (strcmp(token, "gid") == 0)

		return OPT_GID;

	if (strcmp(token, "fmask") == 0)

		return OPT_FMASK;

	if (strcmp(token, "file_mode") == 0)

		return OPT_FILE_MODE;

	if (strcmp(token, "dmask") == 0)

		return OPT_DMASK;

	if (strcmp(token, "dir_mode") == 0 ||

		strcmp(token, "dirm") == 0)

		return OPT_DIR_MODE;

	if (strcmp(token, "nosuid") == 0)

		return OPT_NO_SUID;

	if (strcmp(token, "suid") == 0)

		return OPT_SUID;

	if (strcmp(token, "nodev") == 0)

		return OPT_NO_DEV;

	if (strcmp(token, "nobrl") == 0 ||

		strcmp(token, "nolock") == 0)

		return OPT_NO_LOCK;

	if (strcmp(token, "mand") == 0)

		return OPT_MAND;

	if (strcmp(token, "nomand") == 0)

		return OPT_NOMAND;

	if (strcmp(token, "dev") == 0)

		return OPT_DEV;

	if (strcmp(token, "noexec") == 0)

		return OPT_NO_EXEC;

	if (strcmp(token, "exec") == 0)

		return OPT_EXEC;

	if (strcmp(token, "guest") == 0)

		return OPT_GUEST;

	if (strcmp(token, "ro") == 0)

		return OPT_RO;

	if (strcmp(token, "rw") == 0)

		return OPT_RW;

	if (strcmp(token, "remount") == 0)

		return OPT_REMOUNT;

	if (strcmp(token, "_netdev") == 0)

		return OPT_IGNORE;

	if (strcmp(token, "backupuid") == 0)

		return OPT_BKUPUID;

	if (strcmp(token, "backupgid") == 0)

		return OPT_BKUPGID;

	if (strcmp(token, "nofail") == 0)

		return OPT_NOFAIL;

	if (strncmp(token, "x-", 2) == 0)

		return OPT_IGNORE;

	return OPT_ERROR;

}

static int

parse_options(const char *data, struct parsed_mount_info *parsed_info)

{

	char *value = NULL;

	char *equals = NULL;

	char *next_keyword = NULL;

	char *out = parsed_info->options;

	unsigned long *filesys_flags = &parsed_info->flags;

	int out_len = 0;

	int word_len;

	int rc = 0;

	int got_bkupuid = 0;

	int got_bkupgid = 0;

	int got_uid = 0;

	int got_cruid = 0;

	int got_gid = 0;

	uid_t uid, cruid = 0, bkupuid = 0;

	gid_t gid, bkupgid = 0;

	char *ep;

	struct passwd *pw;

	struct group *gr;

	/*

	 * max 32-bit uint in decimal is 4294967295 which is 10 chars wide

	 * +1 for NULL, and +1 for good measure

	 */

	char txtbuf[12];

	/* make sure we're starting from beginning */

	out[0] = '\0';

	/* BB fixme check for separator override BB */

	uid = getuid();

	if (uid != 0)

		got_uid = 1;

	gid = getgid();

	if (gid != 0)

		got_gid = 1;

	if (!data)

		return EX_USAGE;

	/*

	 * format is keyword,keyword2=value2,keyword3=value3... 

	 * data  = next keyword

	 * value = next value ie stuff after equal sign

	 */

	while (data && *data) {

		next_keyword = strchr(data, ',');	/* BB handle sep= */

		/* temporarily null terminate end of keyword=value pair */

		if (next_keyword)

			*next_keyword++ = 0;

		/* temporarily null terminate keyword if there's a value */

		value = NULL;

		if ((equals = strchr(data, '=')) != NULL) {

			*equals = '\0';

			value = equals + 1;

		}

		switch(parse_opt_token(data)) {

		case OPT_USERS:

			if (!value || !*value) {

				*filesys_flags |= MS_USERS;

				goto nocopy;

			}

			break;

		case OPT_USER:

			if (!value || !*value) {

				if (data[4] == '\0') {

					*filesys_flags |= MS_USER;

					goto nocopy;

				} else {

					fprintf(stderr,

						"username specified with no parameter\n");

					return EX_USAGE;

				}

			} else {

				strlcpy(parsed_info->username, value,

					sizeof(parsed_info->username));

				parsed_info->got_user = 1;

				goto nocopy;

			}

		case OPT_PASS:

			if (parsed_info->got_password) {

				fprintf(stderr,

					"password specified twice, ignoring second\n");

				goto nocopy;

			}

			if (!value || !*value) {

				parsed_info->got_password = 1;

				goto nocopy;

			}

			rc = set_password(parsed_info, value);

			if (rc)

				return rc;

			goto nocopy;

		case OPT_SEC:

			if (value) {

				if (!strncmp(value, "none", 4) ||

				    !strncmp(value, "krb5", 4))

					parsed_info->got_password = 1;

			}

			break;

		case OPT_IP:

			if (!value || !*value) {