CVE-2019-3870 pysmbd: Ensure a zero umask is set for smbd.mkdir()
authorAndrew Bartlett <abartlet@samba.org>
Thu, 21 Mar 2019 04:24:14 +0000 (17:24 +1300)
committerKarolin Seeger <kseeger@samba.org>
Fri, 5 Apr 2019 07:48:18 +0000 (09:48 +0200)
mkdir() is the other call that requires a umask of 0 in Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
selftest/knownfail.d/pymkdir-umask [deleted file]
source3/smbd/pysmbd.c

diff --git a/selftest/knownfail.d/pymkdir-umask b/selftest/knownfail.d/pymkdir-umask
deleted file mode 100644 (file)
index 5af01be..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_mkdir
\ No newline at end of file
index 179a1ee29435c29111af0ef7b5454760cc153a7b..845ea25f936bb8a9ad7a5f22a3479f2b41d7d72f 100644 (file)
@@ -739,6 +739,8 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
        TALLOC_CTX *frame = talloc_stackframe();
        struct connection_struct *conn = NULL;
        struct smb_filename *smb_fname = NULL;
+       int ret;
+       mode_t saved_umask;
 
        if (!PyArg_ParseTupleAndKeywords(args,
                                         kwargs,
@@ -769,8 +771,15 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
                return NULL;
        }
 
+       /* we want total control over the permissions on created files,
+          so set our umask to 0 */
+       saved_umask = umask(0);
+
+       ret = SMB_VFS_MKDIR(conn, smb_fname, 00755);
 
-       if (SMB_VFS_MKDIR(conn, smb_fname, 00755) == -1) {
+       umask(saved_umask);
+
+       if (ret == -1) {
                DBG_ERR("mkdir error=%d (%s)\n", errno, strerror(errno));
                TALLOC_FREE(frame);
                return NULL;
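Review bot: The `DBG_ERR` line now reads `errno` after the added `umask(saved_umask)` call, so the reported mkdir failure relies on the restore leaving `errno` untouched. POSIX defines no failure for umask(), so this is defensive, but `int saved_errno = errno;` directly after `ret = SMB_VFS_MKDIR(...)` and `errno = saved_errno;` after the restore would make the error path independent of it. The added comment speaks of "created files" and does not say why the mask is put back at once; because the umask is process-wide, something like `/* umask is process-wide: zero it only around the VFS mkdir so the directory gets exactly 0755, then restore it so nothing else in this process is created with an open mask */` would record the security-relevant intent. The failure branch in the context lines also returns NULL with no `PyErr_*` call visible, which CPython reports as an error return without an exception set; `PyErr_SetFromErrno(PyExc_OSError);` before `TALLOC_FREE(frame)` would surface the real cause. py_smbd_mkdir starts and ends outside this hunk.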