From 61414430c6bd6c9c9bfa1512880ecc6adbdbf9b4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 21 Mar 2019 17:24:14 +1300
Subject: [PATCH 5/5] CVE-2019-3870 pysmbd: Ensure a zero umask is set for smbd.mkdir()

mkdir() is the other call that requires a umask of 0 in Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeremy Allison
---
 selftest/knownfail.d/pymkdir-umask | 1 -
 source3/smbd/pysmbd.c | 11 ++++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/pymkdir-umask
diff --git a/selftest/knownfail.d/pymkdir-umask b/selftest/knownfail.d/pymkdir-umask
deleted file mode 100644
index 5af01be44e3..00000000000
--- a/selftest/knownfail.d/pymkdir-umask
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_mkdir
\ No newline at end of file
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 179a1ee2943..845ea25f936 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -739,6 +739,8 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
 TALLOC_CTX *frame = talloc_stackframe();
 struct connection_struct *conn = NULL;
 struct smb_filename *smb_fname = NULL;
+ int ret;
+ mode_t saved_umask;
 if (!PyArg_ParseTupleAndKeywords(args, kwargs,
@@ -769,8 +771,15 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs)
 return NULL;
 }
+ /* we want total control over the permissions on created files,
+ so set our umask to 0 */
+ saved_umask = umask(0);
+
+ ret = SMB_VFS_MKDIR(conn, smb_fname, 00755);
- if (SMB_VFS_MKDIR(conn, smb_fname, 00755) == -1) {
+ umask(saved_umask);
+
+ if (ret == -1) {
 DBG_ERR("mkdir error=%d (%s)\n", errno, strerror(errno));
 TALLOC_FREE(frame);
 return NULL;
-- 
2.11.0
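Review bot: In the `@@ -769,8 +771,15 @@` hunk of source3/smbd/pysmbd.c, `umask(0)` changes the mask for the whole process, so any other thread that creates a file or directory while `SMB_VFS_MKDIR()` runs gets no mask applied; nothing visible here says py_smbd_mkdir only runs single-threaded, so the comment should state that, e.g. `/* umask is process-wide: nothing else in this process may create files until it is restored below */`. The same comment speaks of "created files" although this call creates a directory. The error branch reads `errno` only after `umask(saved_umask)` has run, and it returns NULL with no Python exception set in the visible lines. Taking `int saved_errno = errno;` directly after the mkdir, then `errno = saved_errno; PyErr_SetFromErrno(PyExc_OSError);` before `return NULL`, would hand the caller the real failure. The function body starts and ends outside both hunks.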