authorGünther Deschner <gd@samba.org>2010-11-15 12:22:52 +0100
committerGünther Deschner <gd@samba.org>2010-11-17 15:05:01 +0000
commit98612fe79321ade72c23ca0c1d966a1c192ec977 (patch)
treef7bc4ecb71ecdcc7a507e9ae1b20c6a5d7e17c00
parentee8c035c41c08e5ac599cf68214acd12712191fa (diff)
s3-spoolss: make sure members of "BUILTIN\Print Operators" can open printers
with admin privileges. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Nov 17 15:05:02 UTC 2010 on sn-devel-104
-rw-r--r--source3/rpc_server/srv_spoolss_nt.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 755d8fc473..01b4a75083 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1791,6 +1791,7 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
if ((p->server_info->utok.uid != sec_initial_uid()) &&
!security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok) &&
!token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
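Review bot: The added `nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok)` term is now a fourth independent way to pass the administrative-open check, and nothing at the condition states which principals are meant to qualify. A short comment above the `if` would make the policy auditable, for example `/* admin open is allowed for root, holders of SEC_PRIV_PRINT_OPERATOR, members of BUILTIN\Print Operators, and names in the printer admin list */`. Since group membership alone now grants printer administration, membership of that builtin group presumably needs the same care as assignment of the privilege. The condition begins and ends outside this hunk, so the remaining arguments of `token_contains_name_in_list` are not visible here.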
@@ -1800,7 +1801,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
close_printer_handle(p, r->out.handle);
ZERO_STRUCTP(r->out.handle);
DEBUG(3,("access DENIED as user is not root, "
- "has no printoperator privilege and "
+ "has no printoperator privilege, "
+ "not a member of the printoperater builtin group and "
"is not in printer admin list"));
return WERR_ACCESS_DENIED;
}
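Review bot: The new message fragment spells the group "printoperater" while the line before it says "printoperator", so a grep for the denial across logs will miss one of the two spellings; it should read `"not a member of the printoperator builtin group and "`. The final fragment as shown also has no trailing newline, so the next log entry may run on from this one; `"is not in printer admin list\n"` would fix that. For a denied administrative open it would also help triage if the message named the account, which the condition already obtains through `uidtoname(p->server_info->utok.uid)`.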