summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid O'Neill <dmo@samba.org>2001-01-19 16:57:39 +0000
committerDavid O'Neill <dmo@samba.org>2001-01-19 16:57:39 +0000
commita5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48 (patch)
tree94bbf938acf0969353a8d85e281250582dc0929c
parenta4c22506eff954ceacfb8d2405dae358b5b4c964 (diff)
downloadsamba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.tar.gz
samba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.tar.bz2
samba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.zip
Changes from APPLIANCE_HEAD:
source/printing/nt_printing.c - use se_create_child_secdesc() to create appropriate security descriptor when performing print job admin security checks. source/printing/printing.c - Use JOB_ACCESS_ADMINISTER instead of PRINTER_ACCESS_ADMINISTER in print_job_{delete,pause,resume}() - If stat'ing the job file fails, delete the job from printing.tdb - In print_job_end() check lpq cache time and do a print_queue_update() This prevents printing.tdb from growing when using NT/2K clients, and there isn't someone pressing F5 in a port monitor window. - In print_queue_resume() check lpq cache time and do a print_queue_update() Probably should do it for print_job_resume() too. (This used to be commit 0068b7741fd54706ef36ddbbc3092389d281e684)
-rw-r--r--source3/printing/nt_printing.c32
-rw-r--r--source3/printing/printing.c33
2 files changed, 45 insertions, 20 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 7b84f95161..9eb7dc12ed 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -3003,9 +3003,9 @@ void map_printer_permissions(SEC_DESC *sd)
}
/****************************************************************************
- Check a user has permissions to perform the given operation. We use some
- constants defined in include/rpc_spoolss.h that look relevant to check
- the various actions we perform when checking printer access.
+ Check a user has permissions to perform the given operation. We use the
+ permission constants defined in include/rpc_spoolss.h to check the various
+ actions we perform when checking printer access.
PRINTER_ACCESS_ADMINISTER:
print_queue_pause, print_queue_resume, update_printer_sec,
@@ -3015,7 +3015,7 @@ void map_printer_permissions(SEC_DESC *sd)
PRINTER_ACCESS_USE:
print_job_start
- PRINTER_ACCESS_ADMINISTER (should really be JOB_ACCESS_ADMINISTER):
+ JOB_ACCESS_ADMINISTER:
print_job_delete, print_job_pause, print_job_resume,
print_queue_purge
@@ -3051,14 +3051,34 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
/* Get printer security descriptor */
nt_printing_getsec(pname, &secdesc);
+
+ if (access_type == JOB_ACCESS_ADMINISTER) {
+ SEC_DESC_BUF *parent_secdesc = secdesc;
+
+ /* Create a child security descriptor to check permissions
+ against. This is because print jobs are child objects
+ objects of a printer. */
+
+ secdesc = se_create_child_secdesc(parent_secdesc->sec, False);
+
+ free_sec_desc_buf(&parent_secdesc);
+
+ /* Now this is the bit that really confuses me. The access
+ type needs to be changed from JOB_ACCESS_ADMINISTER to
+ PRINTER_ACCESS_ADMINISTER for this to work. Something
+ to do with the child (job) object becoming like a
+ printer?? -tpot */
+
+ access_type = PRINTER_ACCESS_ADMINISTER;
+ }
+
+ /* Check access */
map_printer_permissions(secdesc->sec);
result = se_access_check(secdesc->sec, user, access_type,
&access_granted, &status);
- /* Check access */
-
DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
/* Free mallocated memory */
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index 3ce58b5b78..a22c8b749a 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -580,7 +580,7 @@ BOOL print_job_delete(struct current_user *user, int jobid, int *errcode)
owns their job. */
if (!owner &&
- !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
+ !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
DEBUG(3, ("delete denied by security descriptor\n"));
*errcode = ERROR_ACCESS_DENIED;
return False;
@@ -622,7 +622,7 @@ BOOL print_job_pause(struct current_user *user, int jobid, int *errcode)
owner = is_owner(user, jobid);
if (!owner &&
- !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
+ !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
DEBUG(3, ("pause denied by security descriptor\n"));
*errcode = ERROR_ACCESS_DENIED;
return False;
@@ -673,7 +673,7 @@ BOOL print_job_resume(struct current_user *user, int jobid, int *errcode)
owner = is_owner(user, jobid);
if (!is_owner(user, jobid) &&
- !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
+ !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
DEBUG(3, ("resume denied by security descriptor\n"));
*errcode = ERROR_ACCESS_DENIED;
return False;
@@ -921,12 +921,17 @@ BOOL print_job_end(int jobid)
snum = print_job_snum(jobid);
- if (sys_fstat(pjob->fd, &sbuf) == 0)
+ if (sys_fstat(pjob->fd, &sbuf) == 0) {
pjob->size = sbuf.st_size;
-
- close(pjob->fd);
- pjob->fd = -1;
-
+ close(pjob->fd);
+ pjob->fd = -1;
+ } else {
+ /* Couldn't stat the job file, so something has gone wrong. Cleanup */
+ unlink(pjob->filename);
+ tdb_delete(tdb, print_key(jobid));
+ return False;
+ }
+
if (pjob->size == 0) {
/* don't bother spooling empty files */
unlink(pjob->filename);
@@ -965,9 +970,9 @@ BOOL print_job_end(int jobid)
pjob->spooled = True;
print_job_store(jobid, pjob);
- /* force update the database */
- print_cache_flush(snum);
-
+ /* make sure the database is up to date */
+ if (print_cache_expired(snum)) print_queue_update(snum);
+
/* Send a printer notify message */
printer_name = PRINTERNAME(snum);
@@ -1186,8 +1191,8 @@ BOOL print_queue_resume(struct current_user *user, int snum, int *errcode)
return False;
}
- /* force update the database */
- print_cache_flush(snum);
+ /* make sure the database is up to date */
+ if (print_cache_expired(snum)) print_queue_update(snum);
/* Send a printer notify message */
@@ -1216,7 +1221,7 @@ BOOL print_queue_purge(struct current_user *user, int snum, int *errcode)
}
}
- print_cache_flush(snum);
+ print_queue_update(snum);
safe_free(queue);
/* Send a printer notify message */