authorJeremy Allison <jra@samba.org>2008-05-05 16:24:52 -0700
committerJeremy Allison <jra@samba.org>2008-05-05 16:24:52 -0700
commitfbc780b60478bb8b30927beacdf65a9a766b2ca1 (patch)
tree1146cbe16f18869d98a09e5b760c5275efc9345c
parent7245a8e3b889ad6127d2cbf62a5a7f6e465e6bbd (diff)
Try and fix bug #5095, "Manage Documents privilege is not functional".
Should map the created sd to printer jobs, not printer. Jerry please test and I'll add to 3.2 if it passes. Thanks, Jeremy. (This used to be commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc)
-rw-r--r--source3/include/rpc_spoolss.h9
-rw-r--r--source3/printing/nt_printing.c35
2 files changed, 29 insertions, 15 deletions
diff --git a/source3/include/rpc_spoolss.h b/source3/include/rpc_spoolss.h
index aff0bba444..98f6110f7a 100644
--- a/source3/include/rpc_spoolss.h
+++ b/source3/include/rpc_spoolss.h
@@ -164,6 +164,7 @@
#define PRINTER_ACCESS_ADMINISTER 0x00000004
#define PRINTER_ACCESS_USE 0x00000008
#define JOB_ACCESS_ADMINISTER 0x00000010
+#define JOB_ACCESS_READ 0x00000020
/* JOB status codes. */
@@ -193,10 +194,10 @@
#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
/* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
/* ACE masks for the various print permissions */
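Review bot: The four rewritten JOB_* masks expand to bare `a|b|c` chains with no enclosing parentheses, so an expression such as `mask & JOB_READ` would parse as `(mask & STANDARD_RIGHTS_READ_ACCESS)|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ` and always be non-zero. They are safe as the struct initializers this commit adds in nt_printing.c, but because these are access masks I would wrap each body, e.g. `#define JOB_READ (STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ)`. The PRINTER_EXECUTE context line has the same form, so the style predates this change and could be fixed for the whole group at once.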
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index c31a48c585..a66b1e5c5f 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
SERVER_ALL_ACCESS
};
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+ JOB_READ,
+ JOB_WRITE,
+ JOB_EXECUTE,
+ JOB_ALL_ACCESS
+};
+
/* We need one default form to support our default printer. Msoft adds the
forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an
array index). Letter is always first, so (for the current code) additions
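Review bot: Once job_generic_mapping is used, an ACE carrying any single generic bit ends up with JOB_ACCESS_ADMINISTER, because JOB_READ, JOB_WRITE and JOB_EXECUTE in rpc_spoolss.h all include that bit (assuming se_map_generic substitutes the table entry for the generic bit, which is not visible here). If generic read on a job is really meant to confer job administration, the comment above the table should say so, e.g. `/* NOTE: every generic right maps to a mask that includes JOB_ACCESS_ADMINISTER */`; if not, JOB_READ should probably carry JOB_ACCESS_READ only. The initializer is positional, so it also relies on the read/write/execute/all field order of struct generic_mapping, which is declared outside this hunk.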
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
}
}
+void map_job_permissions(SEC_DESC *sd)
+{
+ int i;
+
+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+ se_map_generic(&sd->dacl->aces[i].access_mask,
+ &job_generic_mapping);
+ }
+}
+
+
/****************************************************************************
Check a user has permissions to perform the given operation. We use the
permission constants defined in include/rpc_spoolss.h to check the various
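Review bot: map_job_permissions() dereferences `sd` without checking it for NULL and re-tests `sd->dacl` on every loop iteration; a guard such as `if (sd == NULL || sd->dacl == NULL) return;` ahead of the loop makes the precondition explicit. The function also has no header comment, and one is needed to say that it rewrites the access_mask of every DACL entry in place, since the caller passes the descriptor it goes on to check. `i` is a signed int compared against `num_aces`, whose type is not visible in this hunk; if it is unsigned, the loop index should match it.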
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
return False;
}
- /* Now this is the bit that really confuses me. The access
- type needs to be changed from JOB_ACCESS_ADMINISTER to
- PRINTER_ACCESS_ADMINISTER for this to work. Something
- to do with the child (job) object becoming like a
- printer?? -tpot */
-
- access_type = PRINTER_ACCESS_ADMINISTER;
+ map_job_permissions(secdesc->sd);
+ } else {
+ map_printer_permissions(secdesc->sd);
}
-
- /* Check access */
-
- map_printer_permissions(secdesc->sd);
+ /* Check access */
result = se_access_check(secdesc->sd, user->nt_user_token, access_type,
&access_granted, &status);
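Review bot: With `access_type = PRINTER_ACCESS_ADMINISTER;` removed, a job-administer request is now checked as JOB_ACCESS_ADMINISTER (0x10), so an ACE stored with only printer-specific bits such as PRINTER_ACCESS_ADMINISTER (0x4) and no generic bits would, as far as the visible lines show, no longer satisfy it. If printer administrators are expected to keep control of jobs, that case needs a test or an explicit fallback. The deleted "confuses me" comment should be replaced by one that states the new rule, e.g. `/* Job requests are evaluated with job_generic_mapping; access_type stays JOB_ACCESS_ADMINISTER */`. The `if` that opens this branch, and the code that obtains `secdesc`, start outside the hunk, so whether the in-place mapping touches a shared or cached descriptor cannot be judged from here.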