authorGerald Carter <jerry@samba.org>2005-01-14 21:24:15 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:53 -0500
commit2c33c41b0c98ee36f5c9b6a368deb1192360fd5b (patch)
tree54c32d68910eb1a4a9a2e3fbaf43b531c1b9c88a
parent16b2db57a72e300117097f6d6f734e2827a0cc82 (diff)
downloadsamba-2c33c41b0c98ee36f5c9b6a368deb1192360fd5b.tar.gz
samba-2c33c41b0c98ee36f5c9b6a368deb1192360fd5b.tar.bz2
samba-2c33c41b0c98ee36f5c9b6a368deb1192360fd5b.zip
r4740: allow SE_PRINT_OPERATORS to have printer admin access
(This used to be commit 85731706c9d794e8bd3f26ce9b1f881c1ee6a3ba)
-rw-r--r--source3/printing/nt_printing.c17
-rw-r--r--source3/rpc_server/srv_spoolss_nt.c6
2 files changed, 18 insertions, 5 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index a72f63009a..a7513030bd 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -5034,6 +5034,11 @@ void map_printer_permissions(SEC_DESC *sd)
print_job_delete, print_job_pause, print_job_resume,
print_queue_purge
+ Try access control in the following order (for performance reasons):
+ 1) root ans SE_PRINT_OPERATOR can do anything (easy check)
+ 2) check security descriptor (bit comparisons in memory)
+ 3) "printer admins" (may result in numerous calls to winbind)
+
****************************************************************************/
BOOL print_access_check(struct current_user *user, int snum, int access_type)
{
@@ -5050,10 +5055,9 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
if (!user)
user = &current_user;
- /* Always allow root or printer admins to do anything */
+ /* Always allow root or SE_PRINT_OPERATROR to do anything */
- if (user->uid == 0 ||
- user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups)) {
+ if ( user->uid == 0 || user_has_privilege(user->nt_user_token, SE_PRINT_OPERATOR) ) {
return True;
}
@@ -5102,6 +5106,13 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
+ /* see if we need to try the printer admin list */
+
+ if ( access_granted == 0 ) {
+ if ( user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups) )
+ return True;
+ }
+
talloc_destroy(mem_ctx);
if (!result)
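Review bot: The new printer-admin fallback in the third hunk returns True directly, skipping the `talloc_destroy(mem_ctx);` that follows it, so every access check decided by the "printer admins" list leaks the function's talloc context in what is presumably a long-lived server process. The smallest fix is to set the existing result flag instead of returning early, `result = True;`, so the call falls through to the common cleanup and return path; the tail of print_access_check (the errno handling and final return) lies outside this hunk. If `result` is to be reused that way, the `DEBUG(4, ...)` line above will have already reported FAILURE for a request that is ultimately granted, so the log call may be better moved after the fallback. The condition `access_granted == 0` also looks like it means "nothing from the descriptor was granted"; whether a partially granted mask should still consult the admin list is not visible here and is worth confirming. Separately, the comment text in the first two hunks has typos: `root ans SE_PRINT_OPERATOR` should read `root and SE_PRINT_OPERATOR`, and `SE_PRINT_OPERATROR` should be `SE_PRINT_OPERATOR`.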
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index a3424fe73b..ba3ee4706c 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1689,10 +1689,12 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
return WERR_ACCESS_DENIED;
}
- /* if the user is not root and not a printer admin, then fail */
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
if ( user.uid != 0
- && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
+ && !user_has_privilege( user.nt_user_token, SE_PRINT_OPERATOR )
+ && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
{
close_printer_handle(p, handle);
return WERR_ACCESS_DENIED;