s3-spoolss: make sure members of "BUILTIN\Print Operators" can open printers

with admin privileges.

Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Nov 17 15:05:02 UTC 2010 on sn-devel-104

1 files changed, 3 insertions, 1 deletions

diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 755d8fc473..01b4a75083 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1791,6 +1791,7 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 
 			if ((p->server_info->utok.uid != sec_initial_uid()) &&
 			    !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+			    !nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok) &&
 			    !token_contains_name_in_list(
 				    uidtoname(p->server_info->utok.uid),
 				    p->server_info->info3->base.domain.string,
@@ -1800,7 +1801,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 				close_printer_handle(p, r->out.handle);
 				ZERO_STRUCTP(r->out.handle);
 				DEBUG(3,("access DENIED as user is not root, "
-					"has no printoperator privilege and "
+					"has no printoperator privilege, "
+					"not a member of the printoperater builtin group and "
 					"is not in printer admin list"));
 				return WERR_ACCESS_DENIED;
 			}