diff options
author | David O'Neill <dmo@samba.org> | 2001-01-19 16:57:39 +0000 |
---|---|---|
committer | David O'Neill <dmo@samba.org> | 2001-01-19 16:57:39 +0000 |
commit | a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48 (patch) | |
tree | 94bbf938acf0969353a8d85e281250582dc0929c /source3/printing/nt_printing.c | |
parent | a4c22506eff954ceacfb8d2405dae358b5b4c964 (diff) | |
download | samba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.tar.gz samba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.tar.bz2 samba-a5b27e9cea2e7c89cabcfe44b89b269bc2c8ff48.zip |
Changes from APPLIANCE_HEAD:
source/printing/nt_printing.c
- use se_create_child_secdesc() to create appropriate security
descriptor when performing print job admin security checks.
source/printing/printing.c
- Use JOB_ACCESS_ADMINISTER instead of PRINTER_ACCESS_ADMINISTER in
print_job_{delete,pause,resume}()
- If stat'ing the job file fails, delete the job from printing.tdb
- In print_job_end() check lpq cache time and do a
print_queue_update() This prevents printing.tdb from growing when
using NT/2K clients, and there isn't someone pressing F5 in a
port monitor window.
- In print_queue_resume() check lpq cache time and do a
print_queue_update() Probably should do it for print_job_resume()
too.
(This used to be commit 0068b7741fd54706ef36ddbbc3092389d281e684)
Diffstat (limited to 'source3/printing/nt_printing.c')
-rw-r--r-- | source3/printing/nt_printing.c | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 7b84f95161..9eb7dc12ed 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -3003,9 +3003,9 @@ void map_printer_permissions(SEC_DESC *sd) } /**************************************************************************** - Check a user has permissions to perform the given operation. We use some - constants defined in include/rpc_spoolss.h that look relevant to check - the various actions we perform when checking printer access. + Check a user has permissions to perform the given operation. We use the + permission constants defined in include/rpc_spoolss.h to check the various + actions we perform when checking printer access. PRINTER_ACCESS_ADMINISTER: print_queue_pause, print_queue_resume, update_printer_sec, @@ -3015,7 +3015,7 @@ void map_printer_permissions(SEC_DESC *sd) PRINTER_ACCESS_USE: print_job_start - PRINTER_ACCESS_ADMINISTER (should really be JOB_ACCESS_ADMINISTER): + JOB_ACCESS_ADMINISTER: print_job_delete, print_job_pause, print_job_resume, print_queue_purge @@ -3051,14 +3051,34 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type) /* Get printer security descriptor */ nt_printing_getsec(pname, &secdesc); + + if (access_type == JOB_ACCESS_ADMINISTER) { + SEC_DESC_BUF *parent_secdesc = secdesc; + + /* Create a child security descriptor to check permissions + against. This is because print jobs are child objects + objects of a printer. */ + + secdesc = se_create_child_secdesc(parent_secdesc->sec, False); + + free_sec_desc_buf(&parent_secdesc); + + /* Now this is the bit that really confuses me. The access + type needs to be changed from JOB_ACCESS_ADMINISTER to + PRINTER_ACCESS_ADMINISTER for this to work. Something + to do with the child (job) object becoming like a + printer?? -tpot */ + + access_type = PRINTER_ACCESS_ADMINISTER; + } + + /* Check access */ map_printer_permissions(secdesc->sec); result = se_access_check(secdesc->sec, user, access_type, &access_granted, &status); - /* Check access */ - DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE")); /* Free mallocated memory */ |