-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/include/proto.h15
-rw-r--r--source3/printing/nt_printing.c47
3 files changed, 31 insertions, 33 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f2579dcf57..ff97d5f0a3 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -331,7 +331,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(LIBSMB_OBJ) $(PARAM_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ)
PROTO_OBJ = $(SMBD_OBJ) $(NMBD_OBJ) $(SWAT_OBJ) $(CLIENT_OBJ) \
- $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1)
+ $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1) $(LIBMSRPC_OBJ)
NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) $(LIB_OBJ) $(NSSWINS_OBJ)
NSS_OBJ = $(NSS_OBJ_0:.o=.po)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 400517b9d7..1801164981 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -651,6 +651,21 @@ struct in_addr wins_srv_ip( void );
void wins_srv_died( struct in_addr boothill_ip );
unsigned long wins_srv_count( void );
+/*The following definitions come from libsmb/cli_lsarpc.c */
+
+struct cli_state *cli_lsa_initialise(struct cli_state *cli, char *system_name,
+ struct ntuser_creds *creds);
+void cli_lsa_shutdown(struct cli_state *cli);
+uint32 cli_lsa_open_policy(struct cli_state *cli, BOOL sec_qos,
+ uint32 des_access, POLICY_HND *hnd);
+uint32 cli_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+uint32 cli_lsa_lookup_sids(struct cli_state *cli, POLICY_HND *hnd,
+ int num_sids, DOM_SID *sids, char ***names,
+ uint32 **types, int *num_names);
+uint32 cli_lsa_lookup_names(struct cli_state *cli, POLICY_HND *hnd,
+ int num_names, char **names, DOM_SID **sids,
+ uint32 **types, int *num_sids);
+
/*The following definitions come from libsmb/cliconnect.c */
BOOL cli_session_setup(struct cli_state *cli,
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 2ad2e564ec..a3e4db2314 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -2971,7 +2971,6 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
uint32 access_granted, status, required_access = 0;
BOOL result;
char *pname;
- int i;
extern struct current_user current_user;
/* If user is NULL then use the current_user structure */
@@ -3011,13 +3010,20 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
Manage Documents 0x00020000 PRINTER_ACE_MANAGE_DOCUMENTS
*/
- switch (access_type) {
- case PRINTER_ACCESS_USE:
- required_access = PRINTER_ACE_PRINT;
- break;
- case PRINTER_ACCESS_ADMINISTER:
- required_access = PRINTER_ACE_MANAGE_DOCUMENTS |
- PRINTER_ACE_PRINT;
+ switch (access_type) {
+ case PRINTER_ACCESS_USE:
+ required_access = PRINTER_ACE_PRINT;
+ break;
+ case PRINTER_ACCESS_ADMINISTER:
+ /*
+ * This should be set to PRINTER_ACE_FULL_CONTROL, not to
+ * (PRINTER_ACE_PRINT | PRINTER_ACE_MANAGE_DOCUMENTS).
+ * Doing the latter gives anyone with both PRINTER_ACE_PRINT
+ * and PRINTER_ACE_MANAGE_DOCUMENTS (in any combination of ACLs)
+ * full control over all printer functions. This isn't what
+ * we want.
+ */
+ required_access = PRINTER_ACE_FULL_CONTROL;
break;
case JOB_ACCESS_ADMINISTER:
required_access = PRINTER_ACE_MANAGE_DOCUMENTS;
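Review bot: The comment added above `required_access = PRINTER_ACE_FULL_CONTROL;` is worded as a pending change ("This should be set to ..."), although the next line already makes it, so a later reader may take it for an unfinished TODO. Wording such as `/* Require PRINTER_ACE_FULL_CONTROL: requiring only PRINTER_ACE_PRINT | PRINTER_ACE_MANAGE_DOCUMENTS would let any user holding both bits administer the printer. */` states the rule and its reason directly. Because this tightens an authorization decision, a regression test that a user granted only print and manage-documents rights is refused PRINTER_ACCESS_ADMINISTER would pin the intended behaviour. The switch and print_access_check() both continue outside this hunk.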
@@ -3027,30 +3033,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
result = False;
goto done;
}
-
- /* The ACE for Full Control in a printer security descriptor
- doesn't seem to map properly to the access checking model. For
- it to work properly it should be the logical OR of all the other
- values, i.e PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT.
- This would cause the access check to simply fall out when we
- check against any subset of these bits. To get things to work,
- change every ACE mask of PRINTER_ACE_FULL_CONTROL to
- PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT before
- performing the access check. I'm sure there is a better way to
- do this! */
-
- if (secdesc && secdesc->sec && secdesc->sec->dacl &&
- secdesc->sec->dacl->ace) {
- for(i = 0; i < secdesc->sec->dacl->num_aces; i++) {
- if (secdesc->sec->dacl->ace[i].info.mask ==
- PRINTER_ACE_FULL_CONTROL) {
- secdesc->sec->dacl->ace[i].info.mask =
- PRINTER_ACE_MANAGE_DOCUMENTS |
- PRINTER_ACE_PRINT;
- }
- }
- }
-
+
if ((result = se_access_check(secdesc->sec, user, required_access,
&access_granted, &status))) {
goto done;
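Review bot: After this change `se_access_check(secdesc->sec, ...)` dereferences `secdesc` with no NULL test anywhere in the hunk, whereas the removed loop checked `secdesc && secdesc->sec` before touching the descriptor. Where `secdesc` is fetched lies outside the hunk, so it is unclear whether it can be NULL for a printer with no stored security descriptor. If it can, an explicit fail-closed guard before the call would make the access check safe, for example `if (!secdesc || !secdesc->sec) { result = False; goto done; }`. The rest of print_access_check(), including the `done:` label, is outside this hunk.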