-rw-r--r-- | source3/Makefile.in | 2 | ||||
-rw-r--r-- | source3/include/proto.h | 15 | ||||
-rw-r--r-- | source3/printing/nt_printing.c | 47 |
3 files changed, 31 insertions, 33 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f2579dcf57..ff97d5f0a3 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -331,7 +331,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(LIBSMB_OBJ) $(PARAM_OBJ) \
 $(UBIQX_OBJ) $(LIB_OBJ)
 PROTO_OBJ = $(SMBD_OBJ) $(NMBD_OBJ) $(SWAT_OBJ) $(CLIENT_OBJ) \
- $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1)
+ $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1) $(LIBMSRPC_OBJ)
 NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) $(LIB_OBJ) $(NSSWINS_OBJ)
 NSS_OBJ = $(NSS_OBJ_0:.o=.po)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 400517b9d7..1801164981 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -651,6 +651,21 @@ struct in_addr wins_srv_ip( void );
 void wins_srv_died( struct in_addr boothill_ip );
 unsigned long wins_srv_count( void );
+/*The following definitions come from libsmb/cli_lsarpc.c */
+
+struct cli_state *cli_lsa_initialise(struct cli_state *cli, char *system_name,
+ struct ntuser_creds *creds);
+void cli_lsa_shutdown(struct cli_state *cli);
+uint32 cli_lsa_open_policy(struct cli_state *cli, BOOL sec_qos,
+ uint32 des_access, POLICY_HND *hnd);
+uint32 cli_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+uint32 cli_lsa_lookup_sids(struct cli_state *cli, POLICY_HND *hnd,
+ int num_sids, DOM_SID *sids, char ***names,
+ uint32 **types, int *num_names);
+uint32 cli_lsa_lookup_names(struct cli_state *cli, POLICY_HND *hnd,
+ int num_names, char **names, DOM_SID **sids,
+ uint32 **types, int *num_sids);
+
 /*The following definitions come from libsmb/cliconnect.c */
 BOOL cli_session_setup(struct cli_state *cli,
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 2ad2e564ec..a3e4db2314 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -2971,7 +2971,6 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 uint32 access_granted, status, required_access = 0;
 BOOL result;
 char *pname;
- int i;
 extern struct current_user current_user;
 /* If user is NULL then use the current_user structure */
@@ -3011,13 +3010,20 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 Manage Documents 0x00020000 PRINTER_ACE_MANAGE_DOCUMENTS */
- switch (access_type) {
- case PRINTER_ACCESS_USE:
- required_access = PRINTER_ACE_PRINT;
- break;
- case PRINTER_ACCESS_ADMINISTER:
- required_access = PRINTER_ACE_MANAGE_DOCUMENTS |
- PRINTER_ACE_PRINT;
+ switch (access_type) {
+ case PRINTER_ACCESS_USE:
+ required_access = PRINTER_ACE_PRINT;
+ break;
+ case PRINTER_ACCESS_ADMINISTER:
+ /*
+ * This should be set to PRINTER_ACE_FULL_CONTROL, not to
+ * (PRINTER_ACE_PRINT | PRINTER_ACE_MANAGE_DOCUMENTS).
+ * Doing the latter gives anyone with both PRINTER_ACE_PRINT
+ * and PRINTER_ACE_MANAGE_DOCUMENTS (in any combination of ACLs)
+ * full control over all printer functions. This isn't what
+ * we want.
+ */
+ required_access = PRINTER_ACE_FULL_CONTROL;
 break;
 case JOB_ACCESS_ADMINISTER:
 required_access = PRINTER_ACE_MANAGE_DOCUMENTS;
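Review bot: The `PRINTER_ACCESS_ADMINISTER` case now requires `PRINTER_ACE_FULL_CONTROL`, but nothing in this switch shows that a Full Control ACE still satisfies the `PRINTER_ACCESS_USE` and `JOB_ACCESS_ADMINISTER` cases. The comment deleted in the last hunk of this file says Full Control is not the OR of the other masks, and the rewrite that compensated for that is removed, so a principal whose only ACE is Full Control may now be refused printing and job management unless se_access_check() or the mask definitions cover it; neither is visible in this diff. The failure would be on the deny side, but it deserves a test with a descriptor holding only a Full Control ACE against all three access types. The new comment would also read better as the rule than as a to-do, e.g. `/* Require Full Control: PRINT and MANAGE_DOCUMENTS granted by separate ACEs must not add up to administer rights. */`. print_access_check() starts and ends outside this hunk.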
@@ -3027,30 +3033,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 result = False;
 goto done;
 }
-
- /* The ACE for Full Control in a printer security descriptor
- doesn't seem to map properly to the access checking model. For
- it to work properly it should be the logical OR of all the other
- values, i.e PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT.
- This would cause the access check to simply fall out when we
- check against any subset of these bits. To get things to work,
- change every ACE mask of PRINTER_ACE_FULL_CONTROL to
- PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT before
- performing the access check. I'm sure there is a better way to
- do this! */
-
- if (secdesc && secdesc->sec && secdesc->sec->dacl &&
- secdesc->sec->dacl->ace) {
- for(i = 0; i < secdesc->sec->dacl->num_aces; i++) {
- if (secdesc->sec->dacl->ace[i].info.mask ==
- PRINTER_ACE_FULL_CONTROL) {
- secdesc->sec->dacl->ace[i].info.mask =
- PRINTER_ACE_MANAGE_DOCUMENTS |
- PRINTER_ACE_PRINT;
- }
- }
- }
-
+
 if ((result = se_access_check(secdesc->sec, user, required_access, &access_granted, &status))) {
 goto done; |
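Review bot: `se_access_check(secdesc->sec, ...)` dereferences `secdesc` with no NULL test, while the block deleted just above it guarded every level (`secdesc && secdesc->sec && ...`) before touching the descriptor. If the lookup earlier in print_access_check() can leave `secdesc` or `secdesc->sec` NULL (that code is outside the hunk), this is a crash in the server's authorization path; a guard such as `if (!secdesc || !secdesc->sec) { result = False; goto done; }` before the call would deny access instead. Confirm that denying is the intended treatment for a printer with no stored descriptor. The single added `+` line before the call appears to hold only whitespace and can be dropped.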