Diffstat (limited to 'source3')
-rw-r--r-- | source3/printing/nt_printing.c | 17 | ||||
-rw-r--r-- | source3/rpc_server/srv_spoolss_nt.c | 6 |
2 files changed, 18 insertions, 5 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index a72f63009a..a7513030bd 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -5034,6 +5034,11 @@ void map_printer_permissions(SEC_DESC *sd)
 print_job_delete, print_job_pause, print_job_resume, print_queue_purge
+ Try access control in the following order (for performance reasons):
+ 1) root ans SE_PRINT_OPERATOR can do anything (easy check)
+ 2) check security descriptor (bit comparisons in memory)
+ 3) "printer admins" (may result in numerous calls to winbind)
+
 ****************************************************************************/
 BOOL print_access_check(struct current_user *user, int snum, int access_type)
 {
@@ -5050,10 +5055,9 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 if (!user) user = ¤t_user;
- /* Always allow root or printer admins to do anything */
+ /* Always allow root or SE_PRINT_OPERATROR to do anything */
- if (user->uid == 0 ||
- user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups)) {
+ if ( user->uid == 0 || user_has_privilege(user->nt_user_token, SE_PRINT_OPERATOR) ) {
 return True;
 }
@@ -5102,6 +5106,13 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
+ /* see if we need to try the printer admin list */
+
+ if ( access_granted == 0 ) {
+ if ( user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups) )
+ return True;
+ }
+
 talloc_destroy(mem_ctx);
 if (!result)
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index a3424fe73b..ba3ee4706c 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
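Review bot: The printer-admin fallback added in the third hunk returns True before the `talloc_destroy(mem_ctx);` that immediately follows it, so the talloc context created earlier in print_access_check (outside this hunk) is leaked on that path; folding the cleanup in keeps it, e.g. `if ( access_granted == 0 && user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups) ) { talloc_destroy(mem_ctx); return True; }`. That fallback also keys on `access_granted == 0` while the DEBUG line above it and the `if (!result)` below key on `result`; if the security-descriptor check can report a non-zero partial grant together with a false result, the printer-admin list would never be consulted for that caller, which is worth confirming against the check that sets both. The header comment in the first hunk reads `root ans SE_PRINT_OPERATOR` for `root and SE_PRINT_OPERATOR`, and the replacement comment in the second hunk spells the privilege `SE_PRINT_OPERATROR`. print_access_check begins in the first hunk and its body continues past the last one.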
@@ -1689,10 +1689,12 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
 return WERR_ACCESS_DENIED;
 }
- /* if the user is not root and not a printer admin, then fail */
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
 if ( user.uid != 0
- && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
+ && !user_has_privilege( user.nt_user_token, SE_PRINT_OPERATOR )
+ && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
 {
 close_printer_handle(p, handle);
 return WERR_ACCESS_DENIED;
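Review bot: The root / SE_PRINT_OPERATOR / printer-admin test written out in this condition is the same three-way check that print_access_check in source3/printing/nt_printing.c now performs in this commit, so the two copies can drift apart the next time the policy changes; a small shared predicate taking the user and snum (name to be chosen) would keep them in step and leave only one place where `user_in_list(...)`, the potentially winbind-bound step, is invoked. The rewritten comment would read more clearly as `/* fail unless the user is root, holds SE_PRINT_OPERATOR, or is a printer admin */`. _spoolss_open_printer_ex starts before this hunk and continues after it.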