From fbc780b60478bb8b30927beacdf65a9a766b2ca1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 5 May 2008 16:24:52 -0700
Subject: Try and fix bug #5095, "Manage Documents privilege is not functional". Should map the created sd to printer jobs, not printer. Jerry please test and I'll add to 3.2 if it passes. Thanks, Jeremy. (This used to be commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc)
---
 source3/include/rpc_spoolss.h | 9 +++++----
 source3/printing/nt_printing.c | 35 ++++++++++++++++++++++++-----------
 2 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/source3/include/rpc_spoolss.h b/source3/include/rpc_spoolss.h
index aff0bba444..98f6110f7a 100644
--- a/source3/include/rpc_spoolss.h
+++ b/source3/include/rpc_spoolss.h
@@ -164,6 +164,7 @@
 #define PRINTER_ACCESS_ADMINISTER 0x00000004
 #define PRINTER_ACCESS_USE 0x00000008
 #define JOB_ACCESS_ADMINISTER 0x00000010
+#define JOB_ACCESS_READ 0x00000020
 /* JOB status codes. */
@@ -193,10 +194,10 @@
 #define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
 /* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
 /* ACE masks for the various print permissions */
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index c31a48c585..a66b1e5c5f 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
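Review bot: In the `@@ -193,10 +194,10 @@` hunk of rpc_spoolss.h, `JOB_READ`, `JOB_WRITE` and `JOB_EXECUTE` all still OR in `JOB_ACCESS_ADMINISTER`, and this commit makes that matter: print_access_check in nt_printing.c now expands generic bits through job_generic_mapping and leaves `access_type` as JOB_ACCESS_ADMINISTER. Assuming se_map_generic replaces each generic bit with the corresponding mask, an allow ACE that carries only generic read would then satisfy the Manage Documents check. If that is not intended, the read mapping should drop the administer bit, e.g. `#define JOB_READ (STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_READ)`. The added parentheses also keep the mask intact if the macro is ever used next to `&` or `~`; the same applies to the other three JOB_* masks.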
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
 SERVER_ALL_ACCESS
 };
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+ JOB_READ,
+ JOB_WRITE,
+ JOB_EXECUTE,
+ JOB_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an array index). Letter is always first, so (for the current code) additions
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
 }
 }
+void map_job_permissions(SEC_DESC *sd)
+{
+ int i;
+
+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+ se_map_generic(&sd->dacl->aces[i].access_mask,
+ &job_generic_mapping);
+ }
+}
+
+
 /**************************************************************************** Check a user has permissions to perform the given operation. We use the permission constants defined in include/rpc_spoolss.h to check the various
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
 return False;
 }
- /* Now this is the bit that really confuses me. The access
- type needs to be changed from JOB_ACCESS_ADMINISTER to
- PRINTER_ACCESS_ADMINISTER for this to work. Something
- to do with the child (job) object becoming like a
- printer?? -tpot */
-
- access_type = PRINTER_ACCESS_ADMINISTER;
+ map_job_permissions(secdesc->sd);
+ } else {
+ map_printer_permissions(secdesc->sd);
 }
-
- /* Check access */
-
- map_printer_permissions(secdesc->sd);
+ /* Check access */
 result = se_access_check(secdesc->sd, user->nt_user_token, access_type, &access_granted, &status);
-- cgit
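Review bot: map_job_permissions in the `@@ -5719,6 +5728,17 @@` hunk dereferences `sd` unconditionally and has no header comment saying that it rewrites the ACE access masks in place. I would add `if (sd == NULL) return;` before the loop, plus a short banner comment in the file's starred style stating that generic bits in every DACL entry are replaced via job_generic_mapping and that the descriptor passed in is modified. Whether any caller can pass a NULL `sd` is not visible in this hunk, so the guard is defensive rather than a confirmed fix.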
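Review bot: The deleted comment in the `@@ -5800,19 +5820,12 @@` hunk was the only explanation of why a job-level check is evaluated against `secdesc->sd`, and the new branch carries none. A comment above `map_job_permissions(secdesc->sd);` would record the reasoning, for example `/* Job access is checked on this SD with generic bits expanded via the job mapping, so JOB_ACCESS_ADMINISTER can match (bug #5095) */`. Since `access_type` is no longer rewritten to PRINTER_ACCESS_ADMINISTER, it is also worth stating there which specific bits are expected to grant job administration. The `if` that opens this branch starts outside the hunk, so the condition itself cannot be reviewed here.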