From fea03cef2be825037b0c610964ca6e296ed6e33d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 15 Apr 2002 03:49:53 +0000 Subject: Merge of print server permission handling fixes from HEAD. (This used to be commit 62ee1f8c3fbcf83641bed881143a1a8c70f836ba) --- source3/printing/nt_printing.c | 16 +++++++++++ source3/rpc_server/srv_spoolss_nt.c | 53 ++++++++++++++++++++++++++++--------- 2 files changed, 57 insertions(+), 12 deletions(-) (limited to 'source3') diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 907c3fd8e6..29bc185a6d 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -56,6 +56,22 @@ STANDARD_MAPPING printer_std_mapping = { PRINTER_ALL_ACCESS }; +/* Map generic permissions to print server object specific permissions */ + +GENERIC_MAPPING printserver_generic_mapping = { + SERVER_READ, + SERVER_WRITE, + SERVER_EXECUTE, + SERVER_ALL_ACCESS +}; + +STANDARD_MAPPING printserver_std_mapping = { + SERVER_READ, + SERVER_WRITE, + SERVER_EXECUTE, + SERVER_ALL_ACCESS +}; + /* We need one default form to support our default printer. Msoft adds the forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an array index). Letter is always first, so (for the current code) additions diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 3bc91c2472..80bfd74b47 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -92,7 +92,8 @@ static uint32 smb_connections=0; /* in printing/nt_printing.c */ -extern STANDARD_MAPPING printer_std_mapping; + +extern STANDARD_MAPPING printer_std_mapping, printserver_std_mapping; #define OUR_HANDLE(hnd) (((hnd)==NULL)?"NULL":(IVAL((hnd)->data5,4)==(uint32)sys_getpid()?"OURS":"OTHER")), \ ((unsigned int)IVAL((hnd)->data5,4)),((unsigned int)sys_getpid()) @@ -959,26 +960,54 @@ Can't find printer handle we created for printer %s\n", name )); get_current_user(&user, p); if (Printer->printer_type == PRINTER_HANDLE_IS_PRINTSERVER) { - if (printer_default->access_required == 0) { - return WERR_OK; + + /* Printserver handles use global struct... */ + + snum = -1; + + /* Map standard access rights to object specific access + rights */ + + se_map_standard(&printer_default->access_required, + &printserver_std_mapping); + + /* Deny any object specific bits that don't apply to print + servers (i.e printer and job specific bits) */ + + printer_default->access_required &= SPECIFIC_RIGHTS_MASK; + + if (printer_default->access_required & + ~(SERVER_ACCESS_ADMINISTER | SERVER_ACCESS_ENUMERATE)) { + DEBUG(3, ("access DENIED for non-printserver bits")); + close_printer_handle(p, handle); + return WERR_ACCESS_DENIED; } - else if ((printer_default->access_required & SERVER_ACCESS_ADMINISTER ) == SERVER_ACCESS_ADMINISTER) { - /* Printserver handles use global struct... */ - snum = -1; + /* Allow admin access */ + + if (printer_default->access_required & + SERVER_ACCESS_ADMINISTER) { if (!lp_ms_add_printer_wizard()) { close_printer_handle(p, handle); return WERR_ACCESS_DENIED; } - else if (user.uid == 0 || user_in_list(uidtoname(user.uid), lp_printer_admin(snum))) { + + if (user.uid == 0 || + user_in_list(uidtoname(user.uid), + lp_printer_admin(snum))) return WERR_OK; - } - else { - close_printer_handle(p, handle); - return WERR_ACCESS_DENIED; - } + + DEBUG(0, ("** denied 0x%08x to user %s\n", + printer_default->access_required, + uidtoname(user.uid))); + + close_printer_handle(p, handle); + return WERR_ACCESS_DENIED; } + + /* We fall through to return WERR_OK */ + } else { -- cgit