sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code

r4740: allow SE_PRINT_OPERATORS to have printer admin access

Browse Source
This commit is contained in:
Gerald Carter 2005-01-14 21:24:15 +00:00 committed by Gerald (Jerry) Carter
parent e8b4cedc20
commit 85731706c9
2 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
source/printing/nt_printing.c
View File

@ -5034,6 +5034,11 @@ void map_printer_permissions(SEC_DESC *sd)
print_job_delete, print_job_pause, print_job_resume, print_job_delete, print_job_pause, print_job_resume,
print_queue_purge print_queue_purge
Try access control in the following order (for performance reasons):
1) root ans SE_PRINT_OPERATOR can do anything (easy check)
2) check security descriptor (bit comparisons in memory)
3) "printer admins" (may result in numerous calls to winbind)
****************************************************************************/ ****************************************************************************/
BOOL print_access_check(struct current_user *user, int snum, int access_type) BOOL print_access_check(struct current_user *user, int snum, int access_type)
{ {
@ -5050,10 +5055,9 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
if (!user) if (!user)
user = &current_user; user = &current_user;
/* Always allow root or printer admins to do anything */ /* Always allow root or SE_PRINT_OPERATROR to do anything */
if (user->uid == 0 || if ( user->uid == 0 || user_has_privilege(user->nt_user_token, SE_PRINT_OPERATOR) ) {
user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups)) {
return True; return True;
} }
@ -5102,6 +5106,13 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE")); DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
/* see if we need to try the printer admin list */
if ( access_granted == 0 ) {
if ( user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups) )
return True;
}
talloc_destroy(mem_ctx); talloc_destroy(mem_ctx);
if (!result) if (!result)

6
source/rpc_server/srv_spoolss_nt.c
View File

@ -1689,10 +1689,12 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
return WERR_ACCESS_DENIED; return WERR_ACCESS_DENIED;
} }
/* if the user is not root and not a printer admin, then fail */ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
if ( user.uid != 0 if ( user.uid != 0
&& !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) ) && !user_has_privilege( user.nt_user_token, SE_PRINT_OPERATOR )
&& !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
{ {
close_printer_handle(p, handle); close_printer_handle(p, handle);
return WERR_ACCESS_DENIED; return WERR_ACCESS_DENIED;