[PATCH] Printing; job vs printer administration
Roel van Meer
rolek at alt001.com
Wed Jan 30 17:05:44 GMT 2008
Hi list,

I'm using Samba as a print server for Windows clients. Theoretically, users
who are granted 'Manage Documents' rights on a printer from a Windows
security dialog should be able to cancel or pause print jobs, but this
doesn't work.

It seems that in nt_printing.c, a check for JOB_ACCESS_ADMINISTER privileges
is changed to a check for PRINTER_ACCESS_ADMINISTER privs. The comments
preceding this statement are:

    /* Now this is the bit that really confuses me. The access
       type needs to be changed from JOB_ACCESS_ADMINISTER to
       PRINTER_ACCESS_ADMINISTER for this to work. Something
       to do with the child (job) object becoming like a
       printer?? */

However, when the access type is left as JOB_ACCESS_ADMINISTER, managing
print jobs works as expected. The attached small patch does this.

I don't have enough knowledge of Samba internals to be able to say whether
or not it is allowed to do this from a security or functionality point of
view. Could one of you have a quick look at it?

It's been filed as bug 5095.

Regards,

roel
-------------- next part --------------
diff -ruN source.orig/printing/nt_printing.c source/printing/nt_printing.c
--- source.orig/printing/nt_printing.c 2007-11-15 04:15:04.000000000 +0100
+++ source/printing/nt_printing.c 2007-11-20 17:15:53.000000000 +0100
@@ -5511,7 +5511,9 @@
to do with the child (job) object becoming like a
printer?? -tpot */
- access_type = PRINTER_ACCESS_ADMINISTER;
+ /* This seems to break job administration for users or groups who do not
+ * have the SePrintOperatorPrivilege privilege. */
+ /* access_type = PRINTER_ACCESS_ADMINISTER; */
}
/* Check access */
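
Review bot: The assignment is commented out rather than removed, at "/* access_type = PRINTER_ACCESS_ADMINISTER; */", which leaves the -tpot comment above it describing a conversion that no longer happens and leaves the enclosing block (closing at "}") with no visible effect. Delete the assignment together with the stale comment, or, if the override is still needed for some callers, keep it and narrow the condition instead of disabling it for everyone. The original comment says the switch to PRINTER_ACCESS_ADMINISTER was needed "for this to work", so the patch description should state which case that was and what was tested, including that the check following "/* Check access */" still refuses job administration to a user who has neither 'Manage Documents' nor printer administration rights, since this line decides which access type that check evaluates.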