Samba printing patches

Jeremy Allison jra at samba.org
Mon May 5 22:38:36 GMT 2008


On Mon, May 05, 2008 at 11:44:47AM +0200, Roel van Meer wrote:
> Jeremy Allison writes:
> 
> >Actually printing is very important to us, and we're planning
> >to address these problems in the next release.
> 
> Would it be possible that you have a look at this patch as well? It fixes 
> Job Administration access that can be set for a printer from a windows 
> access dialog. It is a small but annoying issue, filed in bugzilla under 
> https://bugzilla.samba.org/show_bug.cgi?id=5095 .

Sure, I took a close look but I don't think that patch is correct.
Thanks for pointing it out though, as it pointed out where the
real bug was.

I understand much more about the printer system now, and I think
the patch attached may be a better fix.

Can you try this out and test it for me in your environment?

Thanks,

	Jeremy.
-------------- next part --------------
diff --git a/source/include/rpc_spoolss.h b/source/include/rpc_spoolss.h
index aff0bba..98f6110 100644
--- a/source/include/rpc_spoolss.h
+++ b/source/include/rpc_spoolss.h
@@ -164,6 +164,7 @@
 #define PRINTER_ACCESS_ADMINISTER	0x00000004
 #define PRINTER_ACCESS_USE		0x00000008
 #define JOB_ACCESS_ADMINISTER		0x00000010
+#define JOB_ACCESS_READ			0x00000020
 
 /* JOB status codes. */
 
@@ -193,10 +194,10 @@
 #define PRINTER_EXECUTE       STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
 
 /* Access rights for jobs */
-#define JOB_ALL_ACCESS	STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ	STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE	STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE	STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS	STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ	STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE	STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE	STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
 
 /* ACE masks for the various print permissions */
 
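Review bot: In the new JOB_READ, JOB_WRITE and JOB_EXECUTE definitions, JOB_ACCESS_ADMINISTER is still OR-ed into every mask, so once these serve as the generic mapping for jobs, an ACE carrying only a generic read bit maps to a mask that includes job administration. If that is not intended, JOB_READ should carry only JOB_ACCESS_READ alongside the standard rights. The four macro bodies are also still unparenthesized. They are safe inside a struct initializer, but in an expression such as `mask & JOB_READ` the `&` binds to the first term only, so wrapping each body in parentheses would be safer.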
diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c
index c31a48c..a66b1e5 100644
--- a/source/printing/nt_printing.c
+++ b/source/printing/nt_printing.c
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
 	SERVER_ALL_ACCESS
 };
 
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+	JOB_READ,
+	JOB_WRITE,
+	JOB_EXECUTE,
+	JOB_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the
 forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an
 array index). Letter is always first, so (for the current code) additions
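Review bot: job_generic_mapping is given external linkage, but the only user shown in this patch is map_job_permissions() in the same file, and no header declaration is added. Either make it static or add a matching extern declaration. A one-line comment stating that the initializer order is read, write, execute, all would also help, since the fields are not named here.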
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
 	}
 }
 
+void map_job_permissions(SEC_DESC *sd)
+{
+	int i;
+
+	for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+		se_map_generic(&sd->dacl->aces[i].access_mask,
+			       &job_generic_mapping);
+	}
+}
+
+
 /****************************************************************************
  Check a user has permissions to perform the given operation.  We use the
  permission constants defined in include/rpc_spoolss.h to check the various
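Review bot: map_job_permissions() dereferences sd in the loop condition (`sd->dacl`) without checking sd itself, and it rewrites the access masks of the descriptor it is handed in place. A NULL check on sd and a short comment that the caller's descriptor is modified would make the contract explicit. There is also a stray second blank line after the closing brace.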
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
 			return False;
 		}
 
-		/* Now this is the bit that really confuses me.  The access
-		   type needs to be changed from JOB_ACCESS_ADMINISTER to
-		   PRINTER_ACCESS_ADMINISTER for this to work.  Something
-		   to do with the child (job) object becoming like a
-		   printer??  -tpot */
-
-		access_type = PRINTER_ACCESS_ADMINISTER;
+		map_job_permissions(secdesc->sd);
+	} else {
+		map_printer_permissions(secdesc->sd);
 	}
-	
-	/* Check access */
-	
-	map_printer_permissions(secdesc->sd);
 
+	/* Check access */
 	result = se_access_check(secdesc->sd, user->nt_user_token, access_type,
 				 &access_granted, &status);
 
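Review bot: With `access_type = PRINTER_ACCESS_ADMINISTER;` removed, the job branch now passes the unchanged access_type to se_access_check() against secdesc->sd after map_job_permissions(), so an ACE that grants printer administration only through specific bits, not generic ones, may no longer pass where it did before. Please confirm in testing that a printer administrator without a separate job ACE can still manage jobs. The removed -tpot comment was the only explanation of this branch, so a replacement comment at the map_job_permissions() call saying why the job mapping is applied to this descriptor would help the next reader.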

