svn commit: samba r4740 - in branches/SAMBA_3_0/source: printing rpc_server

jerry at samba.org jerry at samba.org
Fri Jan 14 21:24:15 GMT 2005


Author: jerry
Date: 2005-01-14 21:24:15 +0000 (Fri, 14 Jan 2005)
New Revision: 4740

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4740

Log:
allow holders of the SE_PRINT_OPERATOR privilege to have printer admin access
Modified:
   branches/SAMBA_3_0/source/printing/nt_printing.c
   branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c


Changeset:
Modified: branches/SAMBA_3_0/source/printing/nt_printing.c
===================================================================
--- branches/SAMBA_3_0/source/printing/nt_printing.c	2005-01-14 21:05:54 UTC (rev 4739)
+++ branches/SAMBA_3_0/source/printing/nt_printing.c	2005-01-14 21:24:15 UTC (rev 4740)
@@ -5034,6 +5034,11 @@
        print_job_delete, print_job_pause, print_job_resume,
        print_queue_purge
 
+  Try access control in the following order (for performance reasons):
+    1)  root ans SE_PRINT_OPERATOR can do anything (easy check) 
+    2)  check security descriptor (bit comparisons in memory)
+    3)  "printer admins" (may result in numerous calls to winbind)
+
  ****************************************************************************/
 BOOL print_access_check(struct current_user *user, int snum, int access_type)
 {
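Review bot: The new ordering comment misspells "and" as "ans" in step 1, and the comment changed in the next hunk spells the privilege `SE_PRINT_OPERATROR`, so a search for the privilege name will miss that line. This block documents who bypasses the printer's security descriptor, so I would write step 1 as `1)  root and SE_PRINT_OPERATOR can do anything (easy check)` and the later comment as `/* Always allow root or SE_PRINT_OPERATOR to do anything */`. Step 3 should also say that the "printer admins" list is consulted only when the descriptor check grants nothing, which is what the last hunk of this file implements.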
@@ -5050,10 +5055,9 @@
 	if (!user)
 		user = &current_user;
 
-	/* Always allow root or printer admins to do anything */
+	/* Always allow root or SE_PRINT_OPERATROR to do anything */
 
-	if (user->uid == 0 ||
-	    user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups)) {
+	if ( user->uid == 0 || user_has_privilege(user->nt_user_token, SE_PRINT_OPERATOR) ) {
 		return True;
 	}
 
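Review bot: `user->nt_user_token` is passed to `user_has_privilege()` with no visible NULL check, both here and in the srv_spoolss_nt.c hunk (`user.nt_user_token`). user_has_privilege() is not shown in this diff, so whether it tolerates a NULL token needs confirming; if it does not, a session without an NT token would fault inside the access check instead of falling through to the descriptor check. If the helper does not guard it, `if ( user->uid == 0 || (user->nt_user_token && user_has_privilege(user->nt_user_token, SE_PRINT_OPERATOR)) ) {` keeps the fast path safe. print_access_check's body starts and ends outside this hunk.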
@@ -5102,6 +5106,13 @@
 
 	DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
 
+        /* see if we need to try the printer admin list */
+
+        if ( access_granted == 0 ) {
+                if ( user_in_list(uidtoname(user->uid), lp_printer_admin(snum), user->groups, user->ngroups) )
+                        return True;
+        }
+
 	talloc_destroy(mem_ctx);
 	
 	if (!result)
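Review bot: The `return True` added for the printer admin fallback leaves the function before `talloc_destroy(mem_ctx)` two lines below, so every request granted through the "printer admins" list leaks the talloc context. It also returns after the DEBUG line has already logged "FAILURE", so the level-4 log disagrees with the decision actually returned. Replacing the return with `result = True;` and moving the `DEBUG(4, ("access check was %s\n", ...))` line below this block would keep a single exit path; this assumes the code after `if (!result)` returns `result`, which is outside the hunk. The fallback is keyed on `access_granted == 0`; the call that fills it is not visible, so it is worth confirming that this is the intended trigger rather than `!result`.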

Modified: branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c	2005-01-14 21:05:54 UTC (rev 4739)
+++ branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c	2005-01-14 21:24:15 UTC (rev 4740)
@@ -1689,10 +1689,12 @@
 				return WERR_ACCESS_DENIED;
 			}
 
-			/* if the user is not root and not a printer admin, then fail */
+			/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+			   and not a printer admin, then fail */
 			
 			if ( user.uid != 0
-			     && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
+				&& !user_has_privilege( user.nt_user_token, SE_PRINT_OPERATOR )
+				&& !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) )
 			{
 				close_printer_handle(p, handle);
 				return WERR_ACCESS_DENIED;
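Review bot: The root / SE_PRINT_OPERATOR / "printer admins" test is now written out by hand here and again in print_access_check() in nt_printing.c. Two separately maintained copies of an authorization rule tend to drift, and a later change to one site can leave the other granting or denying differently. A small shared helper taking the user and `snum` and returning whether the caller counts as a printer administrator would let both sites change together. At minimum this condition should carry a comment such as `/* keep in sync with print_access_check() in printing/nt_printing.c */`. The enclosing function starts and ends outside the hunk.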


