svn commit: samba r13547 - branches/SAMBA_3_0/source/printing
branches/SAMBA_3_0/source/rpc_server trunk/source/printing
trunk/source/rpc_server
jerry at samba.org
jerry at samba.org
Fri Feb 17 21:07:30 GMT 2006
Author: jerry
Date: 2006-02-17 21:07:26 +0000 (Fri, 17 Feb 2006)
New Revision: 13547
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13547
Log:
add earlier checks to deny deleting a printer driver. The previous
code relied upon file permissions alone. Now we check that
the user is a printer administrator and that the share has not been
marked read only for that user.
Modified:
branches/SAMBA_3_0/source/printing/nt_printing.c
branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c
trunk/source/printing/nt_printing.c
trunk/source/rpc_server/srv_spoolss_nt.c
Changeset:
Modified: branches/SAMBA_3_0/source/printing/nt_printing.c
===================================================================
--- branches/SAMBA_3_0/source/printing/nt_printing.c 2006-02-17 19:19:25 UTC (rev 13546)
+++ branches/SAMBA_3_0/source/printing/nt_printing.c 2006-02-17 21:07:26 UTC (rev 13547)
@@ -4783,6 +4783,11 @@
return False;
}
+ if ( !CAN_WRITE(conn) ) {
+ DEBUG(3,("delete_driver_files: Cannot delete print driver when [print$] is read-only\n"));
+ return False;
+ }
+
/* Save who we are - we are temporarily becoming the connection user. */
if ( !become_user(conn, conn->vuid) ) {
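Review bot: The new `!CAN_WRITE(conn)` refusal logs only a level-3 message that does not say which session was refused, so a denied driver deletion is hard to attribute from the logs. The session id is already at hand as `conn->vuid` (used on the `become_user` line just below), so the message could read `DEBUG(3,("delete_driver_files: vuid %u cannot delete print driver, [print$] is read-only\n", (unsigned int)conn->vuid));`. The enclosing function starts and ends outside the hunk, so whether its callers turn the `False` return into an access-denied status for the client cannot be seen here and is worth confirming. The same applies to the identical hunk in trunk/source/printing/nt_printing.c.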
Modified: branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c 2006-02-17 19:19:25 UTC (rev 13546)
+++ branches/SAMBA_3_0/source/rpc_server/srv_spoolss_nt.c 2006-02-17 21:07:26 UTC (rev 13547)
@@ -1973,9 +1973,21 @@
struct current_user user;
WERROR status;
WERROR status_win2k = WERR_ACCESS_DENIED;
+ SE_PRIV se_printop = SE_PRINT_OPERATOR;
get_current_user(&user, p);
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
+
+ if ( (user.ut.uid != 0)
+ && !user_has_privileges(user.nt_user_token, &se_printop )
+ && !token_contains_name_in_list( uidtoname(user.ut.uid),
+ NULL, user.nt_user_token, lp_printer_admin(-1)) )
+ {
+ return WERR_ACCESS_DENIED;
+ }
+
unistr2_to_ascii(driver, &q_u->driver, sizeof(driver)-1 );
unistr2_to_ascii(arch, &q_u->arch, sizeof(arch)-1 );
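Review bot: The privilege test added after `get_current_user(&user, p)` is pasted verbatim into both hunks of this file (at -1973 and -2059), and the trunk copy of the file carries the same two hunks, so a later change to who may delete drivers must be repeated in each copy and a missed one would leave that handler enforcing the older rule. A single static helper taking the `struct current_user` keeps the rule in one place and reads as three positive cases instead of a negated conjunction. The denial is also silent; a `DEBUG` line before `return WERR_ACCESS_DENIED;` would make refused attempts visible to whoever reads the logs. Both enclosing functions start and end outside the hunks, so the helper name below is only a suggestion.

```c
/* True if the caller is root, holds SE_PRINT_OPERATOR, or is listed
   in the global "printer admin" setting. */
static BOOL user_may_delete_driver( struct current_user *user )
{
	SE_PRIV se_printop = SE_PRINT_OPERATOR;

	if ( user->ut.uid == 0 )
		return True;

	if ( user_has_privileges(user->nt_user_token, &se_printop) )
		return True;

	return token_contains_name_in_list( uidtoname(user->ut.uid),
		NULL, user->nt_user_token, lp_printer_admin(-1) );
}

	/* ... unchanged: local declarations ... */
	get_current_user(&user, p);

	if ( !user_may_delete_driver(&user) ) {
		return WERR_ACCESS_DENIED;
	}
	/* ... unchanged: unistr2_to_ascii conversions ... */
```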
@@ -2059,9 +2071,21 @@
struct current_user user;
WERROR status;
WERROR status_win2k = WERR_ACCESS_DENIED;
+ SE_PRIV se_printop = SE_PRINT_OPERATOR;
get_current_user(&user, p);
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
+
+ if ( (user.ut.uid != 0)
+ && !user_has_privileges(user.nt_user_token, &se_printop )
+ && !token_contains_name_in_list( uidtoname(user.ut.uid),
+ NULL, user.nt_user_token, lp_printer_admin(-1)) )
+ {
+ return WERR_ACCESS_DENIED;
+ }
+
unistr2_to_ascii(driver, &q_u->driver, sizeof(driver)-1 );
unistr2_to_ascii(arch, &q_u->arch, sizeof(arch)-1 );
Modified: trunk/source/printing/nt_printing.c
===================================================================
--- trunk/source/printing/nt_printing.c 2006-02-17 19:19:25 UTC (rev 13546)
+++ trunk/source/printing/nt_printing.c 2006-02-17 21:07:26 UTC (rev 13547)
@@ -4783,6 +4783,11 @@
return False;
}
+ if ( !CAN_WRITE(conn) ) {
+ DEBUG(3,("delete_driver_files: Cannot delete print driver when [print$] is read-only\n"));
+ return False;
+ }
+
/* Save who we are - we are temporarily becoming the connection user. */
if ( !become_user(conn, conn->vuid) ) {
Modified: trunk/source/rpc_server/srv_spoolss_nt.c
===================================================================
--- trunk/source/rpc_server/srv_spoolss_nt.c 2006-02-17 19:19:25 UTC (rev 13546)
+++ trunk/source/rpc_server/srv_spoolss_nt.c 2006-02-17 21:07:26 UTC (rev 13547)
@@ -1973,9 +1973,21 @@
struct current_user user;
WERROR status;
WERROR status_win2k = WERR_ACCESS_DENIED;
+ SE_PRIV se_printop = SE_PRINT_OPERATOR;
get_current_user(&user, p);
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
+
+ if ( (user.ut.uid != 0)
+ && !user_has_privileges(user.nt_user_token, &se_printop )
+ && !token_contains_name_in_list( uidtoname(user.ut.uid),
+ NULL, user.nt_user_token, lp_printer_admin(-1)) )
+ {
+ return WERR_ACCESS_DENIED;
+ }
+
unistr2_to_ascii(driver, &q_u->driver, sizeof(driver)-1 );
unistr2_to_ascii(arch, &q_u->arch, sizeof(arch)-1 );
@@ -2059,9 +2071,21 @@
struct current_user user;
WERROR status;
WERROR status_win2k = WERR_ACCESS_DENIED;
+ SE_PRIV se_printop = SE_PRINT_OPERATOR;
get_current_user(&user, p);
+ /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
+ and not a printer admin, then fail */
+
+ if ( (user.ut.uid != 0)
+ && !user_has_privileges(user.nt_user_token, &se_printop )
+ && !token_contains_name_in_list( uidtoname(user.ut.uid),
+ NULL, user.nt_user_token, lp_printer_admin(-1)) )
+ {
+ return WERR_ACCESS_DENIED;
+ }
+
unistr2_to_ascii(driver, &q_u->driver, sizeof(driver)-1 );
unistr2_to_ascii(arch, &q_u->arch, sizeof(arch)-1 );