[PATCH] Printing; job vs printer administration

Wed Jan 30 17:05:44 GMT 2008

Hi list,

I'm using samba as a print server for windows clients. Theoretically, users 
which are granted 'Manage Documents' rights on a printer from a Windows 
security dialog should be able to cancel or pause print jobs, but this 
doesn't work.

It seems that in nt_printing.c, a check for JOB_ACCESS_ADMINISTER privileges 
is changed to a check for PRINTER_ACCESS_ADMINISTER privs. The comments 
preceding this statement are:

        /* Now this is the bit that really confuses me.  The access
           type needs to be changed from JOB_ACCESS_ADMINISTER to
           PRINTER_ACCESS_ADMINISTER for this to work.  Something
           to do with the child (job) object becoming like a
           printer?? */

However, when the access type is left as JOB_ACCESS_ADMINISTER, managing
print jobs works as expected. The attached small patch does this.

I don't have enough knowledge of samba internals to be able to say whether 
or not it is allowed to do this from a security or functionality point of 
view. Could one of you have a quick look at it?

It's been filed as bug 5095.

Regards,

roel
-------------- next part --------------
diff -ruN source.orig/printing/nt_printing.c source/printing/nt_printing.c

--- source.orig/printing/nt_printing.c	2007-11-15 04:15:04.000000000 +0100
+++ source/printing/nt_printing.c	2007-11-20 17:15:53.000000000 +0100
@@ -5511,7 +5511,9 @@
 		   to do with the child (job) object becoming like a
 		   printer??  -tpot */
 
-		access_type = PRINTER_ACCESS_ADMINISTER;
+		/* This seems to break job administration for users or groups who do not
+		 * have the SePrintOperatorPrivilege privilege. */
+		/* access_type = PRINTER_ACCESS_ADMINISTER; */
 	}
 	
 	/* Check access */
