[PATCH 1/6] printing: return WERROR from print_access_check

David Disseldorp ddiss at samba.org
Tue Nov 19 16:48:49 MST 2013


print_access_check() currently returns a bool based on whether access is
granted or denied. Errno is set on failure, but none of the callers use
it.
This change converts print_access_check() to return a WERROR.

Signed-off-by: David Disseldorp <ddiss at samba.org>
---
 source3/include/nt_printing.h               |  6 +--
 source3/printing/nt_printing.c              | 31 +++++--------
 source3/printing/printing.c                 | 72 ++++++++++++++---------------
 source3/rpc_server/spoolss/srv_spoolss_nt.c | 16 +++----
 4 files changed, 58 insertions(+), 67 deletions(-)

diff --git a/source3/include/nt_printing.h b/source3/include/nt_printing.h
index 2a0e883..4af44d7 100644
--- a/source3/include/nt_printing.h
+++ b/source3/include/nt_printing.h
@@ -128,9 +128,9 @@ bool nt_printing_init(struct messaging_context *msg_ctx);
 
 const char *get_short_archi(const char *long_archi);
 
-bool print_access_check(const struct auth_session_info *server_info,
-			struct messaging_context *msg_ctx, int snum,
-			int access_type);
+WERROR print_access_check(const struct auth_session_info *server_info,
+			  struct messaging_context *msg_ctx, int snum,
+			  int access_type);
 
 WERROR nt_printer_guid_get(TALLOC_CTX *mem_ctx,
 			   const struct auth_session_info *session_info,
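Review bot: The new prototype inverts the truth sense of the return value (success is now WERR_OK, which is zero), so any caller not converted by this patch that still writes `if (!print_access_check(...))` would deny on success and let the request through on error. If WERROR is a plain integer typedef in some build configurations (worth confirming), such a caller compiles without a diagnostic. The prototype should carry the contract, for example `/* Returns WERR_OK when access is granted; any other value must be treated as denied. */`. A search for remaining bare uses of the function, including in out-of-tree modules, would also be worth doing before merge.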
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 7a1f365..73c4cf7 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -1765,9 +1765,9 @@ void map_job_permissions(struct security_descriptor *sd)
     3)  "printer admins" (may result in numerous calls to winbind)
 
  ****************************************************************************/
-bool print_access_check(const struct auth_session_info *session_info,
-			struct messaging_context *msg_ctx, int snum,
-			int access_type)
+WERROR print_access_check(const struct auth_session_info *session_info,
+			  struct messaging_context *msg_ctx, int snum,
+			  int access_type)
 {
 	struct spoolss_security_descriptor *secdesc = NULL;
 	uint32 access_granted;
@@ -1781,9 +1781,10 @@ bool print_access_check(const struct auth_session_info *session_info,
 
 	/* Always allow root or SE_PRINT_OPERATROR to do anything */
 
-	if (session_info->unix_token->uid == sec_initial_uid()
-	    || security_token_has_privilege(session_info->security_token, SEC_PRIV_PRINT_OPERATOR)) {
-		return True;
+	if ((session_info->unix_token->uid == sec_initial_uid())
+	    || security_token_has_privilege(session_info->security_token,
+					    SEC_PRIV_PRINT_OPERATOR)) {
+		return WERR_OK;
 	}
 
 	/* Get printer name */
@@ -1791,15 +1792,13 @@ bool print_access_check(const struct auth_session_info *session_info,
 	pname = lp_printername(talloc_tos(), snum);
 
 	if (!pname || !*pname) {
-		errno = EACCES;
-		return False;
+		return WERR_ACCESS_DENIED;
 	}
 
 	/* Get printer security descriptor */
 
 	if(!(mem_ctx = talloc_init("print_access_check"))) {
-		errno = ENOMEM;
-		return False;
+		return WERR_NOMEM;
 	}
 
 	result = winreg_get_printer_secdesc_internal(mem_ctx,
@@ -1809,8 +1808,7 @@ bool print_access_check(const struct auth_session_info *session_info,
 					    &secdesc);
 	if (!W_ERROR_IS_OK(result)) {
 		talloc_destroy(mem_ctx);
-		errno = ENOMEM;
-		return False;
+		return WERR_NOMEM;
 	}
 
 	if (access_type == JOB_ACCESS_ADMINISTER) {
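Review bot: The failure branch after winreg_get_printer_secdesc_internal() still reports every error as out-of-memory. Now that the function returns a WERROR, `return result;` in place of `return WERR_NOMEM;` would hand the real cause to the caller. The old `errno = ENOMEM` mapping was a limitation of the bool interface and does not need to be carried over. The body of print_access_check() starts before and continues after this hunk.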
@@ -1828,8 +1826,7 @@ bool print_access_check(const struct auth_session_info *session_info,
 						 false);
 		if (!NT_STATUS_IS_OK(status)) {
 			talloc_destroy(mem_ctx);
-			errno = map_errno_from_nt_status(status);
-			return False;
+			return ntstatus_to_werror(status);
 		}
 
 		map_job_permissions(secdesc);
@@ -1845,11 +1842,7 @@ bool print_access_check(const struct auth_session_info *session_info,
 
 	talloc_destroy(mem_ctx);
 
-	if (!NT_STATUS_IS_OK(status)) {
-		errno = EACCES;
-	}
-
-	return NT_STATUS_IS_OK(status);
+	return ntstatus_to_werror(status);
 }
 
 /****************************************************************************
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index b126bd5..a989d81 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -2226,17 +2226,16 @@ WERROR print_job_delete(const struct auth_session_info *server_info,
 	   owns their job. */
 
 	if (!owner &&
-	    !print_access_check(server_info, msg_ctx, snum,
-				JOB_ACCESS_ADMINISTER)) {
+	    !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      JOB_ACCESS_ADMINISTER))) {
 		DEBUG(3, ("delete denied by security descriptor\n"));
 
-		/* BEGIN_ADMIN_LOG */
-		sys_adminlog( LOG_ERR,
-			      "Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
-			      uidtoname(server_info->unix_token->uid),
-			      lp_printername(talloc_tos(), snum) );
-		/* END_ADMIN_LOG */
+		sys_adminlog(LOG_ERR,
+			     "Permission denied-- user not allowed to delete, "
+			     "pause, or resume print job. User name: %s. "
+			     "Printer name: %s.",
+			     uidtoname(server_info->unix_token->uid),
+			     lp_printername(tmp_ctx, snum) );
 
 		werr = WERR_ACCESS_DENIED;
 		goto err_out;
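Review bot: The WERROR from print_access_check() is collapsed to a boolean by `W_ERROR_IS_OK()` and then discarded, so an allocation or registry failure is written to the admin log as "Permission denied" and returned as WERR_ACCESS_DENIED. Failing closed is the right default, but the audit record then misstates the cause, which makes denied-access events harder to triage. Keeping the result in a local (without losing the `!owner &&` short-circuit) would allow `DEBUG(3, ("delete denied: %s\n", win_errstr(werr)));`. The same pattern repeats in the print_job_pause, print_job_resume, print_job_checks, print_queue_pause and print_queue_resume hunks and in both srv_spoolss_nt.c hunks. `tmp_ctx` is declared outside this hunk, presumably earlier in the function.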
@@ -2316,17 +2315,16 @@ WERROR print_job_pause(const struct auth_session_info *server_info,
 	}
 
 	if (!is_owner(server_info, lp_const_servicename(snum), jobid) &&
-	    !print_access_check(server_info, msg_ctx, snum,
-				JOB_ACCESS_ADMINISTER)) {
+	    !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      JOB_ACCESS_ADMINISTER))) {
 		DEBUG(3, ("pause denied by security descriptor\n"));
 
-		/* BEGIN_ADMIN_LOG */
-		sys_adminlog( LOG_ERR,
-			"Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
-			      uidtoname(server_info->unix_token->uid),
-			      lp_printername(talloc_tos(), snum) );
-		/* END_ADMIN_LOG */
+		sys_adminlog(LOG_ERR,
+			     "Permission denied-- user not allowed to delete, "
+			     "pause, or resume print job. User name: %s. "
+			     "Printer name: %s.",
+			     uidtoname(server_info->unix_token->uid),
+			     lp_printername(tmp_ctx, snum) );
 
 		werr = WERR_ACCESS_DENIED;
 		goto err_out;
@@ -2388,17 +2386,17 @@ WERROR print_job_resume(const struct auth_session_info *server_info,
 	}
 
 	if (!is_owner(server_info, lp_const_servicename(snum), jobid) &&
-	    !print_access_check(server_info, msg_ctx, snum,
-				JOB_ACCESS_ADMINISTER)) {
+	    !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      JOB_ACCESS_ADMINISTER))) {
 		DEBUG(3, ("resume denied by security descriptor\n"));
 
-		/* BEGIN_ADMIN_LOG */
-		sys_adminlog( LOG_ERR,
-			 "Permission denied-- user not allowed to delete, \
-pause, or resume print job. User name: %s. Printer name: %s.",
-			      uidtoname(server_info->unix_token->uid),
-			      lp_printername(talloc_tos(), snum) );
-		/* END_ADMIN_LOG */
+		sys_adminlog(LOG_ERR,
+			     "Permission denied-- user not allowed to delete, "
+			     "pause, or resume print job. User name: %s. "
+			     "Printer name: %s.",
+			     uidtoname(server_info->unix_token->uid),
+			     lp_printername(tmp_ctx, snum));
+
 		werr = WERR_ACCESS_DENIED;
 		goto err_out;
 	}
@@ -2654,8 +2652,8 @@ static WERROR print_job_checks(const struct auth_session_info *server_info,
 	uint64_t minspace;
 	int ret;
 
-	if (!print_access_check(server_info, msg_ctx, snum,
-				PRINTER_ACCESS_USE)) {
+	if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      PRINTER_ACCESS_USE))) {
 		DEBUG(3, ("print_job_checks: "
 			  "job start denied by security descriptor\n"));
 		return WERR_ACCESS_DENIED;
@@ -3285,8 +3283,8 @@ WERROR print_queue_pause(const struct auth_session_info *server_info,
 	int ret;
 	struct printif *current_printif = get_printer_fns( snum );
 
-	if (!print_access_check(server_info, msg_ctx, snum,
-				PRINTER_ACCESS_ADMINISTER)) {
+	if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      PRINTER_ACCESS_ADMINISTER))) {
 		return WERR_ACCESS_DENIED;
 	}
 
@@ -3322,8 +3320,8 @@ WERROR print_queue_resume(const struct auth_session_info *server_info,
 	int ret;
 	struct printif *current_printif = get_printer_fns( snum );
 
-	if (!print_access_check(server_info, msg_ctx, snum,
-				PRINTER_ACCESS_ADMINISTER)) {
+	if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum,
+					      PRINTER_ACCESS_ADMINISTER))) {
 		return WERR_ACCESS_DENIED;
 	}
 
@@ -3364,10 +3362,10 @@ WERROR print_queue_purge(const struct auth_session_info *server_info,
 	/* Force and update so the count is accurate (i.e. not a cached count) */
 	print_queue_update(msg_ctx, snum, True);
 
-	can_job_admin = print_access_check(server_info,
-					   msg_ctx,
-					   snum,
-					   JOB_ACCESS_ADMINISTER);
+	can_job_admin = W_ERROR_IS_OK(print_access_check(server_info,
+							 msg_ctx,
+							 snum,
+							JOB_ACCESS_ADMINISTER));
 	njobs = print_queue_status(msg_ctx, snum, &queue, &status);
 
 	if ( can_job_admin )
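Review bot: In print_queue_purge any non-OK result, including WERR_NOMEM, now silently sets `can_job_admin` to false, and nothing in the hunk logs why. The rest of the function is outside the hunk, so the effect on the purge path is inferred, but a DEBUG line when the result is neither WERR_OK nor WERR_ACCESS_DENIED would separate a real denial from an internal failure. As a style point, the continuation `JOB_ACCESS_ADMINISTER));` is one column short of the other arguments.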
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index a6201d4..7154cb4 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -1897,10 +1897,10 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 
 		if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL,
 				   p->session_info->security_token, snum) ||
-		    !print_access_check(p->session_info,
-					p->msg_ctx,
-					snum,
-					r->in.access_mask)) {
+		    !W_ERROR_IS_OK(print_access_check(p->session_info,
+						      p->msg_ctx,
+						      snum,
+						      r->in.access_mask))) {
 			DEBUG(3, ("access DENIED for printer open\n"));
 			close_printer_handle(p, r->out.handle);
 			ZERO_STRUCTP(r->out.handle);
@@ -8153,10 +8153,10 @@ static WERROR spoolss_addprinterex_level_2(struct pipes_struct *p,
 	}
 
 	/* you must be a printer admin to add a new printer */
-	if (!print_access_check(p->session_info,
-				p->msg_ctx,
-				snum,
-				PRINTER_ACCESS_ADMINISTER)) {
+	if (!W_ERROR_IS_OK(print_access_check(p->session_info,
+					      p->msg_ctx,
+					      snum,
+					      PRINTER_ACCESS_ADMINISTER))) {
 		return WERR_ACCESS_DENIED;
 	}
 
-- 
1.8.1.4


