[Samba] Printing; privileges separation (follow up:
Roel van Meer
rolek at alt001.com
Tue Nov 13 09:35:07 GMT 2007
Roel van Meer writes:
> I'm using samba 3.0.26a with cups as printing backend, which are both
> working fine. However, I would like to grant all users access to all print
> jobs, but without granting them the right to add or modify printers and
> printer settings.
> When I grant users the SePrintOperatorPrivilege privilege, they can indeed
> cancel other people's jobs, but then they can also rename printers on the
> server (which breaks things).
> Does anyone know if it is possible to separate access to these two
> operations, or to grant normal users the right to remove other people's jobs
> without them having the SePrintOperatorPrivilege priv?
I received a very helpful suggestion from Dale Schroeder on this. He said it
was possible to grant users or groups the 'Manage Documents' privilege from
a Windows client. However, when I do this, users are still not allowed to
cancel other users' print jobs. Some debugging of the samba code showed that
the request is denied in print_access_check() in printing/nt_printing.c.
The code I see there does something I do not understand. When canceling a
job you need JOB_ACCESS_ADMINISTER privileges, but the code modifies this to
check for PRINTER_ACCESS_ADMINISTER privs. The comments preceding this
    /* Now this is the bit that really confuses me.  The access
       type needs to be changed from JOB_ACCESS_ADMINISTER to
       PRINTER_ACCESS_ADMINISTER for this to work.  Something
       to do with the child (job) object becoming like a
       printer?? -tpot */
When I comment the line changing the access_type (line 5514), canceling
print jobs works as expected.
Does anyone know why I would need PRINTER_ACCESS_ADMINISTER instead of
JOB_ACCESS_ADMINISTER? Does changing it introduce security problems?
I can file a bug report if necessary.
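
Added example, not part of the original message and not Samba's code: a simplified model of the check described above, showing why a user whose ACL entry grants only JOB_ACCESS_ADMINISTER is refused once the requested access type is remapped to PRINTER_ACCESS_ADMINISTER. The mask values are those in the Windows SDK header winspool.h; the ACL layout, the user ids and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask bits as defined in the Windows SDK header winspool.h. */
#define PRINTER_ACCESS_ADMINISTER 0x00000004u
#define PRINTER_ACCESS_USE        0x00000008u
#define JOB_ACCESS_ADMINISTER     0x00000010u

/* Simplified allow-only ACE: a hypothetical user id and the bits it grants. */
struct ace { int uid; uint32_t mask; };

/* Constructed printer ACL: uid 1000 may print and manage documents,
 * uid 2000 is a full printer administrator. */
static const struct ace printer_acl[] = {
    { 1000, PRINTER_ACCESS_USE | JOB_ACCESS_ADMINISTER },
    { 2000, PRINTER_ACCESS_USE | PRINTER_ACCESS_ADMINISTER | JOB_ACCESS_ADMINISTER },
};

/* Grant only if every requested bit is allowed by the user's ACEs. */
static bool acl_allows(int uid, uint32_t wanted)
{
    uint32_t granted = 0;
    for (size_t i = 0; i < sizeof printer_acl / sizeof printer_acl[0]; i++)
        if (printer_acl[i].uid == uid)
            granted |= printer_acl[i].mask;
    return (granted & wanted) == wanted;
}

/* Model of the behaviour described in the message: with remap set, a request
 * for JOB_ACCESS_ADMINISTER is evaluated as PRINTER_ACCESS_ADMINISTER. */
static bool model_access_check(int uid, uint32_t access_type, bool remap)
{
    if (remap && access_type == JOB_ACCESS_ADMINISTER)
        access_type = PRINTER_ACCESS_ADMINISTER;
    return acl_allows(uid, access_type);
}

int main(void)
{
    printf("manage-docs user, remap on : %d\n", model_access_check(1000, JOB_ACCESS_ADMINISTER, true));
    printf("manage-docs user, remap off: %d\n", model_access_check(1000, JOB_ACCESS_ADMINISTER, false));
    printf("printer admin,    remap on : %d\n", model_access_check(2000, JOB_ACCESS_ADMINISTER, true));
    return 0;
}
```

The model covers only the mask comparison; it says nothing about the other checks print_access_check() performs or about why the remapping was introduced.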