[Samba] Printing; privileges separation (follow up: printing/nt_printing.c)

Roel van Meer rolek at alt001.com
Tue Nov 13 09:35:07 GMT 2007

Roel van Meer writes:

> I'm using samba 3.0.26a with cups as printing backend, which are both 
> working fine. However, I would like to grant all users access to all print 
> jobs, but without granting them the right to add or modify printers and 
> printer settings.
> When I grant users the SePrintOperatorPrivilege privilege, they can indeed 
> cancel other people's jobs, but then they can also rename printers on the 
> server (which breaks things).
> Does anyone know if it is possible to separate access to these two 
> operations, or to grant normal users the right to remove other people's jobs 
> without them having the SePrintOperatorPrivilege priv?

I received a very helpful suggestion from Dale Schroeder on this. He said it 
was possible to grant users or groups the 'Manage Documents' privilege from 
a Windows client. However, when I do this, users are still not allowed to 
cancel other users' print jobs. Some debugging of the samba code showed that 
the request is denied in print_access_check() in printing/nt_printing.c.

The code I see there does something I do not understand. When canceling a 
job you need JOB_ACCESS_ADMINISTER privileges, but the code modifies this to 
check for PRINTER_ACCESS_ADMINISTER privs. The comments preceding this 
statement are:

        /* Now this is the bit that really confuses me.  The access
           type needs to be changed from JOB_ACCESS_ADMINISTER to
           PRINTER_ACCESS_ADMINISTER for this to work.  Something
           to do with the child (job) object becoming like a
           printer??  -tpot */

When I comment the line changing the access_type (line 5514), canceling 
print jobs works as expected.

Does anyone know why I would need PRINTER_ACCESS_ADMINISTER instead of 
JOB_ACCESS_ADMINISTER? Does changing it introduce security problems?

I can file a bug report if necessary.



More information about the samba mailing list