authorJeremy Allison <jra@samba.org>2008-05-06 09:24:23 -0700
committerJeremy Allison <jra@samba.org>2008-05-06 09:24:23 -0700
commitab055abf5fb43057baeaf5751a0a9ca5abc0b927 (patch)
treeb0a3d24f47408f683f8964dc171f955199193f25
parent4134b9b214bc56bcaaf789716532470da754bcc2 (diff)
Fix bug #5095, "Manage Documents privilege is not functional".
Should map the created sd to printer jobs, not printer. Jeremy.
-rwxr-xr-xsource/include/rpc_spoolss.h9
-rw-r--r--source/printing/nt_printing.c35
2 files changed, 29 insertions, 15 deletions
diff --git a/source/include/rpc_spoolss.h b/source/include/rpc_spoolss.h
index baa120445eb..fd853fc7d20 100755
--- a/source/include/rpc_spoolss.h
+++ b/source/include/rpc_spoolss.h
@@ -165,6 +165,7 @@
#define PRINTER_ACCESS_ADMINISTER 0x00000004
#define PRINTER_ACCESS_USE 0x00000008
#define JOB_ACCESS_ADMINISTER 0x00000010
+#define JOB_ACCESS_READ 0x00000020
/* JOB status codes. */
@@ -194,10 +195,10 @@
#define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
/* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
/* ACE masks for the various print permissions */
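Review bot: `JOB_READ` still ORs in `JOB_ACCESS_ADMINISTER`, and since this commit starts feeding these masks to `se_map_generic` through `job_generic_mapping`, an ACE that grants only generic read on a job would presumably expand to include the job-administer bit. If that is not intended, `#define JOB_READ (STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_READ)` keeps a read-only grant from satisfying a `JOB_ACCESS_ADMINISTER` check; if it is intended, a comment saying why (and why `PRINTER_ACCESS_USE` appears in the job masks) would help the next reviewer. The four new definitions are also unparenthesised, so an expression such as `mask & JOB_READ` would parse as `(mask & STANDARD_RIGHTS_READ_ACCESS)|...` and always be non-zero; wrapping each expansion in parentheses avoids that.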
diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c
index 4356cd95932..7d58a937da9 100644
--- a/source/printing/nt_printing.c
+++ b/source/printing/nt_printing.c
@@ -73,6 +73,15 @@ STANDARD_MAPPING printserver_std_mapping = {
SERVER_ALL_ACCESS
};
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+ JOB_READ,
+ JOB_WRITE,
+ JOB_EXECUTE,
+ JOB_ALL_ACCESS
+};
+
/* We need one default form to support our default printer. Msoft adds the
forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an
array index). Letter is always first, so (for the current code) additions
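Review bot: `job_generic_mapping` is given external linkage although the only use visible in this commit is `map_job_permissions` in the same file, and no header declaration is added here. If nothing outside nt_printing.c needs it, `static const struct generic_mapping job_generic_mapping = {` keeps the symbol private. The initialiser is positional, so a short comment naming the slot order the values suggest (read, write, execute, all) would guard against a later reordering silently changing which rights a generic bit expands to.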
@@ -5450,6 +5459,17 @@ void map_printer_permissions(SEC_DESC *sd)
}
}
+void map_job_permissions(SEC_DESC *sd)
+{
+ int i;
+
+ for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+ se_map_generic(&sd->dacl->aces[i].access_mask,
+ &job_generic_mapping);
+ }
+}
+
+
/****************************************************************************
Check a user has permissions to perform the given operation. We use the
permission constants defined in include/rpc_spoolss.h to check the various
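Review bot: `map_job_permissions` dereferences `sd` without a NULL check and re-tests `sd->dacl` on every iteration; the caller added in `print_access_check` passes `secdesc->sec`, and whether that can be NULL there is not visible in this diff. A guard such as `if (!sd || !sd->dacl) return;` before the loop makes the function safe on its own. It also lacks the banner comment the neighbouring functions carry; that comment should say that each ACE's `access_mask` is rewritten in place, so the descriptor passed in stays modified for any later user. `i` is a signed `int` compared with `num_aces`, whose type is not shown here; if that field is unsigned, matching the index type avoids a signed/unsigned comparison.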
@@ -5531,19 +5551,12 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
return False;
}
- /* Now this is the bit that really confuses me. The access
- type needs to be changed from JOB_ACCESS_ADMINISTER to
- PRINTER_ACCESS_ADMINISTER for this to work. Something
- to do with the child (job) object becoming like a
- printer?? -tpot */
-
- access_type = PRINTER_ACCESS_ADMINISTER;
+ map_job_permissions(secdesc->sec);
+ } else {
+ map_printer_permissions(secdesc->sec);
}
-
- /* Check access */
-
- map_printer_permissions(secdesc->sec);
+ /* Check access */
result = se_access_check(secdesc->sec, user->nt_user_token, access_type,
&access_granted, &status);
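Review bot: The branch that now selects `map_job_permissions` versus `map_printer_permissions` has no comment, while the removed lines at least recorded that the old `access_type` override was not understood. Since this choice decides which rights a generic ACE expands to before `se_access_check` runs, I would add something like `/* Job requests are checked against the job (child) sd, so expand generic bits with the job mapping */` above the call. The enclosing `if` begins outside the hunk, so the condition that picks the job path is not visible here. A regression test in which a user holding only Manage Documents passes the `JOB_ACCESS_ADMINISTER` check, and a user without it fails, would pin the fix for bug #5095.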