From f620182ac41eaf659cf53842df1089ce1f823654 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 6 May 2008 09:23:00 -0700 Subject: [PATCH] Fix bug #5095, "Manage Documents privilege is not functional". Should map the created sd to printer jobs, not printer. Confirmed fix by the reporter. Karolin please pull for 3.2-stable. Jeremy. --- source/include/rpc_spoolss.h | 9 +++++---- source/printing/nt_printing.c | 35 ++++++++++++++++++++++++----------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/source/include/rpc_spoolss.h b/source/include/rpc_spoolss.h index aff0bba4445..98f6110f7a2 100644 --- a/source/include/rpc_spoolss.h +++ b/source/include/rpc_spoolss.h @@ -164,6 +164,7 @@ #define PRINTER_ACCESS_ADMINISTER 0x00000004 #define PRINTER_ACCESS_USE 0x00000008 #define JOB_ACCESS_ADMINISTER 0x00000010 +#define JOB_ACCESS_READ 0x00000020 /* JOB status codes. */ @@ -193,10 +194,10 @@ #define PRINTER_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE /* Access rights for jobs */ -#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER -#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER -#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER -#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER +#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE +#define JOB_READ STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ +#define JOB_WRITE STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE +#define JOB_EXECUTE STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE /* ACE masks for the various print permissions */ diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c index c31a48c5859..a66b1e5c5f6 100644 --- a/source/printing/nt_printing.c +++ b/source/printing/nt_printing.c @@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = { SERVER_ALL_ACCESS }; +/* Map generic permissions to job object specific permissions */ + +const struct generic_mapping job_generic_mapping = { + JOB_READ, + JOB_WRITE, + JOB_EXECUTE, + JOB_ALL_ACCESS +}; + /* We need one default form to support our default printer. Msoft adds the forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an array index). Letter is always first, so (for the current code) additions @@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd) } } +void map_job_permissions(SEC_DESC *sd) +{ + int i; + + for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) { + se_map_generic(&sd->dacl->aces[i].access_mask, + &job_generic_mapping); + } +} + + /**************************************************************************** Check a user has permissions to perform the given operation. We use the permission constants defined in include/rpc_spoolss.h to check the various @@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type) return False; } - /* Now this is the bit that really confuses me. The access - type needs to be changed from JOB_ACCESS_ADMINISTER to - PRINTER_ACCESS_ADMINISTER for this to work. Something - to do with the child (job) object becoming like a - printer?? -tpot */ - - access_type = PRINTER_ACCESS_ADMINISTER; + map_job_permissions(secdesc->sd); + } else { + map_printer_permissions(secdesc->sd); } - - /* Check access */ - - map_printer_permissions(secdesc->sd); + /* Check access */ result = se_access_check(secdesc->sd, user->nt_user_token, access_type, &access_granted, &status); -- 2.11.4.GIT