The branch, v3-3-test has been updated
       via  bb8f098cdfd902bbb36426df2c4f8532881b3fcd (commit)
       via  0a1fe8d6013d925ab6695f6b7f189b731ec42ccc (commit)
      from  425ca59cce886daed0d6c63fe4382aee140c9518 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit bb8f098cdfd902bbb36426df2c4f8532881b3fcd
Merge: 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc 
425ca59cce886daed0d6c63fe4382aee140c9518
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Mon May 5 16:29:21 2008 -0700

    Merge branch 'v3-3-test' of ssh://[EMAIL PROTECTED]/data/git/samba into 
v3-3-test

commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Mon May 5 16:24:52 2008 -0700

    Try and fix bug #5095, "Manage Documents privilege is not functional".
    Should map the created sd to printer jobs, not printer.
    Jerry please test and I'll add to 3.2 if it passes. Thanks,
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/include/rpc_spoolss.h  |    9 +++++----
 source/printing/nt_printing.c |   35 ++++++++++++++++++++++++-----------
 2 files changed, 29 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/rpc_spoolss.h b/source/include/rpc_spoolss.h
index aff0bba..98f6110 100644
--- a/source/include/rpc_spoolss.h
+++ b/source/include/rpc_spoolss.h
@@ -164,6 +164,7 @@
 #define PRINTER_ACCESS_ADMINISTER      0x00000004
 #define PRINTER_ACCESS_USE             0x00000008
 #define JOB_ACCESS_ADMINISTER          0x00000010
+#define JOB_ACCESS_READ                        0x00000020
 
 /* JOB status codes. */
 
@@ -193,10 +194,10 @@
 #define PRINTER_EXECUTE       STANDARD_RIGHTS_EXECUTE_ACCESS|PRINTER_ACCESS_USE
 
 /* Access rights for jobs */
-#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_READ       STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_WRITE      STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
-#define JOB_EXECUTE    STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
+#define JOB_ALL_ACCESS STANDARD_RIGHTS_REQUIRED_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ|PRINTER_ACCESS_USE
+#define JOB_READ       STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_ADMINISTER|JOB_ACCESS_READ
+#define JOB_WRITE      STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
+#define JOB_EXECUTE    STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER|PRINTER_ACCESS_USE
 
 /* ACE masks for the various print permissions */
 
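Review bot: `JOB_READ` still includes `JOB_ACCESS_ADMINISTER`, and this commit starts using it as the generic-read entry of `job_generic_mapping` in nt_printing.c, so an ACE that grants only generic read on a job would expand to a mask that also carries the administer bit. If read access is meant to let a user see jobs but not manage them, the line should be `#define JOB_READ (STANDARD_RIGHTS_READ_ACCESS|JOB_ACCESS_READ)`. The four rewritten macros are also unparenthesised, like the `PRINTER_EXECUTE` context line above them, so an expression such as `mask & JOB_READ` applies the `&` to the first term only; wrapping each expansion in parentheses avoids that. A short comment explaining why `PRINTER_ACCESS_USE` belongs in the job masks would help the next reader.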
diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c
index c31a48c..a66b1e5 100644
--- a/source/printing/nt_printing.c
+++ b/source/printing/nt_printing.c
@@ -72,6 +72,15 @@ const struct generic_mapping printserver_std_mapping = {
        SERVER_ALL_ACCESS
 };
 
+/* Map generic permissions to job object specific permissions */
+
+const struct generic_mapping job_generic_mapping = {
+       JOB_READ,
+       JOB_WRITE,
+       JOB_EXECUTE,
+       JOB_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the
 forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an
 array index). Letter is always first, so (for the current code) additions
@@ -5719,6 +5728,17 @@ void map_printer_permissions(SEC_DESC *sd)
        }
 }
 
+void map_job_permissions(SEC_DESC *sd)
+{
+       int i;
+
+       for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+               se_map_generic(&sd->dacl->aces[i].access_mask,
+                              &job_generic_mapping);
+       }
+}
+
+
 /****************************************************************************
  Check a user has permissions to perform the given operation.  We use the
  permission constants defined in include/rpc_spoolss.h to check the various
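Review bot: `map_job_permissions` has no header comment, although it rewrites the `access_mask` of every ACE in the caller's descriptor in place and dereferences `sd` without a NULL check. I would add a comment along the lines of `/* Map generic bits in each DACL ACE of sd to job-specific rights. Modifies sd in place; sd must not be NULL. */`. The loop also compares `int i` with `num_aces`, whose type is not visible in this hunk; if it is unsigned, an unsigned index avoids a signed/unsigned comparison. The function mirrors `map_printer_permissions`, whose body starts outside the hunk, so the same remarks may apply there.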
@@ -5800,19 +5820,12 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
                        return False;
                }
 
-               /* Now this is the bit that really confuses me.  The access
-                  type needs to be changed from JOB_ACCESS_ADMINISTER to
-                  PRINTER_ACCESS_ADMINISTER for this to work.  Something
-                  to do with the child (job) object becoming like a
-                  printer??  -tpot */
-
-               access_type = PRINTER_ACCESS_ADMINISTER;
+               map_job_permissions(secdesc->sd);
+       } else {
+               map_printer_permissions(secdesc->sd);
        }
-       
-       /* Check access */
-       
-       map_printer_permissions(secdesc->sd);
 
+       /* Check access */
        result = se_access_check(secdesc->sd, user->nt_user_token, access_type,
                                 &access_granted, &status);
 
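Review bot: With `access_type = PRINTER_ACCESS_ADMINISTER` removed, a `JOB_ACCESS_ADMINISTER` request is now checked as-is against the descriptor after `map_job_permissions`, so a principal whose ACE holds only printer-specific bits (for example `PRINTER_ACCESS_ADMINISTER` with no generic bits and no 0x10 bit) would presumably be denied job administration where it was allowed before. That fails closed, but it is a behaviour change for existing printer administrators, and the testing requested in the commit message should cover it alongside the Manage Documents case. The deleted explanation leaves the new branch uncommented; something like `/* Job operations: map generic bits to job rights, not printer rights (bug #5095). */` above the `map_job_permissions` call would record the intent. The enclosing `if` and the start of `print_access_check` are outside the hunk, so where `secdesc` comes from and whether it is reused after being mapped in place cannot be seen here.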


-- 
Samba Shared Repository
