Roel van Meer writes:

I'm using samba 3.0.26a with cups as printing backend, which are both working fine. However, I would like to grant all users access to all print jobs, but without granting them the right to add or modify printers and printer settings.

When I grant users the SePrintOperatorPrivilege privilege, they can indeed cancel other people's jobs, but then they can also rename printers on the server (which breaks things).

Does anyone know if it is possible to separate access to these two operations, or to grant normal users the right to remove other people's jobs without them having the SePrintOperatorPrivilege priv?

I received a very helpful suggestion from Dale Schroeder on this. He said it was possible to grant users or groups the 'Manage Documents' privilege from a Windows client. However, when I do this, users are still not allowed to cancel other users' print jobs. Some debugging of the samba code showed that the request is denied in print_access_check() in printing/nt_printing.c.

The code I see there does something I do not understand. When canceling a job you need JOB_ACCESS_ADMINISTER privileges, but the code modifies this to check for PRINTER_ACCESS_ADMINISTER privs. The comments preceding this statement are:

       /* Now this is the bit that really confuses me.  The access
          type needs to be changed from JOB_ACCESS_ADMINISTER to
          PRINTER_ACCESS_ADMINISTER for this to work.  Something
          to do with the child (job) object becoming like a
          printer??  -tpot */

When I comment the line changing the access_type (line 5514), canceling print jobs works as expected.

Does anyone know why I would need PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER? Does changing it introduce security problems?

I can file a bug report if necessary.

Regards,

roel
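Added example, not part of the original message and not Samba's code: a simplified model of the check described above, showing how rewriting a JOB_ACCESS_ADMINISTER request to PRINTER_ACCESS_ADMINISTER denies a user who holds only 'Manage Documents', and that without the rewrite the same user still cannot pass a printer-administration check. The access-right values are those in the Windows SDK's winspool.h; `model_access_check`, `sample_acl`, the flat allow-only ACE and the user names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access rights as defined in the Windows SDK header winspool.h. */
#define PRINTER_ACCESS_ADMINISTER 0x00000004u
#define PRINTER_ACCESS_USE        0x00000008u
#define JOB_ACCESS_ADMINISTER     0x00000010u

/* Hypothetical, simplified allow-only ACE: which rights a user holds. */
struct ace { const char *user; uint32_t mask; };

/* Constructed sample ACL for one printer (not taken from a real server). */
static const struct ace sample_acl[] = {
    { "printop", PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE | JOB_ACCESS_ADMINISTER },
    { "alice",   PRINTER_ACCESS_USE | JOB_ACCESS_ADMINISTER }, /* 'Manage Documents' only */
    { "bob",     PRINTER_ACCESS_USE },                         /* ordinary print user */
};

/* Returns true when every bit in 'wanted' is granted to 'user'.
 * remap_job_admin models the access_type rewrite quoted in the message. */
bool model_access_check(const char *user, uint32_t wanted, bool remap_job_admin)
{
    uint32_t granted = 0;
    size_t i;

    if (remap_job_admin && wanted == JOB_ACCESS_ADMINISTER)
        wanted = PRINTER_ACCESS_ADMINISTER;

    for (i = 0; i < sizeof(sample_acl) / sizeof(sample_acl[0]); i++)
        if (strcmp(sample_acl[i].user, user) == 0)
            granted |= sample_acl[i].mask;

    return wanted != 0 && (granted & wanted) == wanted;
}

int main(void)
{
    const char *users[] = { "printop", "alice", "bob" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s cancel(remap)=%d cancel(no remap)=%d rename=%d\n", users[i],
               model_access_check(users[i], JOB_ACCESS_ADMINISTER, true),
               model_access_check(users[i], JOB_ACCESS_ADMINISTER, false),
               model_access_check(users[i], PRINTER_ACCESS_ADMINISTER, false));
    return 0;
}
```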