From d4a3a326f259dc129124d6c3811d904be96e8418 Mon Sep 17 00:00:00 2001 From: Karolin Seeger Date: Fri, 20 Nov 2009 10:09:31 +0100 Subject: [PATCH] s3-printing: Remove deprecated printer admin parameter. Use SePrinterOperator privilege instead. Karolin --- source3/include/proto.h | 1 - source3/param/loadparm.c | 12 -------- source3/printing/nt_printing.c | 11 -------- source3/rpc_server/srv_spoolss_nt.c | 48 ++++++++-------------------------- 4 files changed, 12 insertions(+), 60 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index cad8651..89a203b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -4168,7 +4168,6 @@ char *lp_force_user(int ); char *lp_force_group(int ); const char **lp_readlist(int ); const char **lp_writelist(int ); -const char **lp_printer_admin(int ); char *lp_fstype(int ); const char **lp_vfs_objects(int ); char *lp_msdfs_proxy(int ); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c024603..5fb53b5 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -405,7 +405,6 @@ struct service { char *force_group; char **readlist; char **writelist; - char **printer_admin; char *volume; char *fstype; char **szVfsObjects; @@ -548,7 +547,6 @@ static struct service sDefault = { NULL, /* force group */ NULL, /* readlist */ NULL, /* writelist */ - NULL, /* printer admin */ NULL, /* volume */ NULL, /* fstype */ NULL, /* vfs objects */ @@ -1450,15 +1448,6 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, }, { - .label = "printer admin", - .type = P_LIST, - .p_class = P_LOCAL, - .ptr = &sDefault.printer_admin, - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_PRINT | FLAG_DEPRECATED, - }, - { .label = "force user", .type = P_STRING, .p_class = P_LOCAL, 
@@ -5576,7 +5565,6 @@ FN_LOCAL_STRING(lp_force_user, force_user) FN_LOCAL_STRING(lp_force_group, force_group) FN_LOCAL_LIST(lp_readlist, readlist) FN_LOCAL_LIST(lp_writelist, writelist) -FN_LOCAL_LIST(lp_printer_admin, printer_admin) FN_LOCAL_STRING(lp_fstype, fstype) FN_LOCAL_LIST(lp_vfs_objects, szVfsObjects) FN_LOCAL_STRING(lp_msdfs_proxy, szMSDfsProxy) diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 9995dfe..a22d7cf 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -5687,7 +5687,6 @@ void map_job_permissions(SEC_DESC *sd) Try access control in the following order (for performance reasons): 1) root and SE_PRINT_OPERATOR can do anything (easy check) 2) check security descriptor (bit comparisons in memory) - 3) "printer admins" (may result in numerous calls to winbind) ****************************************************************************/ bool print_access_check(struct auth_serversupplied_info *server_info, int snum, @@ -5757,16 +5756,6 @@ bool print_access_check(struct auth_serversupplied_info *server_info, int snum, DEBUG(4, ("access check was %s\n", NT_STATUS_IS_OK(status) ? "SUCCESS" : "FAILURE")); - /* see if we need to try the printer admin list */ - - if ((access_granted == 0) && - (token_contains_name_in_list(uidtoname(server_info->utok.uid), - NULL, NULL, server_info->ptok, - lp_printer_admin(snum)))) { - talloc_destroy(mem_ctx); - return True; - } - talloc_destroy(mem_ctx); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 682a59b..2315122 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c 
@@ -1633,16 +1633,11 @@ WERROR _spoolss_OpenPrinterEx(pipes_struct *p, } /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, - and not a printer admin, then fail */ + then fail */ if ((p->server_info->utok.uid != sec_initial_uid()) && !user_has_privileges(p->server_info->ptok, - &se_printop ) && - !token_contains_name_in_list( - uidtoname(p->server_info->utok.uid), - NULL, NULL, - p->server_info->ptok, - lp_printer_admin(snum))) { + &se_printop )) { close_printer_handle(p, r->out.handle); ZERO_STRUCTP(r->out.handle); return WERR_ACCESS_DENIED; @@ -2097,14 +2092,10 @@ WERROR _spoolss_DeletePrinterDriver(pipes_struct *p, SE_PRIV se_printop = SE_PRINT_OPERATOR; /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, - and not a printer admin, then fail */ + then fail */ if ( (p->server_info->utok.uid != sec_initial_uid()) - && !user_has_privileges(p->server_info->ptok, &se_printop ) - && !token_contains_name_in_list( - uidtoname(p->server_info->utok.uid), NULL, - NULL, p->server_info->ptok, - lp_printer_admin(-1)) ) + && !user_has_privileges(p->server_info->ptok, &se_printop )) { return WERR_ACCESS_DENIED; } @@ -2197,13 +2188,10 @@ WERROR _spoolss_DeletePrinterDriverEx(pipes_struct *p, SE_PRIV se_printop = SE_PRINT_OPERATOR; /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, - and not a printer admin, then fail */ + then fail */ if ( (p->server_info->utok.uid != sec_initial_uid()) - && !user_has_privileges(p->server_info->ptok, &se_printop ) - && !token_contains_name_in_list( - uidtoname(p->server_info->utok.uid), NULL, NULL, - p->server_info->ptok, lp_printer_admin(-1)) ) + && !user_has_privileges(p->server_info->ptok, &se_printop )) { return WERR_ACCESS_DENIED; } 
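Review bot: The denial branch in `_spoolss_OpenPrinterEx` closes the handle and returns `WERR_ACCESS_DENIED` without logging anything, and the `_spoolss_DeletePrinterDriver` and `_spoolss_DeletePrinterDriverEx` hunks likewise show a bare `return WERR_ACCESS_DENIED;`. With the `printer admin` fallback removed, accounts that passed only through that list are now refused at these points, and the server log will not say why. The form handlers later in this patch already log the refusal at level 2, so I would add the matching line before each return, e.g. `DEBUG(2,("_spoolss_OpenPrinterEx: denied by insufficient permissions.\n"));`. The enclosing functions start and end outside the hunks.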
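Review bot: The root-or-`SE_PRINT_OPERATOR` test left in `_spoolss_DeletePrinterDriver` is now the same two-clause condition that this patch leaves in `_spoolss_OpenPrinterEx`, `_spoolss_DeletePrinterDriverEx`, `_spoolss_AddForm`, `_spoolss_DeleteForm` and `_spoolss_SetForm`. This hunk and the next each declare their own local `se_printop`. Because the check no longer needs `snum`, one static helper could carry the policy, so the six authorization checks cannot drift apart the next time it changes. A possible shape follows; the helper name is only a suggestion, and the function bodies around each call site lie outside the hunks.

```c
/* True if the caller is root or holds SE_PRINT_OPERATOR. */
static bool caller_is_print_operator(struct auth_serversupplied_info *server_info)
{
	SE_PRIV se_printop = SE_PRINT_OPERATOR;

	if (server_info->utok.uid == sec_initial_uid()) {
		return True;
	}
	return user_has_privileges(server_info->ptok, &se_printop);
}

/* … unchanged: start of _spoolss_DeletePrinterDriver … */
	if (!caller_is_print_operator(p->server_info)) {
		return WERR_ACCESS_DENIED;
	}
```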
@@ -7581,7 +7569,7 @@ static WERROR spoolss_addprinterex_level_2(pipes_struct *p, return WERR_ACCESS_DENIED; } - /* you must be a printer admin to add a new printer */ + /* you must have the SePrintOperator privilege add a new printer */ if (!print_access_check(p->server_info, snum, PRINTER_ACCESS_ADMINISTER)) { free_a_printer(&printer,2); return WERR_ACCESS_DENIED; @@ -8362,14 +8350,10 @@ WERROR _spoolss_AddForm(pipes_struct *p, } /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, - and not a printer admin, then fail */ + then fail */ if ((p->server_info->utok.uid != sec_initial_uid()) && - !user_has_privileges(p->server_info->ptok, &se_printop) && - !token_contains_name_in_list(uidtoname(p->server_info->utok.uid), - NULL, NULL, - p->server_info->ptok, - lp_printer_admin(snum))) { + !user_has_privileges(p->server_info->ptok, &se_printop)) { DEBUG(2,("_spoolss_Addform: denied by insufficient permissions.\n")); return WERR_ACCESS_DENIED; } @@ -8446,11 +8430,7 @@ WERROR _spoolss_DeleteForm(pipes_struct *p, } if ((p->server_info->utok.uid != sec_initial_uid()) && - !user_has_privileges(p->server_info->ptok, &se_printop) && - !token_contains_name_in_list(uidtoname(p->server_info->utok.uid), - NULL, NULL, - p->server_info->ptok, - lp_printer_admin(snum))) { + !user_has_privileges(p->server_info->ptok, &se_printop)) { DEBUG(2,("_spoolss_DeleteForm: denied by insufficient permissions.\n")); return WERR_ACCESS_DENIED; } 
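Review bot: The new comment in `spoolss_addprinterex_level_2` is missing a word ("privilege add") and states the rule more narrowly than the code enforces it. The guard is `print_access_check(p->server_info, snum, PRINTER_ACCESS_ADMINISTER)`, and the header comment of that function, visible in the `nt_printing.c` hunk of this patch, says root passes as well and that the security descriptor is checked next. I would word it as `/* adding a printer requires PRINTER_ACCESS_ADMINISTER: root, SE_PRINT_OPERATOR, or a grant in the security descriptor */`. The function body continues outside the hunk.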
@@ -8526,14 +8506,10 @@ WERROR _spoolss_SetForm(pipes_struct *p, } /* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege, - and not a printer admin, then fail */ + then fail */ if ((p->server_info->utok.uid != sec_initial_uid()) && - !user_has_privileges(p->server_info->ptok, &se_printop) && - !token_contains_name_in_list(uidtoname(p->server_info->utok.uid), - NULL, NULL, - p->server_info->ptok, - lp_printer_admin(snum))) { + !user_has_privileges(p->server_info->ptok, &se_printop)) { DEBUG(2,("_spoolss_Setform: denied by insufficient permissions.\n")); return WERR_ACCESS_DENIED; } -- 1.6.4.2