Bug 5095 - Manage Documents privilege is not functional
Summary: Manage Documents privilege is not functional
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing (show other bugs)
Version: 3.0.27
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-11-20 10:23 UTC by Roel van Meer
Modified: 2008-05-06 12:06 UTC (History)
0 users

See Also:

Patch to fix JOB_ACCESS_ADMINISTER privileges (574 bytes, patch)
2007-11-20 10:25 UTC, Roel van Meer
no flags Details
Patch (3.10 KB, patch)
2008-05-05 17:52 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Roel van Meer 2007-11-20 10:23:06 UTC
When users or groups have 'Manage Documents' rights on a printer, they cannot do things that should be possible with these access rights (like canceling other users' print jobs). This seems to be possible only for users or groups with the SePrintOperatorPrivilege privilege.

Problem seems to be in print_access_check() in printing/nt_printing.c. When checking for JOB_ACCESS_ADMINISTER privileges, the code changes this and checks for PRINTER_ACCESS_ADMINISTER privs instead.
Comment 1 Roel van Meer 2007-11-20 10:25:54 UTC
Created attachment 2988 [details]
Patch to fix JOB_ACCESS_ADMINISTER privileges

This patch disables the modification of JOB_ACCESS_ADMINISTER into PRINTER_ACCESS_ADMINISTER privileges. This seems to fix the described problem. However, I'm not sure if it introduces security issues.
Comment 2 Jeremy Allison 2008-05-05 17:52:29 UTC
Created attachment 3275 [details]

Sure, I took a close look but I don't think that patch is correct.
Thanks for pointing it out though, as it pointed out where the
real bug was.

I understand much more about the printer system now, and I think
the patch attached may be a better fix.
Comment 3 Roel van Meer 2008-05-06 03:13:17 UTC
I've tested the patch (applied to 3.0.28a) and it fixes the problem as far as I can see. Thanks!

One thing: when compiling, I noticed the following warning. I reckon it is caused by the const definition of the job_generic_mapping struct.

printing/nt_printing.c: In function `map_job_permissions':
printing/nt_printing.c:5442: warning: passing arg 2 of `se_map_generic' discards qualifiers from pointer target type
Comment 4 Jeremy Allison 2008-05-06 12:06:19 UTC
Fixed in 3.0.28a or above. Thanks for testing !