7921 – driver upload permissions problems with print$ force user/group

Bug 7921 - driver upload permissions problems with print$ force user/group

Summary: driver upload permissions problems with print$ force user/group

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	Printing (show other bugs)
Version:	unspecified
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	7976
Blocks:
	Show dependency tree / graph

Reported:	2011-01-16 14:08 UTC by David Disseldorp
Modified:	2011-12-05 19:55 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Disseldorp 2011-01-16 14:08:54 UTC

consider a print$ share with the following settings:
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = $DRIVER_UPLOAD_USER
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

moose:~ # ls -ld /var/lib/samba/drivers/W32X86/
drwxrwxr-x 3 root ntadmin 4096 2011-01-14 19:06 /var/lib/samba/drivers/W32X86/

With the above configuration it would be reasonable to expect W32X86 printer driver upload/add attempts by $DRIVER_UPLOAD_USER (granted SePrintOperatorPrivilege) to be permitted - the print$ share settings force connections to the ntadmin group, which is granted write permission to the driver upload path.
Currently if $DRIVER_UPLOAD_USER is not a member of the ntadmin group, the driver upload/add fails, this is explained by how the driver upload/add takes place:

- the client connects to the [print$] share and uploads all driver
  files to the (/var/lib/samba/drivers/W32X86) directory.

- This is permitted, as the /var/lib/samba/drivers/W32X86 is owned
  by group ntadmin, and the "force group = ntadmin" takes effect
  for the [print$] session.

- Once all files are uploaded, the client connects to the [ipc$]
  share and issues an AddPrinterDriverEx spoolss request.

- In handling this request move_driver_to_download_area() is called,
  which attempts to create the directory
  /var/lib/samba/drivers/W32X86/3

- The create directory fails, as it is done as the user connected to
  the [ipc$] share. The [print$] "force group = ntadmin" has no
  effect.

This is a regression from previous behaviour. Prior to the commit
783ab0480b7c1454a95cdb414d3277a8fa543e9a, move_driver_to_download_area() would call become_user() for the print$ share.

Comment 1 David Disseldorp 2011-01-18 04:46:17 UTC

What makes this bug even more confusing from a users perspective is that the error returned to the client is WERR_UNKNOWN_PRINTER_DRIVER.

This is due to the missing and otherwise completely broken error paths in move_driver_to_download_area():
- the create_directory() call, which is where the initial access denied
  failure occurs, is not checked for error.
- WERR_ACCESS_DENIED errors returned by move_driver_file_to_download_area()
  are changed to WERR_UNKNOWN_PRINTER_DRIVER.
- move_driver_to_download_area() returns *the same* error status values to
  the caller via the *perr argument as well as the return value.
  _spoolss_AddPrinterDriver() uses the following invocation:
  err = move_driver_to_download_area(p, driver, level, &err)

Comment 2 David Disseldorp 2011-12-05 14:11:27 UTC

fixed in master with:
61bf4699f0f8b353272c060b8309f339ed2a0f88
s3-printing: follow force user/group for driver IO

Comment 3 Jeremy Allison 2011-12-05 19:55:51 UTC

Actually it's commit 2a791861462977a82b33ad57a4d5203dc9270aff in v3-6-test that will be the change that releases the fix :-).

Jeremy.