Bug 7921 - driver upload permissions problems with print$ force user/group
Summary: driver upload permissions problems with print$ force user/group
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Printing (show other bugs)
Version: unspecified
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on: 7976
  Show dependency treegraph
Reported: 2011-01-16 14:08 UTC by David Disseldorp
Modified: 2011-12-05 19:55 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description David Disseldorp 2011-01-16 14:08:54 UTC
consider a print$ share with the following settings:
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = $DRIVER_UPLOAD_USER
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

moose:~ # ls -ld /var/lib/samba/drivers/W32X86/
drwxrwxr-x 3 root ntadmin 4096 2011-01-14 19:06 /var/lib/samba/drivers/W32X86/

With the above configuration it would be reasonable to expect W32X86 printer driver upload/add attempts by $DRIVER_UPLOAD_USER (granted SePrintOperatorPrivilege) to be permitted - the print$ share settings force connections to the ntadmin group, which is granted write permission to the driver upload path.
Currently if $DRIVER_UPLOAD_USER is not a member of the ntadmin group, the driver upload/add fails, this is explained by how the driver upload/add takes place:

- the client connects to the [print$] share and uploads all driver
  files to the (/var/lib/samba/drivers/W32X86) directory.

- This is permitted, as the /var/lib/samba/drivers/W32X86 is owned
  by group ntadmin, and the "force group = ntadmin" takes effect
  for the [print$] session.

- Once all files are uploaded, the client connects to the [ipc$]
  share and issues an AddPrinterDriverEx spoolss request.

- In handling this request move_driver_to_download_area() is called,
  which attempts to create the directory

- The create directory fails, as it is done as the user connected to
  the [ipc$] share. The [print$] "force group = ntadmin" has no

This is a regression from previous behaviour. Prior to the commit
783ab0480b7c1454a95cdb414d3277a8fa543e9a, move_driver_to_download_area() would call become_user() for the print$ share.
Comment 1 David Disseldorp 2011-01-18 04:46:17 UTC
What makes this bug even more confusing from a users perspective is that the error returned to the client is WERR_UNKNOWN_PRINTER_DRIVER.

This is due to the missing and otherwise completely broken error paths in move_driver_to_download_area():
- the create_directory() call, which is where the initial access denied
  failure occurs, is not checked for error.
- WERR_ACCESS_DENIED errors returned by move_driver_file_to_download_area()
- move_driver_to_download_area() returns *the same* error status values to
  the caller via the *perr argument as well as the return value.
  _spoolss_AddPrinterDriver() uses the following invocation:
  err = move_driver_to_download_area(p, driver, level, &err)
Comment 2 David Disseldorp 2011-12-05 14:11:27 UTC
fixed in master with:
s3-printing: follow force user/group for driver IO
Comment 3 Jeremy Allison 2011-12-05 19:55:51 UTC
Actually it's commit 2a791861462977a82b33ad57a4d5203dc9270aff in v3-6-test that will be the change that releases the fix :-).