Hi list, I'm using samba 3.0.26a with cups as printing backend, which are both working fine. However, I would like to grant all users access to all print jobs, but without granting them the right to add or modify printers and printer settings. When I grant users the SePrintOperatorPrivilege privilege, they can indeed cancel other people's jobs, but then they can also rename printers on the server (which breaks things). Does anyone know if it is possible to separate access to these two operations, or to grant normal users the right to remove other people's jobs without them having the SePrintOperatorPrivilege priv? Thanks in advance for any input, roel
Roel van Meer
2007-Nov-13 09:35 UTC
[Samba] Printing; privileges separation (follow up: printing/nt_printing.c)
Roel van Meer writes:> I'm using samba 3.0.26a with cups as printing backend, which are both > working fine. However, I would like to grant all users access to all print > jobs, but without granting them the right to add or modify printers and > printer settings. > > When I grant users the SePrintOperatorPrivilege privilege, they can indeed > cancel other people's jobs, but then they can also rename printers on the > server (which breaks things). > > Does anyone know if it is possible to separate access to these two > operations, or to grant normal users the right to remove other people's jobs > without them having the SePrintOperatorPrivilege priv?I received a very helpful suggestion from Dale Schroeder on this. He said it was possible to grant users or groups the 'Manage Documents' privilege from a Windows client. However, when I do this, users are still not allowed to cancel other users' print jobs. Some debugging of the samba code showed that the request is denied in print_access_check() in printing/nt_printing.c. The code I see there does something I do not understand. When canceling a job you need JOB_ACCESS_ADMINISTER privileges, but the code modifies this to check for PRINTER_ACCESS_ADMINISTER privs. The comments preceding this statement are: /* Now this is the bit that really confuses me. The access type needs to be changed from JOB_ACCESS_ADMINISTER to PRINTER_ACCESS_ADMINISTER for this to work. Something to do with the child (job) object becoming like a printer?? -tpot */ When I comment the line changing the access_type (line 5514), canceling print jobs works as expected. Does anyone know why I would need PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER? Does changing it introduce security problems? I can file a bug report if necessary. Regards, roel