s3-spoolss: make sure members of "BUILTIN\Print Operators" can open printers
[ira/wip.git] / source3 / rpc_server / srv_spoolss_nt.c
index 755d8fc473c0ba035d282d51c056ee724574f5ee..01b4a7508376108e3046d295a9f145dde1323ae0 100644 (file)
@@ -1791,6 +1791,7 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 
                        if ((p->server_info->utok.uid != sec_initial_uid()) &&
                            !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+                           !nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok) &&
                            !token_contains_name_in_list(
                                    uidtoname(p->server_info->utok.uid),
                                    p->server_info->info3->base.domain.string,
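Review bot: The added `nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok)` term lets alias members through the same administrative gate as root and SEC_PRIV_PRINT_OPERATOR holders, but nothing next to the condition says that any one of the four tests is sufficient. I would add a comment above the `if`, for example `/* admin open allowed for root, SEC_PRIV_PRINT_OPERATOR holders, BUILTIN\Print Operators members, or "printer admin" entries */`. If other handlers in this file still use the older three-way test (not visible here), they will keep refusing the same users, so the check may be worth moving into one shared helper so the authorization rule cannot drift between call sites. The condition and the enclosing function continue outside the hunk.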
@@ -1800,7 +1801,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
                                close_printer_handle(p, r->out.handle);
                                ZERO_STRUCTP(r->out.handle);
                                DEBUG(3,("access DENIED as user is not root, "
-                                       "has no printoperator privilege and "
+                                       "has no printoperator privilege, "
+                                       "not a member of the printoperater builtin group and "
                                        "is not in printer admin list"));
                                return WERR_ACCESS_DENIED;
                        }
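Review bot: The added string spells the group "printoperater" while the line just above it says "printoperator", so a log search for one spelling will miss part of the denial message; the second added line should read `"not a member of the printoperator builtin group and "`. As far as the hunk shows, the message also ends without a `\n` and does not name the account that was refused, which makes denied administrative opens harder to audit. Including the name already computed for the check, `uidtoname(p->server_info->utok.uid)`, in the DEBUG call would help. The enclosing block starts outside the hunk.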