From 956a4552f2c66cfe61493de772b5986d95511135 Mon Sep 17 00:00:00 2001 From: David Disseldorp Date: Thu, 26 Sep 2013 13:24:15 +0200 Subject: [PATCH] printing: return WERROR from print_access_check print_access_check() currently returns a bool based on whether access is granted or denied. Errno is set on failure, but none of the callers use it. This change converts print_access_check() to return a WERROR. Signed-off-by: David Disseldorp Reviewed-by: Guenther Deschner --- source3/include/nt_printing.h | 6 +- source3/printing/nt_printing.c | 31 ++++----- source3/printing/printing.c | 72 ++++++++++----------- source3/rpc_server/spoolss/srv_spoolss_nt.c | 16 ++--- 4 files changed, 58 insertions(+), 67 deletions(-) diff --git a/source3/include/nt_printing.h b/source3/include/nt_printing.h index 2a0e8835dfb..4af44d75d91 100644 --- a/source3/include/nt_printing.h +++ b/source3/include/nt_printing.h @@ -128,9 +128,9 @@ bool nt_printing_init(struct messaging_context *msg_ctx); const char *get_short_archi(const char *long_archi); -bool print_access_check(const struct auth_session_info *server_info, - struct messaging_context *msg_ctx, int snum, - int access_type); +WERROR print_access_check(const struct auth_session_info *server_info, + struct messaging_context *msg_ctx, int snum, + int access_type); WERROR nt_printer_guid_get(TALLOC_CTX *mem_ctx, const struct auth_session_info *session_info, diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 7a1f36549fe..73c4cf76ee1 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -1765,9 +1765,9 @@ void map_job_permissions(struct security_descriptor *sd) 3) "printer admins" (may result in numerous calls to winbind) ****************************************************************************/ -bool print_access_check(const struct auth_session_info *session_info, - struct messaging_context *msg_ctx, int snum, - int access_type) +WERROR print_access_check(const struct auth_session_info *session_info, + struct messaging_context *msg_ctx, int snum, + int access_type) { struct spoolss_security_descriptor *secdesc = NULL; uint32 access_granted; @@ -1781,9 +1781,10 @@ bool print_access_check(const struct auth_session_info *session_info, /* Always allow root or SE_PRINT_OPERATROR to do anything */ - if (session_info->unix_token->uid == sec_initial_uid() - || security_token_has_privilege(session_info->security_token, SEC_PRIV_PRINT_OPERATOR)) { - return True; + if ((session_info->unix_token->uid == sec_initial_uid()) + || security_token_has_privilege(session_info->security_token, + SEC_PRIV_PRINT_OPERATOR)) { + return WERR_OK; } /* Get printer name */ @@ -1791,15 +1792,13 @@ bool print_access_check(const struct auth_session_info *session_info, pname = lp_printername(talloc_tos(), snum); if (!pname || !*pname) { - errno = EACCES; - return False; + return WERR_ACCESS_DENIED; } /* Get printer security descriptor */ if(!(mem_ctx = talloc_init("print_access_check"))) { - errno = ENOMEM; - return False; + return WERR_NOMEM; } result = winreg_get_printer_secdesc_internal(mem_ctx, @@ -1809,8 +1808,7 @@ bool print_access_check(const struct auth_session_info *session_info, &secdesc); if (!W_ERROR_IS_OK(result)) { talloc_destroy(mem_ctx); - errno = ENOMEM; - return False; + return WERR_NOMEM; } if (access_type == JOB_ACCESS_ADMINISTER) { @@ -1828,8 +1826,7 @@ bool print_access_check(const struct auth_session_info *session_info, false); if (!NT_STATUS_IS_OK(status)) { talloc_destroy(mem_ctx); - errno = map_errno_from_nt_status(status); - return False; + return ntstatus_to_werror(status); } map_job_permissions(secdesc); @@ -1845,11 +1842,7 @@ bool print_access_check(const struct auth_session_info *session_info, talloc_destroy(mem_ctx); - if (!NT_STATUS_IS_OK(status)) { - errno = EACCES; - } - - return NT_STATUS_IS_OK(status); + return ntstatus_to_werror(status); } /**************************************************************************** diff --git a/source3/printing/printing.c b/source3/printing/printing.c index b126bd5cbaf..a989d816632 100644 --- a/source3/printing/printing.c +++ b/source3/printing/printing.c @@ -2226,17 +2226,16 @@ WERROR print_job_delete(const struct auth_session_info *server_info, owns their job. */ if (!owner && - !print_access_check(server_info, msg_ctx, snum, - JOB_ACCESS_ADMINISTER)) { + !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + JOB_ACCESS_ADMINISTER))) { DEBUG(3, ("delete denied by security descriptor\n")); - /* BEGIN_ADMIN_LOG */ - sys_adminlog( LOG_ERR, - "Permission denied-- user not allowed to delete, \ -pause, or resume print job. User name: %s. Printer name: %s.", - uidtoname(server_info->unix_token->uid), - lp_printername(talloc_tos(), snum) ); - /* END_ADMIN_LOG */ + sys_adminlog(LOG_ERR, + "Permission denied-- user not allowed to delete, " + "pause, or resume print job. User name: %s. " + "Printer name: %s.", + uidtoname(server_info->unix_token->uid), + lp_printername(tmp_ctx, snum) ); werr = WERR_ACCESS_DENIED; goto err_out; @@ -2316,17 +2315,16 @@ WERROR print_job_pause(const struct auth_session_info *server_info, } if (!is_owner(server_info, lp_const_servicename(snum), jobid) && - !print_access_check(server_info, msg_ctx, snum, - JOB_ACCESS_ADMINISTER)) { + !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + JOB_ACCESS_ADMINISTER))) { DEBUG(3, ("pause denied by security descriptor\n")); - /* BEGIN_ADMIN_LOG */ - sys_adminlog( LOG_ERR, - "Permission denied-- user not allowed to delete, \ -pause, or resume print job. User name: %s. Printer name: %s.", - uidtoname(server_info->unix_token->uid), - lp_printername(talloc_tos(), snum) ); - /* END_ADMIN_LOG */ + sys_adminlog(LOG_ERR, + "Permission denied-- user not allowed to delete, " + "pause, or resume print job. User name: %s. " + "Printer name: %s.", + uidtoname(server_info->unix_token->uid), + lp_printername(tmp_ctx, snum) ); werr = WERR_ACCESS_DENIED; goto err_out; @@ -2388,17 +2386,17 @@ WERROR print_job_resume(const struct auth_session_info *server_info, } if (!is_owner(server_info, lp_const_servicename(snum), jobid) && - !print_access_check(server_info, msg_ctx, snum, - JOB_ACCESS_ADMINISTER)) { + !W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + JOB_ACCESS_ADMINISTER))) { DEBUG(3, ("resume denied by security descriptor\n")); - /* BEGIN_ADMIN_LOG */ - sys_adminlog( LOG_ERR, - "Permission denied-- user not allowed to delete, \ -pause, or resume print job. User name: %s. Printer name: %s.", - uidtoname(server_info->unix_token->uid), - lp_printername(talloc_tos(), snum) ); - /* END_ADMIN_LOG */ + sys_adminlog(LOG_ERR, + "Permission denied-- user not allowed to delete, " + "pause, or resume print job. User name: %s. " + "Printer name: %s.", + uidtoname(server_info->unix_token->uid), + lp_printername(tmp_ctx, snum)); + werr = WERR_ACCESS_DENIED; goto err_out; } @@ -2654,8 +2652,8 @@ static WERROR print_job_checks(const struct auth_session_info *server_info, uint64_t minspace; int ret; - if (!print_access_check(server_info, msg_ctx, snum, - PRINTER_ACCESS_USE)) { + if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + PRINTER_ACCESS_USE))) { DEBUG(3, ("print_job_checks: " "job start denied by security descriptor\n")); return WERR_ACCESS_DENIED; @@ -3285,8 +3283,8 @@ WERROR print_queue_pause(const struct auth_session_info *server_info, int ret; struct printif *current_printif = get_printer_fns( snum ); - if (!print_access_check(server_info, msg_ctx, snum, - PRINTER_ACCESS_ADMINISTER)) { + if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + PRINTER_ACCESS_ADMINISTER))) { return WERR_ACCESS_DENIED; } @@ -3322,8 +3320,8 @@ WERROR print_queue_resume(const struct auth_session_info *server_info, int ret; struct printif *current_printif = get_printer_fns( snum ); - if (!print_access_check(server_info, msg_ctx, snum, - PRINTER_ACCESS_ADMINISTER)) { + if (!W_ERROR_IS_OK(print_access_check(server_info, msg_ctx, snum, + PRINTER_ACCESS_ADMINISTER))) { return WERR_ACCESS_DENIED; } @@ -3364,10 +3362,10 @@ WERROR print_queue_purge(const struct auth_session_info *server_info, /* Force and update so the count is accurate (i.e. not a cached count) */ print_queue_update(msg_ctx, snum, True); - can_job_admin = print_access_check(server_info, - msg_ctx, - snum, - JOB_ACCESS_ADMINISTER); + can_job_admin = W_ERROR_IS_OK(print_access_check(server_info, + msg_ctx, + snum, + JOB_ACCESS_ADMINISTER)); njobs = print_queue_status(msg_ctx, snum, &queue, &status); if ( can_job_admin ) diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index a6201d4f55e..7154cb44199 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -1897,10 +1897,10 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p, if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL, p->session_info->security_token, snum) || - !print_access_check(p->session_info, - p->msg_ctx, - snum, - r->in.access_mask)) { + !W_ERROR_IS_OK(print_access_check(p->session_info, + p->msg_ctx, + snum, + r->in.access_mask))) { DEBUG(3, ("access DENIED for printer open\n")); close_printer_handle(p, r->out.handle); ZERO_STRUCTP(r->out.handle); @@ -8153,10 +8153,10 @@ static WERROR spoolss_addprinterex_level_2(struct pipes_struct *p, } /* you must be a printer admin to add a new printer */ - if (!print_access_check(p->session_info, - p->msg_ctx, - snum, - PRINTER_ACCESS_ADMINISTER)) { + if (!W_ERROR_IS_OK(print_access_check(p->session_info, + p->msg_ctx, + snum, + PRINTER_ACCESS_ADMINISTER))) { return WERR_ACCESS_DENIED; } -- 2.34.1