summaryrefslogtreecommitdiffstats
path: root/source3/smbd
diff options
context:
space:
mode:
authorDavid Disseldorp <ddiss@suse.de>2011-03-02 14:34:28 +0100
committerAndreas Schneider <asn@samba.org>2011-03-04 15:46:14 +0100
commit61bf4699f0f8b353272c060b8309f339ed2a0f88 (patch)
tree12a22e9df8b0b99ad6db4539ef04565c7ba9db4b /source3/smbd
parentb0c6899973d3e0e5d4dbd2590157f7200c20f8ff (diff)
downloadsamba-61bf4699f0f8b353272c060b8309f339ed2a0f88.tar.gz
samba-61bf4699f0f8b353272c060b8309f339ed2a0f88.tar.xz
samba-61bf4699f0f8b353272c060b8309f339ed2a0f88.zip
s3-printing: follow force user/group for driver IO
Configuring force user/group settings for the print$ share currently has unexpected results, this is explained by how the driver upload/add process takes place. Consider the following example: [print$] path = /print-drv write list = $DRIVER_UPLOAD_USER force group = ntadmin - the client connects to the [print$] share and uploads all driver files to the /print-drv/W32X86 directory. - This is permitted, as /print-drv/W32X86 is owned by group ntadmin, and the "force group = ntadmin" takes effect for the [print$] session. - Once all files are uploaded, the client connects to the [ipc$] share and issues an AddPrinterDriverEx spoolss request. - In handling this request move_driver_to_download_area() is called, which attempts to create the directory /print-drv/W32X86/3 - The create directory fails, as it is done as the user connected to the [ipc$] share which does not have permission to write to the driver directory. The [print$] "force group = ntadmin" has no effect. This is a regression from previous behaviour prior to the commit: 783ab04 Convert move_driver_to_download_area to use create_conn_struct. https://bugzilla.samba.org/show_bug.cgi?id=7921 Signed-off-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/service.c127
1 files changed, 71 insertions, 56 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index e713b7132e9..00b5294be66 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -659,6 +659,72 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
return NT_STATUS_ACCESS_DENIED;
}
+/****************************************************************************
+ set relavent user and group settings corresponding to force user/group
+ configuration for the given snum.
+****************************************************************************/
+
+NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
+{
+ NTSTATUS status;
+
+ if (*lp_force_user(snum)) {
+
+ /*
+ * Replace conn->session_info with a completely faked up one
+ * from the username we are forced into :-)
+ */
+
+ char *fuser;
+ struct auth_serversupplied_info *forced_serverinfo;
+
+ fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
+ lp_const_servicename(snum));
+ if (fuser == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = make_serverinfo_from_username(
+ conn, fuser, conn->session_info->guest,
+ &forced_serverinfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ TALLOC_FREE(conn->session_info);
+ conn->session_info = forced_serverinfo;
+
+ conn->force_user = true;
+ DEBUG(3,("Forced user %s\n", fuser));
+ }
+
+ /*
+ * If force group is true, then override
+ * any groupid stored for the connecting user.
+ */
+
+ if (*lp_force_group(snum)) {
+
+ status = find_forced_group(
+ conn->force_user, snum, conn->session_info->unix_name,
+ &conn->session_info->security_token->sids[1],
+ &conn->session_info->utok.gid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * We need to cache this gid, to use within
+ * change_to_user() separately from the conn->session_info
+ * struct. We only use conn->session_info directly if
+ * "force_user" was set.
+ */
+ conn->force_group_gid = conn->session_info->utok.gid;
+ }
+
+ return NT_STATUS_OK;
+}
/****************************************************************************
Make a connection, given the snum to connect to, and the vuser of the
@@ -742,62 +808,11 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->read_only = lp_readonly(SNUM(conn));
- if (*lp_force_user(snum)) {
-
- /*
- * Replace conn->session_info with a completely faked up one
- * from the username we are forced into :-)
- */
-
- char *fuser;
- struct auth_serversupplied_info *forced_serverinfo;
-
- fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
- lp_servicename(snum));
- if (fuser == NULL) {
- *pstatus = NT_STATUS_NO_MEMORY;
- goto err_root_exit;
- }
-
- status = make_serverinfo_from_username(
- conn, fuser, conn->session_info->guest,
- &forced_serverinfo);
- if (!NT_STATUS_IS_OK(status)) {
- *pstatus = status;
- goto err_root_exit;
- }
-
- TALLOC_FREE(conn->session_info);
- conn->session_info = forced_serverinfo;
-
- conn->force_user = True;
- DEBUG(3,("Forced user %s\n", fuser));
- }
-
- /*
- * If force group is true, then override
- * any groupid stored for the connecting user.
- */
-
- if (*lp_force_group(snum)) {
-
- status = find_forced_group(
- conn->force_user, snum, conn->session_info->unix_name,
- &conn->session_info->security_token->sids[1],
- &conn->session_info->utok.gid);
-
- if (!NT_STATUS_IS_OK(status)) {
- *pstatus = status;
- goto err_root_exit;
- }
-
- /*
- * We need to cache this gid, to use within
- * change_to_user() separately from the conn->session_info
- * struct. We only use conn->session_info directly if
- * "force_user" was set.
- */
- conn->force_group_gid = conn->session_info->utok.gid;
+ status = set_conn_force_user_group(conn, snum);
+ if (!NT_STATUS_IS_OK(status)) {
+ conn_free(conn);
+ *pstatus = status;
+ return NULL;
}
conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;