Bug 50776 - Deleting a printdriver as non Administrator is not possible
Deleting a printdriver as non Administrator is not possible
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Print services
UCS@school 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS@school maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-04 15:51 CET by Christina Scheinig
Modified: 2020-02-04 15:51 CET (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.011
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020012221000746
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christina Scheinig univentionstaff 2020-02-04 15:51:08 CET
In a school environment a customer complains that it is not possible to delete an already uploaded driver.

Scenario:
A school slave with printservicer installed.
A user which is added to the Printer-Admins group
A driver was uploaded via Windows and is not  linked to the printer.

I reproduced this issue:

rpcclient -Ucscheini -c 'enumdrivers' localhost
Enter SCHEIN\cscheini's password:

[Windows x64]

Printer Driver Info 1:
        Driver Name: [Epson ESC/P Standard 5 V4 Class Driver]
---------------------------------------------------------------------------------------------------------------------------------------
root@slave-sun:/var/lib/samba/drivers# rpcclient -Ucscheini -c 'deldriver "Epson ESC/P Standard 5 V4 Class Driver"' localhost
Enter SCHEIN\cscheini's password:
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows 4.0] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT x86] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT x86] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT R4000] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT Alpha_AXP] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows NT PowerPC] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows IA64] - error WERR_ACCESS_DENIED!
Failed to remove driver Epson ESC/P Standard 5 V4 Class Driver for arch [Windows x64] - error WERR_ACCESS_DENIED!
result was WERR_ACCESS_DENIED
root@slave-sun:/var/lib/samba/drivers# rpcclient -UAdministrator -c 'deldriver "Epson ESC/P Standard 5 V4 Class Driver"' localhost
Enter SCHEIN\Administrator's password: 
Driver Epson ESC/P Standard 5 V4 Class Driver removed for arch [Windows x64].
---------------------------------------------------------------------------------------------------------------------------------------
root@slave-sun:/var/lib/samba/drivers# getfacl x64
# file: x64
# owner: root
# group: Printer-Admins
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:Printer-Admins:rwx
default:mask::rwx
default:other::r-x
---------------------------------------------------------------------------------------------------------------------------------------
univention-ldapsearch cn=Printer-Admins sambaSID

# Printer-Admins, groups, schein.me
dn: cn=Printer-Admins,cn=groups,dc=schein,dc=me
sambaSID: S-1-5-32-550
---------------------------------------------------------------------------------------------------------------------------------------
univention-s4search cn=printer-admins
→ is not a group in samba
---------------------------------------------------------------------------------------------------------------------------------------
samba-tool ntacl get x64 |less
    security_descriptor: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8004 (32772)
               0: SEC_DESC_OWNER_DEFAULTED
               0: SEC_DESC_GROUP_DEFAULTED
               1: SEC_DESC_DACL_PRESENT
               0: SEC_DESC_DACL_DEFAULTED
               0: SEC_DESC_SACL_PRESENT
               0: SEC_DESC_SACL_DEFAULTED
               0: SEC_DESC_DACL_TRUSTED
               0: SEC_DESC_SERVER_SECURITY
               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
               0: SEC_DESC_DACL_AUTO_INHERITED
               0: SEC_DESC_SACL_AUTO_INHERITED
               0: SEC_DESC_DACL_PROTECTED
               0: SEC_DESC_SACL_PROTECTED
               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE
        owner_sid                : *   
            owner_sid                : S-1-22-1-0
        group_sid                : *   
            group_sid                : S-1-5-32-550
        sacl                     : NULL
        dacl                     : *   
[...]
---------------------------------------------------------------------------------------------------------------------------------------
# id cscheini
uid=2040(cscheini) gid=5023(Domain Users sun) Gruppen=5023(Domain Users sun),5016(Printer-Admins),5020(schueler-sun),5031(schueler-moon),5034(Domain Users moon),5100(sun-1a)

---------------------------------------------------------------------------------------------------------------------------------------
I could not find any hints in the samba logfiles.