Bug 35076 - Control of print share access via computer room module is not working properly (Samba4)
Control of print share access via computer room module is not working properl...
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Computer room
UCS@school 3.2 R2
Other Linux
: P5 normal with 2 votes (vote)
: UCS@school 4.3 v4
Assigned To: Ole Schwiegert
Sönke Schwardt-Krummrich
:
Depends on: 43227
Blocks:
  Show dependency treegraph
 
Reported: 2014-06-06 16:11 CEST by Michel Smidt
Modified: 2018-07-04 18:08 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
This patch removes the "Free printing" option (1.51 KB, patch)
2017-01-06 12:43 CET, Richard Ulmer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michel Smidt univentionstaff 2014-06-06 16:11:58 CEST
Related to 30331
Control of print share access via computer room module is not working properly (Samba4)

System UCS@school 3.2 R2
Temporary deactivate printing: 
1. "Allow all users." access to print share in "Access control"-TAB.
2. Test-Student has access to print share and can print. -> ok
3. "Change settings" in "Computer room"-Modul to "Printing deactivated"
4. Connection to print share is forbidden for Test-Student -> ok
Reactivate printing:
5. "Change settings" in "Computer room"-Modul to "Free printing"
6. Connection to print share is forbidden for Test-Student -> not ok
7. "Change settings" in "Computer room"-Modul to "Default (global settings)"
8. Connection to print share is forbidden for Test-Student -> not ok
9. Restart Samba
10. Connection to print share is allowed for Test-Student -> ok

Temporary activate printing:
1. "Deny choosen users/groups." (schueler-schule) access to print share in "Access control"-TAB.
2. Test-Student has no access to print share and can't print. -> ok
3. "Change settings" in "Computer room"-Modul to "Free printing"
4. Connection to print share is forbidden for Test-Student -> not ok
5. Restart of Samba doesn't help.
6. Waited "some time (1-4 min)" just as it was written in the comment 11 on #30331. 

/etc/samba/local.config.d/printer.brother.local.config.conf
[brother]    
invalid users = @schueler-schule
hosts deny = ""    
hosts allow = 10.1.0.45 10.1.0.44

/etc/samba/printers.conf.d/brother
[brother] 
printer name = brother           
path = /tmp                           
guest ok = yes  
printable = yes
invalid users =  @schueler-schule  

The "invalid users = @schueler-schule" seems to override the "hosts allow = 10.1.0.45 10.1.0.44"
Comment 1 Florian Best univentionstaff 2016-10-04 18:35:18 CEST
Still reproducible in UCS@school 4.1R2?
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-12-19 12:00:32 CET
@Richard: as a first step please try to reprocude Michels findings with a current UCS@school 4.1 R2 v9 with UCS 4.1-4
Comment 3 Richard Ulmer univentionstaff 2017-01-05 14:12:32 CET
I've tried to replicate Michel's findings on a UCS@school 4.1R2 system and identified three problems:

1. Changes of a printer's access-control in the "Computer room"-module won't get applied immediately. When I waited ~2min between the steps Michel's first test scenario caused no trouble.

2. The "invalid users" entry won't automatically be removed from /etc/samba/local.config.d/printer.$PRINTER.local.config.conf when it gets removed from /etc/samba/printers.conf.d/$PRINTER . I've opened Bug #43227 for this.

3. The problem in Michel's second test scenario seems to be that the "invalid users" entry (created when modifying access in a printer's "Access control"-tab) in a printer's config file has priority over the "hosts allow" entry (created when modifying access in the "Computer room"-module).
According to "$ man smb.conf" of the current samba version this is the wanted behavior (on "invalid users"): "This is really a paranoid check to absolutely ensure an improper setting does not breach your security."
Comment 4 Richard Ulmer univentionstaff 2017-01-06 12:43:28 CET
Created attachment 8340 [details]
This patch removes the "Free printing" option

To solve problem 3 from Comment #3 I would suggest removing the "Free printing" option in the "Computer room"-module.
Comment 5 Florian Best univentionstaff 2017-06-28 14:56:32 CEST
There is a Customer ID set so I set the flag "School Customer affected".
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-04-18 10:00:27 CEST
Regarding comment 3: Please check if all 3 point are still reproducible.

If the last point is still reproducible, please check and apply the attached patch.
Comment 7 Ole Schwiegert univentionstaff 2018-04-25 13:03:52 CEST
To 1. I cannot reproduce that (correct) behavior. When I have a printer with allowed for all and I deactivate it in the room module I can still print. (The deny host entry is present though). I also restarted samba service to be sure.

To 2. I can still reproduce it as well

To3. I can still reproduce, patch will be applied.
Comment 8 Ole Schwiegert univentionstaff 2018-04-26 11:21:22 CEST
Correction to 1: I must have made some mistake. I restested again today and Number 1 works as expected
Comment 9 Ole Schwiegert univentionstaff 2018-04-26 13:46:15 CEST
Package: ucs-school-umc-computerroom
Version: 10.0.2-1A~4.3.0.201804261344
Comment 10 Jürn Brodersen univentionstaff 2018-06-14 16:27:44 CEST
[4.3 3a9090d29] Bug #35076: Remove print mode 'all' from test
Comment 11 Jürn Brodersen univentionstaff 2018-06-15 10:15:12 CEST
[4.3 fc0371284] Bug #35076: Remove print mode 'all' from test (2)
Comment 12 Sönke Schwardt-Krummrich univentionstaff 2018-06-22 16:11:59 CEST
For completeness: Ole removed the printMode "all" that in the past allowed the teacher to allow all users of this room to use all printers, even if the printers ACLs would have refused to use the printer.

Since samba does no longer provide a sinple solution to override, the item "all" has been removed.

OK: code change
OK: functional change
FIXED: tests (All test steps were executed, but only if the last test step
              failed was the script terminated with an error code.)
OK: changelog entry
FIXED: advisory
OK: package built and installable

I think a backport to UCS@school 4.2 is not required.

Package: ucs-test-ucsschool
Version: 5.0.2-67A~4.3.0.201806221609
Branch: ucs_4.3-0
Scope: ucs-school-4.3
Comment 13 Sönke Schwardt-Krummrich univentionstaff 2018-07-04 18:08:43 CEST
UCS@school 4.3 v4 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v4-de.html

If this error occurs again, please clone this bug.