Univention Bugzilla – Full Text Bug Listing |
Summary: | Control of print share access via computer room module is not working properly (Samba4) | ||
---|---|---|---|
Product: | UCS@school | Reporter: | Michel Smidt <michelsmidt> |
Component: | UMC - Computer room | Assignee: | Ole Schwiegert <schwiegert> |
Status: | CLOSED FIXED | QA Contact: | Sönke Schwardt-Krummrich <schwardt> |
Severity: | normal | ||
Priority: | P5 | CC: | best, brodersen, gohmann, schwardt |
Version: | UCS@school 3.2 R2 | ||
Target Milestone: | UCS@school 4.3 v4 | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: |
https://forge.univention.org/bugzilla/show_bug.cgi?id=30331 https://forge.univention.org/bugzilla/show_bug.cgi?id=43227 |
||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.137 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | |||
Bug Depends on: | 43227 | ||
Bug Blocks: | |||
Attachments: | This patch removes the "Free printing" option |
Description
Michel Smidt
2014-06-06 16:11:58 CEST
Still reproducible in UCS@school 4.1R2? @Richard: as a first step please try to reprocude Michels findings with a current UCS@school 4.1 R2 v9 with UCS 4.1-4 I've tried to replicate Michel's findings on a UCS@school 4.1R2 system and identified three problems: 1. Changes of a printer's access-control in the "Computer room"-module won't get applied immediately. When I waited ~2min between the steps Michel's first test scenario caused no trouble. 2. The "invalid users" entry won't automatically be removed from /etc/samba/local.config.d/printer.$PRINTER.local.config.conf when it gets removed from /etc/samba/printers.conf.d/$PRINTER . I've opened Bug #43227 for this. 3. The problem in Michel's second test scenario seems to be that the "invalid users" entry (created when modifying access in a printer's "Access control"-tab) in a printer's config file has priority over the "hosts allow" entry (created when modifying access in the "Computer room"-module). According to "$ man smb.conf" of the current samba version this is the wanted behavior (on "invalid users"): "This is really a paranoid check to absolutely ensure an improper setting does not breach your security." Created attachment 8340 [details] This patch removes the "Free printing" option To solve problem 3 from Comment #3 I would suggest removing the "Free printing" option in the "Computer room"-module. There is a Customer ID set so I set the flag "School Customer affected". Regarding comment 3: Please check if all 3 point are still reproducible. If the last point is still reproducible, please check and apply the attached patch. To 1. I cannot reproduce that (correct) behavior. When I have a printer with allowed for all and I deactivate it in the room module I can still print. (The deny host entry is present though). I also restarted samba service to be sure. To 2. I can still reproduce it as well To3. I can still reproduce, patch will be applied. Correction to 1: I must have made some mistake. I restested again today and Number 1 works as expected Package: ucs-school-umc-computerroom Version: 10.0.2-1A~4.3.0.201804261344 [4.3 3a9090d29] Bug #35076: Remove print mode 'all' from test [4.3 fc0371284] Bug #35076: Remove print mode 'all' from test (2) For completeness: Ole removed the printMode "all" that in the past allowed the teacher to allow all users of this room to use all printers, even if the printers ACLs would have refused to use the printer. Since samba does no longer provide a sinple solution to override, the item "all" has been removed. OK: code change OK: functional change FIXED: tests (All test steps were executed, but only if the last test step failed was the script terminated with an error code.) OK: changelog entry FIXED: advisory OK: package built and installable I think a backport to UCS@school 4.2 is not required. Package: ucs-test-ucsschool Version: 5.0.2-67A~4.3.0.201806221609 Branch: ucs_4.3-0 Scope: ucs-school-4.3 UCS@school 4.3 v4 has been released. https://docs.software-univention.de/changelog-ucsschool-4.3v4-de.html If this error occurs again, please clone this bug. |