How to authorize/deny write access to a directory on Windows using Python? -
i able authorize or deny write access specific directory on windows xp , more.
i tried following, , don't work:
os.chmod(): file read-only attribute can specified, see python's doc win32api.setfileattribute() file_attribute_readonly: file read-only. [...] attribute not honored on directories, see msdn's setfileattribute it looks alternative have access , update "security info" of directory, i've tried several hours done without much success (i'm unfamiliar win32 api).
any ideas on how that?
this challenging thing do. i've started this great answer helps similar thing.
you can start listing acls directory, done using code:
class="lang-python prettyprint-override">import win32security import ntsecuritycon con filename = r'd:\tmp\acc_test' sd = win32security.getfilesecurity(filename, win32security.dacl_security_information) dacl = sd.getsecuritydescriptordacl() ace_count = dacl.getacecount() print('ace count:', ace_count) in range(0, ace_count): rev, access, usersid = dacl.getace(i) user, group, type = win32security.lookupaccountsid('', usersid) print('user: {}/{}'.format(group, user), rev, access) you can find method pyacl.getacecount() returns number of aces.
the getace(i) function returns access_allowed_ace header tuple:
ace_header - 2 integers acetype, aceflags - trial , error showed me aceflags set 11 meant inherit privileges , 3 not inherited access_mask - detailed list here or in ntsecuritycon.py sid now able read old aces , deleting old ones quite simple:
class="lang-python prettyprint-override">for in range(0, ace_count): dacl.deleteace(0) and after can add together privileges calling addaccessallowedaceex() [msdn]:
userx, domain, type = win32security.lookupaccountname ("", "your.user") usery, domain, type = win32security.lookupaccountname ("", "other.user") dacl.addaccessallowedaceex(win32security.acl_revision, 3, 2032127, userx) # total command dacl.addaccessallowedaceex(win32security.acl_revision, 3, 1179785, usery) # read sd.setsecuritydescriptordacl(1, dacl, 0) # may not necessary win32security.setfilesecurity(filename, win32security.dacl_security_information, sd) i've taken numbers 3, 2032127 , 1179785 listing in first half of script (before running script i've set privileges in explorer->right click->properties->security->advanced):
just illustrative image borrowed http://technet.microsoft.com/
class="lang-none prettyprint-override">user: domain/user (0, 3) 2032127 user: domain/user2 (0, 3) 1179785 but corresponds to:
3 ->object_inherit_ace|container_inherit_ace 2032127 -> file_all_access (well, con.file_all_access = 2032639, 1 time apply on file , read you'll 2032127; difference 512 - 0x0200 - constant haven't found in ntsecuritycon.py/file security permissions) 1179785 -> file_generic_read you can remove access, alter or remove should solid start you.
tl;dr - codes class="lang-python prettyprint-override">import win32security import ntsecuritycon con filename = r'd:\tmp\acc_test' userx, domain, type = win32security.lookupaccountname ("", "your.user") usery, domain, type = win32security.lookupaccountname ("", "other.user") sd = win32security.getfilesecurity(filename, win32security.dacl_security_information) dacl = sd.getsecuritydescriptordacl() ace_count = dacl.getacecount() print('ace count:', ace_count) # listing in range(0, ace_count): rev, access, usersid = dacl.getace(i) user, group, type = win32security.lookupaccountsid('', usersid) print('user: {}/{}'.format(group, user), rev, access) # removing old ones in range(0, ace_count): dacl.deleteace(0) # add together total command user x dacl.addaccessallowedaceex(win32security.acl_revision, con.object_inherit_ace|con.container_inherit_ace, con.file_all_access, userx) # add together read access user y dacl.addaccessallowedaceex(win32security.acl_revision, con.object_inherit_ace|con.container_inherit_ace, con.file_generic_read, usery) sd.setsecuritydescriptordacl(1, dacl, 0) # may not necessary win32security.setfilesecurity(filename, win32security.dacl_security_information, sd) mini utility finish ace listing i wrote little script parsing file aces:
class="lang-python prettyprint-override">import win32security import ntsecuritycon con import sys # list of file masks interesting access_masks = ['file_read_data', 'file_list_directory', 'file_write_data', 'file_add_file', 'file_append_data', 'file_add_subdirectory', 'file_create_pipe_instance', 'file_read_ea', 'file_write_ea', 'file_execute', 'file_traverse', 'file_delete_child', 'file_read_attributes', 'file_write_attributes', 'file_all_access', 'file_generic_read', 'file_generic_write', 'file_generic_execute'] # list of inheritance flags ace_flags = ['object_inherit_ace', 'container_inherit_ace', 'no_propagate_inherit_ace', 'inherit_only_ace'] # list of ace types ace_types = ['access_min_ms_ace_type', 'access_allowed_ace_type', 'access_denied_ace_type', 'system_audit_ace_type', 'system_alarm_ace_type', 'access_max_ms_v2_ace_type', 'access_allowed_compound_ace_type', 'access_max_ms_v3_ace_type', 'access_min_ms_object_ace_type', 'access_allowed_object_ace_type', 'access_denied_object_ace_type', 'system_audit_object_ace_type', 'system_alarm_object_ace_type', 'access_max_ms_object_ace_type', 'access_max_ms_v4_ace_type', 'access_max_ms_ace_type', 'access_allowed_callback_ace_type', 'access_denied_callback_ace_type', 'access_allowed_callback_object_ace_type', 'access_denied_callback_object_ace_type', 'system_audit_callback_ace_type', 'system_alarm_callback_ace_type', 'system_audit_callback_object_ace_type', 'system_alarm_callback_object_ace_type', 'system_mandatory_label_ace_type', 'access_max_ms_v5_ace_type'] ################################################################################ def get_ace_types_str(ace_type): ''' yields matching ace types strings ''' t in ace_types: if getattr(con, t) == ace_type: yield t ################################################################################ def get_ace_flags_str(ace_flag): ''' yields matching ace flags strings ''' t in ace_flags: attr = getattr(con, t) if (attr & ace_flag) == attr: yield t ################################################################################ def get_access_mask_str(access_mask): ''' yields matching ace flags strings ''' t in access_masks: attr = getattr(con, t) if (attr & access_mask) == attr: yield t ################################################################################ def list_file_ace(filename): ''' method listing of file aces ''' # load info sd = win32security.getfilesecurity(filename, win32security.dacl_security_information) dacl = sd.getsecuritydescriptordacl() # print ace count ace_count = dacl.getacecount() print('file', filename, 'has', ace_count, 'aces') # go trough individual aces in range(0, ace_count): (ace_type, ace_flag), access_mask, usersid = dacl.getace(i) user, group, usertype = win32security.lookupaccountsid('', usersid) print('\tuser: {}\\{}'.format(group, user)) print('\t\tace type ({}):'.format(ace_type), '; '.join(get_ace_types_str(ace_type))) print('\t\tace flags ({}):'.format(ace_flag), ' | '.join(get_ace_flags_str(ace_flag))) print('\t\taccess mask ({}):'.format(access_mask), ' | '.join(get_access_mask_str(access_mask))) print() ################################################################################ # execute defaults if __name__ == '__main__': filename in sys.argv[1:]: list_file_ace(filename) print() it prints out strings this:
class="lang-none prettyprint-override">d:\tmp>acc_list.py d:\tmp d:\tmp\main.bat file d:\tmp has 8 aces user: builtin\administrators ace type (0): access_min_ms_ace_type; access_allowed_ace_type ace flags (0): access mask (2032127): file_read_data | file_list_directory | file_write_data | file_add_file | file_append_data | file_add_subdirectory | file_create_pipe_instance | file_read_ea | file_write_ea | file_execute | file_traverse | file_delete_child | file_read_attributes | file_write_attributes | file_generic_read | file_generic_write | file_generic_execute ... python windows winapi authorization
No comments:
Post a Comment