You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
59 lines
3.0 KiB
59 lines
3.0 KiB
import win32security,win32file,win32api,ntsecuritycon,win32con, os
|
|
from win32security import ACL_REVISION_DS, CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE, \
|
|
PROTECTED_DACL_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION, \
|
|
OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION, SE_FILE_OBJECT
|
|
|
|
## SE_SECURITY_NAME needed to access SACL, SE_RESTORE_NAME needed to change owner to someone other than yourself
|
|
new_privs = ((win32security.LookupPrivilegeValue('',ntsecuritycon.SE_SECURITY_NAME),win32con.SE_PRIVILEGE_ENABLED),
|
|
(win32security.LookupPrivilegeValue('',ntsecuritycon.SE_RESTORE_NAME),win32con.SE_PRIVILEGE_ENABLED),
|
|
)
|
|
ph = win32api.GetCurrentProcess()
|
|
th = win32security.OpenProcessToken(ph,win32security.TOKEN_ALL_ACCESS|win32con.TOKEN_ADJUST_PRIVILEGES)
|
|
modified_privs=win32security.AdjustTokenPrivileges(th,0,new_privs)
|
|
|
|
## look up a few sids that should be available on most systems
|
|
my_sid = win32security.GetTokenInformation(th,ntsecuritycon.TokenUser)[0]
|
|
pwr_sid = win32security.LookupAccountName('','Power Users')[0]
|
|
admin_sid = win32security.LookupAccountName('','Administrators')[0]
|
|
everyone_sid=win32security.LookupAccountName('','EveryOne')[0]
|
|
|
|
## create a dir and set security so Everyone has read permissions, and all files and subdirs inherit its ACLs
|
|
temp_dir=win32api.GetTempPath()
|
|
dir_name=win32api.GetTempFileName(temp_dir,'sfa')[0]
|
|
os.remove(dir_name)
|
|
os.mkdir(dir_name)
|
|
dir_dacl=win32security.ACL()
|
|
dir_dacl.AddAccessAllowedAceEx(ACL_REVISION_DS, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE, win32con.GENERIC_READ, everyone_sid)
|
|
## make sure current user has permissions on dir
|
|
dir_dacl.AddAccessAllowedAceEx(ACL_REVISION_DS, CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE, win32con.GENERIC_ALL, my_sid)
|
|
## keep dir from inheriting any permissions so it only has ACEs explicitely set here
|
|
win32security.SetNamedSecurityInfo(dir_name, SE_FILE_OBJECT,
|
|
OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_INFORMATION,
|
|
pwr_sid, pwr_sid, dir_dacl, None)
|
|
|
|
## Create a file in the dir and add some specific permissions to it
|
|
fname=win32api.GetTempFileName(dir_name,'sfa')[0]
|
|
print(fname)
|
|
file_sd=win32security.GetNamedSecurityInfo(fname, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION)
|
|
file_dacl=file_sd.GetSecurityDescriptorDacl()
|
|
file_sacl=file_sd.GetSecurityDescriptorSacl()
|
|
|
|
if file_dacl is None:
|
|
file_dacl=win32security.ACL()
|
|
if file_sacl is None:
|
|
file_sacl=win32security.ACL()
|
|
|
|
file_dacl.AddAccessDeniedAce(file_dacl.GetAclRevision(),win32con.DELETE,admin_sid)
|
|
file_dacl.AddAccessDeniedAce(file_dacl.GetAclRevision(),win32con.DELETE,my_sid)
|
|
file_dacl.AddAccessAllowedAce(file_dacl.GetAclRevision(),win32con.GENERIC_ALL,pwr_sid)
|
|
file_sacl.AddAuditAccessAce(file_dacl.GetAclRevision(),win32con.GENERIC_ALL,my_sid,True,True)
|
|
|
|
win32security.SetNamedSecurityInfo(fname, SE_FILE_OBJECT,
|
|
DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION,
|
|
None, None, file_dacl, file_sacl)
|
|
|
|
win32security.AdjustTokenPrivileges(th, 0, modified_privs)
|
|
|
|
|
|
|