Changing directory ACLs

Mark Hammond MarkH at ActiveState.com
Tue Jun 20 20:19:08 EDT 2000


"Albert Hopkins" <ahopkins at ahopkins.dynacare.com> wrote in message
news:slrn8kv94e.44t.ahopkins at ahopkins.dynacare.com...

> Check the win32security module.  I've never used it, but it appears to
> have what you're looking for.

Yes, I'm confident that win32security, plus the pywintypes module for
direct access to security objects, will do what you want.

The "problem" is that Python makes no attempt to make it easier than it is
in C/C++.  There is a fair bit of magic to weave, involving a number of
steps to successfully create the ACLs, ACEs and SDs!  Getting the code
wrong can cause a few problems ;-)

There are no "nice" wrappers around this stuff simply because I personally
don't have the experience with them.  The few times I need to do
security-related things I search MSDN for C sample code, and translate it
to the relevant win32security/pywintypes calls.

As an example of the verbosity required, below is some code from the book
examples <plug>Chapter 16 - Windows NT Administration</plug> that simply
creates a security descriptor ready to be applied to the necessary object.
(In fact, this is probably a reasonable percentage of what you need)

Mark.

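import ntsecuritycon
import win32file
import win32security

# Assumption: serverName is defined elsewhere in the book's example.
# None makes LookupAccountName resolve the name on the local machine.
serverName = None

# A utility function that creates an NT security object for a user.
def CreateUserSecurityDescriptor(userName):
    # LookupAccountName returns (sid, domain, accountType); keep the SID.
    sidUser = win32security.LookupAccountName(serverName, userName)[0]
    sd = win32security.SECURITY_DESCRIPTOR()

    # Create the "well known" SID for the administrators group
    subAuths = ntsecuritycon.SECURITY_BUILTIN_DOMAIN_RID, \
               ntsecuritycon.DOMAIN_ALIAS_RID_ADMINS
    sidAdmins = win32security.SID(ntsecuritycon.SECURITY_NT_AUTHORITY,
                                  subAuths)

    # Now set the ACL, giving user and admin full access.
    # 128 is the size in bytes of the buffer reserved for the ACL.
    acl = win32security.ACL(128)
    acl.AddAccessAllowedAce(win32file.FILE_ALL_ACCESS, sidUser)
    acl.AddAccessAllowedAce(win32file.FILE_ALL_ACCESS, sidAdmins)

    # Arguments: DACL present = 1, the ACL, DACL defaulted = 0.
    sd.SetSecurityDescriptorDacl(1, acl, 0)
    return sd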
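
The ACL(128) call above reserves a 128-byte buffer for the two ACEs. As an added example (not part of the original post or the book's code), the following pure-Python code packs the same two-entry DACL by hand and parses it back, showing the binary SID, ACE and ACL layouts behind those calls. The helper names and the user SID are constructed for illustration; it needs no pywin32 and runs on any platform.

```python
import struct

FILE_ALL_ACCESS = 0x1F01FF       # value from winnt.h
ACCESS_ALLOWED_ACE_TYPE = 0
ACL_REVISION = 2

def sid_to_bytes(sid):
    """Pack a string SID such as 'S-1-5-32-544' into the binary SID layout."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")              # authority: 6 bytes, big-endian
            + struct.pack("<%dI" % len(subs), *subs))   # sub-authorities: little-endian

def bytes_to_sid(raw):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def allowed_ace(mask, sid, flags=0):
    # flags=0 matches AddAccessAllowedAce, which sets no inheritance flags.
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    # ACE_HEADER: type, flags, total ACE size in bytes
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, flags, 4 + len(body)) + body

def build_acl(aces):
    blob = b"".join(aces)
    # ACL header: revision, padding, total size, ACE count, padding
    return struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(blob), len(aces), 0) + blob

def parse_acl(raw):
    """Decode allow/deny ACEs into (type, flags, mask, sid) tuples."""
    _, _, size, count, _ = struct.unpack_from("<BBHHH", raw, 0)
    entries, offset = [], 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", raw, offset)
        if ace_size < 8 or offset + ace_size > min(size, len(raw)):
            raise ValueError("ACE runs past the end of the ACL")
        mask, = struct.unpack_from("<I", raw, offset + 4)
        sid = bytes_to_sid(raw[offset + 8:offset + ace_size])
        entries.append((ace_type, flags, mask, sid))
        offset += ace_size
    return entries

# Constructed sample SIDs: a made-up domain user and BUILTIN\Administrators.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
ADMINS_SID = "S-1-5-32-544"
DACL = build_acl([allowed_ace(FILE_ALL_ACCESS, USER_SID),
                  allowed_ace(FILE_ALL_ACCESS, ADMINS_SID)])
```

The packed DACL is 68 bytes, so it fits the 128-byte buffer. Both ACEs carry a flags byte of 0, which means that on a directory they are not inherited by files or subdirectories created later.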