Some win32security questions

Mark Hammond mhammond at skippinet.com.au
Sun Feb 9 16:58:57 EST 2003


Dmitry Bely wrote:
> I am trying to write a script to set some file ACLs. This seems to be
> surprisingly complicated when compared, say, to Perl or Visual Basic. I
> realize that Python libraries are direct wrappers to WIN32 API -- this is
> not a problem, I simply cannot find the way to do some things. Maybe I am
> missing something?
> 
> 1. I would like to get the SID of "Domain Admins" group in my domain. As
> "Domain Admins" has predefined RID (DOMAIN_GROUP_RID_ADMINS), I would think
> there is a way to combine it with domain's SID to get resulting SID --
> something like this:
> 
> sidAdmins = win32security.LookupAccountName(None,"mydomain")[0]
> sidUser.SetSubAuthority(4, ntsecuritycon.DOMAIN_GROUP_RID_ADMINS)
> 
> Unfortunately, this does not work ("The index is out of range"). Is it
> possible to *append* SubAuthority to the existing SID?
> 
> 2. Python has AddAccessAllowedAce()/AddAccessDeniedAce() function wrappers,
> but not their *Ex() variants. So I cannot specify inheritance flags
> (CONTAINER_INHERIT_ACE etc.). Why *Ex() variants are not implemented?

Unfortunately, the reality is that no one who knows much about Win32 
security has had any input into these wrappers.  I know SFA about this 
API, and have used it about 3 times, each time directly copying some 
sample C++ code.

If you have the energy and inclination, mail me and we could come up 
with a list of what is missing and the best way to tackle it.

Mark.





More information about the Python-list mailing list