[python-win32] Unexpected feature in win32security?

Roger Upole rwupole at msn.com
Tue Feb 3 12:34:26 CET 2009


Tim Golden wrote:
> I *think* this is a bug (or at least an unfortunate effect)
> but I'll post here first for a sanity check.
>
> I'm looking at Windows security: descriptors, ACLs, etc. The
> conventional wisdom is that a DACL (or an SACL but less commonly)
> can be one of three things within a security descriptor:
>
> 1) Not there
> 2) There but NULL
> 3) There and a (possibly empty) list of ACEs
>
> When calling the GetSecurityDescriptorDacl Win32 API, the first
> and second situations are distinguished by the lpbDaclPresent
> parameter which receives 0 or 1. From that result, the pDacl
> parameter is either meaningless or NULL/pointer to a list.
>
> Within the win32security module, the GetSecurityDescriptorDacl
> method of the PySECURITY_DESCRIPTOR object returns None in
> both of the first two cases and I can't see any other way to
> distinguish the cases without dropping down to ctypes or a
> hand-built extension.
>

In practice, cases 1 and 2 are functionally identical. Once a security
descriptor has been applied to an object, the SE_DACL_PRESENT flag is
always set. If for some reason you really need this info, you can call
GetSecurityDescriptorControl and check for presence of the
SE_DACL_PRESENT flag.

> The offending code is in PySECURITY_DESCRIPTOR.cpp:
>
> <snippet>
> // get Dacl from SD
> if (!::GetSecurityDescriptorDacl(psd, &bDaclPresent, &pdacl, &bDaclDefaulted))
>     return PyWin_SetAPIError("GetSecurityDescriptorDacl");
>
> if (!bDaclPresent || pdacl == NULL)
> {
>     Py_INCREF(Py_None);
>     return Py_None;
> }
>
> return new PyACL(pdacl);
>
> </snippet>
>
> which returns None, as you see, in either case. The equivalent code
> for SACL does the same thing.
>
>
> I've not got an easy workaround. In general, it's very unlikely that
> a DACL isn't present at all; and it's equally unlikely (I'm not sure
> it's even meaningful) to have a NULL SACL. So I can fudge around things
> a bit. But I'd prefer something more robust. However, it's difficult to
> see what change to suggest without breaking the interface. The only
> possibility I could come up with would be a separate pair of functions
> whose only job would be to report the presence of the ACL in the SD.
> Have I missed anything?
>

It's quite common for either of these to be NULL.
Most often files don't specify their own security, and just inherit from
the parent directory. SACLs are often NULL also, although they
don't show a difference in behaviour between NULL and empty as
DACLs do.

         Roger
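
The three DACL states Tim lists, told apart from the raw bytes of a self-relative security descriptor, as an added example that is not part of the original thread or of pywin32. `classify_dacl` and `build_sd` are hypothetical names and the sample descriptors are constructed (owner and group omitted); the code checks the SE_DACL_PRESENT control flag Roger mentions, then the DACL offset.

```python
import struct

SE_DACL_PRESENT = 0x0004    # control bit: the descriptor carries a DACL field
SE_SELF_RELATIVE = 0x8000   # control bit: fields are offsets, not pointers

# Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
SD_HEADER = struct.Struct("<BBHIIII")
# AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACL_HEADER = struct.Struct("<BBHHH")


def classify_dacl(sd: bytes) -> str:
    """Return 'absent', 'null', 'empty' or 'aces' for a self-relative SD."""
    if len(sd) < SD_HEADER.size:
        raise ValueError("truncated security descriptor")
    revision, _, control, _, _, _, off_dacl = SD_HEADER.unpack_from(sd)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    if not control & SE_DACL_PRESENT:
        return "absent"              # case 1: no DACL in the descriptor
    if off_dacl == 0:
        return "null"                # case 2: present but NULL, nothing is restricted
    if off_dacl + ACL_HEADER.size > len(sd):
        raise ValueError("DACL offset points outside the buffer")
    _, _, acl_size, ace_count, _ = ACL_HEADER.unpack_from(sd, off_dacl)
    if acl_size < ACL_HEADER.size or off_dacl + acl_size > len(sd):
        raise ValueError("inconsistent AclSize")
    return "aces" if ace_count else "empty"   # case 3; empty grants nothing


def build_sd(control: int, acl: bytes = b"") -> bytes:
    """Constructed sample: header only, DACL placed directly after it."""
    off_dacl = SD_HEADER.size if acl else 0
    header = SD_HEADER.pack(1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, off_dacl)
    return header + acl


# Constructed ACCESS_ALLOWED_ACE: read access (0x00120089) for Everyone, S-1-1-0
EVERYONE_SID = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)
READ_ACE = struct.pack("<BBHI", 0, 0, 8 + len(EVERYONE_SID), 0x00120089) + EVERYONE_SID

SAMPLES = {
    "absent": build_sd(0),
    "null": build_sd(SE_DACL_PRESENT),
    "empty": build_sd(SE_DACL_PRESENT, ACL_HEADER.pack(2, 0, 8, 0, 0)),
    "aces": build_sd(SE_DACL_PRESENT, ACL_HEADER.pack(2, 0, 8 + len(READ_ACE), 1, 0) + READ_ACE),
}

if __name__ == "__main__":
    for expected, blob in SAMPLES.items():
        print(f"{expected:7} -> {classify_dacl(blob)}")
```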


