[python-win32] python-win32 Digest, Vol 162, Issue 4

eryk sun eryksun at gmail.com
Fri Sep 23 10:54:19 EDT 2016 

On Fri, Sep 23, 2016 at 2:12 PM, eryk sun <eryksun at gmail.com> wrote:
> Each kernel object type has a GENERIC_MAPPING that maps generic rights
> to sets of standard and object-specific rights. Before doing an
> AccessCheck, generic rights have to be mapped to specific rights via
> MapGenericMask.
>
> For the File type this generic mapping consists of the following values:
>
>         FILE_GENERIC_READ
>         FILE_GENERIC_WRITE
>         FILE_GENERIC_EXECUTE
>         FILE_ALL_ACCESS
>
> If you deny GENERIC_WRITE for a File, that's the same as denying the 6
> rights in FILE_GENERIC_WRITE, which includes the standard SYNCHRONIZE
> and READ_CONTROL rights. You need to mask the value to filter out
> rights that shouldn't be denied. Use the constant SPECIFIC_RIGHTS_ALL,
> which is defined as 0xFFFF (i.e. the lower 16 bits of an access mask
> are reserved for object-specific rights). For example:

For reference, here's an access mask diagram:

     3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
     1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
    +---------------+---------------+-------------------------------+
    |G|G|G|G|Resvd|A| StandardRights|         SpecificRights        |
    |R|W|E|A|     |S|               |                               |
    +-+-------------+---------------+-------------------------------+

    Generic Read
    Generic Write
    Generic Execute
    Generic All
    Reserved: 3
    Access SACL
    Standard Rights: 8
    Specific Rights: 16

The four most significant bits are the generic rights. Before
evaluating an AccessCheck, the system maps generic rights in access
masks to the corresponding standard and specific rights.

Only 5 of the 8 possible standard rights have been assigned:
SYNCHRONIZE (bit 20), WRITE_OWNER, WRITE_DAC, READ_CONTROL, and DELETE
(bit 16).

The File type assigns 9 out of 16 possible specific rights, from
FILE_WRITE_ATTRIBUTES (bit 8) down to FILE_READ_DATA (bit 0). Some
bits have multiple meanings depending on whether the object is a
directory, data file, or named pipe. For example, bit 2 can mean
FILE_ADD_SUBDIRECTORY, FILE_APPEND_DATA, or FILE_CREATE_PIPE_INSTANCE.

More information about the python-win32 mailing list