[python-win32] Replace all child permissions
eryk sun
eryksun at gmail.com
Mon Mar 20 17:46:18 EDT 2017
On Mon, Mar 20, 2017 at 3:13 PM, Goku Balu <tfa.signup.test1 at gmail.com> wrote:
>
> Is there anyway to do "Replace all child object permissions with inheritable
> permissions from this object" programatically using PyWin32. I found out
> that this resets the permissions for all the sub-folders and files deep-down
> even though the permissions are set separately.
>
> def remove_permission(path):
> sd = win32security.GetFileSecurity(path,
> win32security.DACL_SECURITY_INFORMATION)
> dacl = sd.GetSecurityDescriptorDacl() # instead of dacl =
> win32security.ACL()
> win32security.SetNamedSecurityInfo(path, win32security.SE_FILE_OBJECT,
> win32security.DACL_SECURITY_INFORMATION |
> win32security.UNPROTECTED_DACL_SECURITY_INFORMATION, None, None, dacl, None)
>
> I tried this on a folder. But didn't work.
The docs for SetNamedSecurityInfo state the following:
If you are setting the discretionary access control list (DACL)
or any elements in the system access control list (SACL) of an
object, the system automatically propagates any inheritable
access control entries (ACEs) to existing child objects,
according to the rules of inheritance.
It works for me when I add an inheritable ACE that denies execute
access to files under a given directory, e.g.
dacl.AddAccessDeniedAceEx(
win32security.ACL_REVISION_DS,
win32security.INHERIT_ONLY_ACE |
win32security.OBJECT_INHERIT_ACE,
ntsecuritycon.FILE_EXECUTE,
win32security.LookupAccountName(None, name)[0])
SetNamedSecurityInfo propagates the ACE to a file that's in a
subdirectory of the target path.
More information about the python-win32
mailing list