[python-win32] Replace all child permissions
Goku Balu
tfa.signup.test1 at gmail.com
Tue Mar 21 05:57:51 EDT 2017
Hi Eryk,
Thanks for responding. Here's my use case. I deny Write, Delete and
Delete_Child permissions for all folders and files under a particular
folder to make it read-only.
When the user uninstalls our application, we remove the Deny ACE for all
the sub-folders and files under it by iterating the folder.
However, in the UI, this can be easily achieved by removing the Deny ACE for
top-most parent and checking "Replace all child object permissions with
inheritable permissions from this object" and clicking Yes in the warning
dialog. I wonder if this could be done programmatically?
Regards,
Goku
On Tue, Mar 21, 2017 at 3:16 AM, eryk sun <eryksun at gmail.com> wrote:
> On Mon, Mar 20, 2017 at 3:13 PM, Goku Balu <tfa.signup.test1 at gmail.com>
> wrote:
> >
> > Is there any way to do "Replace all child object permissions with inheritable
> > permissions from this object" programmatically using PyWin32. I found out
> > that this resets the permissions for all the sub-folders and files deep-down
> > even though the permissions are set separately.
> >
> > def remove_permission(path):
> >     sd = win32security.GetFileSecurity(
> >         path, win32security.DACL_SECURITY_INFORMATION)
> >     dacl = sd.GetSecurityDescriptorDacl()  # instead of dacl = win32security.ACL()
> >     win32security.SetNamedSecurityInfo(
> >         path, win32security.SE_FILE_OBJECT,
> >         win32security.DACL_SECURITY_INFORMATION |
> >         win32security.UNPROTECTED_DACL_SECURITY_INFORMATION,
> >         None, None, dacl, None)
> >
> > I tried this on a folder. But didn't work.
>
> The docs for SetNamedSecurityInfo state the following:
>
> If you are setting the discretionary access control list (DACL)
> or any elements in the system access control list (SACL) of an
> object, the system automatically propagates any inheritable
> access control entries (ACEs) to existing child objects,
> according to the rules of inheritance.
>
> It works for me when I add an inheritable ACE that denies execute
> access to files under a given directory, e.g.
>
>     dacl.AddAccessDeniedAceEx(
>         win32security.ACL_REVISION_DS,
>         win32security.INHERIT_ONLY_ACE |
>             win32security.OBJECT_INHERIT_ACE,
>         ntsecuritycon.FILE_EXECUTE,
>         win32security.LookupAccountName(None, name)[0])
>
> SetNamedSecurityInfo propagates the ACE to a file that's in a
> subdirectory of the target path.
>
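
An added example, not code from either poster or from PyWin32 itself: one way to approximate the dialog option discussed above is to delete the explicit Deny ACEs from the top folder, then give every child an empty DACL with the unprotected flag. The function names `explicit_deny_indexes` and `reset_tree` are hypothetical, and the example assumes that an empty, unprotected DACL leaves a child with only the ACEs it inherits.

```python
import os

# winnt.h values, defined locally so the helper can be exercised without pywin32.
ACCESS_DENIED_ACE_TYPE = 1
INHERITED_ACE = 0x10


def explicit_deny_indexes(aces, sid):
    """Indexes of explicit (not inherited) Deny ACEs for sid, highest first.

    aces holds tuples as returned by PyACL.GetAce: the first item is
    (ace_type, ace_flags) and the last item is the trustee SID.
    """
    hits = []
    for i, ace in enumerate(aces):
        (ace_type, flags), ace_sid = ace[0], ace[-1]
        if (ace_type == ACCESS_DENIED_ACE_TYPE
                and not flags & INHERITED_ACE and ace_sid == sid):
            hits.append(i)
    return sorted(hits, reverse=True)  # delete from the end so indexes stay valid


def reset_tree(top, sid):
    """Windows only: drop sid's Deny ACEs on top, then reset every child."""
    import win32security as ws  # imported lazily; requires pywin32

    sd = ws.GetNamedSecurityInfo(top, ws.SE_FILE_OBJECT,
                                 ws.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is not None:  # None means a NULL DACL, so there is nothing to delete
        aces = [dacl.GetAce(i) for i in range(dacl.GetAceCount())]
        for i in explicit_deny_indexes(aces, sid):
            dacl.DeleteAce(i)
        ws.SetNamedSecurityInfo(top, ws.SE_FILE_OBJECT,
                                ws.DACL_SECURITY_INFORMATION,
                                None, None, dacl, None)

    # Empty DACL + UNPROTECTED flag: the child keeps no explicit ACEs and
    # is left with what it inherits (assumption stated in the lead-in).
    info = (ws.DACL_SECURITY_INFORMATION |
            ws.UNPROTECTED_DACL_SECURITY_INFORMATION)
    for root, dirs, files in os.walk(top):  # top-down: parents before children
        for name in dirs + files:
            ws.SetNamedSecurityInfo(os.path.join(root, name), ws.SE_FILE_OBJECT,
                                    info, None, None, ws.ACL(), None)
```

Resetting a child this way also discards any other explicit ACEs set on it, not only the Deny entries, so it suits trees whose per-object permissions are all meant to be thrown away.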