[python-win32] Replace all child permissions

Goku Balu tfa.signup.test1 at gmail.com
Tue Mar 21 05:57:51 EDT 2017


Hi Eryk,

Thanks for responding. Here's my use case. I deny Write, Delete and
Delete_Child permissions for all folders and files under a particular
folder to make it read-only.

When the user uninstalls our application, we remove the Deny ACE for all
the sub-folders and files under it by iterating the folder.

However, in the UI, this can be easily achieved by removing the Deny ACE for
the top-most parent and checking "Replace all child object permissions with
inheritable permissions from this object" and clicking Yes in the warning
dialog. I wonder if this could be done programmatically?

Regards,
Goku


On Tue, Mar 21, 2017 at 3:16 AM, eryk sun <eryksun at gmail.com> wrote:

> On Mon, Mar 20, 2017 at 3:13 PM, Goku Balu <tfa.signup.test1 at gmail.com>
> wrote:
> >
> > Is there any way to do "Replace all child object permissions with inheritable
> > permissions from this object" programmatically using PyWin32? I found out
> > that this resets the permissions for all the sub-folders and files deep-down
> > even though the permissions are set separately.
> >
> > import win32security
> >
> > def remove_permission(path):
> >     sd = win32security.GetFileSecurity(
> >         path, win32security.DACL_SECURITY_INFORMATION)
> >     dacl = sd.GetSecurityDescriptorDacl()  # instead of dacl = win32security.ACL()
> >     win32security.SetNamedSecurityInfo(
> >         path, win32security.SE_FILE_OBJECT,
> >         win32security.DACL_SECURITY_INFORMATION |
> >         win32security.UNPROTECTED_DACL_SECURITY_INFORMATION,
> >         None, None, dacl, None)
> >
> > I tried this on a folder. But didn't work.
>
> The docs for SetNamedSecurityInfo state the following:
>
>     If you are setting the discretionary access control list (DACL)
>     or any elements in the system access control list (SACL) of an
>     object, the system automatically propagates any inheritable
>     access control entries (ACEs) to existing child objects,
>     according to the rules of inheritance.
>
> It works for me when I add an inheritable ACE that denies execute
> access to files under a given directory, e.g.
>
>     dacl.AddAccessDeniedAceEx(
>         win32security.ACL_REVISION_DS,
>         win32security.INHERIT_ONLY_ACE |
>         win32security.OBJECT_INHERIT_ACE,
>         ntsecuritycon.FILE_EXECUTE,
>         win32security.LookupAccountName(None, name)[0])
>
> SetNamedSecurityInfo propagates the ACE to a file that's in a
> subdirectory of the target path.
>
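
An added example, not part of the original thread: one way to script the uninstall step described above by deleting only the explicit Deny ACE from each object and letting SetNamedSecurityInfo re-propagate inheritable ACEs. The function names are hypothetical, and DENY_MASK assumes "Write, Delete and Delete_Child" means FILE_WRITE_DATA | DELETE | FILE_DELETE_CHILD; unlike the GUI checkbox, other explicit ACEs on children are left in place.

```python
import os

# Values from winnt.h, repeated here so the selection logic runs without
# pywin32; win32security and ntsecuritycon export the same names.
ACCESS_DENIED_ACE_TYPE, INHERITED_ACE = 0x01, 0x10
FILE_WRITE_DATA, FILE_DELETE_CHILD, DELETE = 0x0002, 0x0040, 0x00010000
# Assumption: the exact mask that was denied at install time.
DENY_MASK = FILE_WRITE_DATA | FILE_DELETE_CHILD | DELETE


def explicit_deny_indexes(aces, mask=DENY_MASK):
    """Indexes, highest first, of explicit deny ACEs whose mask equals `mask`.
    `aces` items look like PyACL.GetAce() results: ((type, flags), mask, ...)."""
    hits = []
    for i, ace in enumerate(aces):
        (ace_type, ace_flags), ace_mask = ace[0], ace[1]
        if ace_type != ACCESS_DENIED_ACE_TYPE or ace_mask != mask:
            continue  # exact match only, so unrelated deny ACEs survive
        if ace_flags & INHERITED_ACE:
            continue  # owned by an ancestor; cleared when the ancestor is fixed
        hits.append(i)
    return hits[::-1]  # delete from the end so earlier indexes stay valid


def strip_deny(path, mask=DENY_MASK):
    """Remove matching explicit deny ACEs from one object; True if it changed."""
    import win32security as ws  # Windows only, so imported lazily
    sd = ws.GetNamedSecurityInfo(path, ws.SE_FILE_OBJECT, ws.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        return False  # NULL DACL, nothing to remove
    doomed = explicit_deny_indexes(
        [dacl.GetAce(i) for i in range(dacl.GetAceCount())], mask)
    for i in doomed:
        dacl.DeleteAce(i)
    if doomed:  # rewriting a directory's DACL also re-propagates to its children
        ws.SetNamedSecurityInfo(path, ws.SE_FILE_OBJECT,
                                ws.DACL_SECURITY_INFORMATION, None, None, dacl, None)
    return bool(doomed)


def strip_deny_tree(root, mask=DENY_MASK):
    """Top-down walk: a parent is fixed before anything beneath it."""
    changed = [root] if strip_deny(root, mask) else []
    for folder, subdirs, files in os.walk(root):
        for name in subdirs + files:
            if strip_deny(os.path.join(folder, name), mask):
                changed.append(os.path.join(folder, name))
    return changed
```

The returned list of changed paths is worth logging, since it records exactly which objects had an access restriction lifted.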