[python-win32] Issue with taking ownership

Tim Golden mail at timgolden.me.uk
Tue Jan 21 20:45:26 CET 2014


On 21/01/2014 15:36, Joseph L. Casale wrote:
> I have a scenario where I have a directory owned by localhost\Administrators with
> that group and SYSTEM set to full control without inheritance propagated.
>
> Under this, I have a folder owned by another account with only that account granted
> full control.
>
> If I elevate my token and run:
>
> win32security.SetNamedSecurityInfo(
>      path,
>      win32security.SE_FILE_OBJECT,
>      win32security.OWNER_SECURITY_INFORMATION,
>      owner.sid,
>      None,
>      None,
>      None
> )
>
> from the account that has full control (and originally owned it), I can view the new owner.

Just by way of a slightly cheeky plug, this is how you'd take ownership 
using Winsys [1] (from an elevated prompt for simplicity's sake):

<code>
from winsys import fs

fs.dir("c:/temp/ownership").take_ownership()

</code>

The .dump() thing is just a convenience method to show what the security 
looks like.

Even under the covers, that's just a shorthand for:

<code>
from winsys import fs, security

d = fs.dir("c:/temp/ownership")
with d.security(options=None) as s:
   s.owner = security.me()

</code>

Having acquired ownership, to take full control:

<code>
from winsys import fs, security

fs.dir("c:/temp/ownership").take_control()

#
# shorthand for
#
#with fs.dir("c:/temp/ownership").security(options="d") as s:
#  s.dacl.append(("tim", "F", "allow"))

</code>

Note that all this could be knocked sideways by the newer 
OWNER_SID-based ACEs which can deny even the Owner the possibility of 
affecting DACLs.

TJG

[1] https://github.com/tjguk/winsys

(Why, yes, it hasn't been updated for well over a year, but I'm always 
happy to have the excuse...)
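
The closing caveat about OWNER_SID-based ACEs can be checked before relying on take_ownership() followed by take_control(). The following is an added example, not part of the original message and not Winsys code: it reads a security descriptor in SDDL form and reports what any OWNER RIGHTS ACE (SID S-1-3-4, SDDL alias "OW") does to the owner's WRITE_DAC right. The function names and the SDDL strings are constructed for illustration, and conditional ACEs are assumed absent.

```python
import re

OWNER_RIGHTS = {"OW", "S-1-3-4"}   # SDDL alias and SID of OWNER RIGHTS
WRITE_DAC, GENERIC_ALL = 0x00040000, 0x10000000


def pairs(s):
    """Split an SDDL flags/rights string into its two-letter codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def includes_write_dac(rights):
    """True if an SDDL rights field (hex mask or letter codes) covers WRITE_DAC."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (WRITE_DAC | GENERIC_ALL))
    return any(code in ("WD", "FA", "GA") for code in pairs(rights))


def owner_write_dac(sddl):
    """Classify the effect of OWNER RIGHTS ACEs on the owner's WRITE_DAC.

    implicit   - no such ACE, the owner keeps the implicit READ_CONTROL/WRITE_DAC
    allowed    - an allow ACE for OWNER RIGHTS grants WRITE_DAC
    suppressed - ACEs exist but none grants WRITE_DAC, so the implicit right is gone
    denied     - a deny ACE for OWNER RIGHTS covers WRITE_DAC
    Only OWNER RIGHTS ACEs are examined; the owner may still hold WRITE_DAC
    through another ACE that matches their own SID or groups.
    """
    m = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    seen = False
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")   # type;flags;rights;object;inherit_object;trustee
        if len(f) != 6 or f[0] not in ("A", "D") or f[5] not in OWNER_RIGHTS:
            continue
        if "IO" in pairs(f[1]):   # inherit-only: does not apply to this object
            continue
        seen = True
        if includes_write_dac(f[2]):   # first ACE covering WRITE_DAC decides
            return "allowed" if f[0] == "A" else "denied"
    return "suppressed" if seen else "implicit"


if __name__ == "__main__":
    # Constructed sample descriptors, not taken from a real system.
    for sddl in ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)",
                 "O:BAG:SYD:PAI(A;;RC;;;OW)(A;OICI;FA;;;SY)",
                 "O:BAG:SYD:(D;;WD;;;S-1-3-4)(A;;FA;;;BA)"):
        print(owner_write_dac(sddl), sddl)
```

A result of "suppressed" or "denied" means that becoming the owner does not by itself confer the ability to rewrite the DACL.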

