[python-win32] How can I restrict users from changing ACE?

eryk sun eryksun at gmail.com
Thu Oct 6 12:01:06 EDT 2016


On Thu, Oct 6, 2016 at 11:36 AM, Francoi Xavier <francoi.xa1 at gmail.com> wrote:
> I've just started learning about windows ACL and file permissions. The task
> here is to make a file/folder read-only and should get deleted/modified only
> through our client software. I've denied Write, Delete and other permissions
> for the Lookup Name Everyone which generally restricted users from changing
> the files/folders.

Don't forget to also deny FILE_DELETE_CHILD access on the directory.
Otherwise a user with that right can delete files even when the DACL
otherwise denies delete access.

> But the current user who also happens to be the creator/owner of the
> file/folder can delete the ACE which has been added and he can gain complete
> access rights. Is there a way to restrict this behaviour so that users
> cannot change the file access permissions?

In Vista and later (NT 6+) you can deny WRITE_DAC access to the "OWNER
RIGHTS" security principal. The owner of the object won't be able to
modify the permissions.
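A worked example of the two points in this reply (deny FILE_DELETE_CHILD on the directory; deny WRITE_DAC to the OWNER RIGHTS principal, SID S-1-3-4), added here and not part of the thread. The first part is a small model of DACL evaluation in plain Python, so the effect of each ACE can be checked on any platform; the second applies the same ACEs to a real directory through pywin32's win32security and ntsecuritycon modules (Windows only). The user SID, the default allow ACEs and the helper names (`access_check`, `can_delete_file`, `build_descriptors`, `apply_hardened_dacl`) are constructed for this example.

```python
from dataclasses import dataclass

# Access-mask bits (values from winnt.h; ntsecuritycon exposes the same names).
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
FILE_WRITE_DATA = 0x00000002
FILE_DELETE_CHILD = 0x00000040

# Well-known SIDs, plus a constructed SID for the logged-on user (the owner).
EVERYONE = "S-1-1-0"
OWNER_RIGHTS = "S-1-3-4"
USER = "S-1-5-21-1000-2000-3000-1001"

@dataclass
class Ace:
    deny: bool
    sid: str
    mask: int

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list  # Ace objects in canonical order: explicit denies first

def access_check(sd, token_sids, requested):
    """Model of AccessCheck. ACEs are read in order: a matching deny that overlaps
    still-ungranted requested bits fails the check, matching allows accumulate bits.
    The owner implicitly gets READ_CONTROL and WRITE_DAC, except when an OWNER RIGHTS
    ACE exists: then the owner is evaluated as S-1-3-4 and gets only what it says."""
    effective = set(token_sids)
    granted = 0
    if sd.owner in token_sids:
        if any(a.sid == OWNER_RIGHTS for a in sd.dacl):
            effective.add(OWNER_RIGHTS)
        else:
            granted |= READ_CONTROL | WRITE_DAC
    for ace in sd.dacl:
        if ace.sid not in effective:
            continue
        if ace.deny:
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask
        if granted & requested == requested:
            return True
    return granted & requested == requested

def can_delete_file(dir_sd, file_sd, token_sids):
    """NTFS allows the delete if the caller holds DELETE on the file itself
    or FILE_DELETE_CHILD on the containing directory; either one suffices."""
    return (access_check(file_sd, token_sids, DELETE)
            or access_check(dir_sd, token_sids, FILE_DELETE_CHILD))

def build_descriptors(deny_delete_child, deny_owner_write_dac):
    """(directory, file) descriptors for the poster's setup: Everyone is denied
    write/delete, the owner keeps a typical default allow ACE, and the two fixes
    from the reply can be switched on individually."""
    def denies(extra=0):
        aces = []
        if deny_owner_write_dac:
            aces.append(Ace(True, OWNER_RIGHTS, WRITE_DAC))
        aces.append(Ace(True, EVERYONE, DELETE | FILE_WRITE_DATA | extra))
        return aces
    dir_allow = Ace(False, USER, READ_CONTROL | DELETE | FILE_WRITE_DATA | FILE_DELETE_CHILD)
    file_allow = Ace(False, USER, READ_CONTROL | DELETE | FILE_WRITE_DATA)
    dir_sd = SecurityDescriptor(USER, denies(FILE_DELETE_CHILD if deny_delete_child else 0) + [dir_allow])
    file_sd = SecurityDescriptor(USER, denies() + [file_allow])
    return dir_sd, file_sd

def apply_hardened_dacl(path, scope_sid=EVERYONE):
    """Apply the same two deny ACEs to a real directory with pywin32 (Windows only).
    Inheritance from the parent is disabled and the existing ACEs are re-added
    after the new denies so the DACL stays in canonical order."""
    import win32security
    import ntsecuritycon as con
    rev = win32security.ACL_REVISION
    inherit = con.CONTAINER_INHERIT_ACE | con.OBJECT_INHERIT_ACE
    # Explicit write bits rather than FILE_GENERIC_WRITE, which also contains
    # READ_CONTROL and SYNCHRONIZE and must not be denied.
    write_bits = (con.DELETE | con.FILE_DELETE_CHILD | con.FILE_WRITE_DATA
                  | con.FILE_APPEND_DATA | con.FILE_WRITE_EA | con.FILE_WRITE_ATTRIBUTES)
    sd = win32security.GetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION)
    old = sd.GetSecurityDescriptorDacl()
    new = win32security.ACL()
    new.AddAccessDeniedAceEx(rev, inherit, con.WRITE_DAC,
                             win32security.ConvertStringSidToSid(OWNER_RIGHTS))
    new.AddAccessDeniedAceEx(rev, inherit, write_bits,
                             win32security.ConvertStringSidToSid(scope_sid))
    for i in range(old.GetAceCount() if old is not None else 0):
        (ace_type, ace_flags), mask, sid = old.GetAce(i)
        ace_flags &= ~con.INHERITED_ACE  # becomes an explicit ACE on this object
        if ace_type == con.ACCESS_DENIED_ACE_TYPE:
            new.AddAccessDeniedAceEx(rev, ace_flags, mask, sid)
        elif ace_type == con.ACCESS_ALLOWED_ACE_TYPE:
            new.AddAccessAllowedAceEx(rev, ace_flags, mask, sid)
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT,
        win32security.DACL_SECURITY_INFORMATION | win32security.PROTECTED_DACL_SECURITY_INFORMATION,
        None, None, new, None)

if __name__ == "__main__":
    token = {USER, EVERYONE}
    for fix_child, fix_owner in [(False, False), (True, False), (True, True)]:
        d, f = build_descriptors(fix_child, fix_owner)
        print(f"deny FILE_DELETE_CHILD={fix_child}, deny OWNER RIGHTS WRITE_DAC={fix_owner}: "
              f"can delete={can_delete_file(d, f, token)}, "
              f"owner can change DACL={access_check(f, token, WRITE_DAC)}")
```

Two practical caveats for anyone applying `apply_hardened_dacl`: a deny ACE for Everyone also binds the account the client software runs under, so the `scope_sid` is normally a narrower group than Everyone; and an administrator holding SeRestorePrivilege can still rewrite the DACL regardless of the OWNER RIGHTS entry, so this protects against ordinary users and the owner, not against a privileged account.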
