[python-win32] Replace all child permissions

[eryk sun]

On Tue, Mar 21, 2017 at 9:57 AM, Goku Balu <tfa.signup.test1 at gmail.com> wrote:
>
> Thanks for responding. Here's my use case. I deny Write, Delete and
> Delete_Child permissions for all folders and files under a particular folder
> to make it read-only.
>
> When the user uninstalls our application, we remove the Deny ACE for all the
> sub-folders and files under it by iterating the folder.
>
> However in the UI, this can be easily achieved by removing the Deny ACE for
> top-most parent and checking "Replace all child object permissions with
> inheritable permissions from this object" and clicking Yes in the warning
> dialog. I wonder if this could be done programatically?

I thought you wanted to propagate inheritable permissions, which
includes removing inherited permissions from subfolders and files. It
should suffice to get the DACL from the base folder via
GetNamedSecurityInfo; remove the inheritable ACEs that you no longer
want; and then call SetNamedSecurityInfo to set the modified DACL.

OTOH, if you need to remove explicitly set permissions, then you'll
have to reset each folder and file in the tree one at a time. One
approach would be to manually do a top-down walk over the tree, e.g.
using os.walk(). Modify the security on each file and directory by
writing an empty DACL, i.e. win32security.ACL(), and specifying
UNPROTECTED_DACL_SECURITY_INFORMATION. This will reset each file and
directory using only inherited permissions.

The authorization API has the function TreeSetNamedSecurityInfo to
implement this. But PyWin32's win32security module doesn't wrap it for
some reason. You may prefer this approach, in which case we can use
ctypes to call this function. I wrote a wrapper for this a few minutes
ago if you want it.