> I think I understand your setup, which I've simulated below: an
> "ownership" directory owned by Admins and with SYSTEM & Admins only
> having full control. No inheritance; no propagation. Then an
> "other-account" directory below it; again, no inheritance and owned by a
> different account which has full control.

Hi Tim,

Exactly.

> Although you don't show the code you're using to affect the
> newly-reowned DACL, I suspect the problem is that you're not specifying
> DACL-only access? In other words, your Ownership status gives you *just
> enough* permission to write to the DACL to give yourself more. (ie
> WRITE_DAC). Any attempt to access any other aspect of the security
> structure will almost certainly fail with access denied.
>
> Does that help?

Sure does. What's odd is the following:

The original setup as per the GUI:

    "\\?\D:\A\sec_test",1,"O:S-1-5-21-1953591057-2569509234-2807485092-500 G:S-1-5-21-1078323535-3347378638-3728908043-513 D:PAI(A;OICI;FA;;;S-1-5-21-1078323535-3347378638-3728908043-1005)"

After Python takes ownership:

    "\\?\D:\A\sec_test",1,"O:S-1-5-21-107832356020011426935-3347378638-3728908043-1005 G:S-1-5-21-1078323535-3347378638-3728908043-513 D:PAI(A;OICI;FA;;;S-1-5-21-1078323535-3347378638-3728908043-1005)"

This is just as I would expect; only the owner has changed.

Using takeown.exe:

    "\\?\D:\A\sec_test",1,"O:LAG:S-1-5-21-1078323535-3347378638-3728908043-513 D:PAI(A;OICI;FA;;;S-1-5-21-1078323535-3347378638-3728908043-1005)"

It wiped the primary group? Also, the SID of the user returned by takeown (also displayed in the GUI) ends in 1005? 513 in a domain context has a different meaning.

I'll adjust the access to the DACL and try to adjust the permissions as I was.

Thanks a ton for all the help.

jlc

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
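Comparing the rows above by eye is error-prone, so here is an added example (not jlc's or Tim's code) that splits the GUI row and the takeown.exe row from the message into owner, group, DACL control flags and ACEs, and reports which fields actually differ. The alias and RID tables are the standard SDDL well-known values; the two input strings are the SDDL fields copied from the message, nothing else is assumed.

```python
import re

# Constructed from the GUI row and the takeown.exe row quoted in the message (SDDL field only).
BEFORE_GUI = ("O:S-1-5-21-1953591057-2569509234-2807485092-500 "
              "G:S-1-5-21-1078323535-3347378638-3728908043-513 "
              "D:PAI(A;OICI;FA;;;S-1-5-21-1078323535-3347378638-3728908043-1005)")
AFTER_TAKEOWN = ("O:LAG:S-1-5-21-1078323535-3347378638-3728908043-513 "
                 "D:PAI(A;OICI;FA;;;S-1-5-21-1078323535-3347378638-3728908043-1005)")

# Two-letter SDDL aliases and well-known RIDs that matter for this thread.
SID_ALIASES = {"LA": "local Administrator account (RID 500)", "SY": "LOCAL SYSTEM",
               "BA": "BUILTIN\\Administrators", "DU": "Domain Users (RID 513)"}
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

# A component is O:, G:, D: or S: followed by text up to the next component.
# ACE trustees contain "S-" (never "S:"), so "O:LAG:..." (the LA alias with no
# space before G:) still splits into owner "LA" plus the unchanged group SID.
COMPONENT_RE = re.compile(r"([OGDS]):(.*?)(?=\s*[OGDS]:|$)")

def parse_sddl(sddl):
    """Return owner, group, DACL control flags and ACEs as a plain dict."""
    parts = dict(COMPONENT_RE.findall(sddl))
    dacl = parts.get("D", "")
    # Each ACE body is type;flags;rights;object_guid;inherit_guid;sid
    aces = [body.split(";") for body in re.findall(r"\(([^)]*)\)", dacl)]
    return {
        "owner": parts.get("O"),
        "group": parts.get("G"),
        # P = protected (no inheritance from the parent), AI = auto-inherited
        "dacl_flags": re.findall(r"AI|AR|P", dacl.split("(", 1)[0]),
        "aces": [(a[0], a[1], a[2], a[5]) for a in aces],  # (type, flags, rights, trustee)
    }

def describe_sid(sid):
    """Name the alias or the RID so 500 / 513 / 1005 can be read at a glance."""
    if sid in SID_ALIASES:
        return f"{sid} = {SID_ALIASES[sid]}"
    m = re.fullmatch(r"S-1-5-21-(\d+-\d+-\d+)-(\d+)", str(sid))
    if not m:
        return str(sid)
    rid = int(m.group(2))
    who = WELL_KNOWN_RIDS.get(rid, "not a built-in RID; normally an account created on this machine or domain")
    return f"{sid} = domain {m.group(1)}, RID {rid}: {who}"

def diff_descriptors(before, after):
    return [(k, before[k], after[k]) for k in before if before[k] != after[k]]

if __name__ == "__main__":
    for field, old, new in diff_descriptors(parse_sddl(BEFORE_GUI), parse_sddl(AFTER_TAKEOWN)):
        print(f"{field}: {describe_sid(old)} -> {describe_sid(new)}")
```

Run as-is it reports a single difference, the owner (the RID 500 SID became the LA alias), while the G: component with RID 513 and the DACL are identical in both rows.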