On 21/01/2014 15:36, Joseph L. Casale wrote:
I have a scenario where I have a directory owned by localhost\Administrators
with that group and SYSTEM set to full control without inheritance propagated.
Under this, I have a folder owned by another account with only that account
granted full control.
If I elevate my token and run:
win32security.SetNamedSecurityInfo(
    path,
    win32security.SE_FILE_OBJECT,
    win32security.OWNER_SECURITY_INFORMATION,
    owner.sid,
    None,
    None,
    None
)
from the account that has full control (and originally owned it), I can view
the new owner.
Just by way of a slightly cheeky plug, this is how you'd take ownership
using Winsys [1] (from an elevated prompt for simplicity's sake):
<code>
from winsys import fs
fs.dir("c:/temp/ownership").take_ownership()
</code>
The .dump() thing is just a convenience method to show what the security
looks like.
Even under the covers, that's just a shorthand for:
<code>
from winsys import fs, security
d = fs.dir("c:/temp/ownership")
with d.security(options=None) as s:
    s.owner = security.me()
</code>
Having acquired ownership, to take full control:
<code>
from winsys import fs, security
fs.dir("c:/temp/ownership").take_control()
#
# shorthand for
#
#with dir("c:/temp/ownership").security(options="d") as s:
#    s.dacl.append(("tim", "F", "allow"))
</code>
Note that all this could be knocked sideways by the newer
OWNER_SID-based ACEs which can deny even the Owner the possibility of
affecting DACLs.
TJG
[1] https://github.com/tjguk/winsys
(Why, yes, it hasn't been updated for well over a year, but I'm always
happy to have the excuse...)
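
The caveat about OWNER_SID-based ACEs can be checked before relying on ownership alone: when a DACL carries an ACE for OWNER RIGHTS (S-1-3-4, SDDL alias OW), the owner no longer receives WRITE_DAC implicitly. The following is an added example, not code from this thread or from Winsys; the function names and SDDL strings are constructed, and it assumes simple ACEs in canonical order with rights given as a hex mask or two-letter codes.

```python
import re

OWNER_RIGHTS = {"OW", "S-1-3-4"}            # SDDL alias / SID string of OWNER RIGHTS
WRITE_DAC = 0x00040000
WRITE_DAC_CODES = {"WD", "GA", "FA", "KA"}  # SDDL rights codes that include WRITE_DAC

def pairs(s):
    """Split a run of two-letter SDDL codes ('OICIIO') into a set."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def dacl_aces(sddl):
    """Yield (type, flags, rights, trustee) for each simple ACE in the D: part."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) >= 6:
            yield fields[0], fields[1], fields[2], fields[5]

def has_write_dac(rights):
    """True if the rights field (hex mask or two-letter codes) includes WRITE_DAC."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_DAC)
    return bool(pairs(rights) & WRITE_DAC_CODES)

def owner_dacl_control(sddl):
    """Classify the owner's WRITE_DAC as 'implicit', 'granted' or 'restricted'."""
    seen = allowed = denied = False
    for ace_type, flags, rights, trustee in dacl_aces(sddl):
        if trustee not in OWNER_RIGHTS or "IO" in pairs(flags):
            continue                     # other trustee, or inherit-only ACE
        seen = True
        if has_write_dac(rights):
            allowed |= ace_type == "A"
            denied |= ace_type == "D"
    if not seen:
        return "implicit"                # no OWNER RIGHTS ACE: owner keeps WRITE_DAC
    return "granted" if allowed and not denied else "restricted"

# Constructed SDDL strings, not taken from the thread.
SAMPLES = {
    "plain": "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)",
    "read_only_owner": "O:BAG:DUD:(A;;0x1200a9;;;OW)(A;OICI;FA;;;BA)",
    "explicit_full": "D:(A;;FA;;;S-1-3-4)",
    "deny_wd": "D:(D;;WD;;;OW)(A;;FA;;;OW)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, owner_dacl_control(sddl))
```

A "restricted" result means the owner can change the DACL only if some other ACE matching its token grants WRITE_DAC.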