Francoi Xavier wrote:
>
> I've just started learning about windows ACL and file permissions.

You have embarked on a twisted, complicated, and vine-encrusted path. 
Few things in the computing world are as convoluted as the Windows
security model.


> The task here is to make a file/folder read-only and should get
> deleted/modified only through our client software. I've denied Write,
> Delete and other permissions for the Lookup Name Everyone
> which *generally* restricted users from changing the files/folders.
>
> But the current user who also happens to be the creator/owner of the
> file/folder can delete the ACE which has been added and he can gain
> complete access rights. Is there a way to restrict this behaviour so
> that users cannot change the file access permissions?

That depends on your definition of "user".  A user with administrative
rights can always elevate himself to take ownership of a file or
folder.  Once he has ownership, he can modify the permissions.

Windows handles this by changing the owner.  All of the Windows files
and directories are owned by a special user called "TrustedInstaller". 
Regular users have read permission, but not write or control
permission.  However, it's still possible to become administrator and
change the owner.  That's the whole point of an administrative user --
you have control.

You can certainly emulate that behavior, by creating a special user just
for your software, and changing the file's owner to that user.  Whether
that's justified in your case is a judgment you'll have to make.  Your
budget for protection needs to be based on the likelihood of an attack
and the cost of a compromise.  There is NOTHING you can do that is
fail-safe.  Remember, Sony went so far as to install a file system
filter driver to hide their DRM-related driver files.  Even that
protection wasn't foolproof.

-- 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.
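As an added example (not code from the thread or from either poster), the layout Tim describes, a dedicated owner account plus allow-only ACEs, applied to a folder with PowerShell. It assumes an existing local account named ClientSvc that the client software runs as, the folder C:\ProtectedData, and an elevated session, since assigning ownership to another account needs SeRestorePrivilege.

```powershell
# Added example: make C:\ProtectedData readable by everyone but writable,
# deletable and re-permissionable only by the dedicated ClientSvc account.
# Assumptions: local account "ClientSvc" exists; run from an elevated shell.
#Requires -RunAsAdministrator
$Path     = 'C:\ProtectedData'
$Owner    = [System.Security.Principal.NTAccount]'ClientSvc'           # assumed account
$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'    # well-known "Everyone"

$acl = Get-Acl -Path $Path

# Break inheritance and do not copy the inherited ACEs, so a parent folder
# cannot hand back Modify or a CREATOR OWNER entry.
$acl.SetAccessRuleProtection($true, $false)

# Drop any remaining explicit ACEs; NTFS is default-deny, so whatever is not
# granted below is simply not allowed. No Deny ACE on Everyone is needed, and
# one would also lock out ClientSvc, which is itself a member of Everyone.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Regular users: read and execute only (the TrustedInstaller pattern).
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Everyone, 'ReadAndExecute', $inherit, $propagate, 'Allow'))

# The service account keeps full control so the client software can
# create, modify and delete files.
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Owner, 'FullControl', $inherit, $propagate, 'Allow'))

# Move ownership away from the interactive user. Without ownership the user
# loses the implicit right to rewrite the DACL, which was the original problem.
# An elevated administrator can still take ownership back; that is by design.
$acl.SetOwner($Owner)
Set-Acl -Path $Path -AclObject $acl

# Show what was actually applied.
$applied = Get-Acl -Path $Path
$applied.Owner
$applied.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Files the client software creates inside the folder inherit these ACEs and are owned by ClientSvc, so there is no per-file CREATOR OWNER entry for a user to exploit.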

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
