On Mon, Mar 20, 2017 at 3:13 PM, Goku Balu <tfa.signup.te...@gmail.com> wrote:
>
> Is there any way to do "Replace all child object permissions with inheritable
> permissions from this object" programmatically using PyWin32? I found out
> that this resets the permissions for all the sub-folders and files deep-down
> even though the permissions are set separately.
>
> def remove_permission(path):
>     sd = win32security.GetFileSecurity(path,
>         win32security.DACL_SECURITY_INFORMATION)
>     dacl = sd.GetSecurityDescriptorDacl()  # instead of dacl = win32security.ACL()
>     win32security.SetNamedSecurityInfo(path, win32security.SE_FILE_OBJECT,
>         win32security.DACL_SECURITY_INFORMATION |
>         win32security.UNPROTECTED_DACL_SECURITY_INFORMATION,
>         None, None, dacl, None)
>
> I tried this on a folder. But it didn't work.

The docs for SetNamedSecurityInfo state the following:

    If you are setting the discretionary access control list (DACL) or any
    elements in the system access control list (SACL) of an object, the system
    automatically propagates any inheritable access control entries (ACEs) to
    existing child objects, according to the rules of inheritance.

It works for me when I add an inheritable ACE that denies execute access to
files under a given directory, e.g.

    dacl.AddAccessDeniedAceEx(
        win32security.ACL_REVISION_DS,
        win32security.INHERIT_ONLY_ACE | win32security.OBJECT_INHERIT_ACE,
        ntsecuritycon.FILE_EXECUTE,
        win32security.LookupAccountName(None, name)[0])

SetNamedSecurityInfo propagates the ACE to a file that's in a subdirectory of
the target path.
_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
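
Added example, not part of the original message and not PyWin32 code: a pure-Python model of the documented Windows ACE inheritance rules, showing why an ACE flagged INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE reaches a file inside a subdirectory. The function names and the sample tree are assumptions made for illustration; the flag values are those defined in winnt.h.

```python
# Model of the Windows ACE inheritance rules (no Windows API calls).
# Flag values are the winnt.h AceFlags bits; the tree is constructed data.
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10
INHERIT_MASK = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE


def inherited_flags(parent_flags, child_is_container):
    """Return the AceFlags a child receives from one parent ACE, or None."""
    oi = bool(parent_flags & OBJECT_INHERIT_ACE)
    ci = bool(parent_flags & CONTAINER_INHERIT_ACE)
    if not child_is_container:
        # Files only take object-inherit ACEs, always as effective ACEs.
        return INHERITED_ACE if oi else None
    if not (oi or ci):
        return None
    if parent_flags & NO_PROPAGATE_INHERIT_ACE:
        # One level only: effective on the subdirectory if CI, else dropped.
        return INHERITED_ACE if ci else None
    flags = INHERITED_ACE | (parent_flags & INHERIT_MASK)
    if not ci:
        # OI without CI: the subdirectory only carries it down to its files.
        flags |= INHERIT_ONLY_ACE
    return flags


def propagate(flags, tree, path="target"):
    """Walk a nested dict (dict = directory, None = file) and map each
    child path to (inherited flags, whether the ACE is effective there)."""
    result = {}
    for name, node in tree.items():
        child = path + "\\" + name
        got = inherited_flags(flags, isinstance(node, dict))
        if got is None:
            continue
        result[child] = (got, not (got & INHERIT_ONLY_ACE))
        if isinstance(node, dict):
            result.update(propagate(got, node, child))
    return result


# Constructed tree: target\a.exe and target\sub\b.exe
TREE = {"a.exe": None, "sub": {"b.exe": None}}
REPLY_FLAGS = INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE  # flags used in the reply

if __name__ == "__main__":
    for child, (got, effective) in propagate(REPLY_FLAGS, TREE).items():
        print(f"{child}: flags=0x{got:02x} effective={effective}")
```

In this model the subdirectory holds the deny ACE only as an inherit-only entry, so the ACE restricts the files at every depth but not the directories themselves.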