Hi Eryk,

Thanks for responding. Here's my use case. I deny Write, Delete and Delete_Child permissions for all folders and files under a particular folder to make it read-only.
When the user uninstalls our application, we remove the Deny ACE for all the sub-folders and files under it by iterating the folder. However in the UI, this can be easily achieved by removing the Deny ACE for top-most parent and checking "Replace all child object permissions with inheritable permissions from this object" and clicking Yes in the warning dialog. I wonder if this could be done programmatically?

Regards,
Goku

On Tue, Mar 21, 2017 at 3:16 AM, eryk sun <eryk...@gmail.com> wrote:

> On Mon, Mar 20, 2017 at 3:13 PM, Goku Balu <tfa.signup.te...@gmail.com> wrote:
> >
> > Is there any way to do "Replace all child object permissions with inheritable
> > permissions from this object" programmatically using PyWin32. I found out
> > that this resets the permissions for all the sub-folders and files deep-down
> > even though the permissions are set separately.
> >
> > def remove_permission(path):
> >     sd = win32security.GetFileSecurity(path,
> >         win32security.DACL_SECURITY_INFORMATION)
> >     dacl = sd.GetSecurityDescriptorDacl()  # instead of dacl = win32security.ACL()
> >     win32security.SetNamedSecurityInfo(path, win32security.SE_FILE_OBJECT,
> >         win32security.DACL_SECURITY_INFORMATION |
> >         win32security.UNPROTECTED_DACL_SECURITY_INFORMATION,
> >         None, None, dacl, None)
> >
> > I tried this on a folder. But didn't work.
>
> The docs for SetNamedSecurityInfo state the following:
>
>     If you are setting the discretionary access control list (DACL)
>     or any elements in the system access control list (SACL) of an
>     object, the system automatically propagates any inheritable
>     access control entries (ACEs) to existing child objects,
>     according to the rules of inheritance.
>
> It works for me when I add an inheritable ACE that denies execute
> access to files under a given directory, e.g.
>
>     dacl.AddAccessDeniedAceEx(
>         win32security.ACL_REVISION_DS,
>         win32security.INHERIT_ONLY_ACE |
>         win32security.OBJECT_INHERIT_ACE,
>         ntsecuritycon.FILE_EXECUTE,
>         win32security.LookupAccountName(None, name)[0])
>
> SetNamedSecurityInfo propagates the ACE to a file that's in a
> subdirectory of the target path.
_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
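
Added example (not part of the original messages and not either poster's or the pywin32 project's code): one way to do the "replace all child object permissions" step from Python, assuming the Deny ACE has already been removed from the top folder and that writing an empty, unprotected DACL to a child leaves it with only the ACEs it inherits. The names children_top_down, reset_children_to_inherited and the apply hook are hypothetical; the pywin32 calls are the ones quoted in the thread.

```python
import os


def children_top_down(root):
    """Yield every file and folder below root (never root itself), parents first."""
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        dirnames.sort()  # deterministic descent order
        for name in dirnames + sorted(filenames):
            path = os.path.join(dirpath, name)
            # Skip symbolic links so the reset cannot touch objects outside root.
            if not os.path.islink(path):
                yield path


def _reset_with_pywin32(path):
    """Replace the explicit DACL of path with an empty, unprotected one."""
    import win32security  # imported lazily: pywin32 exists only on Windows

    win32security.SetNamedSecurityInfo(
        path,
        win32security.SE_FILE_OBJECT,
        win32security.DACL_SECURITY_INFORMATION
        | win32security.UNPROTECTED_DACL_SECURITY_INFORMATION,
        None,                 # owner: unchanged
        None,                 # group: unchanged
        win32security.ACL(),  # no explicit ACEs (assumption: inherited ones remain)
        None,                 # SACL: unchanged
    )


def reset_children_to_inherited(root, apply=_reset_with_pywin32):
    """Reset every object below root; return (done, failed) lists.

    apply is a hypothetical hook so the traversal can be dry-run or logged
    before any ACL is actually rewritten.
    """
    done, failed = [], []
    for path in children_top_down(root):
        try:
            apply(path)
            done.append(path)
        except Exception as exc:  # e.g. access denied on a single object
            failed.append((path, str(exc)))
    return done, failed
```

Passing apply=print (or a list's append) gives a dry run of exactly which objects would lose their explicit ACEs; the failed list is worth logging, since one object that keeps its explicit Deny ACE stays read-only after uninstall.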