Thank you for this.

I was sent a piece of code and I made it work. It is using 
win32security.GetFileSecurity.

But now you brought up ADS (which I didn't cover) and opening files with backup 
semantics.

I'm using Volume Shadow Copy atm but I don't know what the benefits of 
using the backup flag are. 
I need to do some reading on this.

Momchil

-----Original Message-----
From: Eryk Sun <eryk...@gmail.com> 
Sent: Friday, November 13, 2020 10:54 PM
To: python-win32@python.org
Cc: momc...@bojinov.info
Subject: Re: [python-win32] Help with PySECURITY_DESCRIPTOR

On 10/27/20, momc...@bojinov.info <momc...@bojinov.info> wrote:
>
> I'm trying to store a file's ACL along with the backup of the file and 
> then restore it on the same system

Consider using BackupRead() and BackupWrite() from the win32file module. These 
functions support backup and restore of data streams (default and alternate 
data streams), attributes, extended attributes, reparse data, object ID, and 
security.

GENERIC_READ access includes the READ_CONTROL access that's required for 
reading most file security, but GENERIC_WRITE access isn't sufficient for 
restoring file security. Writing discretionary access-control entries and 
resource attributes requires WRITE_DAC access. Writing the owner, group, and 
mandatory label requires WRITE_OWNER access. Reading and writing audit entries 
and writing central-access-policy identifier entries requires 
ACCESS_SYSTEM_SECURITY access, which requires enabling SeSecurityPrivilege. 
Typically use GENERIC_WRITE | WRITE_DAC | WRITE_OWNER.

In general you should back up and restore files using an elevated administrator 
account. Enable SeBackupPrivilege and SeRestorePrivilege in the process access 
token via OpenProcessToken, LookupPrivilegeValue, and AdjustTokenPrivileges, 
found in the win32security module. Open files with FILE_FLAG_BACKUP_SEMANTICS. 
This ensures access in most cases when the backup and restore privileges are 
enabled. The restore privilege also allows setting the file owner to the 
arbitrary owner of the source file instead of being limited to the current user. 
Using an elevated logon (high integrity level) also allows restoring a high 
integrity level mandatory label on the destination file in case the source file 
has mandatory access control that denies write-up, read-up, or execute-up 
access.


_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
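An added example, not code from the thread or from pywin32's own docs, that turns the access-right rules in Eryk's message into a check (`required_access`) and then copies a file's security descriptor between two backup-semantics handles with pywin32 (`enable_privileges`, `copy_security`). The SECURITY_INFORMATION and access-mask constants are the winnt.h values; `required_access()` is pure Python, the other two functions assume pywin32 on an elevated Windows session.

```python
try:
    import win32api, win32con, win32file, win32security, winerror  # pywin32 (Windows only)
except ImportError:  # off Windows only required_access() is usable
    win32api = win32con = win32file = win32security = winerror = None

# SECURITY_INFORMATION bits (winnt.h) and the standard rights the message ties to them.
OWNER, GROUP, DACL, SACL, LABEL, ATTRIBUTE, SCOPE = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20, 0x40
READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00020000, 0x00040000, 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000  # only granted while SeSecurityPrivilege is enabled

def required_access(info, write):
    """Handle access for Get/SetSecurityInfo over `info` (add GENERIC_READ/WRITE for data)."""
    access = 0
    if not write:
        if info & ~SACL:                   # owner, group, DACL, label, attributes, scope
            access |= READ_CONTROL
        if info & SACL:                    # audit entries
            access |= ACCESS_SYSTEM_SECURITY
        return access
    if info & (DACL | ATTRIBUTE):          # DACL and resource attributes
        access |= WRITE_DAC
    if info & (OWNER | GROUP | LABEL):     # owner, group, mandatory label
        access |= WRITE_OWNER
    if info & (SACL | SCOPE):              # audit entries, central-access-policy id
        access |= ACCESS_SYSTEM_SECURITY
    return access

def enable_privileges(names=("SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege")):
    """Enable the named privileges in the current process token (needs an elevated token)."""
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    privs = [(win32security.LookupPrivilegeValue(None, n), win32con.SE_PRIVILEGE_ENABLED)
             for n in names]
    win32security.AdjustTokenPrivileges(token, False, privs)
    if win32api.GetLastError() == winerror.ERROR_NOT_ALL_ASSIGNED:  # token lacks a privilege
        raise PermissionError("token does not hold all of %s" % (names,))

def copy_security(src, dst, info=OWNER | GROUP | DACL | SACL | LABEL):
    """Read src's security descriptor and apply it to dst via backup-semantics handles."""
    share = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE
    def open_for(path, access):
        return win32file.CreateFile(path, access, share, None, win32con.OPEN_EXISTING,
                                    win32con.FILE_FLAG_BACKUP_SEMANTICS, None)
    with open_for(src, required_access(info, False)) as h:
        sd = win32security.GetSecurityInfo(h, win32security.SE_FILE_OBJECT, info)
    with open_for(dst, required_access(info, True)) as h:
        win32security.SetSecurityInfo(
            h, win32security.SE_FILE_OBJECT, info, sd.GetSecurityDescriptorOwner(),
            sd.GetSecurityDescriptorGroup(), sd.GetSecurityDescriptorDacl(),
            sd.GetSecurityDescriptorSacl())
```

Call `enable_privileges()` once before `copy_security()`; without the restore privilege the owner write fails unless it is the caller's own SID. The copy reproduces owner, group, DACL, SACL and label as-is and does not handle the PROTECTED_*_SECURITY_INFORMATION (inheritance-blocking) bits.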
