Re: [python-win32] Reg. taking folder ownership
On Tue, Aug 28, 2018 at 5:03 AM, Goku Balu wrote:
>> Eryk wrote:
>> This call will succeed even if one or more of the privileges wasn't
>> modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
>> (1300). This will be the case if you try to enable the take-ownership
>> and restore privileges for a UAC restricted token.
>
> Thanks Eryk for responding. Yes it failed with 1300 and I'm running the code
> from another admin account. But I think it's not a restricted account. I
> could run any exe with Admin elevated privilege by right clicking and
> choosing the option from the context menu.

Under UAC, administrators get logged on with two tokens. The one that LSA
returns is a limited token with medium integrity level, from which
administrative privileges have been stripped and for which the
administrators group is enabled only for deny access checks. This limited
token is paired with an elevated token, which has high integrity, full
administrative privileges, and the administrators group enabled for both
allow and deny access checks.

The elevated token can only be obtained by a user with SeTcbPrivilege, such
as the SYSTEM account. Creating an elevated process is commonly handled by
the Application Information service, which runs as SYSTEM. It displays the
consent dialog on the secure (Winlogon) desktop, gets the elevated token,
and creates the process via CreateProcessAsUser.

Run Python elevated, enable SeRestorePrivilege, and use GetNamedSecurityInfo
and SetNamedSecurityInfo. This will allow modifying the owner or DACL
regardless of the current DACL, even if no access is specifically granted
to administrators.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
Re: [python-win32] Reg. taking folder ownership
> Eryk wrote:
> This call will succeed even if one or more of the privileges wasn't
> modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
> (1300). This will be the case if you try to enable the take-ownership
> and restore privileges for a UAC restricted token.

Thanks Eryk for responding. Yes it failed with 1300 and I'm running the code
from another admin account. But I think it's not a restricted account. I
could run any exe with Admin elevated privilege by right clicking and
choosing the option from the context menu.

I tried with just the Take ownership privilege for the current admin user.
I've changed the SetFileSecurity API to SetNamedSecurityInfo as suggested.
Below is the code I tried running. Getting (5, Access Denied) for
SetNamedSecurityInfo. Am I missing something?

    import win32api
    import win32con
    import win32security
    import ntsecuritycon

    def take_owner(path, account_name):
        owner_sid = win32security.LookupAccountName(None, account_name)[0]
        # Only SeTakeOwnershipPrivilege this time.
        new_privs = (
            (win32security.LookupPrivilegeValue('', ntsecuritycon.SE_TAKE_OWNERSHIP_NAME),
             win32con.SE_PRIVILEGE_ENABLED),)
        flags = win32security.TOKEN_ALL_ACCESS \
            | win32con.TOKEN_ADJUST_PRIVILEGES \
            | win32con.TOKEN_IMPERSONATE
        try:
            # Prefer the thread's impersonation token if there is one.
            thread = win32api.GetCurrentThread()
            handle = win32security.OpenThreadToken(thread, flags, False)
        except win32security.error as e:
            # Normally ERROR_NO_TOKEN (1008, e.winerror): the thread is not
            # impersonating, so fall back to the process token.
            handle = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
        win32security.AdjustTokenPrivileges(handle, 0, new_privs)
        lastError = win32api.GetLastError()
        print("last error=", lastError)
        # fs = win32security.GetNamedSecurityInfo(path, win32security.SE_FILE_OBJECT,
        #                                         win32security.OWNER_SECURITY_INFORMATION)
        # fs.SetSecurityDescriptorOwner(owner_sid, True)
        win32security.SetNamedSecurityInfo(path, win32security.SE_FILE_OBJECT,
                                           win32security.OWNER_SECURITY_INFORMATION,
                                           owner_sid, None, None, None)

> Tim wrote:
> Admin1 can change the ACL to give Admin2 the right to change the ACL.
> In the file permission dialog, that's the "Change permissions" right.
> In code, it's the "WRITE_DAC" file permission.

@Tim Thanks for the tip.

Regards,
Goku
Re: [python-win32] Reg. taking folder ownership
On Mon, Aug 27, 2018 at 6:23 AM, Goku Balu wrote:
>
> My use case is this. Folder1 is created by Admin1 and ACL is set by Admin1.
> Now Admin2 wants to change the ACL. I think we have two options here
> 1) Take folder ownership and then do the changes
> 2) Take elevated privileges for Admin2 account and add/remove ACL entries

If the current DACL doesn't grant Admin2 the right to change the owner or
change the DACL (i.e. to acquire said right), then you'll need to either
enable SeTakeOwnershipPrivilege or enable SeRestorePrivilege with backup
semantics. Under UAC restriction, an administrator only has these
privileges when elevated, so option (2) is your only choice.

SeRestorePrivilege also allows setting the owner to an arbitrary user or
group. Otherwise you can only set the owner to either the current user or
any of the user's groups that have the group-owner flag (e.g. the
administrators group).

> win32security.AdjustTokenPrivileges(handle, 0, new_privs)

This call will succeed even if one or more of the privileges wasn't
modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
(1300). This will be the case if you try to enable the take-ownership
and restore privileges for a UAC restricted token.

> fs = win32security.GetFileSecurity(
>     path, win32security.OWNER_SECURITY_INFORMATION)
> fs.SetSecurityDescriptorOwner(owner_sid, True)
>
> win32security.SetFileSecurity(
>     path, win32security.OWNER_SECURITY_INFORMATION, fs)

Use GetNamedSecurityInfo and SetNamedSecurityInfo instead. These newer
functions handle inheritance correctly. They also open the file with
backup semantics. The I/O manager grants all requested modify access
(including write-owner) if backup semantics is combined with
SeRestorePrivilege. In this case you don't need SeTakeOwnershipPrivilege.
Re: [python-win32] Reg. taking folder ownership
Goku Balu wrote:
> My use case is this. Folder1 is created by Admin1 and ACL is set by Admin1.
> Now Admin2 wants to change the ACL. I think we have two options here
> 1) Take folder ownership and then do the changes
> 2) Take elevated privileges for Admin2 account and add/remove ACL entries
> (Similar to "Run as Administrator" and using icacls in cmd)
>
> I'm trying to solve this with the first approach. After Googling around,
> here is the code I'm trying to run for taking ownership from Admin1 and
> assign it to Admin2.

The Windows file permission ecosystem makes my head hurt, so I'm going to
avoid answering your exact question, but I would point out that Admin1 can
change the ACL to give Admin2 the right to change the ACL. In the file
permission dialog, that's the "Change permissions" right. In code, it's
the "WRITE_DAC" file permission.

-- 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.
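Pulling the two answers in this thread together, here is an added example (my own, not code posted to the list and not part of pywin32). take_owner() does what Eryk describes: it checks that the token in use is the elevated one, enables SeRestorePrivilege and SeTakeOwnershipPrivilege, verifies from the token's own privilege list that they really came up instead of trusting the AdjustTokenPrivileges result, and then sets the owner through SetNamedSecurityInfo. grant_write_dac() does what Tim suggests: the current owner adds an ACE granting WRITE_DAC to the second admin, after which that account can edit the DACL without any privilege. The folder path and the MACHINE\Admin2 account in the __main__ block are assumptions, and the pywin32 import is guarded so that the pure missing_privileges() helper can be exercised on a machine without Windows.

```python
"""Folder ownership and DACL changes with pywin32, including the check for
privileges that AdjustTokenPrivileges silently failed to enable.
Added example; not code from the thread or from pywin32 itself."""
try:
    import win32api
    import win32con
    import win32security
    import ntsecuritycon
except ImportError:  # not Windows or no pywin32: only missing_privileges() is usable
    win32api = win32con = win32security = ntsecuritycon = None

ERROR_NO_TOKEN = 1008              # OpenThreadToken: the thread is not impersonating
ERROR_NOT_ALL_ASSIGNED = 1300      # AdjustTokenPrivileges "succeeded" but skipped some
SE_PRIVILEGE_ENABLED = 0x00000002  # same value as win32con.SE_PRIVILEGE_ENABLED


def missing_privileges(token_privs, wanted):
    """Names from `wanted` that are not enabled in a token privilege listing.

    token_privs is a list of (privilege_name, attributes) pairs, as built by
    enable_privileges() from GetTokenInformation(TokenPrivileges). A UAC-limited
    token does not hold SeRestorePrivilege or SeTakeOwnershipPrivilege at all, so
    they come back as missing even though AdjustTokenPrivileges returned success
    (with GetLastError() == ERROR_NOT_ALL_ASSIGNED, as seen in the thread).
    """
    enabled = {name for name, attrs in token_privs if attrs & SE_PRIVILEGE_ENABLED}
    return [name for name in wanted if name not in enabled]


def open_token():
    """Thread impersonation token if there is one, otherwise the process token."""
    access = win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY
    try:
        return win32security.OpenThreadToken(win32api.GetCurrentThread(), access, False)
    except win32security.error as e:
        if e.winerror != ERROR_NO_TOKEN:
            raise
        return win32security.OpenProcessToken(win32api.GetCurrentProcess(), access)


def is_elevated(token):
    """Nonzero TokenElevation means this is the high-integrity half of an admin logon."""
    return bool(win32security.GetTokenInformation(token, win32security.TokenElevation))


def enable_privileges(token, names):
    """Enable `names` on `token` and return those that still are not enabled.

    The return value of AdjustTokenPrivileges is not a useful signal, so the
    token's privilege list is re-read and compared against what was requested.
    """
    new_privs = [(win32security.LookupPrivilegeValue('', n), SE_PRIVILEGE_ENABLED)
                 for n in names]
    win32security.AdjustTokenPrivileges(token, 0, new_privs)
    current = [(win32security.LookupPrivilegeName('', luid), attrs)
               for luid, attrs in win32security.GetTokenInformation(
                   token, win32security.TokenPrivileges)]
    return missing_privileges(current, names)


def take_owner(path, account_name):
    """Set the owner of `path` to `account_name` from an elevated process.

    With SeRestorePrivilege enabled, SetNamedSecurityInfo opens the object with
    backup semantics and is granted WRITE_OWNER whatever the current DACL says,
    and the new owner may be any SID, not only the caller or a group-owner group.
    """
    owner_sid, _domain, _type = win32security.LookupAccountName(None, account_name)
    token = open_token()
    if not is_elevated(token):
        raise PermissionError("running with the UAC-limited token; re-run elevated")
    missing = enable_privileges(token, [ntsecuritycon.SE_RESTORE_NAME,
                                        ntsecuritycon.SE_TAKE_OWNERSHIP_NAME])
    if missing:
        raise PermissionError("could not enable: " + ", ".join(missing))
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT, win32security.OWNER_SECURITY_INFORMATION,
        owner_sid, None, None, None)


def grant_write_dac(path, account_name):
    """Tim's route: whoever already holds WRITE_DAC (the owner always does) grants
    it to another account, which can then change the DACL with no privilege."""
    sid, _domain, _type = win32security.LookupAccountName(None, account_name)
    sd = win32security.GetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:
        return  # NULL DACL: everyone already has full access, WRITE_DAC included
    dacl.AddAccessAllowedAceEx(
        win32security.ACL_REVISION,
        ntsecuritycon.CONTAINER_INHERIT_ACE | ntsecuritycon.OBJECT_INHERIT_ACE,
        ntsecuritycon.WRITE_DAC, sid)
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION,
        None, None, dacl, None)


if __name__ == "__main__":
    # Assumed folder and account names; both are illustrative.
    take_owner(r"D:\Test", win32api.GetUserNameEx(win32con.NameSamCompatible))
    grant_write_dac(r"D:\Test", r"MACHINE\Admin2")
```

Run it from a console started with "Run as administrator": from a plain console the TokenElevation check fires before anything is touched, which is the same condition that produced the 1300 and the later (5, Access Denied) in the thread.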
[python-win32] Reg. taking folder ownership
Hi,

My use case is this. Folder1 is created by Admin1 and ACL is set by Admin1.
Now Admin2 wants to change the ACL. I think we have two options here
1) Take folder ownership and then do the changes
2) Take elevated privileges for Admin2 account and add/remove ACL entries
(Similar to "Run as Administrator" and using icacls in cmd)

I'm trying to solve this with the first approach. After Googling around,
here is the code I'm trying to run for taking ownership from Admin1 and
assign it to Admin2.

    import win32api
    import win32con
    import win32security
    import ntsecuritycon

    def take_owner(path, account_name):
        owner_sid = win32security.LookupAccountName(None, account_name)[0]
        new_privs = (
            (win32security.LookupPrivilegeValue('', ntsecuritycon.SE_RESTORE_NAME),
             win32con.SE_PRIVILEGE_ENABLED),
            (win32security.LookupPrivilegeValue('', ntsecuritycon.SE_TAKE_OWNERSHIP_NAME),
             win32con.SE_PRIVILEGE_ENABLED))
        flags = win32security.TOKEN_ALL_ACCESS \
            | win32con.TOKEN_ADJUST_PRIVILEGES \
            | win32con.TOKEN_IMPERSONATE
        try:
            # Prefer the thread's impersonation token if there is one.
            thread = win32api.GetCurrentThread()
            handle = win32security.OpenThreadToken(thread, flags, False)
        except win32security.error as e:
            # ERROR_NO_TOKEN (1008): the thread is not impersonating, so use the
            # process token. pywin32 exposes the Win32 error code as e.winerror.
            if e.winerror != 1008:
                raise
            handle = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
        win32security.AdjustTokenPrivileges(handle, 0, new_privs)
        fs = win32security.GetFileSecurity(
            path, win32security.OWNER_SECURITY_INFORMATION)
        fs.SetSecurityDescriptorOwner(owner_sid, True)
        win32security.SetFileSecurity(
            path, win32security.OWNER_SECURITY_INFORMATION, fs)

    FILENAME = "D:\\Test"
    account_name = win32api.GetUserNameEx(win32con.NameSamCompatible)
    sd = win32security.GetFileSecurity(FILENAME, win32security.OWNER_SECURITY_INFORMATION)
    owner_sid = sd.GetSecurityDescriptorOwner()
    name, domain, type = win32security.LookupAccountSid(None, owner_sid)
    file_owner = domain + "\\" + name
    if account_name != file_owner:
        print("Account name and file owner is different")
        take_owner(FILENAME, account_name)
    else:
        print("Account name and file owner is Same")

I'm getting (5, Access Denied) in SetFileSecurity. Am I missing something?
Also I would like to know is this the right way of doing things?

Thanks
- Goku