Re: [python-win32] File access entries are incorrectly set

2016-09-27 Thread Goku Balu
Thanks Eryk for being so thorough and for a great explanation. If this can
be solved differently, I tried with removing the rights such as
READ_CONTROL and SYNCHRONIZE from the FILE_GENERIC_WRITE mask and it worked
as well.

import ntsecuritycon

masks = ntsecuritycon.FILE_GENERIC_WRITE
masks = masks & ~ntsecuritycon.READ_CONTROL
masks = masks & ~ntsecuritycon.SYNCHRONIZE

Really appreciate the great community help.

Thanks,
Goku

On Fri, Sep 23, 2016 at 9:30 PM,  wrote:

> >> > That doesn't seem like a bug to me. GENERIC_WRITE represents several
> >> > permissions mashed together, including FILE_WRITE and read control.
> >> >
> >> > Perhaps try with just FILE_WRITE on its own?
> >>
> >> For a file or directory, GENERIC_WRITE (0x8000) gets mapped to
> >> FILE_GENERIC_WRITE, which includes the following standard rights
> >> (upper 16 bits):
> >>
> >> SYNCHRONIZE  = 0x0010
> >> READ_CONTROL = 0x0002
> >>
> >> and File-object specific rights (lower 16 bits):
> >>
> >> FILE_WRITE_ATTRIBUTES = 0x0100
> >> FILE_WRITE_EA = 0x0010
> >> FILE_APPEND_DATA  = 0x0004
> >> FILE_WRITE_DATA   = 0x0002
> >>
> >> The relevant access right that's being denied in this case is
> >> SYNCHRONIZE.
> >
> > So if we deny WRITE then SYNCHRONIZE will be denied which will in-turn
> > affect READ. Is there a way to deny WRITE alone without affecting
> > file/folder read?
>
> Each kernel object type has a GENERIC_MAPPING that maps generic rights
> to sets of standard and object-specific rights. Before doing an
> AccessCheck, generic rights have to be mapped to specific rights via
> MapGenericMask.
>
> For the File type this generic mapping consists of the following values:
>
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_GENERIC_EXECUTE
> FILE_ALL_ACCESS
>
> If you deny GENERIC_WRITE for a File, that's the same as denying the 6
> rights in FILE_GENERIC_WRITE, which includes the standard SYNCHRONIZE
> and READ_CONTROL rights. You need to mask the value to filter out
> rights that shouldn't be denied. Use the constant SPECIFIC_RIGHTS_ALL,
> which is defined as 0x (i.e. the lower 16 bits of an access mask
> are reserved for object-specific rights). For example:
>
> import win32security
> import ntsecuritycon
>
> WORLD = win32security.CreateWellKnownSid(win32security.WinWorldSid)
>
> FILE_WRITE = (ntsecuritycon.FILE_GENERIC_WRITE &
>               ntsecuritycon.SPECIFIC_RIGHTS_ALL)
>
> def deny_write(filename, account=None, ace_flags=0):
>     sd = win32security.GetFileSecurity(
>             filename, win32security.DACL_SECURITY_INFORMATION)
>     sid = WORLD if account is None else (
>             win32security.LookupAccountName(None, account)[0])
>     dacl = sd.GetSecurityDescriptorDacl()
>     dacl.AddAccessDeniedAceEx(
>             win32security.ACL_REVISION_DS, ace_flags, FILE_WRITE, sid)
>     sd.SetSecurityDescriptorDacl(1, dacl, 0)
>     win32security.SetFileSecurity(
>             filename, win32security.DACL_SECURITY_INFORMATION, sd)
>
> For a directory, generic write access entails the ability to write
> attributes and add files and subdirectories. Note that file delete
> rights are separately controlled by standard DELETE access and the
> specific directory right FILE_DELETE_CHILD, which is the right to
> delete files or subdirectories of a directory, even if the user is
> otherwise denied or not granted DELETE access.
>
> The ace_flags parameter allows controlling whether the ACE is
> inherited by subdirectories and files (CONTAINER_INHERIT_ACE,
> OBJECT_INHERIT_ACE), whether the inheritance flags get propagated
> (NO_PROPAGATE_INHERIT_ACE), and whether the ACE applies only for
> inheritance (INHERIT_ONLY_ACE).
>
> For reference, here's an access mask diagram:
>
>  3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
>  1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
> +-+-+-+-+-----+-+---------------+-------------------------------+
> |G|G|G|G|Resvd|A| StandardRights|         SpecificRights        |
> |R|W|E|A|     |S|               |                               |
> +-+-+-+-+-----+-+---------------+-------------------------------+
>
> Generic Read
> Generic Write
> Generic Execute
> Generic All
> Reserved: 3
> Access SACL
> Standard Rights: 8
> Specific Rights: 16
>
> The four most significant bits are the generic rights. Before
> evaluating an AccessCheck, the system maps generic rights in access
> masks to the corresponding standard and specific rights.
>
> Only 5 of the 8 possible standard rights have been assigned:
> SYNCHRONIZE (bit 20), WRITE_OWNER, WRITE_DAC, READ_CONTROL, and DELETE
> (bit 16).
>
> The File type assigns 9 out of 16 possible specific rights, from
> FILE_WRITE_ATTRIBUTES (bit 8) down to FILE_READ_DATA (bit 0). Some
> bits have multiple meanings depending on whether the object is a
> directory, data file, or named pi
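As an added illustration of the two points made in the quoted reply, the mapping of GENERIC_WRITE to FILE_GENERIC_WRITE and the need to mask the deny with SPECIFIC_RIGHTS_ALL so that a SYNCHRONIZE-requiring directory listing still succeeds, here is a pure-Python model that runs without pywin32 or Windows. It is not code from this thread, from pywin32 or from Microsoft: the constant values are the winnt.h values (ntsecuritycon exposes the same names), while the `(type, sid, mask)` ACE tuples, the `S-1-1-0` token and the `access_check()` walk are constructed simplifications of what AccessCheck does.

```python
# Added example (not from the thread): model of MapGenericMask for the File
# type plus a simplified DACL walk. Constants are winnt.h values; the ACE
# tuples, token and access_check() are a constructed simplification.

# Standard rights (bits 16-23; only five assigned) and generic bits (28-31).
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000
WRITE_OWNER, SYNCHRONIZE = 0x00080000, 0x00100000
STANDARD_RIGHTS_REQUIRED, SPECIFIC_RIGHTS_ALL = 0x000F0000, 0x0000FFFF
GENERIC_ALL, GENERIC_EXECUTE = 0x10000000, 0x20000000
GENERIC_WRITE, GENERIC_READ = 0x40000000, 0x80000000

# File-type specific rights (bits 0-8). Several bits mean something else for
# a directory (FILE_LIST_DIRECTORY, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY,
# FILE_TRAVERSE), so those names are aliases of the same bit.
FILE_READ_DATA = FILE_LIST_DIRECTORY = 0x0001
FILE_WRITE_DATA = FILE_ADD_FILE = 0x0002
FILE_APPEND_DATA = FILE_ADD_SUBDIRECTORY = 0x0004
FILE_READ_EA, FILE_WRITE_EA = 0x0008, 0x0010
FILE_EXECUTE = FILE_TRAVERSE = 0x0020
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0040, 0x0080, 0x0100

# The File type's GENERIC_MAPPING (winnt.h).
FILE_GENERIC_READ = (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES
                     | FILE_READ_EA | SYNCHRONIZE)
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
                      | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF
FILE_GENERIC_MAPPING = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
                        GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}

RIGHT_NAMES = {DELETE: "DELETE", READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
               WRITE_OWNER: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
               FILE_READ_DATA: "FILE_READ_DATA", FILE_WRITE_DATA: "FILE_WRITE_DATA",
               FILE_APPEND_DATA: "FILE_APPEND_DATA", FILE_READ_EA: "FILE_READ_EA",
               FILE_WRITE_EA: "FILE_WRITE_EA", FILE_EXECUTE: "FILE_EXECUTE",
               FILE_DELETE_CHILD: "FILE_DELETE_CHILD",
               FILE_READ_ATTRIBUTES: "FILE_READ_ATTRIBUTES",
               FILE_WRITE_ATTRIBUTES: "FILE_WRITE_ATTRIBUTES"}


def map_generic_mask(mask, mapping=FILE_GENERIC_MAPPING):
    """Model of MapGenericMask: replace each generic bit with the mapped rights."""
    mapped = mask
    for generic_bit, specific in mapping.items():
        if mask & generic_bit:
            mapped = (mapped & ~generic_bit) | specific
    return mapped


def describe_mask(mask):
    """Names of the standard and specific rights set in an already-mapped mask."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


def access_check(dacl, token_sids, desired):
    """Simplified DACL walk over (ace_type, sid, mask) tuples in ACE order.

    Generic bits in the request and in ACE masks are mapped first. A deny ACE
    covering any still-ungranted right denies; allow ACEs grant bits until
    nothing is left. Returns (granted, reason).
    """
    remaining = map_generic_mask(desired)
    for ace_type, sid, mask in dacl:
        if sid not in token_sids or remaining == 0:
            continue
        ace_mask = map_generic_mask(mask)
        if ace_type == "deny" and remaining & ace_mask:
            return False, "denied: " + ", ".join(describe_mask(remaining & ace_mask))
        if ace_type == "allow":
            remaining &= ~ace_mask
    if remaining:
        return False, "not granted: " + ", ".join(describe_mask(remaining))
    return True, "granted"


# Constructed sample: a directory whose DACL grants Everyone full control,
# with a deny ACE in front of it (where AddAccessDeniedAce places it).
EVERYONE = "S-1-1-0"
TOKEN = {EVERYONE}
LIST_REQUEST = SYNCHRONIZE | FILE_LIST_DIRECTORY   # what FindFirstFile asks for
CREATE_REQUEST = SYNCHRONIZE | FILE_ADD_FILE       # creating a file in the directory

# The original post's deny: an unmapped generic right.
DACL_DENY_GENERIC = [("deny", EVERYONE, GENERIC_WRITE),
                     ("allow", EVERYONE, FILE_ALL_ACCESS)]
# The suggested fix: keep only the object-specific bits of FILE_GENERIC_WRITE.
DACL_DENY_SPECIFIC = [("deny", EVERYONE, FILE_GENERIC_WRITE & SPECIFIC_RIGHTS_ALL),
                      ("allow", EVERYONE, FILE_ALL_ACCESS)]


def compare_denies():
    """Evaluate both DACLs against a listing request and a file-creation request."""
    return {"generic_deny_list": access_check(DACL_DENY_GENERIC, TOKEN, LIST_REQUEST),
            "specific_deny_list": access_check(DACL_DENY_SPECIFIC, TOKEN, LIST_REQUEST),
            "generic_deny_create": access_check(DACL_DENY_GENERIC, TOKEN, CREATE_REQUEST),
            "specific_deny_create": access_check(DACL_DENY_SPECIFIC, TOKEN, CREATE_REQUEST)}


if __name__ == "__main__":
    print("GENERIC_WRITE ->", hex(map_generic_mask(GENERIC_WRITE)))
    for name, result in compare_denies().items():
        print(name, result)
```

Running it shows the unmasked deny rejecting a plain directory listing because the mapped mask contains SYNCHRONIZE, while the masked deny lets the listing through and still rejects file creation; the same `& SPECIFIC_RIGHTS_ALL` idea is what stripping READ_CONTROL and SYNCHRONIZE by hand achieves.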

Re: [python-win32] File access entries are incorrectly set

2016-09-20 Thread Christopher Nilsson
Awesome detail. Thanks eryk.

On Tue, 20 Sep 2016, 6:13 PM eryk sun  wrote:

> On Mon, Sep 19, 2016 at 10:21 PM, Christopher Nilsson 
> wrote:
> >
> > That doesn't seem like a bug to me. GENERIC_WRITE represents several
> > permissions mashed together, including FILE_WRITE and read control.
> >
> > Perhaps try with just FILE_WRITE on its own?
>
> For a file or directory, GENERIC_WRITE (0x8000) gets mapped to
> FILE_GENERIC_WRITE, which includes the following standard rights
> (upper 16 bits):
>
> SYNCHRONIZE  = 0x0010
> READ_CONTROL = 0x0002
>
> and File-object specific rights (lower 16 bits):
>
> FILE_WRITE_ATTRIBUTES = 0x0100
> FILE_WRITE_EA = 0x0010
> FILE_APPEND_DATA  = 0x0004
> FILE_WRITE_DATA   = 0x0002
>
> The relevant access right that's being denied in this case is SYNCHRONIZE.
>
> For example, SetCurrentDirectory uses a synchronous directory handle,
> i.e. it calls NtOpenFile with desired access SYNCHRONIZE |
> FILE_TRAVERSE and open option FILE_SYNCHRONOUS_IO_NONALERT. Similarly,
> for listing a directory, FindFirstFile uses a synchronous handle with
> SYNCHRONIZE | FILE_LIST_DIRECTORY access.
>
> The open option FILE_SYNCHRONOUS_IO_NONALERT is defined as follows:
>
> All operations on the file are performed synchronously.
> Waits in the system that synchronize I/O queuing and
> completion are not subject to alerts. This flag also
> causes the I/O system to maintain the file-position
> context. If this flag is set, the SYNCHRONIZE flag must
> be set in the DesiredAccess parameter.
>
> For example, when FindFirstFile calls NtQueryDirectoryFile
> (FileBothDirectoryInformation) to list the directory, the system call
> sees the handle is opened for synchronous access, so it waits to
> acquire the File object's Lock before calling the filesystem driver
> (e.g. NTFS). Then it waits again to complete the request.
> ___
> python-win32 mailing list
> python-win32@python.org
> https://mail.python.org/mailman/listinfo/python-win32
>


Re: [python-win32] File access entries are incorrectly set

2016-09-20 Thread eryk sun
On Mon, Sep 19, 2016 at 10:21 PM, Christopher Nilsson  wrote:
>
> That doesn't seem like a bug to me. GENERIC_WRITE represents several
> permissions mashed together, including FILE_WRITE and read control.
>
> Perhaps try with just FILE_WRITE on its own?

For a file or directory, GENERIC_WRITE (0x8000) gets mapped to
FILE_GENERIC_WRITE, which includes the following standard rights
(upper 16 bits):

SYNCHRONIZE  = 0x0010
READ_CONTROL = 0x0002

and File-object specific rights (lower 16 bits):

FILE_WRITE_ATTRIBUTES = 0x0100
FILE_WRITE_EA = 0x0010
FILE_APPEND_DATA  = 0x0004
FILE_WRITE_DATA   = 0x0002

The relevant access right that's being denied in this case is SYNCHRONIZE.

For example, SetCurrentDirectory uses a synchronous directory handle,
i.e. it calls NtOpenFile with desired access SYNCHRONIZE |
FILE_TRAVERSE and open option FILE_SYNCHRONOUS_IO_NONALERT. Similarly,
for listing a directory, FindFirstFile uses a synchronous handle with
SYNCHRONIZE | FILE_LIST_DIRECTORY access.

The open option FILE_SYNCHRONOUS_IO_NONALERT is defined as follows:

All operations on the file are performed synchronously.
Waits in the system that synchronize I/O queuing and
completion are not subject to alerts. This flag also
causes the I/O system to maintain the file-position
context. If this flag is set, the SYNCHRONIZE flag must
be set in the DesiredAccess parameter.

For example, when FindFirstFile calls NtQueryDirectoryFile
(FileBothDirectoryInformation) to list the directory, the system call
sees the handle is opened for synchronous access, so it waits to
acquire the File object's Lock before calling the filesystem driver
(e.g. NTFS). Then it waits again to complete the request.


Re: [python-win32] File access entries are incorrectly set

2016-09-20 Thread Goku Balu
Hi Christopher,

Thanks for responding. Forgot to mention that I did test this with
FILE_GENERIC_WRITE also but the result is the same. If this
is applied on a folder it leaves the folder unopenable. If it's applied on
a file(say a.txt file), Notepad shows warning informing "Access Denied" but
can be edited and can be saved in a different location.

FYI I'm using Python 3.2 with Pywin32 ver 219.

Thanks,
Jeba

On Tue, Sep 20, 2016 at 3:51 AM, Christopher Nilsson 
wrote:

> Hi Goku,
>
> That doesn't seem like a bug to me. GENERIC_WRITE represents several
> permissions mashed together, including FILE_WRITE and read control.
>
> Perhaps try with just FILE_WRITE on its own?
>
> On Tue, 20 Sep 2016, 8:03 AM Goku Balu  wrote:
>
>> If I deny GENERIC_WRITE it denies Rc as well (Rc - Read Control). I can't
>> even open the folder in explorer. Here is the sample code. Is this a bug?
>>
>> import win32security, win32api, win32con
>> import ntsecuritycon as con
>> import os
>>
>> def show_cacls(filename):
>>     for line in os.popen("Icacls %s" % filename).read().splitlines():
>>         print(line)
>>
>> def denyWrite():
>>     everyone, everyone_domain, everyone_type = \
>>         win32security.LookupAccountName("", "Everyone")
>>     print(everyone, everyone_domain, everyone_type)
>>
>>     sd = win32security.GetFileSecurity(FILENAME,
>>                                        win32security.DACL_SECURITY_INFORMATION)
>>     dacl = sd.GetSecurityDescriptorDacl()
>>
>>     masks = con.GENERIC_WRITE
>>     dacl.AddAccessDeniedAce(win32security.ACL_REVISION_DS, masks, everyone)
>>     sd.SetSecurityDescriptorDacl(1, dacl, 0)   # may not be necessary
>>     win32security.SetFileSecurity(FILENAME,
>>                                   win32security.DACL_SECURITY_INFORMATION, sd)
>>     show_cacls(FILENAME)
>>
>>
>> try:
>>     FILENAME = "D:\\test"
>>     denyWrite()
>> except Exception as exc:   # except clause not in the posted snippet; added so it runs
>>     print(exc)
>>
>>
>> Any help regarding this would be welcomed. Thanks


Re: [python-win32] File access entries are incorrectly set

2016-09-20 Thread Christopher Nilsson
I think file_generic_write will have the same problem.

You may want to check out:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx

Note they explicitly say you can't deny generic_write without causing
problems.

Blocking access like this can get pretty fiddly. I can only suggest
starting by blocking the bare minimum that you can.  Check those consts on
msdn & avoid the generic ones.

On Tue, 20 Sep 2016, 4:42 PM Goku Balu  wrote:

> Hi Christopher,
>
> Thanks for responding. Forgot to mention that I did test this with
> FILE_GENERIC_WRITE also but the result is the same. If this
> is applied on a folder it leaves the folder unopenable. If it's applied on
> a file(say a.txt file), Notepad shows warning informing "Access Denied" but
> can be edited and can be saved in a different location.
>
> FYI I'm using Python 3.2 with Pywin32 ver 219.
>
> Thanks,
> Jeba
>
> On Tue, Sep 20, 2016 at 3:51 AM, Christopher Nilsson 
> wrote:
>
>> Hi Goku,
>>
>> That doesn't seem like a bug to me. GENERIC_WRITE represents several
>> permissions mashed together, including FILE_WRITE and read control.
>>
>> Perhaps try with just FILE_WRITE on its own?
>>
>> On Tue, 20 Sep 2016, 8:03 AM Goku Balu 
>> wrote:
>>
>>> If I deny GENERIC_WRITE it denies Rc as well (Rc - Read Control). I
>>> can't even open the folder in explorer. Here is the sample code. Is this a
>>> bug?
>>>
>>> import win32security, win32api, win32con
>>> import ntsecuritycon as con
>>> import os
>>>
>>> def show_cacls(filename):
>>>     for line in os.popen("Icacls %s" % filename).read().splitlines():
>>>         print(line)
>>>
>>> def denyWrite():
>>>     everyone, everyone_domain, everyone_type = \
>>>         win32security.LookupAccountName("", "Everyone")
>>>     print(everyone, everyone_domain, everyone_type)
>>>
>>>     sd = win32security.GetFileSecurity(FILENAME,
>>>                                        win32security.DACL_SECURITY_INFORMATION)
>>>     dacl = sd.GetSecurityDescriptorDacl()
>>>
>>>     masks = con.GENERIC_WRITE
>>>     dacl.AddAccessDeniedAce(win32security.ACL_REVISION_DS, masks, everyone)
>>>     sd.SetSecurityDescriptorDacl(1, dacl, 0)   # may not be necessary
>>>     win32security.SetFileSecurity(FILENAME,
>>>                                   win32security.DACL_SECURITY_INFORMATION, sd)
>>>     show_cacls(FILENAME)
>>>
>>>
>>> try:
>>>     FILENAME = "D:\\test"
>>>     denyWrite()
>>> except Exception as exc:   # except clause not in the posted snippet; added so it runs
>>>     print(exc)
>>>
>>>
>>> Any help regarding this would be welcomed. Thanks


Re: [python-win32] File access entries are incorrectly set

2016-09-19 Thread Christopher Nilsson
Hi Goku,

That doesn't seem like a bug to me. GENERIC_WRITE represents several
permissions mashed together, including FILE_WRITE and read control.

Perhaps try with just FILE_WRITE on its own?

On Tue, 20 Sep 2016, 8:03 AM Goku Balu  wrote:

> If I deny GENERIC_WRITE it denies Rc as well (Rc - Read Control). I can't
> even open the folder in explorer. Here is the sample code. Is this a bug?
>
> import win32security, win32api, win32con
> import ntsecuritycon as con
> import os
>
> def show_cacls(filename):
>     for line in os.popen("Icacls %s" % filename).read().splitlines():
>         print(line)
>
> def denyWrite():
>     everyone, everyone_domain, everyone_type = \
>         win32security.LookupAccountName("", "Everyone")
>     print(everyone, everyone_domain, everyone_type)
>
>     sd = win32security.GetFileSecurity(FILENAME,
>                                        win32security.DACL_SECURITY_INFORMATION)
>     dacl = sd.GetSecurityDescriptorDacl()
>
>     masks = con.GENERIC_WRITE
>     dacl.AddAccessDeniedAce(win32security.ACL_REVISION_DS, masks, everyone)
>     sd.SetSecurityDescriptorDacl(1, dacl, 0)   # may not be necessary
>     win32security.SetFileSecurity(FILENAME,
>                                   win32security.DACL_SECURITY_INFORMATION, sd)
>     show_cacls(FILENAME)
>
>
> try:
>     FILENAME = "D:\\test"
>     denyWrite()
> except Exception as exc:   # except clause not in the posted snippet; added so it runs
>     print(exc)
>
>
> Any help regarding this would be welcomed. Thanks


[python-win32] File access entries are incorrectly set

2016-09-19 Thread Goku Balu
If I deny GENERIC_WRITE it denies Rc as well (Rc - Read Control). I can't
even open the folder in explorer. Here is the sample code. Is this a bug?

import win32security, win32api, win32con
import ntsecuritycon as con
import os

def show_cacls(filename):
    for line in os.popen("Icacls %s" % filename).read().splitlines():
        print(line)

def denyWrite():
    everyone, everyone_domain, everyone_type = \
        win32security.LookupAccountName("", "Everyone")
    print(everyone, everyone_domain, everyone_type)

    sd = win32security.GetFileSecurity(FILENAME,
                                       win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()

    masks = con.GENERIC_WRITE
    dacl.AddAccessDeniedAce(win32security.ACL_REVISION_DS, masks, everyone)
    sd.SetSecurityDescriptorDacl(1, dacl, 0)   # may not be necessary
    win32security.SetFileSecurity(FILENAME,
                                  win32security.DACL_SECURITY_INFORMATION, sd)
    show_cacls(FILENAME)


try:
    FILENAME = "D:\\test"
    denyWrite()
except Exception as exc:   # except clause not in the posted snippet; added so it runs
    print(exc)


Any help regarding this would be welcomed. Thanks