I have used the following to grant access to a file. Courtesy of kindall
https://stackoverflow.com/a/12168268/740899
> import win32security
> import ntsecuritycon as con
>
> FILENAME = "whatever"
>
> userx, domain, type = win32security.LookupAccountName ("", "User X")
>
> sd = win32security.GetFileSecurity(FILENAME, win32security.DACL_SECURITY_INFORMATION)
> dacl = sd.GetSecurityDescriptorDacl() # instead of dacl = win32security.ACL()
>
> dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_GENERIC_READ | con.FILE_GENERIC_WRITE, userx)
>
> sd.SetSecurityDescriptorDacl(1, dacl, 0) # may not be necessary
> win32security.SetFileSecurity(FILENAME, win32security.DACL_SECURITY_INFORMATION, sd)
但是,访问权限必须是临时的。所以我使用dacl.AddAccessDeniedAce
代替上面显示的dacl.AddAccessAllowedAce
。但是,这会产生不良行为,因为我的用户将来需要再次进行临时访问。运行AddAccessDeniedAce
然后重新运行AddAccessAllowedAce
后,拒绝的控件仍然存在,我的用户仍然无法访问该文件。当用户不再需要访问权限时,我想完全删除它们。这可以通过Windows资源管理器中的属性菜单完成:
我无法找到支持此类任务的文档。有没有人知道如何通过操纵dacl来做到这一点?或者我是否必须通过Windows界面手动执行此操作?
答案 0 :(得分:0)
在此处找到解决方案:http://voices.canonical.com/tag/windows/
我不得不稍微调整一下,但它正在发挥作用。呼!
def remove_ace(path,usernames):
"""Remove the ace for the given users."""
if not os.path.exists(path):
raise WindowsError('Path %s could not be found.' % path)
total = 0
for x in usernames:
userx, domain, utype = win32security.LookupAccountName("", x)
sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl()
num_delete = 0
for index in range(0, dacl.GetAceCount()):
ace = dacl.GetAce(index - num_delete)
if userx == ace[2]:
dacl.DeleteAce(index - num_delete)
num_delete += 1
total += 1
if num_delete > 0:
sd.SetSecurityDescriptorDacl(1, dacl, 0)
win32security.SetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION, sd)
if total > 0:
return True