使用Python在Windows上获取目录所有权导致"访问被拒绝"错误

时间:2016-12-10 23:06:40

标签: python windows security file-permissions ownership

我尝试使用以下代码获取目录的所有权:

sd = win32security.SECURITY_DESCRIPTOR()
sd.SetSecurityDescriptorOwner(curUser, False)
win32security.SetFileSecurity("C:/ProgramData/Test", 
    win32security.OWNER_SECURITY_INFORMATION, sd)

SetFileSecurity调用失败,其中"访问被拒绝"错误。

已从此目录中删除当前用户的访问权限。在Explorer中我可以看到它,但是当我尝试打开它时,我首先必须以管理员身份获得所有权。这在资源管理器中有效,但上面的代码是使用提升的权限执行的,并且由于某种原因它仍然失败。有什么建议吗?

2 个答案:

答案 0 :(得分:1)

您可以通过启用SeTakeOwnerShipPrivilege来强制取得所有权,但当然只有当您的访问令牌具有此权限时(例如,提升的管理员)。此外,您可以通过启用SYSTEM将所有权强制分配给其他安全主体,例如SeRestorePrivilege。如果没有后者,分配可能会失败,错误代码为ERROR_INVALID_OWNER

以下set_file_owner函数有一个force选项,试图暂时启用这两种权限。

import win32api
import win32security

def set_file_owner(path, sid=None, force=False):
    try:
        hToken = win32security.OpenThreadToken(win32api.GetCurrentThread(),
                    win32security.TOKEN_ALL_ACCESS, True)
    except win32security.error:
        hToken = win32security.OpenProcessToken(win32api.GetCurrentProcess(),
                    win32security.TOKEN_ALL_ACCESS)
    if sid is None:
        sid = win32security.GetTokenInformation(hToken,
                win32security.TokenOwner)
    prev_state = ()
    if force:
        new_state = [(win32security.LookupPrivilegeValue(None, name),
                      win32security.SE_PRIVILEGE_ENABLED)
                        for name in (win32security.SE_TAKE_OWNERSHIP_NAME,
                                     win32security.SE_RESTORE_NAME)]
        prev_state = win32security.AdjustTokenPrivileges(hToken, False,
                        new_state)
    try:
        sd = win32security.SECURITY_DESCRIPTOR()
        sd.SetSecurityDescriptorOwner(sid, False)
        win32security.SetFileSecurity(path, 
            win32security.OWNER_SECURITY_INFORMATION, sd)
    finally:
        if prev_state:
            win32security.AdjustTokenPrivileges(hToken, False, prev_state)

def get_file_owner(path):
    sd = win32security.GetFileSecurity(path,
            win32security.OWNER_SECURITY_INFORMATION)
    sid = sd.GetSecurityDescriptorOwner()
    return win32security.LookupAccountSid(None, sid)

示例 

if __name__ == '__main__':
    import os
    import tempfile
    import subprocess

    username = os.environ['UserName']
    test_path = tempfile.mkdtemp()
    print('Test path: {}'.format(test_path))
    subprocess.call(['icacls.exe', test_path, '/setowner', 'SYSTEM'],
                     creationflags=8)
    owner = get_file_owner(test_path)
    print('Initial owner: {}\\{}'.format(owner[1], owner[0]))
    try:
        print('Denying write owner access')
        subprocess.call(['icacls.exe', test_path, '/deny',
                         '{}:(WO)'.format(username)], creationflags=8)
        try:
            set_file_owner(test_path)
        except win32security.error:
            print('Trying with force=True')
            try:
                set_file_owner(test_path, force=True)
            except win32security.error:
                pass
    finally:
        owner = get_file_owner(test_path)
        print('Final owner: {}\\{}'.format(owner[1], owner[0]))
        os.rmdir(test_path)

<强>输出 

Test path: C:\Users\eryksun\AppData\Local\Temp\tmpizgemrdz
Initial owner: NT AUTHORITY\SYSTEM
Denying write owner access
Trying with force=True
Final owner: BUILTIN\Administrators

答案 1 :(得分:0)

我基于Eryk的工作,在Windows下为NTFS文件制作了完整的递归ACL和onwership处理路由: https://stackoverflow.com/a/61041460/2635443

相关问题
最新问题