def updateACL(handle, acl): # Create a new security descriptor for handle and set its DACL. new_security_desc = win32security.SECURITY_DESCRIPTOR() new_security_desc.SetSecurityDescriptorDacl(True, acl, False) # Set the new security descriptor for winsta. win32security.SetUserObjectSecurity(handle, win32con.DACL_SECURITY_INFORMATION, new_security_desc)
def set_user_perm(obj, perm, sid): ''' Set an object permission for the given user sid ''' info = (win32security.OWNER_SECURITY_INFORMATION | win32security.GROUP_SECURITY_INFORMATION | win32security.DACL_SECURITY_INFORMATION) sd = win32security.GetUserObjectSecurity(obj, info) dacl = sd.GetSecurityDescriptorDacl() ace_cnt = dacl.GetAceCount() found = False for idx in range(0, ace_cnt): (aceType, aceFlags), ace_mask, ace_sid = dacl.GetAce(idx) ace_exists = (aceType == ntsecuritycon.ACCESS_ALLOWED_ACE_TYPE and ace_mask == perm and ace_sid == sid) if ace_exists: # If the ace already exists, do nothing break else: dacl.AddAccessAllowedAce(dacl.GetAclRevision(), perm, sid) sd.SetSecurityDescriptorDacl(1, dacl, 0) win32security.SetUserObjectSecurity(obj, info, sd)
win32security.DACL_SECURITY_INFORMATION|win32security.SACL_SECURITY_INFORMATION info = win32security.OWNER_SECURITY_INFORMATION | win32security.GROUP_SECURITY_INFORMATION | win32security.DACL_SECURITY_INFORMATION ph = win32process.GetCurrentProcess() th = win32security.OpenProcessToken( ph, win32security.TOKEN_ALL_ACCESS) ##win32con.TOKEN_ADJUST_PRIVILEGES) win32security.AdjustTokenPrivileges(th, 0, new_privs) my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0] pwr_sid = win32security.LookupAccountName('', 'Power Users')[0] h = win32process.GetProcessWindowStation() sd = win32security.GetUserObjectSecurity(h, info) dacl = sd.GetSecurityDescriptorDacl() ace_cnt = dacl.GetAceCount() dacl.AddAccessAllowedAce(dacl.GetAclRevision(), win32con.ACCESS_SYSTEM_SECURITY | win32con.WRITE_DAC, my_sid) sd.SetSecurityDescriptorDacl(1, dacl, 0) sd.SetSecurityDescriptorGroup(pwr_sid, 0) sd.SetSecurityDescriptorOwner(pwr_sid, 0) win32security.SetUserObjectSecurity(h, info, sd) new_sd = win32security.GetUserObjectSecurity(h, info) assert new_sd.GetSecurityDescriptorDacl().GetAceCount( ) == ace_cnt + 1, 'Did not add an ace to the Dacl !!!!!!' assert win32security.LookupAccountSid('', new_sd.GetSecurityDescriptorOwner( ))[0] == 'Power Users', 'Owner not successfully set to Power Users !!!!!' assert win32security.LookupAccountSid('', new_sd.GetSecurityDescriptorGroup( ))[0] == 'Power Users', 'Group not successfully set to Power Users !!!!!'