def set_file_readable(filename): import win32api import win32security import ntsecuritycon as con WinBuiltinUsersSid = 27 # not exported by win32security. according to WELL_KNOWN_SID_TYPE enumeration from http://msdn.microsoft.com/en-us/library/windows/desktop/aa379650%28v=vs.85%29.aspx users = win32security.CreateWellKnownSid(WinBuiltinUsersSid) WinBuiltinAdministratorsSid = 26 # not exported by win32security. according to WELL_KNOWN_SID_TYPE enumeration from http://msdn.microsoft.com/en-us/library/windows/desktop/aa379650%28v=vs.85%29.aspx admins = win32security.CreateWellKnownSid(WinBuiltinAdministratorsSid) user, domain, type = win32security.LookupAccountName( "", win32api.GetUserName()) sd = win32security.GetFileSecurity(filename, win32security.DACL_SECURITY_INFORMATION) dacl = win32security.ACL() dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS, users) dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS, user) dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS, admins) sd.SetSecurityDescriptorDacl(1, dacl, 0) win32security.SetFileSecurity(filename, win32security.DACL_SECURITY_INFORMATION, sd)
def win32_restrict_file_to_user(fname): """Secure a windows file to read-only access for the user. Follows guidance from win32 library creator: http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html This method should be executed against an already generated file which has no secrets written to it yet. Parameters ---------- fname : unicode The path to the file to secure """ import win32api import win32security import ntsecuritycon as con # everyone, _domain, _type = win32security.LookupAccountName("", "Everyone") admins = win32security.CreateWellKnownSid(win32security.WinBuiltinAdministratorsSid) user, _domain, _type = win32security.LookupAccountName("", win32api.GetUserName()) sd = win32security.GetFileSecurity(fname, win32security.DACL_SECURITY_INFORMATION) dacl = win32security.ACL() # dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS, everyone) dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_GENERIC_READ | con.FILE_GENERIC_WRITE, user) dacl.AddAccessAllowedAce(win32security.ACL_REVISION, con.FILE_ALL_ACCESS, admins) sd.SetSecurityDescriptorDacl(1, dacl, 0) win32security.SetFileSecurity(fname, win32security.DACL_SECURITY_INFORMATION, sd)
def removeReadOnlyAccess(path=None): try: if os.path.exists(path): everyone = win32security.CreateWellKnownSid( win32security.WinWorldSid) #Delete ace sd = win32security.GetNamedSecurityInfo( path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION) dacl = sd.GetSecurityDescriptorDacl( ) # instead of dacl = win32security.ACL() #print("Ace count=",dacl.GetAceCount()) num_delete = 0 for index in range(0, dacl.GetAceCount()): ace = dacl.GetAce(index) for index in range(0, dacl.GetAceCount()): ace = dacl.GetAce(index - num_delete) if ace[2] == everyone: dacl.DeleteAce(index - num_delete) num_delete += 1 sd.SetSecurityDescriptorDacl(1, dacl, 0) win32security.SetNamedSecurityInfo( path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION, None, None, dacl, None) except Exception as err: print("exeption {}".format(str(err)))
def is_root(): """Gets whether the current user is root""" if os.name == 'nt': sid = win32security.CreateWellKnownSid(win32security.WinLocalSystemSid, None) return win32security.CheckTokenMembership(None, sid) else: return os.geteuid() == 0
def is_user_admin(): # import ctypes # return ctypes.windll.shell32.IsUserAnAdmin() != 0 import win32security WinBuiltinAdministratorsSid = 26 # not exported by win32security. according to WELL_KNOWN_SID_TYPE enumeration from http://msdn.microsoft.com/en-us/library/windows/desktop/aa379650%28v=vs.85%29.aspx admins = win32security.CreateWellKnownSid(WinBuiltinAdministratorsSid) return win32security.CheckTokenMembership(None, admins)
def is_admin(): """@return: True if the current user is an 'Admin' whatever that means (root on Unix), otherwise False. Warning: The inner function fails unless you have Windows XP SP2 or higher. The failure causes a traceback to be printed and this function to return False. """ import win32security # WARNING: requires Windows XP SP2 or higher! try: adminSid = win32security.CreateWellKnownSid( win32security.WinBuiltinAdministratorsSid, None) return win32security.CheckTokenMembership(None, adminSid) except: traceback.print_exc() print("Admin check failed, assuming not an admin.") return False
def isUserAdmin(): if os.name == 'nt': import ctypes import win32security # WARNING: requires Windows XP SP2 or higher! try: adminSid = win32security.CreateWellKnownSid( win32security.WinBuiltinAdministratorsSid, None) return win32security.CheckTokenMembership(None, adminSid) #return ctypes.windll.shell32.IsUserAnAdmin() except: traceback.print_exc() print("Admin check failed, assuming not an admin.") return False elif os.name == 'posix': # Check for root on Posix return os.getuid() == 0 else: raise RuntimeError("Unsupported operating system for this module: %s" % (os.name, ))
def __init__(self, WnfName=0): # generic stuff self.StateName = ctypes.c_ulonglong(0) self.internalName = WNF_STATE_NAME_INTERNAL() self.verbose = True if WnfName != 0: self.SetStateName(WnfName) # callback for the listener self.callback_type = ctypes.CFUNCTYPE(ctypes.c_ulonglong, ctypes.c_ulonglong, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong) self.callback = self.callback_type(self.NotifyCallback) # security descriptor used for creating the server part everyoneSid = win32security.CreateWellKnownSid(1, None) acl = win32security.ACL() acl.AddAccessAllowedAce(win32security.ACL_REVISION, GENERIC_ALL, everyoneSid) pySd = win32security.SECURITY_DESCRIPTOR() pySd.SetSecurityDescriptorDacl(True, acl, False) self.rawSd = ctypes.create_string_buffer(memoryview(pySd).tobytes())
def _server_pipe_handle(self, first): # Return a wrapper for a new pipe handle. try: if self.closed(): return None except AttributeError: if self._address is None: return None # Create a new SECURITY_ATTRIBUTES object to open up write permissions to non-elevated clients. # Get the SID of this process' owner to add to the new DACL owner_sid = win32security.GetTokenInformation( win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32security.TOKEN_QUERY), win32security.TokenOwner) # Build the new ACL -- SYSTEM, built-in Administrators and the Owner get full control (like default) acl = win32security.ACL() # Default buffer size of 64 OK acl.AddAccessAllowedAce( win32file.FILE_ALL_ACCESS, win32security.CreateWellKnownSid(win32security.WinLocalSystemSid)) acl.AddAccessAllowedAce( win32file.FILE_ALL_ACCESS, win32security.CreateWellKnownSid( win32security.WinBuiltinAdministratorsSid)) acl.AddAccessAllowedAce(win32file.FILE_ALL_ACCESS, owner_sid) # Allow all Users to both Read and Write to the pipe: # See http://stackoverflow.com/questions/29947524/c-let-user-process-write-to-local-system-named-pipe-custom-security-descrip acl.AddAccessAllowedAce( ntsecuritycon.FILE_GENERIC_READ | ntsecuritycon.FILE_WRITE_DATA, win32security.CreateWellKnownSid(win32security.WinBuiltinUsersSid)) # Construct new SECUIRTY_ATTRIBUTES AND SECURITY_DESCRIPTOR objects new_sa = win32security.SECURITY_ATTRIBUTES() new_sd = win32security.SECURITY_DESCRIPTOR() # Add the ACL to the SECURITY_DESCRIPTOR: new_sd.SetDacl(True, acl, False) # Add the SECURITY_DESCRIPTOR to the SECURITY_ATTRIBUTES object and set the Inheritance flag new_sa.SECURITY_DESCRIPTOR = new_sd new_sa.bInheritHandle = False PIPE_REJECT_REMOTE_CLIENTS = 0x8 flags = _winapi.PIPE_ACCESS_DUPLEX | _winapi.FILE_FLAG_OVERLAPPED if first: flags |= _winapi.FILE_FLAG_FIRST_PIPE_INSTANCE py_pipe = win32pipe.CreateNamedPipe( self._address, flags, win32pipe.PIPE_TYPE_MESSAGE | win32pipe.PIPE_READMODE_MESSAGE | win32pipe.PIPE_WAIT | PIPE_REJECT_REMOTE_CLIENTS, win32pipe.PIPE_UNLIMITED_INSTANCES, windows_utils.BUFSIZE, windows_utils.BUFSIZE, win32pipe.NMPWAIT_WAIT_FOREVER, new_sa) # Extract the handle number from the PyHandle Object and pass it the Aysncio PipeHandle constructor pipe = windows_utils.PipeHandle(py_pipe.handle) # IMPORTANT: Detach the handle from the PyHandle object so it is not auto-closed when py_pipe is destroyed! py_pipe.Detach() self._free_instances.add(pipe) return pipe