[英]How can I get effective file permissions?
I'm trying to get file effective permissions . 我正在尝试获取文件有效权限 。 What is the best way to do that? 最好的方法是什么?
I'm trying to use win32security
but GetEffectiveRightsFromAcl(trustee)
function needs the PyTRUSTEE
parameter. 我正在尝试使用win32security
但GetEffectiveRightsFromAcl(trustee)
函数需要PyTRUSTEE
参数。 And I don't know how to set it correctly. 而且我不知道如何正确设置它。
As a result, I need to get the same permissions as with Get-EffectiveAccess calling in PowerShell. 结果,我需要获得与在PowerShell中调用Get-EffectiveAccess相同的权限。
We were tried to use Authz.h
but in that case we got the Audit failure in Windows Event Viewer. 我们尝试使用Authz.h
但是在那种情况下,我们在Windows Event Viewer中遇到了Audit失败。
We also tried to use GetEffectiveRightsFromAcl
from Aclapi.h
but it can become a reason of server hangup in case when we have a lot of files. 我们还尝试使用Aclapi.h
GetEffectiveRightsFromAcl
,但是如果我们有很多文件,这可能会成为服务器挂起的原因。
python: 蟒蛇:
dacl = win32security.GetNamedSecurityInfo( FILENAME,
win32security.SE_FILE_OBJECT,
win32security.DACL_SECURITY_INFORMATION).GetSecurityDescriptorDacl()
mask = dacl.GetEffectiveRightsFromAcl( ??? )
Authz.h : Authz.h :
AuthzInitializeResourceManager(AUTHZ_RM_FLAG_NO_AUDIT, NULL, NULL, NULL, NULL, &hManager);
AuthzInitializeContextFromSid(0, psid, hManager, NULL, unusedId, NULL, &hAuthzClientContext);
AuthzFreeResourceManager(hManager);
accessRequest->DesiredAccess = MAXIMUM_ALLOWED;
accessRequest->PrincipalSelfSid = NULL;
accessRequest->ObjectTypeList = NULL;
accessRequest->ObjectTypeListLength = 0;
accessRequest->OptionalArguments = NULL;
RtlZeroMemory(Buffer, sizeof(Buffer));
accessReply->ResultListLength = 1;
accessReply->GrantedAccessMask = (PACCESS_MASK)LocalAlloc(LPTR, sizeof(ACCESS_MASK));
accessReply->Error = (PDWORD)(Buffer + sizeof(ACCESS_MASK));
AuthzAccessCheck(0, hAuthzClient, accessRequest, NULL, psd, NULL, 0, accessReply, NULL)
Aclapi.h 阿克拉皮
ACCESS_MASK accessRights;
TRUSTEE trustee;
BuildTrusteeWithName(&trustee, trav->user);
retcode = GetEffectiveRightsFromAcl( acl,&trustee,&accessRights);
I'm need to get something like that: 我需要得到这样的东西:
FILE_READ_DATA FILE_READ_DATA
FILE_WRITE_DATA FILE_WRITE_DATA
FILE_APPEND_DATA FILE_APPEND_DATA
FILE_READ_EA FILE_READ_EA
FILE_WRITE_EA FILE_WRITE_EA
FILE_EXECUTE FILE_EXECUTE
FILE_DELETE_CHILD FILE_DELETE_CHILD
FILE_READ_ATTRIBUTE FILE_READ_ATTRIBUTE
FILE_WRITE_ATTRIBUTE FILE_WRITE_ATTRIBUTE
DELETE 删除
READ_CONTROL READ_CONTROL
WRITE_DAC WRITE_DAC
WRITE_OWNER WRITE_OWNER
SYNCHRONIZE 同步
I got some result using @eryksun help. 使用@eryksun帮助我得到了一些结果。 Thanks. 谢谢。 Also I found this useful example . 我也发现了这个有用的例子 。
def print_permissions(mask):
print("PERMISSION:",
1 if bool(mask & 0x00000001) else 0,
1 if bool(mask & 0x00000002) else 0,
1 if bool(mask & 0x00000004) else 0,
1 if bool(mask & 0x00000008) else 0,
1 if bool(mask & 0x00000010) else 0,
1 if bool(mask & 0x00000020) else 0,
1 if bool(mask & 0x00000040) else 0,
1 if bool(mask & 0x00000080) else 0,
1 if bool(mask & 0x00000100) else 0,
1 if bool(mask & 0x00010000) else 0,
1 if bool(mask & 0x00020000) else 0,
1 if bool(mask & 0x00040000) else 0,
1 if bool(mask & 0x00080000) else 0,
1 if bool(mask & 0x00100000) else 0)
def get_permissions(dacl):
for n_ace in range(dacl.GetAceCount()):
ace = dacl.GetAce(n_ace)
(ace_type, ace_flags) = ace[0]
if ace_type in CONVENTIONAL_ACES:
mask, sid = ace[1:]
else:
mask, object_type, inherited_object_type, sid = ace[1:]
name, domain, type = win32security.LookupAccountSid(None, sid)
print("\nUSER:", name)
print_permissions(mask)
for f in files:
try:
dacl = win32security.GetNamedSecurityInfo(
f,
win32security.SE_FILE_OBJECT,
win32security.DACL_SECURITY_INFORMATION).GetSecurityDescriptorDacl()
except BaseException as ex:
winerror, funcname, strerror = ex.args
print("Error: ", winerror,"\n")
else:
get_permissions(dacl)
I don't use GetEffectiveRightsFromAcl
because it's contained in the ace. 我不使用GetEffectiveRightsFromAcl
因为它包含在ace中。
When I tried to create a token with Privilege Constants I also got the same Audit Failure
(in System Account case). 当我尝试使用权限常量创建令牌时,我也遇到了相同的Audit Failure
(在系统帐户的情况下)。 So I didn't found any result that will work without Audit Faulire
in both cases (System Account and Administrator) (except PowerShell). 因此,在这两种情况下(系统帐户和管理员)(PowerShell除外),我都没有找到没有Audit Faulire
任何结果都找不到。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.