CreateFileW for READ_CONTROL fails with "Access is denied" despite being owner of the file
On Windows, even when the discretionary ACL (DACL) is empty, i.e. nobody has any permissions on the file, the owner of the file can still read and write the DACL (READ_CONTROL and WRITE_DAC access).

So I tried the following: open a handle to the file for READ_CONTROL, then call GetSecurityInfo on that handle to get the security descriptor. However, obtaining the handle with CreateFileW fails with an "Access is denied" error. Surprisingly, GetFileSecurity, which is the equivalent of GetSecurityInfo for files, works fine. According to the documentation, GetFileSecurity requires READ_CONTROL access.

Why does CreateFileW fail in the following example?
import sys
import win32security
import win32con
import win32file
import ntsecuritycon
import os

path = sys.argv[1]
with open(path, "w"):
    pass  # I am the owner of the file

print("Set empty ACL")
sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
dacl = win32security.ACL()  # a present but empty DACL: nobody is granted anything
sd.SetSecurityDescriptorDacl(1, dacl, 0)
win32security.SetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION, sd)

try:
    print("Ensure that ACL is empty with GetFileSecurity")
    sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    assert 0 == dacl.GetAceCount()

    print("Try to ensure that ACL is empty using handle")
    handle = win32file.CreateFileW(
        path,
        ntsecuritycon.READ_CONTROL,  # only READ_CONTROL is requested here
        0,
        None,  # security attributes
        win32con.OPEN_EXISTING,
        0,
        None,
    )
    sd = win32security.GetSecurityInfo(handle, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    assert 0 == dacl.GetAceCount()
except Exception as e:
    print("FAILURE:", e)
finally:
    print("Restore inherited ACEs before removing file")
    # Setting an unprotected DACL lets the inheritable ACEs of the parent flow back in
    dacl = win32security.ACL()
    win32security.SetNamedSecurityInfo(
        path,
        win32security.SE_FILE_OBJECT,
        win32security.DACL_SECURITY_INFORMATION,
        None,
        None,
        dacl,
        None
    )
    os.unlink(path)
Output:
> python acl-test.py file
Set empty ACL
Ensure that ACL is empty with GetFileSecurity
Try to ensure that ACL is empty using handle
FAILURE: (5, 'CreateFileW', 'Access is denied.')
Restore inherited ACEs before removing file
CreateFileW internally calls NtCreateFile and passes the DesiredAccess argument as dwDesiredAccess | FILE_READ_ATTRIBUTES | SYNCHRONIZE. So if you pass READ_CONTROL as dwDesiredAccess, it actually tries to open the file with READ_CONTROL | FILE_READ_ATTRIBUTES | SYNCHRONIZE access. If the caller has FILE_LIST_DIRECTORY access on the parent folder, the file system implicitly grants FILE_READ_ATTRIBUTES access. However, SYNCHRONIZE access is not granted if the file has an empty DACL.

One solution here is to use NtOpenFile or NtCreateFile to control the exact access that is requested.
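The following is an added example, not code from the question or the answer: it opens the file with NtOpenFile through ctypes, requesting exactly READ_CONTROL and nothing else, and then reads the DACL through that handle, which is the case CreateFileW cannot handle on an empty-DACL file. The two access-mask helpers at the top are a plain-Python model of the answer's reasoning (the extra bits CreateFileW adds, and the rights an owner keeps when the DACL is empty); they are an assumption written for illustration, not an OS API. The native part assumes Windows, Python 3 and pywin32 for GetSecurityInfo; the NT path is built by prefixing the absolute DOS path with `\??\`, which is sufficient for ordinary drive-letter paths.

```python
import ctypes
import os
import sys

# Access-mask bits (values from winnt.h)
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
SYNCHRONIZE = 0x00100000
FILE_READ_ATTRIBUTES = 0x0080
FILE_LIST_DIRECTORY = 0x0001

FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4
OBJ_CASE_INSENSITIVE = 0x40
STATUS_SUCCESS = 0


def createfilew_effective_access(desired: int) -> int:
    """Mask that CreateFileW really passes to NtCreateFile for dwDesiredAccess."""
    return desired | FILE_READ_ATTRIBUTES | SYNCHRONIZE


def empty_dacl_owner_grant(parent_allows_list: bool) -> int:
    """Simplified model (assumption, not an OS API) of what the owner of a file
    with an empty DACL is still granted: READ_CONTROL and WRITE_DAC implicitly,
    plus FILE_READ_ATTRIBUTES when the parent directory allows listing.
    Nothing grants SYNCHRONIZE."""
    granted = READ_CONTROL | WRITE_DAC
    if parent_allows_list:
        granted |= FILE_READ_ATTRIBUTES
    return granted


def would_open_succeed(requested: int, parent_allows_list: bool = True) -> bool:
    """True when every requested bit is covered by the implicit owner grant."""
    return requested & ~empty_dacl_owner_grant(parent_allows_list) == 0


# Native structures for NtOpenFile (layouts from ntdef.h / winternl.h)
class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


class IO_STATUS_BLOCK(ctypes.Structure):
    _fields_ = [("Status", ctypes.c_void_p),  # union of NTSTATUS / PVOID, pointer-sized
                ("Information", ctypes.c_void_p)]


def nt_open_file(path: str, desired_access: int) -> int:
    """Open `path` requesting exactly `desired_access`; returns the raw HANDLE value."""
    ntdll = ctypes.WinDLL("ntdll")
    nt_path = "\\??\\" + os.path.abspath(path)  # DOS path -> NT object-manager path
    name = UNICODE_STRING(len(nt_path) * 2, (len(nt_path) + 1) * 2, nt_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(name), OBJ_CASE_INSENSITIVE, None, None)
    iosb = IO_STATUS_BLOCK()
    handle = ctypes.c_void_p()
    # OpenOptions is 0 on purpose: FILE_SYNCHRONOUS_IO_* would itself require SYNCHRONIZE
    status = ntdll.NtOpenFile(ctypes.byref(handle), ctypes.c_ulong(desired_access),
                              ctypes.byref(attrs), ctypes.byref(iosb),
                              ctypes.c_ulong(FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE),
                              ctypes.c_ulong(0))
    if status != STATUS_SUCCESS:
        raise OSError("NtOpenFile failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return handle.value


def dacl_ace_count_via_handle(path: str) -> int:
    """Read the DACL through a READ_CONTROL-only handle; -1 means no DACL present (NULL DACL)."""
    import win32security  # pywin32, imported here so the mask helpers stay portable
    handle = nt_open_file(path, READ_CONTROL)
    try:
        sd = win32security.GetSecurityInfo(handle, win32security.SE_FILE_OBJECT,
                                           win32security.DACL_SECURITY_INFORMATION)
        dacl = sd.GetSecurityDescriptorDacl()
        return dacl.GetAceCount() if dacl is not None else -1
    finally:
        ctypes.WinDLL("kernel32").CloseHandle(ctypes.c_void_p(handle))


if __name__ == "__main__":
    # On a file you own whose DACL you emptied as in the question, this prints 0
    print("ACE count:", dacl_ace_count_via_handle(sys.argv[1]))
```

Run it against the file created by the question's script (before the `finally` block restores the DACL) and it returns 0 where CreateFileW returned error 5. The helper `would_open_succeed(createfilew_effective_access(READ_CONTROL))` is False because SYNCHRONIZE is never part of the owner's implicit grant, while `would_open_succeed(READ_CONTROL)` is True, which is exactly the difference between the two open paths.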
Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you republish them, please credit this site or the original source. For any questions contact yoyou2525@163.com.