island: Add inheritance when setting Windows file or dir permissions

Add container and object inheritance to the ACE's security descriptor when setting Windows permissions
2021-06-18 20:11:33 +05:30 · 2021-06-18 20:11:33 +05:30 · 0ded39bb62
parent cfdf1183f5
commit 0ded39bb62
1 changed files with 17 additions and 8 deletions
--- a/monkey/monkey_island/cc/server_utils/windows_permissions.py
+++ b/monkey/monkey_island/cc/server_utils/windows_permissions.py
@ -4,16 +4,25 @@ import win32con
 import win32security


-def get_security_descriptor_for_owner_only_perms() -> None:
-    user = get_user_pySID_object()
+def get_security_descriptor_for_owner_only_perms():
+    user_sid = get_user_pySID_object()
    security_descriptor = win32security.SECURITY_DESCRIPTOR()
-
    dacl = win32security.ACL()
-    dacl.AddAccessAllowedAce(
-        win32security.ACL_REVISION,
-        ntsecuritycon.FILE_ALL_ACCESS,
-        user,
-    )
+
+    entries = [
+        {
+            "AccessMode": win32security.GRANT_ACCESS,
+            "AccessPermissions": ntsecuritycon.FILE_ALL_ACCESS,
+            "Inheritance": win32security.CONTAINER_INHERIT_ACE | win32security.OBJECT_INHERIT_ACE,
+            "Trustee": {
+                "TrusteeType": win32security.TRUSTEE_IS_USER,
+                "TrusteeForm": win32security.TRUSTEE_IS_SID,
+                "Identifier": user_sid,
+            },
+        }
+    ]
+    dacl.SetEntriesInAcl(entries)
+
    security_descriptor.SetSecurityDescriptorDacl(1, dacl, 0)

    return security_descriptor