Modify `has_expected_permissions()` to check files on Windows

2021-06-09 11:14:06 +05:30 · 2021-06-09 11:14:06 +05:30 · 011ab2a393
parent 10e7b19669
commit 011ab2a393
1 changed files with 33 additions and 2 deletions
--- a/monkey/monkey_island/cc/server_utils/file_utils.py
+++ b/monkey/monkey_island/cc/server_utils/file_utils.py
@ -1,12 +1,43 @@
 import os

+from monkey_island.cc.environment.utils import is_windows_os
+

 def expand_path(path: str) -> str:
    return os.path.expandvars(os.path.expanduser(path))


 def has_expected_permissions(path: str, expected_permissions: int) -> bool:
-    file_mode = os.stat(path).st_mode
-    file_permissions = file_mode & 0o777
+    if is_windows_os():
+        import win32api  # noqa: E402
+        import win32security  # noqa: E402
+
+        admins_sid, _, _ = win32security.LookupAccountName("", "Administrators")
+        user_sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
+
+        security_descriptor = win32security.GetNamedSecurityInfo(
+            path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION
+        )
+
+        acl = security_descriptor.GetSecurityDescriptorDacl()
+
+        for i in range(acl.GetAceCount()):
+            ace = acl.GetAce(i)
+            sid = ace[-1]
+            permissions = ace[1]
+            if sid == user_sid:
+                if oct(permissions & 0o777) != expected_permissions:
+                    return False
+            elif sid == admins_sid:
+                continue
+            else:
+                if oct(permissions) != 0:  # everyone but user & admins should have no permissions
+                    return False
+
+        return True
+
+    else:
+        file_mode = os.stat(path).st_mode
+        file_permissions = file_mode & 0o777

    return file_permissions == expected_permissions