Merge pull request #1254 from guardicore/windows-data-dir-inheritance
island: Add inheritance when setting Windows file or dir permissions
d3d34fe2d6
@ -4,16 +4,25 @@ import win32con
|
||||||
import win32security
|
import win32security
|
||||||
|
|
||||||
|
|
||||||
def get_security_descriptor_for_owner_only_perms() -> None:
|
def get_security_descriptor_for_owner_only_perms():
|
||||||
user = get_user_pySID_object()
|
user_sid = get_user_pySID_object()
|
||||||
security_descriptor = win32security.SECURITY_DESCRIPTOR()
|
security_descriptor = win32security.SECURITY_DESCRIPTOR()
|
||||||
|
|
||||||
dacl = win32security.ACL()
|
dacl = win32security.ACL()
|
||||||
dacl.AddAccessAllowedAce(
|
|
||||||
win32security.ACL_REVISION,
|
entries = [
|
||||||
ntsecuritycon.FILE_ALL_ACCESS,
|
{
|
||||||
user,
|
"AccessMode": win32security.GRANT_ACCESS,
|
||||||
)
|
"AccessPermissions": ntsecuritycon.FILE_ALL_ACCESS,
|
||||||
|
"Inheritance": win32security.CONTAINER_INHERIT_ACE | win32security.OBJECT_INHERIT_ACE,
|
||||||
|
"Trustee": {
|
||||||
|
"TrusteeType": win32security.TRUSTEE_IS_USER,
|
||||||
|
"TrusteeForm": win32security.TRUSTEE_IS_SID,
|
||||||
|
"Identifier": user_sid,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
]
|
||||||
|
dacl.SetEntriesInAcl(entries)
|
||||||
|
|
||||||
security_descriptor.SetSecurityDescriptorDacl(1, dacl, 0)
|
security_descriptor.SetSecurityDescriptorDacl(1, dacl, 0)
|
||||||
|
|
||||||
return security_descriptor
|
return security_descriptor
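Review bot: The descriptor returned here holds only the owner's grant ACE but never sets SE_DACL_PROTECTED, so whether inheritable ACEs from the parent directory are merged into the new object's DACL depends on how the caller applies it, which is outside this hunk; if owner-only is the contract, adding `security_descriptor.SetSecurityDescriptorControl(win32security.SE_DACL_PROTECTED, win32security.SE_DACL_PROTECTED)` before the return makes that explicit, and the existing `GetAceCount() == 1` tests would catch a regression. `dacl.SetEntriesInAcl(entries)` appears to rely on the PyACL method rebuilding `dacl` in place, whereas the module-level `win32security.SetEntriesInAcl` returns a new ACL; a comment such as `# PyACL.SetEntriesInAcl updates this ACL in place (the module-level variant returns a new one)` would stop a reader from "fixing" it into `dacl = ...`. The removed `-> None` was wrong, but the function now has no return annotation at all; if `win32security.SECURITY_DESCRIPTOR` is the type object it can be used directly as the return annotation.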
|
||||||
|
|
|
@ -16,7 +16,8 @@ if is_windows_os():
|
||||||
import win32security
|
import win32security
|
||||||
|
|
||||||
FULL_CONTROL = 2032127
|
FULL_CONTROL = 2032127
|
||||||
ACE_TYPE_ALLOW = 0
|
ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS
|
||||||
|
ACE_INHERIT_OBJECT_AND_CONTAINER = 3
|
||||||
|
|
||||||
|
|
||||||
def test_expand_user(patched_home_env):
|
def test_expand_user(patched_home_env):
|
||||||
|
@ -86,13 +87,16 @@ def test_create_secure_directory__perm_windows(test_path):
|
||||||
|
|
||||||
assert acl.GetAceCount() == 1
|
assert acl.GetAceCount() == 1
|
||||||
|
|
||||||
ace = acl.GetAce(0)
|
ace = acl.GetExplicitEntriesFromAcl()[0]
|
||||||
ace_type, _ = ace[0] # 0 for allow, 1 for deny
|
|
||||||
permissions = ace[1]
|
|
||||||
sid = ace[-1]
|
|
||||||
|
|
||||||
assert sid == user_sid
|
ace_access_mode = ace["AccessMode"]
|
||||||
assert permissions == FULL_CONTROL and ace_type == ACE_TYPE_ALLOW
|
ace_permissions = ace["AccessPermissions"]
|
||||||
|
ace_inheritance = ace["Inheritance"]
|
||||||
|
ace_sid = ace["Trustee"]["Identifier"]
|
||||||
|
|
||||||
|
assert ace_sid == user_sid
|
||||||
|
assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
|
||||||
|
assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
|
||||||
|
|
||||||
|
|
||||||
def test_get_file_descriptor_for_new_secure_file__already_exists(test_path):
|
def test_get_file_descriptor_for_new_secure_file__already_exists(test_path):
|
||||||
|
@ -127,10 +131,13 @@ def test_get_file_descriptor_for_new_secure_file__perm_windows(test_path):
|
||||||
|
|
||||||
assert acl.GetAceCount() == 1
|
assert acl.GetAceCount() == 1
|
||||||
|
|
||||||
ace = acl.GetAce(0)
|
ace = acl.GetExplicitEntriesFromAcl()[0]
|
||||||
ace_type, _ = ace[0] # 0 for allow, 1 for deny
|
|
||||||
permissions = ace[1]
|
|
||||||
sid = ace[-1]
|
|
||||||
|
|
||||||
assert sid == user_sid
|
ace_access_mode = ace["AccessMode"]
|
||||||
assert permissions == FULL_CONTROL and ace_type == ACE_TYPE_ALLOW
|
ace_permissions = ace["AccessPermissions"]
|
||||||
|
ace_inheritance = ace["Inheritance"]
|
||||||
|
ace_sid = ace["Trustee"]["Identifier"]
|
||||||
|
|
||||||
|
assert ace_sid == user_sid
|
||||||
|
assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
|
||||||
|
assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
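Review bot: `ACE_INHERIT_OBJECT_AND_CONTAINER = 3` in the first hunk of this file hard-codes the inheritance bitmask, while the neighbouring new constant already takes its value from the imported module; spelling it as `ACE_INHERIT_OBJECT_AND_CONTAINER = win32security.CONTAINER_INHERIT_ACE | win32security.OBJECT_INHERIT_ACE` names the two bits and cannot drift from the library's definitions. The two later hunks (the directory test and the file test) repeat the same extraction of `AccessMode`, `AccessPermissions`, `Inheritance` and `Trustee.Identifier` from `GetExplicitEntriesFromAcl()[0]`; a small helper returning those four values would keep both assertion blocks in step. The enclosing test functions start outside the hunks shown.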
|
||||||
|
|