[Zope] Problem with Python Win32 Extensions

Igor Leturia IGOR@emun.com
Wed, 2 Apr 2003 08:49:53 +0200


  Hi!

  I am making some changes to the LocalFS product, in Windows. The
problem is that I need to read the security permissions of a file. I
have found a piece of code in the Python Win32 Extensions to do so (you
can see it at the end of the message).

  The problem is that the piece of code works properly if I run it in
ActivePython or in Python+Python Win32 Extensions, but not if I run it
in the Python version that comes with Zope. Doesn't Zope's Python
include Python Win32 Extensions? I think it does, as the win32security
module for example is there, but then why doesn't the code work?

  Any help will be appreciated.

      Igor Leturia

  This is the piece of code. The first function call, GetFileSecurity,
works, but the second, GetSecurityDescriptorOwner, doesn't:

# Contributed by Kelly Kranabetter.
import os, sys
import win32security, ntsecuritycon

# get security information
#name = r"c:\autoexec.bat"
#name = r"g:\!workgrp\lim"
name = sys.argv[0]

if not os.path.exists(name):
    print name, "does not exist!"
    sys.exit()

print "On file ", name, "\n"

# get owner SID
print "OWNER"
sd = win32security.GetFileSecurity(name,
                                   win32security.OWNER_SECURITY_INFORMATION)
sid = sd.GetSecurityDescriptorOwner()
print "  ", win32security.LookupAccountSid(None, sid)

# get group SID
print "GROUP"
sd = win32security.GetFileSecurity(name,
                                   win32security.GROUP_SECURITY_INFORMATION)
sid = sd.GetSecurityDescriptorGroup()
print "  ", win32security.LookupAccountSid(None, sid)

# get ACEs
sd = win32security.GetFileSecurity(name,
                                   win32security.DACL_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl()
if dacl == None:
    print "No Discretionary ACL"
else:
    for ace_no in range(0, dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        print "ACE", ace_no

        print "  -Type"
        for i in ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE",
                  "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE"):
            if getattr(ntsecuritycon, i) == ace[0][0]:
                print "    ", i

        print "  -Flags", hex(ace[0][1])
        for i in ("OBJECT_INHERIT_ACE", "CONTAINER_INHERIT_ACE",
                  "NO_PROPAGATE_INHERIT_ACE", "INHERIT_ONLY_ACE",
                  "SUCCESSFUL_ACCESS_ACE_FLAG", "FAILED_ACCESS_ACE_FLAG"):
            if getattr(ntsecuritycon, i) & ace[0][1] == getattr(ntsecuritycon, i):
                print "    ", i

        print "  -mask", hex(ace[1])

        # files and directories do permissions differently
        permissions_file = ("DELETE", "READ_CONTROL", "WRITE_DAC",
                            "WRITE_OWNER", "SYNCHRONIZE", "FILE_GENERIC_READ",
                            "FILE_GENERIC_WRITE", "FILE_GENERIC_EXECUTE",
                            "FILE_DELETE_CHILD")
        permissions_dir = ("DELETE", "READ_CONTROL", "WRITE_DAC",
                           "WRITE_OWNER", "SYNCHRONIZE",
                           "FILE_ADD_SUBDIRECTORY", "FILE_ADD_FILE",
                           "FILE_DELETE_CHILD", "FILE_LIST_DIRECTORY",
                           "FILE_TRAVERSE", "FILE_READ_ATTRIBUTES",
                           "FILE_WRITE_ATTRIBUTES", "FILE_READ_EA",
                           "FILE_WRITE_EA")
        permissions_dir_inherit = ("DELETE", "READ_CONTROL", "WRITE_DAC",
                                   "WRITE_OWNER", "SYNCHRONIZE",
                                   "GENERIC_READ", "GENERIC_WRITE",
                                   "GENERIC_EXECUTE", "GENERIC_ALL")
        if os.path.isfile(name):
            permissions = permissions_file
        else:
            permissions = permissions_dir
            # directories also contain an ACE that is inherited by
            # children (files) within them
            if (ace[0][1] & ntsecuritycon.OBJECT_INHERIT_ACE ==
                    ntsecuritycon.OBJECT_INHERIT_ACE and
                    ace[0][1] & ntsecuritycon.INHERIT_ONLY_ACE ==
                    ntsecuritycon.INHERIT_ONLY_ACE):
                permissions = permissions_dir_inherit

        # calculate the mask so we can see if we are
        # printing all of the permissions
        calc_mask = 0
        for i in permissions:
            if getattr(ntsecuritycon, i) & ace[1] == getattr(ntsecuritycon, i):
                calc_mask = calc_mask | getattr(ntsecuritycon, i)
                print "    ", i
        print "  ", "Calculated Check Mask=", hex(calc_mask)
        print "  -SID\n    ", win32security.LookupAccountSid(None, ace[2])