Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

setnamedsecurityinfo.py 4.3KB

1 year ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131
  1. import win32api
  2. import win32con
  3. import win32process
  4. import win32security
  5. fname, tmp = win32api.GetTempFileName(win32api.GetTempPath(), "tmp")
  6. print(fname)
  7. ## You need SE_RESTORE_NAME to be able to set the owner of a security descriptor to anybody
  8. ## other than yourself or your primary group. Most admin logins don't have it by default, so
  9. ## enabling it may fail
  10. new_privs = (
  11. (
  12. win32security.LookupPrivilegeValue("", win32security.SE_SECURITY_NAME),
  13. win32con.SE_PRIVILEGE_ENABLED,
  14. ),
  15. (
  16. win32security.LookupPrivilegeValue("", win32security.SE_TCB_NAME),
  17. win32con.SE_PRIVILEGE_ENABLED,
  18. ),
  19. (
  20. win32security.LookupPrivilegeValue("", win32security.SE_SHUTDOWN_NAME),
  21. win32con.SE_PRIVILEGE_ENABLED,
  22. ),
  23. (
  24. win32security.LookupPrivilegeValue("", win32security.SE_RESTORE_NAME),
  25. win32con.SE_PRIVILEGE_ENABLED,
  26. ),
  27. (
  28. win32security.LookupPrivilegeValue("", win32security.SE_TAKE_OWNERSHIP_NAME),
  29. win32con.SE_PRIVILEGE_ENABLED,
  30. ),
  31. (
  32. win32security.LookupPrivilegeValue("", win32security.SE_CREATE_PERMANENT_NAME),
  33. win32con.SE_PRIVILEGE_ENABLED,
  34. ),
  35. (
  36. win32security.LookupPrivilegeValue("", win32security.SE_ENABLE_DELEGATION_NAME),
  37. win32con.SE_PRIVILEGE_ENABLED,
  38. ),
  39. (
  40. win32security.LookupPrivilegeValue("", win32security.SE_CHANGE_NOTIFY_NAME),
  41. win32con.SE_PRIVILEGE_ENABLED,
  42. ),
  43. (
  44. win32security.LookupPrivilegeValue("", win32security.SE_DEBUG_NAME),
  45. win32con.SE_PRIVILEGE_ENABLED,
  46. ),
  47. (
  48. win32security.LookupPrivilegeValue(
  49. "", win32security.SE_PROF_SINGLE_PROCESS_NAME
  50. ),
  51. win32con.SE_PRIVILEGE_ENABLED,
  52. ),
  53. (
  54. win32security.LookupPrivilegeValue("", win32security.SE_SYSTEM_PROFILE_NAME),
  55. win32con.SE_PRIVILEGE_ENABLED,
  56. ),
  57. (
  58. win32security.LookupPrivilegeValue("", win32security.SE_LOCK_MEMORY_NAME),
  59. win32con.SE_PRIVILEGE_ENABLED,
  60. ),
  61. )
  62. all_info = (
  63. win32security.OWNER_SECURITY_INFORMATION
  64. | win32security.GROUP_SECURITY_INFORMATION
  65. | win32security.DACL_SECURITY_INFORMATION
  66. | win32security.SACL_SECURITY_INFORMATION
  67. )
  68. ph = win32process.GetCurrentProcess()
  69. th = win32security.OpenProcessToken(
  70. ph, win32security.TOKEN_ALL_ACCESS
  71. ) ##win32con.TOKEN_ADJUST_PRIVILEGES)
  72. win32security.AdjustTokenPrivileges(th, 0, new_privs)
  73. my_sid = win32security.GetTokenInformation(th, win32security.TokenUser)[0]
  74. pwr_sid = win32security.LookupAccountName("", "Power Users")[0]
  75. sd = win32security.GetNamedSecurityInfo(fname, win32security.SE_FILE_OBJECT, all_info)
  76. dacl = sd.GetSecurityDescriptorDacl()
  77. if dacl is None:
  78. dacl = win32security.ACL()
  79. sacl = sd.GetSecurityDescriptorSacl()
  80. if sacl is None:
  81. sacl = win32security.ACL()
  82. dacl_ace_cnt = dacl.GetAceCount()
  83. sacl_ace_cnt = sacl.GetAceCount()
  84. dacl.AddAccessAllowedAce(
  85. dacl.GetAclRevision(), win32con.ACCESS_SYSTEM_SECURITY | win32con.WRITE_DAC, my_sid
  86. )
  87. sacl.AddAuditAccessAce(sacl.GetAclRevision(), win32con.GENERIC_ALL, my_sid, 1, 1)
  88. win32security.SetNamedSecurityInfo(
  89. fname, win32security.SE_FILE_OBJECT, all_info, pwr_sid, pwr_sid, dacl, sacl
  90. )
  91. new_sd = win32security.GetNamedSecurityInfo(
  92. fname, win32security.SE_FILE_OBJECT, all_info
  93. )
  94. ## could do additional checking to make sure added ACE contains expected info
  95. if new_sd.GetSecurityDescriptorDacl().GetAceCount() != dacl_ace_cnt + 1:
  96. print("New dacl doesn" "t contain extra ace ????")
  97. if new_sd.GetSecurityDescriptorSacl().GetAceCount() != sacl_ace_cnt + 1:
  98. print("New Sacl doesn" "t contain extra ace ????")
  99. if (
  100. win32security.LookupAccountSid("", new_sd.GetSecurityDescriptorOwner())[0]
  101. != "Power Users"
  102. ):
  103. print("Owner not successfully set to Power Users !!!!!")
  104. if (
  105. win32security.LookupAccountSid("", new_sd.GetSecurityDescriptorGroup())[0]
  106. != "Power Users"
  107. ):
  108. print("Group not successfully set to Power Users !!!!!")
  109. win32security.SetNamedSecurityInfo(
  110. fname,
  111. win32security.SE_FILE_OBJECT,
  112. win32security.SACL_SECURITY_INFORMATION,
  113. None,
  114. None,
  115. None,
  116. None,
  117. )
  118. new_sd_1 = win32security.GetNamedSecurityInfo(
  119. fname, win32security.SE_FILE_OBJECT, win32security.SACL_SECURITY_INFORMATION
  120. )
  121. if new_sd_1.GetSecurityDescriptorSacl() is not None:
  122. print("Unable to set Sacl to NULL !!!!!!!!")