Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.

FileSecurityTest.py 4.3KB

# Contributed by Kelly Kranabetter.
#
# Demo: report the owner, the primary group and the DACL entries stored in
# the security descriptor of a file or directory.
import os
import sys

import ntsecuritycon
import pywintypes
import win32security
import winerror

# Path whose security descriptor is inspected. The default is this script
# itself; assign another path here (for example a raw string such as
# r"c:\autoexec.bat") to examine a different file or directory.
name = sys.argv[0]

# Without an existing path there is nothing to query, so stop here.
if os.path.exists(name):
    print("On file ", name, "\n")
else:
    print(name, "does not exist!")
    sys.exit()
# Owner: request only the owner part of the security descriptor and resolve
# the owner SID to an account through LookupAccountSid.
print("OWNER")
try:
    owner_sd = win32security.GetFileSecurity(
        name, win32security.OWNER_SECURITY_INFORMATION
    )
    owner_sid = owner_sd.GetSecurityDescriptorOwner()
    owner_account = win32security.LookupAccountSid(None, owner_sid)
    print(" ", owner_account)
except pywintypes.error as exc:
    # Seen in automation and on network shares:
    # pywintypes.error: (1332, 'LookupAccountName', 'No mapping between account names and security IDs was done.')
    # Only that "no mapping" error is tolerated; anything else propagates.
    if exc.winerror == winerror.ERROR_NONE_MAPPED:
        print("No owner information is available")
    else:
        raise
# Primary group: same procedure as for the owner, using the group part of
# the security descriptor. The heading is printed inside the try block.
try:
    print("GROUP")
    group_sd = win32security.GetFileSecurity(
        name, win32security.GROUP_SECURITY_INFORMATION
    )
    group_sid = group_sd.GetSecurityDescriptorGroup()
    group_account = win32security.LookupAccountSid(None, group_sid)
    print(" ", group_account)
except pywintypes.error as exc:
    # A SID without an account mapping is reported; other errors propagate.
    if exc.winerror == winerror.ERROR_NONE_MAPPED:
        print("No group information is available")
    else:
        raise
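# Discretionary ACL: decode every ACE into type, flags, access mask and
# trustee account.
sd = win32security.GetFileSecurity(name, win32security.DACL_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl()

# Names looked up in ntsecuritycon to decode the ACE header.
ace_type_names = (
    "ACCESS_ALLOWED_ACE_TYPE",
    "ACCESS_DENIED_ACE_TYPE",
    "SYSTEM_AUDIT_ACE_TYPE",
    "SYSTEM_ALARM_ACE_TYPE",
)
ace_flag_names = (
    "OBJECT_INHERIT_ACE",
    "CONTAINER_INHERIT_ACE",
    "NO_PROPAGATE_INHERIT_ACE",
    "INHERIT_ONLY_ACE",
    "SUCCESSFUL_ACCESS_ACE_FLAG",
    "FAILED_ACCESS_ACE_FLAG",
)

# Files and directories do permissions differently, so the access mask is
# decoded against a table chosen per object kind. The tables do not depend on
# the ACE and are therefore built once, outside the loop.
permissions_file = (
    "DELETE",
    "READ_CONTROL",
    "WRITE_DAC",
    "WRITE_OWNER",
    "SYNCHRONIZE",
    "FILE_GENERIC_READ",
    "FILE_GENERIC_WRITE",
    "FILE_GENERIC_EXECUTE",
    "FILE_DELETE_CHILD",
)
permissions_dir = (
    "DELETE",
    "READ_CONTROL",
    "WRITE_DAC",
    "WRITE_OWNER",
    "SYNCHRONIZE",
    "FILE_ADD_SUBDIRECTORY",
    "FILE_ADD_FILE",
    "FILE_DELETE_CHILD",
    "FILE_LIST_DIRECTORY",
    "FILE_TRAVERSE",
    "FILE_READ_ATTRIBUTES",
    "FILE_WRITE_ATTRIBUTES",
    "FILE_READ_EA",
    "FILE_WRITE_EA",
)
permissions_dir_inherit = (
    "DELETE",
    "READ_CONTROL",
    "WRITE_DAC",
    "WRITE_OWNER",
    "SYNCHRONIZE",
    "GENERIC_READ",
    "GENERIC_WRITE",
    "GENERIC_EXECUTE",
    "GENERIC_ALL",
)

# Identity test instead of "== None". A missing (NULL) DACL is not the same as
# an empty one: Windows performs no discretionary access check on an object
# that has no DACL, so this branch is worth a reviewer's attention.
if dacl is None:
    print("No Discretionary ACL")
else:
    target_is_file = os.path.isfile(name)
    for ace_no in range(dacl.GetAceCount()):
        ace = dacl.GetAce(ace_no)
        # Layout as used by this script: ((type, flags), mask, sid).
        ace_type = ace[0][0]
        ace_flags = ace[0][1]
        ace_mask = ace[1]
        ace_sid = ace[2]

        print("ACE", ace_no)

        print(" -Type")
        for type_name in ace_type_names:
            if getattr(ntsecuritycon, type_name) == ace_type:
                print(" ", type_name)

        print(" -Flags", hex(ace_flags))
        for flag_name in ace_flag_names:
            flag_bit = getattr(ntsecuritycon, flag_name)
            if flag_bit & ace_flags == flag_bit:
                print(" ", flag_name)

        print(" -mask", hex(ace_mask))
        if target_is_file:
            permissions = permissions_file
        else:
            permissions = permissions_dir
            # Directories also contain an ACE that is inherited by children
            # (files) within them; such an entry is decoded with the generic
            # rights table.
            inherit_only_for_objects = (
                ntsecuritycon.OBJECT_INHERIT_ACE | ntsecuritycon.INHERIT_ONLY_ACE
            )
            if ace_flags & inherit_only_for_objects == inherit_only_for_objects:
                permissions = permissions_dir_inherit

        # Rebuild the mask from the rights that were named, so it can be
        # compared with the real mask to see whether every bit was printed.
        calc_mask = 0
        for right_name in permissions:
            right_bits = getattr(ntsecuritycon, right_name)
            if right_bits & ace_mask == right_bits:
                calc_mask = calc_mask | right_bits
                print(" ", right_name)
        print(" ", "Calculated Check Mask=", hex(calc_mask))
        if calc_mask != ace_mask:
            # Make rights that the table above could not name explicit rather
            # than leaving the comparison to the reader.
            leftover = ace_mask & ~calc_mask & 0xFFFFFFFF
            print(" ", "Mask bits not covered above=", hex(leftover))

        # An ACE can reference a SID that has no account mapping. The owner
        # and group sections of this script tolerate ERROR_NONE_MAPPED; do the
        # same here and print the raw SID string so the entry is still listed.
        try:
            trustee = win32security.LookupAccountSid(None, ace_sid)
        except pywintypes.error as exc:
            if exc.winerror != winerror.ERROR_NONE_MAPPED:
                raise
            trustee = "%s (no account mapping)" % (
                win32security.ConvertSidToStringSid(ace_sid),
            )
        print(" -SID\n ", trustee)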