Eryk Sun <eryk...@gmail.com> added the comment:
> Since the need to copy file ownership is common, I think there could
> be space for a new copy3() function which copies ownership + extended
> attributes (where possible).

FYI, Windows and POSIX have significantly different concepts about file (object) ownership. In Windows:

* Any type of SID can be set as the owner, such as a user, global group, local group, well-known group, domain, or logon session. All of these SID types, except for user SIDs, are commonly set in the groups of a token. Also, the token user is not limited to just users. It's commonly set to a well-known group such as SYSTEM, LOCAL SERVICE, or NETWORK SERVICE.

* The effective access token of a thread is granted owner rights to an object if the token user or any of the token's enabled groups is the owner of the object. For example, if an object is owned by the "BUILTIN\Users" local group, then all access tokens for standard-user logons will be granted owner rights as long as they have the "BUILTIN\Users" group enabled, which it is by default.

* If not set explicitly via "OWNER RIGHTS" (i.e. S-1-3-4), the owner is implicitly granted the READ_CONTROL right to query the object security and the WRITE_DAC right to modify the object's resource attributes and discretionary access-control list. As long as these rights are granted implicitly, they cannot be denied by deny access-control entries. However, implicit owner rights may be denied if an object has an implicit (by object type) or explicit (by label) no-read-up or no-write-up mandatory policy, and the token's integrity level is less than that of the object.

* An explicit "OWNER RIGHTS" entry can be set in the discretionary access control list in order to override the implicit owner rights. This is not the same as setting owner rights in POSIX, since other ACL entries may grant or deny rights.

Given the canonical priority of deny access-control entries and also mandatory access control based on the integrity level of the object vs the token, granting explicit access to "OWNER RIGHTS" does not necessarily ensure the owner will even be granted at least the desired access in all contexts. Also, unlike the implicit case, if an "OWNER RIGHTS" entry grants READ_CONTROL and/or WRITE_DAC access, either right may be denied by deny access-control entries.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue30044>
_______________________________________
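A worked model of the owner-rights rules described above, added here as an illustration; it is not code from Eryk Sun or from CPython. It reads a minimal SDDL string (ignoring integrity labels, inherit-only and object ACEs) and computes the maximum access a token gets, so the difference between implicit owner rights and an explicit "OWNER RIGHTS" ACE under a deny entry can be seen directly; the SDDL strings, SIDs and token are constructed samples.

```python
import re

READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
RIGHTS = {"RC": READ_CONTROL, "WD": WRITE_DAC, "FR": 0x120089, "FA": 0x1F01FF}
# SDDL SID aliases used here; S-1-3-4 is the "OWNER RIGHTS" well-known SID.
SIDS = {"OW": "S-1-3-4", "BU": "S-1-5-32-545", "SY": "S-1-5-18"}
OWNER_RIGHTS = SIDS["OW"]
IMPLICIT_OWNER_RIGHTS = READ_CONTROL | WRITE_DAC
# Constructed samples: a file owned by BUILTIN\Users and a standard-user token.
IMPLICIT_SDDL = "O:BUG:SYD:(D;;WD;;;BU)(A;;FA;;;BU)"
EXPLICIT_SDDL = "O:BUG:SYD:(D;;WD;;;OW)(A;;RCWD;;;OW)(A;;FR;;;BU)"
USER_TOKEN = ["S-1-5-21-1-2-3-1001", "S-1-5-32-545"]  # user SID + BUILTIN\Users

def parse_mask(text):
    """'0x1200a9' or a run of two-letter SDDL rights such as 'RCWD'."""
    if text.startswith("0x"):
        return int(text, 16)
    return sum(RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))

def parse_sddl(sddl):
    """Return (owner_sid, [(ace_type, mask, trustee_sid), ...])."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    owner = SIDS.get(parts["O"], parts["O"])
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")
        aces.append((ace_type, parse_mask(rights), SIDS.get(sid, sid)))
    return owner, aces

def max_allowed(sddl, token_sids):
    """Maximum access for a token (user SID plus enabled group SIDs), modelling
    only the rules above: no integrity labels, no inherit-only/object ACEs."""
    owner, aces = parse_sddl(sddl)
    is_owner = owner in token_sids
    explicit = any(sid == OWNER_RIGHTS for _, _, sid in aces)
    matching = set(token_sids)
    if is_owner and explicit:       # OWNER RIGHTS ACEs apply only to the owner
        matching.add(OWNER_RIGHTS)
    granted = denied = 0
    for ace_type, mask, sid in aces:  # canonical order assumed
        if sid not in matching:
            continue
        if ace_type == "A":         # the first matching ACE wins for each bit
            granted |= mask & ~denied
        elif ace_type == "D":
            denied |= mask & ~granted
    if is_owner and not explicit:   # implicit owner rights survive deny ACEs
        granted |= IMPLICIT_OWNER_RIGHTS
    return granted
```

With IMPLICIT_SDDL the deny-WD entry has no effect on the owner, while with EXPLICIT_SDDL the same deny entry removes WRITE_DAC, which is the asymmetry the message describes.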