Tim Golden wrote:
I *think* this is a bug (or at least an unfortunate effect)
but I'll post here first for a sanity check.
I'm looking at Windows security: descriptors, ACLs, etc. The
conventional wisdom is that a DACL (or an SACL but less commonly)
can be one of three things within a security descriptor:
1) Not there
2) There but NULL
3) There and a (possibly empty) list of ACEs
When calling the GetSecurityDescriptorDacl Win32 API, the first
and second situations are distinguished by the lpbDaclPresent
parameter which receives 0 or 1. From that result, the pDacl
parameter is either meaningless or NULL/pointer to a list.
Within the win32security module, the GetSecurityDescriptorDacl
method of the PySECURITY_DESCRIPTOR object returns None in
both of the first two cases and I can't see any other way to
distinguish the cases without dropping down to ctypes or a
hand-built extension.
In practice, cases 1 and 2 are functionally identical . Once a security
descriptor has
been applied to an object, the SE_DACL_PRESENT flag is always set. If for
some reason you really need this info, you can call
GetSecurityDescriptorControl
and check for presence of the SE_DACL_PRESENT flag.
The offending code is in PySECURITY_DESCRIPTOR.cpp:
<snippet>
// get Dacl from SD
if (!::GetSecurityDescriptorDacl(psd, &bDaclPresent, &pdacl,
&bDaclDefaulted))
return PyWin_SetAPIError("GetSecurityDescriptorDacl");
if (!bDaclPresent || pdacl == NULL)
{
Py_INCREF(Py_None);
return Py_None;
}
return new PyACL(pdacl);
</snippet>
which returns None, as you see, in either case. The equivalent code
for SACL does the same thing.
I've not got an easy workaround. In general, it's very unlikely that
a DACL isn't present at all; and it's equally unlikely (I'm not sure
it's even meaningful) to have a NULL SACL. So I can fudge around things
a bit. But I'd prefer something more robust. However, it's difficult to
see what change to suggest without breaking the interface. The only
possibility I could come up with would be a separate pair of functions
whose only job would be to report the presence of the ACL in the SD.
Have I missed anything?
It's quite common for either of these to be NULL.
Most often files don't specify their own security, and just inherit from
the parent directory. SACL's are often NULL also, although they
don't show a difference in behaviour between NULL and empty as
DACL's do.
Roger
_______________________________________________
python-win32 mailing list
python-win32@python.org
http://mail.python.org/mailman/listinfo/python-win32
