> Eryk wrote:
> This call will succeed even if one or more of the privileges wasn't
> modified. In this case GetLastError() returns ERROR_NOT_ALL_ASSIGNED
> (1300). This will be the case if you try to enable the take-ownership
> and restore privileges for a UAC restricted token.

Thanks, Eryk, for responding. Yes, it failed with 1300, and I'm running the
code from another admin account. But I think it's not a restricted account.
I could run any exe with Admin elevated privilege by right-clicking and
choosing the option from the context menu.

I tried with just the take-ownership privilege for the current admin user. I've
changed the SetFileSecurity API to SetNamedSecurityInfo as suggested. Below
is the code I tried running. I'm getting (5, Access Denied) for
SetNamedSecurityInfo. Am I missing something?

import ntsecuritycon
import win32api
import win32con
import win32security


def take_owner(path, account_name):
    # Resolve the account that should become the new owner.
    owner_sid = win32security.LookupAccountName(None, account_name)[0]

    # Request only the take-ownership privilege.
    new_privs = (
        (win32security.LookupPrivilegeValue(
            '', ntsecuritycon.SE_TAKE_OWNERSHIP_NAME),
         win32con.SE_PRIVILEGE_ENABLED),)

    flags = (win32security.TOKEN_ALL_ACCESS
             | win32con.TOKEN_ADJUST_PRIVILEGES
             | win32con.TOKEN_IMPERSONATE)

    # Prefer the thread token; fall back to the process token if there is none.
    try:
        thread = win32api.GetCurrentThread()
        handle = win32security.OpenThreadToken(
            thread, flags, False)
    except win32security.error as e:
        # if e.errno == 1008:
        handle = win32security.OpenProcessToken(
            win32api.GetCurrentProcess(), flags)

    # This call does not raise when a privilege could not be enabled;
    # GetLastError() then returns ERROR_NOT_ALL_ASSIGNED (1300).
    win32security.AdjustTokenPrivileges(handle, 0, new_privs)

    lastError = win32api.GetLastError()

    print("last error=", lastError)

    # fs = win32security.GetNamedSecurityInfo(
    #     path, win32security.SE_FILE_OBJECT,
    #     win32security.OWNER_SECURITY_INFORMATION)
    # fs.SetSecurityDescriptorOwner(owner_sid, True)

    # Set the owner of the file to owner_sid.
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT,
        win32security.OWNER_SECURITY_INFORMATION, owner_sid, None, None, None)

> Tim wrote:
> Admin1 can change the ACL to give Admin2 the right to change the ACL.
> In the file permission dialog, that's the "Change permissions" right.
> In code, it's the "WRITE_DAC" file permission.

@Tim Thanks for the tip.

Regards,
Goku
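
Added example, not part of the original message or of pywin32: one way to confirm which privileges AdjustTokenPrivileges actually enabled, by checking for ERROR_NOT_ALL_ASSIGNED and then reading the token's privileges back. The function names and the two sample token dictionaries are constructed for illustration; the Windows-only part assumes pywin32 is installed.

```python
import sys

ERROR_NOT_ALL_ASSIGNED = 1300      # value quoted in the thread
SE_PRIVILEGE_ENABLED = 0x00000002  # attribute bit from winnt.h

# Constructed samples of {privilege name: attributes} read back from a token.
FILTERED_TOKEN = {"SeChangeNotifyPrivilege": 3, "SeShutdownPrivilege": 0}
ELEVATED_TOKEN = {"SeChangeNotifyPrivilege": 3,
                  "SeTakeOwnershipPrivilege": 2, "SeRestorePrivilege": 2}


def not_enabled(requested, token_privs):
    """Return the requested names that are missing from the token or disabled."""
    return [name for name in requested
            if not token_privs.get(name, 0) & SE_PRIVILEGE_ENABLED]


def enable_privileges(names):
    """Windows only. Enable `names` on the process token.

    Returns (partial, missing): whether GetLastError() reported
    ERROR_NOT_ALL_ASSIGNED, and which names are still not enabled.
    """
    import win32api
    import win32security  # pywin32

    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(),
        win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY)
    new_state = [(win32security.LookupPrivilegeValue(None, name),
                  SE_PRIVILEGE_ENABLED) for name in names]
    win32security.AdjustTokenPrivileges(token, False, new_state)
    # Read the error immediately: the call above does not raise in this case.
    partial = win32api.GetLastError() == ERROR_NOT_ALL_ASSIGNED
    # Read the privileges back so the result does not rest on the error code alone.
    held = {win32security.LookupPrivilegeName(None, luid): attrs
            for luid, attrs in win32security.GetTokenInformation(
                token, win32security.TokenPrivileges)}
    return partial, not_enabled(names, held)


if __name__ == "__main__" and sys.platform == "win32":
    partial, missing = enable_privileges(
        ["SeTakeOwnershipPrivilege", "SeRestorePrivilege"])
    print("ERROR_NOT_ALL_ASSIGNED:", partial, "not enabled:", missing)
```

A privilege that is absent from the token cannot be enabled, so a non-empty `missing` list means later calls that depend on it should not be attempted with that token.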