Reading the access attributes of directories in Windows

vsoler

Hello everyone!

I need to read, for each of the directories in a shared file server
unit, who has access to the directories and what type of access
privileges.

This is something that I can easily do interactively in my Windows
Document Explorer by right clicking a single directory, clicking on
Properties, then on Security.

There I can see the Users and Group of Users that have access to the
selected directory, as well as the type of access to that directory
(Read/Write/eXecute etc.)

Since I have to prepare a new access scheme, I first need to read what
the current situation is.

I've been looking in the "os" library, and found the "os.chmod" method
but I am not sure that it is going to give me what I need. Should I
also use library "stat"?

So far I have not been able to find my way to the solution of this
problem.

Googling the web, I have seen that some examples provide some kind of
information but using codes (755 or 0577) that I should translate to
some form of understandable text messages.

I think that my problem consists of finding the correct library/method
to get the solution.

Can anybody help?

Thank you


Using Python 3.1 on Windows Vista
 
Tim Golden

I need to read, for each of the directories in a shared file server
unit, who has access to the directories and what type of access
privileges.

This is something that I can easily do interactively in my Windows
Document Explorer by right clicking a single directory, clicking on
Properties, then on Security.

There I can see the Users and Group of Users that have access to the
selected directory, as well as the type of access to that directory
(Read/Write/eXecute etc.)

Here you have one of those occasions when the Windows GUI does
a very good job of presenting a simplified but perfectly usable
interface layer on top of a moderately complex security scheme.

It's not as easy as you think.

I've been looking in the "os" library, and found the "os.chmod" method
but I am not sure that it is going to give me what I need. Should I
also use library "stat"?

No. Both of these are basically doing a best-endeavours job of mapping
certain Windows attributes to some Posix equivalent. They're essentially
useless for anything beyond the most trivial tasks.

Have a read here which will at least put you on the path of knowing
what terminology you need to search for:

http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html
http://timgolden.me.uk/python/win32_how_do_i/get-the-owner-of-a-file.html

and if you're interested, this is the kind of thing my winsys
package is reasonably good at:

http://timgolden.me.uk/python/winsys/security.html#module-security

TJG
 
vsoler

Here you have one of those occasions when the Windows GUI does
a very good job of presenting a simplified but perfectly usable
interface layer on top of a moderately complex security scheme.

It's not as easy as you think.


No. Both of these are basically doing a best-endeavours job of mapping
certain Windows attributes to some Posix equivalent. They're essentially
useless for anything beyond the most trivial tasks.

Have a read here which will at least put you on the path of knowing
what terminology you need to search for:

   http://timgolden.me.uk/python/win32_how_do_i/add-security-to-a-file.html
   http://timgolden.me.uk/python/win32_how_do_i/get-the-owner-of-a-file....

and if you're interested, this is the kind of thing my winsys
package is reasonably good at:

   http://timgolden.me.uk/python/winsys/security.html#module-security

TJG

Thank you very much, Tim, for your answer.

It looks as though it is going to suit my needs.

Your file WinSys-0.4.win32-py2.5.msi is obviously for python 2.5 and
2.6.
File WinSys-0.4.zip should be for the same versions of Python,
probably.
What about your WinSys-0.5beta.win32.exe file? is it for python 3?

I currently have python 3 in my pc. Do I need to install a previous
version of python?

Thank you for your help

Vicente Soler
 
Tim Golden

Thank you very much, Tim, for your answer.

It looks as though it is going to suit my needs.

Your file WinSys-0.4.win32-py2.5.msi is obviously for python 2.5 and
2.6.
File WinSys-0.4.zip should be for the same versions of Python,
probably.
What about your WinSys-0.5beta.win32.exe file? is it for python 3?

I currently have python 3 in my pc. Do I need to install a previous
version of python?

Thank you for your help

Vicente Soler

I have a subversion branch for Python 3. If you have subversion
access, try:

http://winsys.googlecode.com/svn/branches/py3k

and do the python setup.py install dance.

If you can't get that working, let me know and I'll publish
an installer somewhere.

TJG
 
vsoler

I have a subversion branch for Python 3. If you have subversion
access, try:

   http://winsys.googlecode.com/svn/branches/py3k

and do the python setup.py install dance.

If you can't get that working, let me know and I'll publish
an installer somewhere.

TJG

I currently do not have subversion access in my PC. I could try to
install a free copy of it. But if you could provide an installer, it
certainly would do things easier. Please let me know if it is
possible.

Vicente Soler
 
Thomas Jollans

No. Both of these are basically doing a best-endeavours job of mapping
certain Windows attributes to some Posix equivalent. They're essentially
useless for anything beyond the most trivial tasks.

This brings up an interesting, but probably quite complicated question: is it
reasonable to try to express Windows permissions using full POSIX ACLs (not
the traditional UNIX mode, the full-featured complex beast that most users
know nothing about and that many file systems don't enable by default) -- or
is it, maybe, possible to express the Windows permissions model as a subset of
POSIX ACL?

I'm no expert either, but the basic idea is that you replace the traditional
UNIX model with one where not only does every file have an owner and an owning
group, and r/w/x permission bits for owner, group, and "the rest", but you can
also specify permissions for arbitrary users and groups, in addition to the
standard set. I'm leaving out all the details, of course, first and foremost
those I don't know about myself, but that's essentially it.

Do Windows NT permissions do anything more? Or, apart from the "executable"
bit, anything less, for that matter?

Just asking. Maybe there are some experts around.

- Thomas
 
Nobody

This brings up an interesting, but probably quite complicated question: is it
reasonable to try to express Windows permissions using full POSIX ACLs
Do Windows NT permissions do anything more? Or, apart from the
"executable" bit, anything less, for that matter?

1. There are far more permission types than just "rwx". Specifically:

For files:

Execute File
Read Data
Write Data
Append Data

For folders:

Traverse Folder
List Folder
Create Files
Create Folders
Delete Subfolders and Files

For both:

Full Control
Read Attributes
Read Extended Attributes
Write Attributes
Write Extended Attributes
Delete
Read Permissions
Change Permissions
Take Ownership

Note that files/folders have a distinct "Delete" permission, as well as
the "Delete Subfolders and Files" permission on the parent folder.

Unix lacks the "Append Data" permission for files, and the "Create Files",
"Create Folders" and "Delete Subfolders and Files" correspond to having
write permission on a directory.

On Unix, you can read permissions (and attributes if the filesystem has
them) for any file which you can "reach" (i.e. have "x" permission on all
ancestor directories). You can only change permissions (and some
attributes) if you own the file, and only root can change ownership (and
change some attributes).

2. Permissions can be inherited from the "parent object" (which isn't
necessarily the parent folder). If you change a permission on the parent
object, it automatically affects any file or folder which inherits the
permission.

3. The owner can be either a user or a group.

4. On Windows, a file cannot be "given away" either by its owner or an
administrator. You can grant the "Take Ownership" permission, but
the recipient still has to explicitly change the ownership.
 
Tim Golden

I currently do not have subversion access in my PC. I could try to
install a free copy of it. But if you could provide an installer, it
certainly would do things easier. Please let me know if it is
possible.

Vicente, can you just confirm that you received the installer I
sent offlist? I'll try to put winsys on PyPI with installers;
just haven't got round to it yet :)

TJG
 
vsoler

Vicente, can you just confirm that you received the installer I
sent offlist? I'll try to put winsys on PyPI with installers;
just haven't got round to it yet :)

TJG

Tim,

I just downloaded it, and am going to install it right away.
 
vsoler

Tim,

I just downloaded it, and am going to install it right away.

Tim,

It works!!! or at least, should I say, it runs!!! wonderful.

Now, would it be possible to have a hint/suggestion as to some lines
that I should include in my script?

I find this exercise very interesting.

Thank you for your help.

Vicente Soler
 
Tim Golden

Tim,

It works!!! or at least, should I say, it runs!!! wonderful.

Now, would it be possible to have a hint/suggestion as to some lines
that I should include in my script?

Depends what, exactly, you want your script to do :)

The simplest way to get an ad-hoc look at what permissions are applied to
a file is:

<code>
import os, sys
from winsys import fs

#
# Just using sys.executable as a file I know will exist;
# obviously you put your own file name in there...
#
fs.file (sys.executable).security ().dump ()

</code>

To get that in the more compact but more esoteric MS SDDL format:

<code>
import os, sys
from winsys import fs

print (fs.file (sys.executable).security ())

</code>

To decode the permission bit-strings to vaguely meaningful
names:

<code>
import os, sys
from winsys import fs

dacl = fs.file (sys.executable).security ().dacl
for permission in dacl:
    print (d.trustee, " (Inherited )" if d.inherited else "")
    for name in fs.FILE_ACCESS.names_from_value (d.access):
        print (" ", name)

</code>

TJG
 
vsoler

Depends what, exactly, you want your script to do :)

The simplest way to get an ad-hoc look at what permissions are applied to
a file is:

<code>
import os, sys
from winsys import fs

#
# Just using sys.executable as a file I know will exist;
# obviously you put your own file name in there...
#
fs.file (sys.executable).security ().dump ()

</code>

To get that in the more compact but more esoteric MS SDDL format:

<code>
import os, sys
from winsys import fs

print (fs.file (sys.executable).security ())

</code>

To decode the permission bit-strings to vaguely meaningful
names:

<code>
import os, sys
from winsys import fs

dacl = fs.file (sys.executable).security ().dacl
for permission in dacl:
   print (d.trustee, " (Inherited )" if d.inherited else "")
   for name in fs.FILE_ACCESS.names_from_value (d.access):
     print ("  ", name)

</code>

TJG

Tim,

in your last piece of code, the definition of "d" is missing. missed
anything when copying?

Vicente Soler
 
vsoler

Depends what, exactly, you want your script to do :)

The simplest way to get an ad-hoc look at what permissions are applied to
a file is:

<code>
import os, sys
from winsys import fs

#
# Just using sys.executable as a file I know will exist;
# obviously you put your own file name in there...
#
fs.file (sys.executable).security ().dump ()

</code>

To get that in the more compact but more esoteric MS SDDL format:

<code>
import os, sys
from winsys import fs

print (fs.file (sys.executable).security ())

</code>

To decode the permission bit-strings to vaguely meaningful
names:

<code>
import os, sys
from winsys import fs

dacl = fs.file (sys.executable).security ().dacl
for permission in dacl:
   print (d.trustee, " (Inherited )" if d.inherited else "")
   for name in fs.FILE_ACCESS.names_from_value (d.access):
     print ("  ", name)

</code>

TJG

it seems as though the definition of "d" is missing in your last piece
of code
 
Thomas Jollans

Unix lacks the "Append Data" permission for files, and the "Create Files",
"Create Folders" and "Delete Subfolders and Files" correspond to having
write permission on a directory.

How does append differ from write? If you have appending permissions, but not
writing ones, is it impossible to seek? Or is there a more complex "block"
that bites you when you seek to before the old end of file and try writing
there?

Thank you for the insights, "Nobody". Makes me wonder whether SELinux makes
changes in this area, and if so, how far-reaching they are.

On Unix, you can read permissions (and attributes if the filesystem has
them) for any file which you can "reach" (i.e. have "x" permission on all
ancestor directories). You can only change permissions (and some
attributes) if you own the file, and only root can change ownership (and
change some attributes).

2. Permissions can be inherited from the "parent object" (which isn't
necessarily the parent folder). If you change a permission on the parent
object, it automatically affects any file or folder which inherits the
permission.

3. The owner can be either a user or a group.

What about both?

4. On Windows, a file cannot be "given away" either by its owner or an
administrator. You can grant the "Take Ownership" permission, but
the recipient still has to explicitly change the ownership.

Really? So the operating system actually places restrictions on what the
administrator can do?

Or is there a fine distinction here between administrator-accounts in general
and the NT "Administrator" account that at least some versions of Windows (xp
home edition springs to mind) appear to try to hide as best they can? Well,
this is probably just my UNIX conditioning, expecting a single all-powerful
super-user, shining through here -- but it does seem strange to have a
super-user that is not omnipotent.
 
Tim Golden

it seems as though the definition of "d" is missing in your last piece
of code


Whoops, changed tack mid-thingy. Try:

dacl = ...
for d in dacl:
    # .. as before
 
vsoler

Whoops, changed tack mid-thingy. Try:

dacl = ...
for d in dacl:
   # .. as before

Tim,

I am testing your library. I am mainly interested in knowing the
access attributes of directories in the local(C:\) or shared unit(W:\)
of my system.

Using your script with 'c:\\' I get an error message saying... 'file
exists but it is a directory' and I cannot go any further.

Of course, the problem is that I am using "fs.file" when I should be
using something different.

Reading the doc I have found that I should be using os.walk(...),
which works, but then I cannot use fs.file

Could you please give me a hint as to what method I should be using?

Thank you

Vicente Soler
 
Tim Golden

I am testing your library. I am mainly interested in knowing the
access attributes of directories in the local(C:\) or shared unit(W:\)
of my system.

Using your script with 'c:\\' I get an error message saying... 'file
exists but it is a directory' and I cannot go any further.

Of course, the problem is that I am using "fs.file" when I should be
using something different.

Either use fs.dir (if you know it's a directory) or fs.entry (if it
could be a file or a directory; the code will dispatch to the right one).

If you only want the directories immediately under some directory,
you could do this:

<code>
import sys
from winsys import fs, security

root = fs.file (sys.executable).path # or fs.dir ("w:/") etc.
for d in root.dirs (ignore_access_errors=True):
    print (d, "=>", d.security ()) # or whatever

</code>

If you want to walk the tree of directories looking at permissions, then:

<code>
import os, sys
from winsys import fs

root = fs.file (sys.executable).path
for dirpath, _, _ in root.walk ():
    print (dirpath, "=>", dirpath.security ())

</code>

Reading the doc I have found that I should be using os.walk(...),
which works, but then I cannot use fs.file

In fact, even if you did for some reason use os.walk, you can
easily wrap the returned filenames using fs.entry:

<code>
import os, sys
from winsys import fs

root = os.path.dirname (sys.executable)
# os.walk yields (dirpath, dirnames, filenames) in that order
for dirpath, dirnames, filenames in os.walk (root):
    print (dirpath, "=>", fs.entry (dirpath).security ())

</code>

TKG
 
vsoler

Either use fs.dir (if you know it's a directory) or fs.entry (if it
could be a file or a directory; the code will dispatch to the right one).

If you only want the directories immediately under some directory,
you could do this:

<code>
import sys
from winsys import fs, security

root = fs.file (sys.executable).path  # or fs.dir ("w:/") etc.
for d in root.dirs (ignore_access_errors=True):
   print (d, "=>", d.security ()) # or whatever

</code>

If you want to walk the tree of directories looking at permissions, then:

<code>
import os, sys
from winsys import fs

root = fs.file (sys.executable).path
for dirpath, _, _ in root.walk ():
   print (dirpath, "=>", dirpath.security ())

</code>



In fact, even if you did for some reason use os.walk, you can
easily wrap the returned filenames using fs.entry:

<code>
import os, sys
from winsys import fs

root = os.path.dirname (sys.executable)
for dirpath, dirnames, filenames in os.walk (root):
   print (dirpath, "=>", fs.entry (dirpath).security ())

</code>

TKG

Tim,

I appreciate the time and effort that you are putting in this post.

Personally, I am impressed by the power of python, your winsys
library, and overall, how easy it is to customize the scripting of
one's day to day needs.

I have started testing your first script

from winsys import fs, security
root = fs.dir ("c:/")
for d in root.dirs (ignore_access_errors=True):
    print (d, "=>", d.security ())

However, I am getting an error:

c:\$recycle.bin\ => O:BAD:pAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1201ad;;;BU)
c:\aeat\ => O:BAD:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
c:\archivos de programa\ => O:SYD:pAI(D;;CC;;;WD)(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
c:\documents and settings\ => O:SYD:pAI(D;;CC;;;WD)(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
c:\hp\ => O:SYD:AI(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
Traceback (most recent call last):
  File "C:/Users/Vicente/Documents/VS/Python/test6.py", line 5, in <module>
    print(d, "=>",d.security())
  File "C:\Python31\lib\site-packages\winsys\fs.py", line 1044, in security
    return security.security (self, options=options)
  File "C:\Python31\lib\site-packages\winsys\security.py", line 585, in security
    return Security.from_object (str (obj), obj_type, options=options)
  File "C:\Python31\lib\site-packages\winsys\security.py", line 475, in from_object
    sd = wrapped (win32security.GetNamedSecurityInfo, obj, object_type, options)
  File "C:\Python31\lib\site-packages\winsys\exc.py", line 55, in _wrapped
    raise exception (errno, errctx, errmsg)
winsys.security.x_security: (5, 'GetNamedSecurityInfo', 'Acceso denegado.')

I am using a system in the Spanish language. As you can see in the
last line, 'Acceso denegado' or 'Access denied' even though the flag
"ignore_access_errors" is set to True.

I am using python 3.1 on Windows 7. What do you think is the origin of
this problem?

Vicente Soler
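
The SDDL strings in the output above can be decoded without Windows or winsys. The following is an added example, not code from the thread or from the winsys project: a small parser that reads the owner and DACL of such a string and names each access-mask bit using the permission list given earlier in the thread. The function names, the `SAMPLE` constant and the short SID alias table (only the aliases that occur in the output) are assumptions of this example.

```python
import re

# Access-mask bits, named as in the permission list given earlier in the thread.
FILE_BITS = {
    0x1: "Read Data / List Folder", 0x2: "Write Data / Create Files",
    0x4: "Append Data / Create Folders", 0x8: "Read Extended Attributes",
    0x10: "Write Extended Attributes", 0x20: "Execute File / Traverse Folder",
    0x40: "Delete Subfolders and Files", 0x80: "Read Attributes",
    0x100: "Write Attributes", 0x10000: "Delete", 0x20000: "Read Permissions",
    0x40000: "Change Permissions", 0x80000: "Take Ownership",
    0x100000: "Synchronize", 0x10000000: "Generic All",
    0x20000000: "Generic Execute", 0x40000000: "Generic Write",
    0x80000000: "Generic Read",
}
# Two-letter SDDL rights codes and the mask each one stands for.
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Only the SID aliases seen in the output above; others are passed through.
SIDS = {"BA": "Administrators", "SY": "SYSTEM", "BU": "Users",
        "AU": "Authenticated Users", "WD": "Everyone"}
HEADER = re.compile(r"O:(?P<owner>S-[\d-]+|[A-Z]{2})(?:G:(?:S-[\d-]+|[A-Z]{2}))?"
                    r"D:(?P<flags>[A-Za-z]*)(?P<aces>(?:\([^)]*\))*)")

def rights_names(text):
    """Turn an SDDL rights field (hex mask or two-letter codes) into names."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for code in re.findall("..", text):
            mask |= RIGHTS[code]
    return [name for bit, name in FILE_BITS.items() if mask & bit]

def parse_sddl(sddl):
    """Parse the owner and DACL of an SDDL string into plain Python data."""
    m = HEADER.match("".join(sddl.split()))  # the output may wrap across lines
    if m is None:
        raise ValueError("expected an SDDL string with an owner and a DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        kind, flags, rights, _guid, _iguid, sid = body.split(";")[:6]
        flags = re.findall("..", flags)  # pairs, so "CIOI" is not read as "IO"
        aces.append({"type": {"A": "allow", "D": "deny"}.get(kind, kind),
                     "trustee": SIDS.get(sid, sid), "rights": rights_names(rights),
                     "inherited": "ID" in flags, "inherit_only": "IO" in flags})
    return {"owner": SIDS.get(m["owner"], m["owner"]),
            "protected": "P" in m["flags"].upper(), "aces": aces}

# Copied from the output above (the c:\archivos de programa\ line).
SAMPLE = "O:SYD:pAI(D;;CC;;;WD)(A;;0x1200a9;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)"

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["aces"]:
        print(ace["type"], ace["trustee"], ace["rights"])
```

In the sample, the leading `P` flag marks the DACL as protected from inheritance, and the first ACE decodes to a deny of List Folder for Everyone.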
 
