I have a somewhat unclear question.
What I need: To determine if the permissions (or, strictly speaking, specific ACE DACLs) of a file / folder are inherited.
How I tried to solve this: using winapi bindings for python (more precisely, win32security code). Here's a stripped down version that does just that β it just takes the file path as an argument and prints the ACE one by one, indicating which flags are set.
from win32security import *
import sys
def decode_flags(flags):
_flags = {
SE_DACL_PROTECTED:"SE_DACL_PROTECTED",
SE_DACL_AUTO_INHERITED:"SE_DACL_AUTO_INHERITED",
OBJECT_INHERIT_ACE:"OBJECT_INHERIT_ACE",
CONTAINER_INHERIT_ACE:"CONTAINER_INHERIT_ACE",
INHERIT_ONLY_ACE:"INHERIT_ONLY_ACE",
NO_INHERITANCE:"NO_INHERITANCE",
NO_PROPAGATE_INHERIT_ACE:"NO_PROPAGATE_INHERIT_ACE",
INHERITED_ACE:"INHERITED_ACE"
}
for key in _flags.keys():
if (flags & key):
print '\t','\t',_flags[key],"is set!"
def main(argv):
target = argv[0]
print target
security_descriptor = GetFileSecurity(target,DACL_SECURITY_INFORMATION)
dacl = security_descriptor.GetSecurityDescriptorDacl()
for ace_index in range(dacl.GetAceCount()):
(ace_type,ace_flags),access_mask,sid = dacl.GetAce(ace_index)
name,domain,account_type = LookupAccountSid(None,sid)
print '\t',domain+'\\'+name,hex(ace_flags)
decode_flags(ace_flags)
if __name__ == '__main__':
main(sys.argv[1:])
Simple enough - get the security descriptor, get the DACL from it, and then iterate over the ACE into the DACL. The really important bit here is the INHERITED_ACE access flag. It must be set when ACE is inherited and not set explicitly.
/, ACL ACE ACE (), . , - , INHERITED_ACE ! , .
- (, , ), ( , , )! INHERITED_ACE , , , ACE .
:
- ( )
- Windows, , (, , Windows).
- , , , script, (INHERITED_ACE - ACE).
- ( ), .
- ( INHERITED_ACE)
- .. ( , )
, , , , .