5

I'm trying to read the access for files and directories in Windows using this code (patterned after Tim Golden's proposed patch to os.access to make it read from ACLs on Windows):

from ctypes import(
    windll,
    wintypes,
    c_char_p,
    c_void_p,
    byref
    )
from win32api import GetCurrentThread
from win32security import (
    GetFileSecurity,
    DACL_SECURITY_INFORMATION,
    ImpersonateSelf,
    SecurityImpersonation,
    OpenThreadToken,
    TOKEN_ALL_ACCESS,
    MapGenericMask
    )
from ntsecuritycon import (
    FILE_READ_DATA,
    FILE_WRITE_DATA,
    FILE_EXECUTE,
    FILE_ALL_ACCESS
    )
import pywintypes
import winnt

TRUE = 1

def CheckAccess(path,AccessDesired):
    result = wintypes.BOOL()
    granted = wintypes.DWORD(0)
    privsetlength = wintypes.DWORD(0)

    fileSD = GetFileSecurity(path, DACL_SECURITY_INFORMATION)
    if not fileSD.IsValid():
        raise Exception("Invalid security descriptor")

    ImpersonateSelf(SecurityImpersonation)
    token = OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE)
    mapping = wintypes.DWORD(MapGenericMask(AccessDesired,
        (FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, FILE_ALL_ACCESS)))
    if not windll.advapi32.AccessCheck(
        c_char_p(str(buffer(fileSD))),
        wintypes.HANDLE(int(token)),
        AccessDesired,
        byref(mapping),
        c_void_p(0), #privilege set, optional
        byref(privsetlength), #size of optional privilege set
        byref(granted),
        byref(result)
        ):
            code = GetLastError()
            raise WindowsError(GetLastError(),FormatMessage(code))
    return bool(result)

def HasReadAccess(path):
    return CheckAccess(path,FILE_READ_DATA)

def HasWriteAccess(path):
    return CheckAccess(path,FILE_WRITE_DATA)

if __name__ == "__main__":
    print(HasReadAccess("C:/Python26"))

However, every time I run this, I get this:

WindowsError: [Error 1338] The security descriptor structure is invalid.

How am I supposed to pass the SecurityDescriptor to AccessCheck?

EDIT: Changing the DACL_SECURITY_INFORMATION to DACL_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION gives me this:

WindowsError: [Error 122] The data area passed to a system call is too small.
Stuart P. Bentley
  • 8,777
  • 7
  • 48
  • 77

1 Answers1

5

Apparently by "optional" Windows means "required". I fixed it by allocating a buffer and passing the size of PRIVILEGE_SET (20).

Stuart P. Bentley
  • 8,777
  • 7
  • 48
  • 77
  • Hi Stuart, I'm dealing with the same problem right now; Could you please post your final working code ? – Ali Nov 16 '12 at 05:11
  • 2
    This was from an internship I did over a year ago, with code I didn't take with me, but from reading what I'm saying here I think the trick is to (going by the example written here) replace `privsetlength = wintypes.DWORD(0)` with `privsetlength = wintypes.DWORD(20)` and `c_void_p(0)` with something like `create_string_buffer(20)` (I've been spending the last year and a half happily forgetting everything I ever did involving the Python ctypes module). – Stuart P. Bentley Nov 16 '12 at 23:36
  • Haha :-) good for you to have put the ctypes behind! I did get this to work. for anyone who's interested, what I did was to call AccessCheck first with null to get the default behaviour (privsetlength) and then recall with the right size (see comments in msdn of AccessCheck). – Ali Nov 17 '12 at 00:50
  • And by the way, your code saved me at least a full day of work. Thanks! – Ali Nov 17 '12 at 00:51