return fdescr
return fdescr.as_sddl(sid)
+
+def fsacl_child_sd(parent_sddl, domain_sid, owner_sid, group_sid, container=True, as_sddl=True):
+ """
+
+ This function takes an the SDDL representation of a filesystem
+ ACL and return the SDDL representation of this ACL adapted
+ for child files/directories. It's used for Policy object provision
+ """
+ parent_sd = security.descriptor.from_sddl(parent_sddl, domain_sid)
+ fdescr = security.descriptor()
+ fdescr.owner_sid = owner_sid
+ fdescr.group_sid = group_sid
+ fdescr.type = parent_sd.type
+ fdescr.type |= security.SEC_DESC_DACL_AUTO_INHERITED
+ fdescr.revision = parent_sd.revision
+ aces = parent_sd.dacl.aces
+ for i in range(0, len(aces)):
+ ace = aces[i]
+ ace2 = None
+
+ if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED:
+ pass
+ elif ace.type == security.SEC_ACE_TYPE_ACCESS_DENIED:
+ pass
+ else:
+ continue
+
+ inherit_ace = False
+ if not container:
+ if ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT:
+ inherit_ace = True
+ else:
+ if ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT:
+ inherit_ace = True
+ if ((ace.flags & security.SEC_ACE_FLAG_OBJECT_INHERIT) and \
+ not (ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)):
+ inherit_ace = True
+
+ if not inherit_ace:
+ continue
+
+ if not container:
+ ace.flags = 0;
+ else:
+ ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
+ if not (ace.flags & security.SEC_ACE_FLAG_CONTAINER_INHERIT):
+ ace.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+ ace.flags &= ~security.SEC_ACE_FLAG_INHERIT_ONLY
+ if ace.flags & security.SEC_ACE_FLAG_NO_PROPAGATE_INHERIT:
+ ace.flags = 0;
+
+ ace.flags |= security.SEC_ACE_FLAG_INHERITED_ACE
+
+ if str(ace.trustee) == security.SID_CREATOR_OWNER:
+ ace2 = ace
+
+ ace = security.ace()
+ ace.type = ace.type
+ ace.flags = ace.flags
+ ace.access_mask = ace.access_mask
+ ace.trustee = owner_sid
+
+ ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+
+ if str(ace.trustee) == security.SID_CREATOR_GROUP:
+ ace2 = ace
+
+ ace = security.ace()
+ ace.type = ace.type
+ ace.flags = ace.flags
+ ace.access_mask = ace.access_mask
+ ace.trustee = group_sid
+
+ ace2.flags |= security.SEC_ACE_FLAG_INHERIT_ONLY
+
+ fdescr.dacl_add(ace)
+ if container and ace2 is not None:
+ fdescr.dacl_add(ace2)
+
+ if not as_sddl:
+ return fdescr
+
+ return fdescr.as_sddl(domain_sid)