11

As the question title might suggest, I would very much like to know of the way to check the NTFS permissions of the given file or folder (hint: those are the ones you see in the "security" tab). Basically, what I need is to take a path to a file or directory (on a local machine, or, preferably, on a share on a remote machine) and get the list of users/groups and the corresponding permissions for this file/folder. Ultimately, the application is going to traverse a directory tree, reading permissions for each object and processing them accordingly.

Now, I can think of a number of ways to do that:

  • parse cacls.exe output -- easily done, BUT, unless I'm missing something, cacls.exe only gives the permissions in the form of R|W|C|F (read/write/change/full), which is insufficient (I need to get the permissions like "List folder contents", extended permissions too)
  • xcacls.exe or xcacls.vbs output -- yes, they give me all the permissions I need, but they work dreadfully slow, it takes xcacls.vbs about ONE SECOND to get permissions on a local system file. Such speed is unacceptable
  • win32security (it wraps around winapi, right?) -- I am sure it can be handled like this, but I'd rather not reinvent the wheel

Is there anything else I am missing here?

3
  • 2
    I think win32security is what you want. It is indeed a wrapper around the Windows API. Are you concerned that it's too low-level? Commented May 22, 2009 at 7:06
  • Well, if it is the only way I might as well do it using win32security, but that would be like rolling my own cacls, that's why I've referred to it as reinventing the wheel. Commented May 22, 2009 at 8:00
  • Well, first of all, cacls doesn't do everything the Win API does (including, apparently, what you want to do). Second, calling the API (even through bindings) will probably be much faster than shelling out to another program and parsing the output. Commented May 22, 2009 at 8:23

1 Answer

18

Unless you fancy rolling your own, win32security is the way to go. There's the beginnings of an example here:

http://timgolden.me.uk/python/win32_how_do_i/get-the-owner-of-a-file.html

If you want to live slightly dangerously (!) my in-progress winsys package is designed to do exactly what you're after. It is available on pip:

pip install winsys

or you can just checkout the git repository:

git clone https://github.com/tjguk/winsys.git winsys

To do what you describe (guessing slightly at the exact requirements) you could do this:

import codecs
from winsys import fs

base = "c:\\temp"
with codecs.open("permissions.log", "wb", encoding="utf8") as log:
    # Walk every file and directory under base
    for f in fs.flat(base):
        log.write("\n" + f.relative_to(base) + "\n")
        # One line per ACE in the DACL: trustee and the named flags in its access mask
        for ace in f.security().dacl:
            access_flags = fs.FILE_ACCESS.names_from_value(ace.access)
            log.write("  %s => %s\n" % (ace.trustee, ", ".join(access_flags)))

TJG
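
For the win32security route recommended above, this added example (not code from the answer, its author, or winsys) reads a DACL with pywin32 and decodes each ACE's access mask into the individual rights the question asks about. The names `decode_mask` and `read_dacl` and the display labels are this example's own; the bit values are the standard Windows file access-mask constants.

```python
# Added example: file/directory access-mask bits (standard Windows values).
FILE_RIGHTS = [
    (0x00000001, "List folder / read data"),
    (0x00000002, "Create files / write data"),
    (0x00000004, "Create folders / append data"),
    (0x00000008, "Read extended attributes"),
    (0x00000010, "Write extended attributes"),
    (0x00000020, "Traverse folder / execute file"),
    (0x00000040, "Delete subfolders and files"),
    (0x00000080, "Read attributes"),
    (0x00000100, "Write attributes"),
    (0x00010000, "Delete"),
    (0x00020000, "Read permissions"),
    (0x00040000, "Change permissions"),
    (0x00080000, "Take ownership"),
    (0x00100000, "Synchronize"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
FULL_CONTROL = 0x001F01FF  # FILE_ALL_ACCESS
INHERITED_ACE = 0x10       # ACE flag: entry was inherited from a parent


def decode_mask(mask):
    """Return the named rights set in one ACE access mask."""
    mask &= 0xFFFFFFFF  # normalise to an unsigned 32-bit value
    if mask == FULL_CONTROL:
        return ["Full control"]
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def read_dacl(path):
    """Windows only (needs pywin32): rows of (trustee, kind, inherited, rights)."""
    import win32security, pywintypes
    sd = win32security.GetFileSecurity(path, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:  # NULL DACL: everyone has full access, so report it as such
        return None
    rows = []
    for i in range(dacl.GetAceCount()):
        (ace_type, ace_flags), mask, *_, sid = dacl.GetAce(i)
        try:
            name, domain, _ = win32security.LookupAccountSid(None, sid)
            trustee = "%s\\%s" % (domain, name) if domain else name
        except pywintypes.error:  # unresolvable SID, e.g. a deleted account
            trustee = win32security.ConvertSidToStringSid(sid)
        kind = "deny" if ace_type == win32security.ACCESS_DENIED_ACE_TYPE else "allow"
        rows.append((trustee, kind, bool(ace_flags & INHERITED_ACE), decode_mask(mask)))
    return rows
```

When auditing a tree, treat a `None` result (NULL DACL) and any deny rows separately, since neither shows up in a simple R|W|C|F summary.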

1 Comment

Oh, Tim, thank you SO much! I was going to say, that I've already figured out how to do it (using win32security, yeah), but I've just realized, that I did it using the examples on your site! What kind of coincidence is that! :)
