[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [rdiff-backup-users] [PATCH] Backing up Windows ACLs
From: |
Josh Nisly |
Subject: |
Re: [rdiff-backup-users] [PATCH] Backing up Windows ACLs |
Date: |
Fri, 27 Jun 2008 08:48:23 +0600 |
User-agent: |
Thunderbird 2.0.0.14 (X11/20080505) |
Fred Gansevles found some problems with the previous patch. Attached is
an updated one.
Josh Nisly wrote:
Attached is a patch that fixes any problems I know about with the
previous one, and includes several fixes by Fred Gansevles. It
serializes the ACL record to string in the RPath member, which allows
new versions to work with existing servers. I've also implemented the
correct checks for whether the remote connection supports ACLs, so
backing up a Windows client to a linux server should work fine.
Comments are welcome.
Thanks,
JoshN
Index: dist/makedist
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/dist/makedist,v
retrieving revision 1.29
diff -u -r1.29 makedist
--- dist/makedist 23 Jun 2008 02:30:21 -0000 1.29
+++ dist/makedist 23 Jun 2008 06:35:53 -0000
@@ -118,7 +118,7 @@
"Security.py", "selection.py",
"SetConnections.py", "static.py",
"statistics.py", "TempFile.py",
"Time.py",
- "user_group.py"]:
+ "user_group.py", "win_acls.py"]:
shutil.copyfile(os.path.join(SourceDir, filename),
os.path.join(tardir,
"rdiff_backup", filename))
Index: rdiff_backup/Globals.py
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/rdiff_backup/Globals.py,v
retrieving revision 1.45
diff -u -r1.45 Globals.py
--- rdiff_backup/Globals.py 13 Apr 2008 11:25:21 -0000 1.45
+++ rdiff_backup/Globals.py 26 Jun 2008 06:44:09 -0000
@@ -85,6 +85,12 @@
acls_write = None
acls_conn = None
+# Like the above, but applies to support of Windows
+# access control lists.
+win_acls_active = None
+win_acls_write = None
+win_acls_conn = None
+
# Like above two setting groups, but applies to support of Mac OS X
# style resource forks.
resource_forks_active = None
Index: rdiff_backup/connection.py
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/rdiff_backup/connection.py,v
retrieving revision 1.29
diff -u -r1.29 connection.py
--- rdiff_backup/connection.py 9 Jul 2007 03:53:40 -0000 1.29
+++ rdiff_backup/connection.py 23 Jun 2008 06:35:52 -0000
@@ -27,7 +27,8 @@
except ImportError: pass
try: import posix1e
except ImportError: pass
-
+try: import win32security
+except ImportError: pass
class ConnectionError(Exception): pass
class ConnectionReadError(ConnectionError): pass
@@ -539,6 +540,9 @@
TempFile, SetConnections, librsync, log, regress, fs_abilities, \
eas_acls, user_group, compare
+try: import win_acls
+except: pass
+
Globals.local_connection = LocalConnection()
Globals.connections.append(Globals.local_connection)
# Following changed by server in SetConnections
Index: rdiff_backup/fs_abilities.py
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/rdiff_backup/fs_abilities.py,v
retrieving revision 1.46
diff -u -r1.46 fs_abilities.py
--- rdiff_backup/fs_abilities.py 14 Jun 2008 18:17:57 -0000 1.46
+++ rdiff_backup/fs_abilities.py 25 Jun 2008 05:59:05 -0000
@@ -29,7 +29,7 @@
import errno, os
import Globals, log, TempFile, selection, robust, SetConnections, \
- static, FilenameMapping
+ static, FilenameMapping, win_acls
class FSAbilities:
"""Store capabilities of given file system"""
@@ -39,6 +39,7 @@
ownership = None # True if chown works on this filesystem
acls = None # True if access control lists supported
eas = None # True if extended attributes supported
+ win_acls = None # True if windows access control lists supported
hardlinks = None # True if hard linking supported
fsync_dirs = None # True if directories can be fsync'd
dir_inc_perms = None # True if regular files can have full permissions
@@ -97,6 +98,7 @@
self.win_reserved_filenames)])
add_boolean_list([('Access control lists', self.acls),
('Extended attributes',
self.eas),
+ ('Windows access control
lists', self.win_acls),
('Case sensitivity',
self.case_sensitive),
('Escape DOS devices',
self.escape_dos_devices),
('Mac OS X style resource
forks',
@@ -120,6 +122,7 @@
self.read_only = 1
self.set_eas(rp, 0)
self.set_acls(rp)
+ self.set_win_acls(rp)
self.set_resource_fork_readonly(rp)
self.set_carbonfile()
self.set_case_sensitive_readonly(rp)
@@ -151,6 +154,7 @@
self.set_fsync_dirs(subdir)
self.set_eas(subdir, 1)
self.set_acls(subdir)
+ self.set_win_acls(subdir)
self.set_dir_inc_perms(subdir)
self.set_resource_fork_readwrite(subdir)
self.set_carbonfile()
@@ -364,6 +368,24 @@
self.eas = 0
else: self.eas = 1
+ def set_win_acls(self, dir_rp):
+ """Test if windows access control lists are supported"""
+ try:
+ import win32security
+ except ImportError:
+ log.Log("Unable to import win32security module. Windows
ACLs\n"
+ "not supported by filesystem at %s" %
dir_rp.path, 4)
+ self.win_acls = 0
+ return
+ try:
+ win_acls.init_acls()
+ except OSError:
+ log.Log("Windows ACLs not supported by filesystem\n"
+ "at %s" % dir_rp.path, 4)
+ self.win_acls = 0
+ return
+ self.win_acls = 1
+
def set_dir_inc_perms(self, rp):
"""See if increments can have full permissions like a
directory"""
test_rp = rp.append('dir_inc_check')
@@ -489,6 +511,7 @@
% (subdir.path), 4)
self.escape_dos_devices = 1
+
def get_readonly_fsa(desc_string, rp):
"""Return an fsa with given description_string
@@ -521,6 +544,10 @@
log.Log.FatalError("--never-drop-acls specified, but
ACL support\n"
"missing from
destination filesystem")
+ def set_win_acls(self):
+ self.update_triple(self.src_fsa.win_acls,
self.dest_fsa.win_acls,
+ ('win_acls_active', 'win_acls_write',
'win_acls_conn'))
+
def set_resource_forks(self):
self.update_triple(self.src_fsa.resource_forks,
self.dest_fsa.resource_forks,
@@ -729,6 +756,10 @@
def set_acls(self):
self.update_triple(self.dest_fsa.acls,
('acls_active', 'acls_write',
'acls_conn'))
+ def set_win_acls(self):
+ self.update_triple(self.src_fsa.win_acls,
self.dest_fsa.win_acls,
+ ('win_acls_active', 'win_acls_write',
'win_acls_conn'))
+
def set_resource_forks(self):
self.update_triple(self.dest_fsa.resource_forks,
('resource_forks_active',
@@ -754,6 +785,7 @@
bsg = BackupSetGlobals(rpin.conn, Globals.rbdir.conn, src_fsa, dest_fsa)
bsg.set_eas()
bsg.set_acls()
+ bsg.set_win_acls()
bsg.set_resource_forks()
bsg.set_carbonfile()
bsg.set_hardlinks()
@@ -781,6 +813,7 @@
rsg = RestoreSetGlobals(Globals.rbdir.conn, rpout.conn, src_fsa,
dest_fsa)
rsg.set_eas()
rsg.set_acls()
+ rsg.set_win_acls()
rsg.set_resource_forks()
rsg.set_carbonfile()
rsg.set_hardlinks()
Index: rdiff_backup/metadata.py
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/rdiff_backup/metadata.py,v
retrieving revision 1.29
diff -u -r1.29 metadata.py
--- rdiff_backup/metadata.py 14 Jun 2008 18:17:57 -0000 1.29
+++ rdiff_backup/metadata.py 23 Jun 2008 06:35:52 -0000
@@ -433,9 +433,10 @@
class CombinedWriter:
"""Used for simultaneously writting metadata, eas, and acls"""
- def __init__(self, metawriter, eawriter, aclwriter):
+ def __init__(self, metawriter, eawriter, aclwriter, winaclwriter):
self.metawriter = metawriter
- self.eawriter, self.aclwriter = eawriter, aclwriter # these can
be None
+ self.eawriter, self.aclwriter, self.winaclwriter = \
+ eawriter, aclwriter, winaclwriter # these can
be None
def write_object(self, rorp):
"""Write information in rorp to all the writers"""
@@ -444,11 +445,14 @@
self.eawriter.write_object(rorp.get_ea())
if self.aclwriter and not rorp.get_acl().is_basic():
self.aclwriter.write_object(rorp.get_acl())
+ if self.winaclwriter:
+ self.winaclwriter.write_object(rorp.get_win_acl())
def close(self):
self.metawriter.close()
if self.eawriter: self.eawriter.close()
if self.aclwriter: self.aclwriter.close()
+ if self.winaclwriter: self.winaclwriter.close()
class Manager:
@@ -456,6 +460,7 @@
meta_prefix = 'mirror_metadata'
acl_prefix = 'access_control_lists'
ea_prefix = 'extended_attributes'
+ wacl_prefix = 'win_access_control_lists'
def __init__(self):
"""Set listing of rdiff-backup-data dir"""
@@ -501,6 +506,11 @@
return self._iter_helper(self.acl_prefix,
eas_acls.AccessControlListFile, time,
restrict_index)
+ def get_win_acls_at_time(self, time, restrict_index):
+ """Return WACLs iter at given time from recordfile (or None)"""
+ return self._iter_helper(self.wacl_prefix,
+ win_acls.WinAccessControlListFile,
time, restrict_index)
+
def GetAtTime(self, time, restrict_index = None):
"""Return combined metadata iter with ea/acl info if
necessary"""
cur_iter = self.get_meta_at_time(time, restrict_index)
@@ -521,6 +531,14 @@
log.Log("Warning: Extended Attributes file not
found", 2)
ea_iter = iter([])
cur_iter = eas_acls.join_ea_iter(cur_iter, ea_iter)
+ if Globals.win_acls_active:
+ wacl_iter = self.get_win_acls_at_time(time,
restrict_index)
+ if not wacl_iter:
+ log.Log("Warning: Windows Access Control List
file not"
+ " found.", 2)
+ wacl_iter = iter([])
+ cur_iter = win_acls.join_wacl_iter(cur_iter, wacl_iter)
+
return cur_iter
def _writer_helper(self, prefix, flatfileclass, typestr, time):
@@ -548,17 +566,26 @@
return self._writer_helper(self.acl_prefix,
eas_acls.AccessControlListFile, typestr, time)
+ def get_win_acl_writer(self, typestr, time):
+ """Return WinAccessControlListFile opened for writing"""
+ return self._writer_helper(self.wacl_prefix,
+
win_acls.WinAccessControlListFile, typestr, time)
+
def GetWriter(self, typestr = 'snapshot', time = None):
"""Get a writer object that can write meta and possibly
acls/eas"""
metawriter = self.get_meta_writer(typestr, time)
- if not Globals.eas_active and not Globals.acls_active:
+ if not Globals.eas_active and not Globals.acls_active and \
+ not Globals.win_acls_active:
return metawriter # no need for a CombinedWriter
if Globals.eas_active: ea_writer = self.get_ea_writer(typestr,
time)
else: ea_writer = None
if Globals.acls_active: acl_writer =
self.get_acl_writer(typestr, time)
else: acl_writer = None
- return CombinedWriter(metawriter, ea_writer, acl_writer)
+ if Globals.win_acls_active: win_acl_writer = \
+ self.get_win_acl_writer(typestr, time)
+ else: win_acl_writer = None
+ return CombinedWriter(metawriter, ea_writer, acl_writer,
win_acl_writer)
class PatchDiffMan(Manager):
"""Contains functions for patching and diffing metadata
@@ -664,3 +691,4 @@
import eas_acls # put at bottom to avoid python circularity bug
+import win_acls
Index: rdiff_backup/rpath.py
===================================================================
RCS file: /sources/rdiff-backup/rdiff-backup/rdiff_backup/rpath.py,v
retrieving revision 1.120
diff -u -r1.120 rpath.py
--- rdiff_backup/rpath.py 10 Jun 2008 13:14:52 -0000 1.120
+++ rdiff_backup/rpath.py 26 Jun 2008 06:44:09 -0000
@@ -185,6 +185,7 @@
rpout.chmod(rpin.getperms())
if Globals.acls_write: rpout.write_acl(rpin.get_acl())
if not rpin.isdev(): rpout.setmtime(rpin.getmtime())
+ if Globals.win_acls_write: rpout.write_win_acl(rpin.get_win_acl())
def copy_attribs_inc(rpin, rpout):
"""Change file attributes of rpout to match rpin
@@ -257,6 +258,8 @@
if error.errno != errno.EEXIST: raise
# On Windows, files can't be renamed on top of
an existing file
+ try: rp_source.conn.os.chmod(rp_dest.path,
stat.S_IWRITE)
+ except: pass
rp_source.conn.os.unlink(rp_dest.path)
rp_source.conn.os.rename(rp_source.path,
rp_dest.path)
@@ -338,6 +361,7 @@
elif key == 'size' and not self.isreg(): pass
elif key == 'ea' and not Globals.eas_active: pass
elif key == 'acl' and not Globals.acls_active: pass
+ elif key == 'win_acl' and not Globals.win_acls_active:
pass
elif key == 'carbonfile' and not
Globals.carbonfile_active: pass
elif key == 'resourcefork' and not
Globals.resource_forks_active:
pass
@@ -378,6 +402,7 @@
elif key == 'inode': pass
elif key == 'ea' and not Globals.eas_write: pass
elif key == 'acl' and not Globals.acls_write: pass
+ elif key == 'win_acl' and not Globals.win_acls_write:
pass
elif key == 'carbonfile' and not
Globals.carbonfile_write: pass
elif key == 'resourcefork' and not
Globals.resource_forks_write:
pass
@@ -395,8 +420,8 @@
def equal_verbose(self, other, check_index = 1,
compare_inodes = 0, compare_ownership
= 0,
- compare_acls = 0, compare_eas = 0,
compare_size = 1,
- compare_type = 1, verbosity = 2):
+ compare_acls = 0, compare_eas = 0,
compare_win_acls = 0,
+ compare_size = 1, compare_type = 1,
verbosity = 2):
"""Like __eq__, but log more information. Useful when
testing"""
if check_index and self.index != other.index:
log.Log("Index %s != index %s" % (self.index,
other.index),
@@ -417,6 +442,7 @@
pass
elif key == 'ea' and not compare_eas: pass
elif key == 'acl' and not compare_acls: pass
+ elif key == 'win_acl' and not compare_win_acls: pass
elif (not other.data.has_key(key) or
self.data[key] != other.data[key]):
if not other.data.has_key(key):
@@ -434,7 +460,8 @@
return self.equal_verbose(other,
compare_inodes = compare_inodes,
compare_eas =
Globals.eas_active,
- compare_acls
= Globals.acls_active)
+ compare_acls
= Globals.acls_active,
+
compare_win_acls = Globals.win_acls_active)
def __ne__(self, other): return not self.__eq__(other)
@@ -682,6 +709,17 @@
"""Record resource fork in dictionary. Does not write"""
self.data['resourcefork'] = rfork
+ def set_win_acl(self, acl):
+ """Record Windows access control list in dictionary. Does not
write"""
+ self.data['win_acl'] = acl
+
+ def get_win_acl(self):
+ """Return access control list object from dictionary"""
+ try: return self.data['win_acl']
+ except KeyError:
+ acl = self.data['win_acl'] =
get_blank_win_acl(self.index)
+ return acl
+
def has_alt_mirror_name(self):
"""True if rorp has an alternate mirror name specified"""
return self.data.has_key('mirrorname')
@@ -1304,6 +1342,16 @@
assert not fp.close()
self.set_resource_fork(rfork_data)
+ def get_win_acl(self):
+ """Return Windows access control list, setting if necessary"""
+ try: acl = self.data['win_acl']
+ except KeyError: acl = self.data['win_acl'] = win_acl_get(self)
+ return acl
+
+ def write_win_acl(self, acl):
+ """Change access control list of rp"""
+ write_win_acl(self, acl)
+ self.data['win_acl'] = acl
class RPathFileHook:
"""Look like a file, but add closing hook"""
@@ -1394,6 +1442,8 @@
rpath.data['gname'] = user_group.gid2gname(rpath.data['gid'])
if Globals.eas_conn: rpath.data['ea'] = ea_get(rpath)
if Globals.acls_conn: rpath.data['acl'] = acl_get(rpath)
+ if Globals.win_acls_conn:
+ rpath.data['win_acl'] = win_acl_get(rpath)
if Globals.resource_forks_conn and rpath.isreg():
rpath.get_resource_fork()
if Globals.carbonfile_conn and rpath.isreg():
@@ -1427,3 +1477,7 @@
def get_blank_acl(index): assert 0
def ea_get(rp): assert 0
def get_blank_ea(index): assert 0
+
+def win_acl_get(rp): assert 0
+def write_win_acl(rp): assert 0
+def get_blank_win_acl(): assert 0
--- rdiff_backup/win_acls.py.orig Thu Jun 26 10:32:06 2008
+++ rdiff_backup/win_acls.py Thu Jun 26 10:04:27 2008
@@ -0,0 +1,201 @@
+# Copyright 2008 Fred Gansevles <address@hidden>
+#
+# This file is part of rdiff-backup.
+#
+# rdiff-backup is free software; you can redistribute it and/or modify
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# rdiff-backup is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with rdiff-backup; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+
+__version__ = (0, 1, 1)
+
+import C, metadata, re, rorpiter, rpath
+
+try:
+ from win32security import *
+except:
+ GROUP_SECURITY_INFORMATION = 0
+ OWNER_SECURITY_INFORMATION = 0
+ DACL_SECURITY_INFORMATION = 0
+
+class ACL:
+ flags = (GROUP_SECURITY_INFORMATION|
+ OWNER_SECURITY_INFORMATION|
+ DACL_SECURITY_INFORMATION)
+
+ def __init__(self, index=()):
+ self.__acl = ""
+ self.index = index
+
+ def get_indexpath(self): return self.index and '/'.join(self.index) or
'.'
+
+ def load_from_rp(self, rp, skip_inherit_only = True):
+ self.index = rp.index
+ try:
+ sd = rp.conn.win32security.GetFileSecurity(rp.path,
ACL.flags)
+ except:
+ return
+
+ if skip_inherit_only:
+ # skip the inherit_only aces
+ acl = sd.GetSecurityDescriptorDacl()
+ if acl:
+ n = acl.GetAceCount()
+ # traverse the ACL in reverse, so the indices
stay correct
+ while n:
+ n -= 1
+ ace_flags = acl.GetAce(n)[0][1]
+ if ace_flags & INHERIT_ONLY_ACE:
+ acl.DeleteAce(n)
+ sd.SetSecurityDescriptorDacl(1, acl, 0)
+
+ if ACL.flags & SACL_SECURITY_INFORMATION:
+ acl = sd.GetSecurityDescriptorSacl()
+ if acl:
+ n = acl.GetAceCount()
+ # traverse the ACL in reverse, so the
indices stay correct
+ while n:
+ n -= 1
+ ace_flags = acl.GetAce(n)[0][1]
+ if ace_flags & INHERIT_ONLY_ACE:
+ acl.DeleteAce(n)
+ sd.SetSecurityDescriptorSacl(1, acl, 0)
+
+ self.__acl = \
+
rp.conn.win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(sd,
+ SDDL_REVISION_1, ACL.flags)
+
+ def clear_rp(self, rp):
+ # not sure how to interpret this
+ # I'll jus clear all acl-s from rp.path
+ sd = rp.conn.win32security.GetFileSecurity(rp.path, ACL.flags)
+
+ acl = sd.GetSecurityDescriptorDacl()
+ if acl:
+ n = acl.GetAceCount()
+ # traverse the ACL in reverse, so the indices stay
correct
+ while n:
+ n -= 1
+ acl.DeleteAce(n)
+ sd.SetSecurityDescriptorDacl(1, acl, 0)
+
+ if ACL.flags & SACL_SECURITY_INFORMATION:
+ acl = sd.GetSecurityDescriptorSacl()
+ if acl:
+ n = acl.GetAceCount()
+ # traverse the ACL in reverse, so the indices
stay correct
+ while n:
+ n -= 1
+ acl.DeleteAce(n)
+ sd.SetSecurityDescriptorSacl(1, acl, 0)
+
+ SetFileSecurity(rp.path, ACL.flags, sd)
+
+ def write_to_rp(self, rp):
+ if self.__acl:
+ sd =
rp.conn.win32security.ConvertStringSecurityDescriptorToSecurityDescriptor(self.__acl,
+ SDDL_REVISION_1)
+ rp.conn.win32security.SetFileSecurity(rp.path,
ACL.flags, sd)
+
+ def __str__(self):
+ return '# file: %s\n%s\n' % \
+ (C.acl_quote(self.get_indexpath()),
unicode(self.__acl))
+
+ def from_string(self, acl_str):
+ lines = acl_str.splitlines()
+ if len(lines) != 2 or not lines[0][:8] == "# file: ":
+ raise metadata.ParsingError("Bad record beginning: " +
lines[0][:8])
+ filename = lines[0][8:]
+ if filename == '.': self.index = ()
+ else: self.index = tuple(C.acl_unquote(filename).split('/'))
+ self.__acl = lines[1]
+
+def Record2WACL(record):
+ acl = ACL()
+ acl.from_string(record)
+ return acl
+
+def WACL2Record(wacl):
+ return unicode(wacl)
+
+class WACLExtractor(metadata.FlatExtractor):
+ """Iterate ExtendedAttributes objects from the WACL information file"""
+ record_boundary_regexp = re.compile('(?:\\n|^)(# file: (.*?))\\n')
+ record_to_object = staticmethod(Record2WACL)
+ def filename_to_index(self, filename):
+ """Convert possibly quoted filename to index tuple"""
+ if filename == '.': return ()
+ else: return tuple(C.acl_unquote(filename).split('/'))
+
+class WinAccessControlListFile(metadata.FlatFile):
+ """Store/retrieve ACLs from extended_attributes file"""
+ _prefix = "win_access_control_lists"
+ _extractor = WACLExtractor
+ _object_to_record = staticmethod(WACL2Record)
+
+def join_wacl_iter(rorp_iter, wacl_iter):
+ """Update a rorp iter by adding the information from acl_iter"""
+ for rorp, wacl in rorpiter.CollateIterators(rorp_iter, wacl_iter):
+ assert rorp, "Missing rorp for index %s" % (wacl.index,)
+ if not wacl: wacl = ACL(rorp.index)
+ rorp.set_win_acl(unicode(wacl))
+ yield rorp
+
+def rpath_acl_win_get(rpath):
+ acl = ACL()
+ acl.load_from_rp(rpath)
+ return unicode(acl)
+rpath.win_acl_get = rpath_acl_win_get
+
+def rpath_get_blank_win_acl(index):
+ acl = ACL(index)
+ return unicode(acl)
+rpath.get_blank_win_acl = rpath_get_blank_win_acl
+
+def rpath_set_win_acl(rp, acl_str):
+ acl = ACL()
+ acl.from_string(acl_str)
+ acl.write_to_rp(rp)
+rpath.write_win_acl = rpath_set_win_acl
+
+def init_acls():
+ # A process that tries to read or write a SACL needs
+ # to have and enable the SE_SECURITY_NAME privilege.
+ # And inorder to backup/restore, the SE_BACKUP_NAME and
+ # SE_RESTORE_NAME privileges are needed.
+ import win32api
+ try:
+ hnd = OpenProcessToken(win32api.GetCurrentProcess(),
+ TOKEN_ADJUST_PRIVILEGES| TOKEN_QUERY)
+ except win32api.error:
+ return
+ try:
+ try:
+ lpv = lambda priv: LookupPrivilegeValue(None, priv)
+ # enable the SE_*_NAME priveleges
+ SecurityName = lpv(SE_SECURITY_NAME)
+ AdjustTokenPrivileges(hnd, False, [
+ (SecurityName, SE_PRIVILEGE_ENABLED),
+ (lpv(SE_BACKUP_NAME), SE_PRIVILEGE_ENABLED),
+ (lpv(SE_RESTORE_NAME), SE_PRIVILEGE_ENABLED)
+ ])
+ except win32api.error:
+ return
+ for name, enabled in GetTokenInformation(hnd, TokenPrivileges):
+ if name == SecurityName and enabled:
+ # now we *may* access the SACL (sigh)
+ ACL.flags |= SACL_SECURITY_INFORMATION
+ break
+ finally:
+ win32api.CloseHandle(hnd)
+