
I wrote a Windows service in Python that scans a given directory for new folders. Whenever a new folder is created, the service creates 4 sub-folders and grants each one a different set of permissions. The problem is that within those subfolders, any folders created (essentially tertiary level, or sub-sub-folders) have the following error when accessing the permissions (through right-click -> Properties -> Security):

"The permissions on test folder are incorrectly ordered, which may cause some entries to be ineffective"

To reiterate, we have folder A which is scanned. When I create folder B in folder A, folders 1,2,3,4 are created within B, with permissions provided by the script. Any folders created within (1,2,3,4) have the above error when opening up the directory permissions. Furthermore, the security entries for SYSTEM, Administrators and Authenticated Users appear twice when clicking on advanced.

The relevant portion of code is:

import win32security as sec
import ntsecuritycon as con

# in_dir, dir_, rw and p_dict are defined elsewhere in the service; p_dict[rw_user][0]
# is the SID object for that user (AddAccessAllowedAceEx takes a SID, not a name).
for rw_user in rw:
    # re-read the current DACL, append an inheritable Allow ACE for this user, write it back
    sd=sec.GetFileSecurity(in_dir+"\\"+dir_,sec.DACL_SECURITY_INFORMATION)
    dacl=sd.GetSecurityDescriptorDacl()
    dacl.AddAccessAllowedAceEx(sec.ACL_REVISION_DS,sec.OBJECT_INHERIT_ACE|sec.CONTAINER_INHERIT_ACE,con.FILE_GENERIC_READ|con.FILE_ADD_FILE,p_dict[rw_user][0])

    sd.SetSecurityDescriptorDacl(1,dacl,0)
    sec.SetFileSecurity(in_dir+"\\"+dir_,sec.DACL_SECURITY_INFORMATION,sd)

This is based on the example found in Setting folder permissions in Windows using Python

Any help is greatly appreciated.

EDITED TO ADD:

This is the output of icacls.exe on the folder created by the service:

PS C:\> icacls "C:\directory monitor\main\center\test\request"
C:\directory monitor\main\center\test\request PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                BUILTIN\Administrators:(I)(F)
                                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                BUILTIN\Users:(I)(OI)(CI)(RX)
                                                NT AUTHORITY\Authenticated Users:(I)(M)
                                                NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

This is the output of icacls on the directory that I created within the automatically created folder, the one that has duplicate entries:

PS C:\> icacls "C:\directory monitor\main\center\test\request\test folder"
C:\directory monitor\main\center\test\request\test folder PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                            PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                            PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                            PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                            BUILTIN\Administrators:(F)
                                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                            NT AUTHORITY\SYSTEM:(F)
                                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                            BUILTIN\Users:(OI)(CI)(RX)
                                                            NT AUTHORITY\Authenticated Users:(M)
                                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

The folder being monitored by the service is called center, the folder I created within is called test. The service then creates "request" within test, and I created "test folder" within request (yes, I'm brilliant at naming folders, I know. It's a bit more coherent in production.)

EDITED AGAIN:

Copied the wrong bit of code. I used AddAccessAllowedAceEx and NOT AddAccessAllowedAce. Many apologies...

  • Are SYSTEM, Administrators and Authenticated Users in `rw`? Windows subfolders tend to inherit permissions of their parent folder. If those settings are inherited, and you add them again, that could be the source for the doubles. – CAB Oct 05 '16 at 14:44
  • @CAB No, they are not in rw. – DanielG Oct 05 '16 at 14:47
  • Please show the output of icacls.exe for one of the created subfolders. – Eryk Sun Oct 05 '16 at 14:54
  • @eryksun I added the output you requested to the main post. – DanielG Oct 06 '16 at 08:36
  • What is your question? You seem to know how to set ACLs - are you asking why the error occurs? NT wants only one Allow or Deny ACL per security principal, and any Deny ACLs should be before all Allow ACLs. I generally use the string version of security descriptors from Python (there are win32security APIs to convert back & forth). – cco Oct 06 '16 at 09:30
  • @cco I have not added any deny ACLs. – DanielG Oct 06 '16 at 09:53
  • No, but you have multiple Allow ACLs for the same security principal, which also gives a warning. If you collapse them to one per principal, you won't get the warning. – cco Oct 06 '16 at 10:01
  • @cco I tried your suggestion but it didn't work. – DanielG Oct 06 '16 at 10:34
  • The extra entries for Administrators, SYSTEM, and Authenticated Users are all (I)nherited from some parent directory, which has inherit only (IO) entries (i.e. they don't apply to the parent directory itself). I don't know why they're not getting collapsed into a single ACE. I've seen that before, but haven't seen a problem with it like what's going on with "test folder". That's a folder you created using Explorer or cmd? The entries not flagged as (I)nherited are out of canonical order; hence the error. But they *should* be flagged as inherited. I cannot reproduce this in Windows 10. – Eryk Sun Oct 06 '16 at 13:05
  • I also can't see how, given the code you've shown, the "PNIM\jmtzlilmi" entries are flagged as `(OI)(CI)`. `AddAccessAllowedAce` doesn't set inheritance flags. These entries should have been added without those flags. I cannot reproduce this result by calling `AddAccessAllowedAce`. Maybe the "PNIM\jmtzlilmi" entries are added twice for a trivial reason in your code; I'm not concerned with that, and Windows does *not* have a problem with that. – Eryk Sun Oct 06 '16 at 13:10
  • @eryksun, you are partially correct - I made a mistake in the portion of code I posted in the example. I shall correct it now. I used AddAccessAllowedAce in an older version of the service, however the error was produced by AddAccessAllowedAceEx(win32security.ACL_REVISION_DS,win32security.OBJECT_INHERIT_ACE|win32security.CONTAINER_INHERIT_ACE,ntsecuritycon.FILE_GENERIC_READ|ntsecuritycon.FILE_ADD_FILE,user) – DanielG Oct 09 '16 at 13:48
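Added example, not code from the question or any of the comments: a small pure-Python checker that parses the two icacls listings posted above and applies the canonical-order rule cco and Eryk Sun describe (explicit ACEs before inherited ones, Deny before Allow within each group), and also counts exact duplicate entries. The listings are copied from the question. Two assumptions are mine: icacls marks Deny entries with a (DENY) token, and since icacls does not show which ancestor an inherited ACE came from, ordering among the inherited entries themselves is not checked.

```python
import re
from collections import Counter

# Both listings are copied from the question; the path is the argument that was given to icacls.
REQUEST_PATH = r"C:\directory monitor\main\center\test\request"
REQUEST_LISTING = r"""
C:\directory monitor\main\center\test\request PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                BUILTIN\Administrators:(I)(F)
                                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                BUILTIN\Users:(I)(OI)(CI)(RX)
                                                NT AUTHORITY\Authenticated Users:(I)(M)
                                                NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
"""
TEST_FOLDER_PATH = REQUEST_PATH + r"\test folder"
TEST_FOLDER_LISTING = r"""
C:\directory monitor\main\center\test\request\test folder PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                            PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                            PNIM\jmtzlilmi:(OI)(CI)(R,WD)
                                                            PNIM\jmtzlilmi:(OI)(CI)(W,Rc)
                                                            BUILTIN\Administrators:(F)
                                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                            NT AUTHORITY\SYSTEM:(F)
                                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                            BUILTIN\Users:(OI)(CI)(RX)
                                                            NT AUTHORITY\Authenticated Users:(M)
                                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
"""

# principal, a colon, then a run of parenthesised flag tokens up to the end of the line
ACE_RE = re.compile(r'^(?P<who>.+?):(?P<flags>(?:\([^()]*\))+)$')


def parse_icacls(listing, path):
    """Turn icacls output for `path` into a list of (principal, [flag tokens])."""
    entries = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(path):            # first line carries the path before the first ACE
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognised icacls line: %r" % raw)
        tokens = re.findall(r'\(([^()]*)\)', m.group('flags'))
        entries.append((m.group('who'), tokens))
    return entries


def ace_rank(tokens):
    """Canonical DACL order as a sortable key: explicit before inherited, Deny before Allow."""
    inherited = 1 if 'I' in tokens else 0
    allow = 0 if 'DENY' in tokens else 1     # assumption: icacls prints Deny ACEs as (DENY)
    return (inherited, allow)


def check_dacl(listing, path):
    """Report out-of-order entries (the cause of the 'incorrectly ordered' warning) and exact duplicates."""
    entries = parse_icacls(listing, path)
    violations, highest = [], (-1, -1)
    for idx, (who, tokens) in enumerate(entries):
        rank = ace_rank(tokens)
        flags = ''.join('(%s)' % t for t in tokens)
        if rank < highest:                   # a lower-ranked ACE after a higher-ranked one
            violations.append((idx, who, flags))
        highest = max(highest, rank)
    counts = Counter((who, tuple(tokens)) for who, tokens in entries)
    duplicates = [(who, ''.join('(%s)' % t for t in tokens), n)
                  for (who, tokens), n in counts.items() if n > 1]
    return {'entries': len(entries), 'canonical': not violations,
            'violations': violations, 'duplicates': duplicates}


if __name__ == "__main__":
    for label, listing, path in (("request", REQUEST_LISTING, REQUEST_PATH),
                                 ("test folder", TEST_FOLDER_LISTING, TEST_FOLDER_PATH)):
        print(label, check_dacl(listing, path))
```

Run against the two listings, the service-created "request" folder comes out canonical (its four explicit jmtzlilmi entries precede every (I) entry), while "test folder" has three explicit entries (SYSTEM, Users, Authenticated Users) sitting after inherited ones, which is exactly what Explorer complains about. The jmtzlilmi entries are exact duplicates in both listings; the Administrators, SYSTEM and Authenticated Users pairs are not, since one entry of each pair applies to the folder itself and the other is inherit-only (IO) for its children.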

1 Answer


So the problem here is in the win32security.SetFileSecurity() function. As per MSDN, this function is obsolete (see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379577(v=vs.85).aspx) and has been replaced by SetNamedSecurityInfo. I switched, and everything appears to work well. Thanks anyway!
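Added illustration of the approach the answer settles on; this is my code, not DanielG's service. It rebuilds a folder's DACL from its existing explicit entries plus one inheritable Allow ACE per user, puts them in canonical order with exact duplicates dropped, and writes the result with SetNamedSecurityInfo, leaving the inherited entries for Windows to recompute. The function names, the sample path and account in the `__main__` block, and the SID strings in the test are mine; pywin32 is needed only for the Windows calls, and canonical_order() runs anywhere so it can be checked offline.

```python
"""Rebuild a folder DACL in canonical order and apply it with SetNamedSecurityInfo."""
try:
    import win32security as sec
    import ntsecuritycon as con
except ImportError:          # pywin32 is Windows-only; canonical_order() below still runs elsewhere
    sec = con = None

# ACE type and flag values (identical to ntsecuritycon's) kept here so the sort works without pywin32.
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERITED_ACE = 0x10


def canonical_order(aces):
    """aces: list of (ace_type, ace_flags, access_mask, sid) tuples, as GetAce() reports them.
    Drops exact duplicates and returns the rest in canonical order: explicit before inherited,
    Deny before Allow within each group. sorted() is stable, so the relative order among
    inherited ACEs (parent first, then grandparent, ...) is preserved as read."""
    seen, unique = set(), []
    for ace in aces:
        key = (ace[0], ace[1], ace[2], str(ace[3]))
        if key not in seen:
            seen.add(key)
            unique.append(ace)

    def rank(ace):
        inherited = 1 if ace[1] & INHERITED_ACE else 0
        allow = 0 if ace[0] == ACCESS_DENIED_ACE_TYPE else 1
        return (inherited, allow)

    return sorted(unique, key=rank)


def rebuild_dacl(path, allow_entries):
    """allow_entries: [(account_name, access_mask), ...]. Keeps the folder's existing explicit
    ACEs, adds one inheritable Allow ACE per entry, and asks Windows to regenerate the inherited
    ACEs (UNPROTECTED_DACL_SECURITY_INFORMATION) instead of writing stale copies back.
    Returns the number of ACEs written."""
    sd = sec.GetNamedSecurityInfo(path, sec.SE_FILE_OBJECT, sec.DACL_SECURITY_INFORMATION)
    old = sd.GetSecurityDescriptorDacl()
    aces = []
    if old is not None:
        for i in range(old.GetAceCount()):
            (ace_type, flags), mask, sid = old.GetAce(i)
            if not flags & INHERITED_ACE:        # inherited entries are regenerated by Windows
                aces.append((ace_type, flags, mask, sid))
    for name, mask in allow_entries:
        sid, _domain, _type = sec.LookupAccountName(None, name)
        aces.append((ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, mask, sid))

    ordered = canonical_order(aces)
    dacl = sec.ACL()
    for ace_type, flags, mask, sid in ordered:
        if ace_type == ACCESS_DENIED_ACE_TYPE:
            dacl.AddAccessDeniedAceEx(sec.ACL_REVISION_DS, flags, mask, sid)
        else:
            dacl.AddAccessAllowedAceEx(sec.ACL_REVISION_DS, flags, mask, sid)
    sec.SetNamedSecurityInfo(path, sec.SE_FILE_OBJECT,
                             sec.DACL_SECURITY_INFORMATION | sec.UNPROTECTED_DACL_SECURITY_INFORMATION,
                             None, None, dacl, None)
    return len(ordered)


if __name__ == "__main__":
    if sec is None:
        print("pywin32 not available; only canonical_order() can run here")
    else:
        # Hypothetical path and account (taken from the question's listing); adjust before running.
        n = rebuild_dacl(r"C:\directory monitor\main\center\test\request",
                         [("PNIM\\jmtzlilmi", con.FILE_GENERIC_READ | con.FILE_ADD_FILE)])
        print("wrote", n, "explicit ACEs")
```

Two design choices matter here. Only explicit ACEs are copied forward, so the (I)(F) and (I)(OI)(CI)(IO)(F) pairs seen in the question are re-derived from the parent by SetNamedSecurityInfo rather than rewritten as explicit entries on the child. And the whole ACL is built once, in canonical order, instead of appending to a DACL read back from the file on every loop iteration, which is how the repeated jmtzlilmi entries accumulate.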
