Authenticated Users SID

2021-07-29 16:43:45 +02:00 · 2021-07-29 16:43:45 +02:00 · 8515bf4d6e
parent f77090dfb8
commit 8515bf4d6e
2 changed files with 13 additions and 0 deletions
--- a/ntfs_acl.py
+++ b/ntfs_acl.py
@ -293,6 +293,8 @@ class SID(Constructable):

 SID_ADMINISTRATORS = SID('S-1-5-32-544') # the built-in Administrators group
 SID_SYSTEM = SID('S-1-5-18') # the Local System (NT AUTHORITY\SYSTEM) account
+SID_USERS = SID('S-1-5-32-545')
+SID_AUTH_USERS = SID('S-1-5-11') # Authenticated Users
 SID_EVERYONE = SID('S-1-1-0')

 # as empiricaly set by Windows 10
--- a/setup_win10.py
+++ b/setup_win10.py
@ -11,6 +11,7 @@ from pathlib import Path
 import subprocess
 import tempfile
 import parted
+from ntfs_acl import *

 my_dir = Path(__file__).parent
 if str(my_dir) not in sys.path:
@ -138,6 +139,16 @@ def setup_part(part, wim, image_name, *, unattend=None, postproc=None, postproc_
            trg = ci_lookup(dir, 'Windows', 'Panther', 'unattend.xml', creating=True, parents=True)
            print(f"Copying unattend file: {unattend} -> {trg}")
            shutil.copy(unattend, trg)
+
+            # Unattend.xml may contain sensitive information, including administrator's
+            # password. We must protect it with correct ACLs.
+            write_sd(
+                    trg,
+                    SecurityDescriptor(dacl=[
+                        ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_SYSTEM),
+                        ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_ADMINISTRATORS) ,
+                    ], dacl_inherit=False),
+            )
        for script in postproc:
            script = str(script)
            if '/' not in script: script = f"./{script}"