Authenticated Users SID

Filip Stedronsky 2021-07-29 16:43:45 +02:00
parent f77090dfb8
commit 8515bf4d6e
2 changed files with 13 additions and 0 deletions


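--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -293,6 +293,8 @@ class SID(Constructable):
 SID_ADMINISTRATORS = SID('S-1-5-32-544') # the built-in Administrators group
 SID_SYSTEM = SID('S-1-5-18') # the Local System (NT AUTHORITY\SYSTEM) account
+SID_USERS = SID('S-1-5-32-545')
+SID_AUTH_USERS = SID('S-1-5-11') # Authenticated Users
 SID_EVERYONE = SID('S-1-1-0')
 # as empiricaly set by Windows 10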
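Review bot: The new `SID_USERS` constant is the only entry in this well-known-SID table without a comment, while every neighbour names the principal it stands for; suggest `SID_USERS = SID('S-1-5-32-545') # the built-in Users group (BUILTIN\Users)`. Neither of the two new constants appears to be referenced by the other file changed in this commit, which is fine for a shared table but worth a word in the commit message. The `S-1-5-11` comment could also record that Authenticated Users, unlike Everyone, does not cover Anonymous or Guest logons — that is the distinction a caller picking between the two for a DACL needs.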


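--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -11,6 +11,7 @@ from pathlib import Path
 import subprocess
 import tempfile
 import parted
+from ntfs_acl import *
 my_dir = Path(__file__).parent
 if str(my_dir) not in sys.path:
@@ -138,6 +139,16 @@ def setup_part(part, wim, image_name, *, unattend=None, postproc=None, postproc_
 trg = ci_lookup(dir, 'Windows', 'Panther', 'unattend.xml', creating=True, parents=True)
 print(f"Copying unattend file: {unattend} -> {trg}")
 shutil.copy(unattend, trg)
+# Unattend.xml may contain sensitive information, including administrator's
+# password. We must protect it with correct ACLs.
+write_sd(
+trg,
+SecurityDescriptor(dacl=[
+ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_SYSTEM),
+ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_ADMINISTRATORS) ,
+], dacl_inherit=False),
+)
 for script in postproc:
 script = str(script)
 if '/' not in script: script = f"./{script}"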
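Review bot: The `SecurityDescriptor(dacl=[...])` in the second hunk sets only a DACL, so the file's owner stays whatever `write_sd` or the NTFS driver assigned on creation; on Windows the object owner implicitly holds READ_CONTROL and WRITE_DAC and can re-open the DACL, so if `SecurityDescriptor` supports it the owner should be pinned to `SID_ADMINISTRATORS` explicitly (what the default owner is on this mount is not visible here). `dacl_inherit=False` is the right call — presumably it keeps the Panther directory's inheritable ACEs off the copied file — and the comment would read better stating that intent: `# Only SYSTEM and Administrators may access it; dacl_inherit=False keeps the parent directory's ACEs from applying.` Minor style: `SID_ADMINISTRATORS) ,` has a stray space before the comma, and the `from ntfs_acl import *` added in the first hunk should be an explicit `from ntfs_acl import ACE, MASK_FULL_CONTROL, SecurityDescriptor, SID_ADMINISTRATORS, SID_SYSTEM, write_sd` so the script's dependencies are visible. setup_part continues outside the hunk.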