This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Provide Windows predefined access type constants
Type: enhancement Stage: patch review
Components: Windows Versions: Python 3.9
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ZackerySpytz, eryksun, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: patch

Created on 2019-08-02 17:23 by steve.dower, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 20617 open ZackerySpytz, 2020-06-03 16:07
Messages (4)
msg348908 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-08-02 17:23 
We currently do not provide the standard access type constants anywhere, despite providing some of the specific access type flags (e.g. in `winreg`):

#define DELETE                           (0x00010000L)
#define READ_CONTROL                     (0x00020000L)
#define WRITE_DAC                        (0x00040000L)
#define WRITE_OWNER                      (0x00080000L)
#define SYNCHRONIZE                      (0x00100000L)

#define STANDARD_RIGHTS_REQUIRED         (0x000F0000L)

#define STANDARD_RIGHTS_READ             (READ_CONTROL)
#define STANDARD_RIGHTS_WRITE            (READ_CONTROL)
#define STANDARD_RIGHTS_EXECUTE          (READ_CONTROL)

#define STANDARD_RIGHTS_ALL              (0x001F0000L)

#define SPECIFIC_RIGHTS_ALL              (0x0000FFFFL)

I'm not sure where the best place to expose them would be. `os` (`nt`) seems best, but it's 99% a POSIX shim that doesn't actually have anything Windows-specific exposed, and `_winapi` is not public.

They're likely already available through pywin32 or similar, but given their use with `winreg` we should probably at least make them available there.
msg348919 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2019-08-02 21:03 
The STANDARD_RIGHTS_* and SPECIFIC_RIGHTS_ALL constants aren't used much in practice. Do you have a particular case that needs them?

I don't think we have direct use for the standard rights constants in winreg. For example, deleting a key via winreg.DeleteKeyEx internally opens a handle with the required DELETE access. Also, kernel key objects don't even support SYNCHRONIZE access (i.e. they can't be waited on).

There's also the generic rights that object types map to sets of standard and specific rights: GENERIC_READ (0x8000_0000), GENERIC_WRITE (0x4000_0000), GENERIC_EXECUTE (0x2000_0000), and GENERIC_ALL (0x1000_0000). But, here again, winreg doesn't really need this. It already includes the pre-mapped generic key rights: KEY_READ, KEY_WRITE, KEY_EXECUTE, and KEY_ALL_ACCESS (except GENERIC_EXECUTE actually maps to KEY_EXECUTE | KEY_CREATE_LINK).
msg348937 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-08-03 01:03 
At least the first five can be used to open keys with even less rights than default, which can sometimes be necessary for keys with obscure ACLs.

Having the constants present is also helpful when rendering a text view.

Perhaps _winapi is the best place? It already includes CreateFile and OpenProcess, both of which also use these flags and already have some of the "preconstructed" values exposed.
msg348939 - (view) Author: Eryk Sun (eryksun) * (Python triager) Date: 2019-08-03 03:31 
> Perhaps _winapi is the best place? It already includes CreateFile and 
> OpenProcess, both of which also use these flags and already have some 
> of the "preconstructed" values exposed.

I'd like to see an os.windows namespace, with os.windows.constants and os.windows.errors. _winapi is for internal use. Some of what's defined there can be made public, including common constants and errors, but not all of it.

> At least the first five can be used to open keys with even less rights 
> than default, which can sometimes be necessary for keys with obscure 
> ACLs.

Key objects don't support SYNCHRONIZE. The only concern for us is excluding the other standard rights (i.e. READ_CONTROL, WRITE_OWNER, WRITE_DAC, DELETE).

All four modes of generic access include READ_CONTROL, which allows querying an object's owner, group, and DACL, but we have no direct use of this information in winreg. KEY_ALL_ACCESS also includes WRITE_OWNER, WRITE_DAC and DELETE access, of which we also have no need. For deleting a key, DeleteKey[Ex] does not require DELETE access on the supplied handle, which is used by WINAPI RegDeleteKey[Ex]W only for an internal handle-relative open that requests DELETE access. The other two are also never needed directly by winreg, since it doesn't support security functions to modify the owner/group and DACL in a key's security descriptor. They're only of use indirectly if using ctypes or PyWin32 to call a handle-based security function such as SetSecurityInfo.

If we can't get generic access because we lack one or more of the standard rights or specific rights in the generic set, then we can request just the required specific rights. The specific rights of the four generic access modes are as follows:

    KEY_READ      : KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY
    KEY_WRITE     : KEY_SET_VALUE, KEY_CREATE_SUB_KEY
    KEY_EXECUTE   : Same as KEY_READ
    KEY_ALL_ACCESS: KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY,
                    KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK
History
Date User Action Args
2022-04-11 14:59:18adminsetgithub: 81927
2020-06-03 16:07:27ZackerySpytzsetkeywords: + patch
nosy: + ZackerySpytz

pull_requests: + pull_request19843
stage: needs patch -> patch review
2019-08-03 03:31:55eryksunsetmessages: + msg348939
2019-08-03 01:03:36steve.dowersetmessages: + msg348937
2019-08-02 21:03:38eryksunsetnosy: + eryksun
messages: + msg348919
2019-08-02 17:23:17steve.dowercreate