[cifs-protocol] [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Obaid Farooqi obaidf at microsoft.com
Fri Apr 14 17:12:34 UTC 2023


Hi Douglas:
After much code browsing, my impression was that " is not allowed in the attribute values. I asked the PG if there is an escape sequence and the answer was "maybe". The person who wrote the code did it 15 years ago and does not work with it anymore.
So, I tried to test it and it confirmed my finding that " is not allowed, escaped or otherwise.

I'll file a bug to correct ABNF.

PS: if you want to test various SDDL conditional expressions, you can compile and run the following code:

Creating a DACL - Win32 apps | Microsoft Learn<https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>

In this code, a DACL is created from SDDL, a directory is created and the DACL is applied to it. You can see the DACL is correctly applied in the "Advanced" window in the security tab of the properties of the directory.

I added the following ACE to the ACEs already present in the code:
(XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))

Note: the escaping of quotes around PM is for C++, not SDDL.
The resulting DACL looks like
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)

The result can be verified in the properties->security->Advanced as follows (the following is a picture and if you did not get it, let me know)
[A screenshot of a computer  Description automatically generated]

Notice the 3rd column "Condition".

For the same condition, when I introduced a " in PM as part of the value (escaped or otherwise), the code errored out when creating DACL from SDDL.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

===================================

From: Douglas Bagnall douglas.bagnall at catalyst.net.nz
Sent: Thursday, February 23, 2023 6:10 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help dochelp at microsoft.com
Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format

hi Dochelp,

I am interested in the details of the format for conditional ACE SDDL format, which is not really described in [MS-DTYP] (unlike the wire format).

From the examples, it is clear that it involves double-quote delimiters:

    (Title=="VP")

But how are escapes handled -- how would it handle a string that itself contained a double quote?

In the ABNF there is a thing called "char-string":

    char-string = DQUOTE *(CHAR) DQUOTE

which we can deduce applies to Unicode strings due to the definition of value-array, but this doesn't answer the question. Rather, it expands it, since
RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values, so there must be an escaping mechanism for these characters too (unless the use of CHAR is mistaken).

My guess is that Unicode strings use the same %hhhh sequence as attr-char2 (encoding the double quote as %0022), but there is no mention of that.

cheers,
Douglas
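As an added example (my own code, not from the thread, from Samba or from Microsoft's "Creating a DACL" sample), the following Python splits and parses a DACL string such as the one Obaid quotes above, and builds conditional-ACE string literals under the two points the thread establishes: the literal grammar `char-string = DQUOTE *(CHAR) DQUOTE` that Douglas cites, and Obaid's test result that no embedded double quote is accepted, escaped or otherwise. The callback ACE type strings other than XA (XD, XU, ZA), the assumption that non-callback ACEs carry six fields, the RFC 5234 CHAR check and all helper names are mine, not taken from the [MS-DTYP] text quoted here.

```python
"""Added example, not code from the thread or from Microsoft's sample:
a depth-aware splitter/validator for SDDL DACL strings with conditional ACEs.

Assumed from the thread: a conditional ACE's string literal is
`char-string = DQUOTE *(CHAR) DQUOTE`, and (Obaid's test) a double quote can
never appear inside the literal, escaped or otherwise.
"""
import re

# SDDL type strings for callback (conditional) ACEs; "XA" is the one the thread uses.
CALLBACK_ACE_TYPES = {"XA", "XD", "XU", "ZA"}

ACE_FIELDS = ("ace_type", "ace_flags", "rights", "object_guid",
              "inherit_object_guid", "account_sid", "condition")

# Exact because a literal can contain no '"' at all: the next '"' always closes it.
LITERAL_RE = re.compile(r'"([^"]*)"')


def string_literal(value: str) -> str:
    """Quote a value for a conditional expression. There is no escape for '"'
    (Obaid's finding), so refuse such values instead of emitting SDDL that the
    conversion API (ConvertStringSecurityDescriptorToSecurityDescriptor) rejects."""
    if '"' in value:
        raise ValueError("a conditional-ACE string literal cannot contain '\"'")
    return f'"{value}"'


def fits_published_abnf(literal: str) -> bool:
    """True if every character is an RFC 5234 CHAR (%x01-7F), all that the
    published `char-string` rule admits. Whether Windows really rejects
    non-ASCII here is left open in the thread; this only reports the ABNF."""
    return all(0x01 <= ord(c) <= 0x7F for c in literal)


def attribute_equals(attribute: str, value: str) -> str:
    """Build the `@User.Title == "PM"` style comparison used in the thread."""
    return f"{attribute} == {string_literal(value)}"


def conditional_ace(rights: str, sid: str, condition: str,
                    ace_type: str = "XA", ace_flags: str = "") -> str:
    """Render a conditional ACE, e.g. (XA;;FX;;;S-1-1-0;(@User.Title == "PM"))."""
    if ace_type not in CALLBACK_ACE_TYPES:
        raise ValueError(f"{ace_type} is not a callback ACE type")
    return f"({ace_type};{ace_flags};{rights};;;{sid};({condition}))"


def split_aces(dacl: str):
    """Split 'D:<flags>(ace)(ace)...' into (flags, [ace, ...]).
    Parentheses nest inside a condition and ')' or ';' may sit inside a quoted
    literal, so a plain split on ')(' is not safe; track depth instead."""
    if not dacl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = dacl[2:]
    first = body.find("(")
    if first < 0:
        return body, []
    flags, aces, depth, in_str, start = body[:first], [], 0, False, 0
    for i in range(first, len(body)):
        ch = body[i]
        if in_str:
            in_str = ch != '"'
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' at offset {i + 2}")
            if depth == 0:
                aces.append(body[start:i + 1])
        elif ch == '"':
            in_str = True
        elif depth == 0 and not ch.isspace():
            raise ValueError(f"unexpected {ch!r} between ACEs at offset {i + 2}")
    if depth or in_str:
        raise ValueError("unterminated '(' or string literal")
    return flags, aces


def _split_fields(body: str):
    """Split ACE fields on ';', ignoring ';' inside parentheses or a literal."""
    fields, depth, in_str, start = [], 0, False, 0
    for i, ch in enumerate(body):
        if in_str:
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ";" and depth == 0:
            fields.append(body[start:i])
            start = i + 1
    fields.append(body[start:])
    return [f.strip() for f in fields]  # the MS sample pads fields with spaces


def parse_ace(ace: str) -> dict:
    """Parse one '(...)' ACE into named fields; callback types get a 7th
    (condition) field, every other type is assumed to have six (my assumption)."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("an ACE must be enclosed in parentheses")
    fields = _split_fields(ace[1:-1])
    conditional = fields[0] in CALLBACK_ACE_TYPES
    expected = 7 if conditional else 6
    if len(fields) != expected:
        raise ValueError(f"{fields[0]} ACE has {len(fields)} fields, expected {expected}")
    parsed = dict(zip(ACE_FIELDS, fields))
    if conditional:
        cond = parsed["condition"]
        if not (cond.startswith("(") and cond.endswith(")")):
            raise ValueError("conditional expression must be parenthesised")
        # Report literals the published ABNF would not admit; the caller decides.
        parsed["non_ascii_literals"] = [
            lit for lit in LITERAL_RE.findall(cond) if not fits_published_abnf(lit)]
    return parsed


if __name__ == "__main__":
    # The DACL Obaid quoted, including the MS sample's odd spacing in the third ACE.
    DACL = ('D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)'
            '(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)')
    for ace in split_aces(DACL)[1]:
        print(parse_ace(ace))
```

Running the block prints the five parsed ACEs; the conditional one comes back with its condition intact and an empty non_ascii_literals list. Trying to build a literal containing a double quote raises ValueError on the Samba/Python side rather than producing an SDDL string that, per Obaid's test, the Windows conversion would reject anyway.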
