[cifs-protocol] [MS-DTYP] Conditional ACE SDDL: NOT syntax clarification - TrackingID#2303150040000163

Obaid Farooqi obaidf at microsoft.com
Mon Apr 17 18:48:24 UTC 2023


Hi Douglas:
I tested and no, "(" is not required after "!"

I gave the following SDDL to apply to a file and it worked as intended:

D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)(XA;;FX;;;S-1-1-0;(!@User.Title == "PM"))(A;OICI;GA;;;BA)

I'll file a bug against MS-DTYP to fix the ABNF.
Please let me know if this doesn't answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

=====================================

From: Douglas Bagnall douglas.bagnall at catalyst.net.nz
Sent: Tuesday, March 14, 2023 3:52 PM
To: Interoperability Documentation Help dochelp at microsoft.com; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-DTYP] Conditional ACE SDDL: NOT syntax clarification.

hi Dochelp,

In the ABNF for SDDL, in 2.5.1.1, the only place the NOT operator "!" is mentioned is in the cond-expr line:

       cond-expr = term /                                              \
                   term [wspace] ("||" / "&&" ) [wspace] cond-expr /   \
                   (["!"] [wspace] "(" cond-expr ")")


(We have already established in 2302020040006024 /
https://lists.samba.org/archive/cifs-protocol/2023-February/003947.html that the second part with the "||" or "&&" is erroneous -- this question is about the third part, with the '["!"]').

So that says the only place a "!" can occur is in front of a parenthetical expression; you can't write "!A", you need to say "!(A)".

That would be OK, and I have been working on that basis, but then in 2.5.1.3 "Parentheses and Order of Precedence", the "!" operator is given a middling precedence, below that of e.g. "==". And that makes me wonder about an expression like

    !(A) == B

Since == has higher precedence than !, it will grab the (A) before the ! can, and the expression is effectively "!(A == B)"; if you mean to do it the other way, you need to write "(!(A)) == B". But that looks silly. It makes me doubt that the semantic meaning is so divorced from the syntactic rule, and leads me to think the ABNF is taking another descriptive short cut.

Does '!' really always need to be followed by '('?

cheers,
Douglas
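
The precedence question in this thread, as an added example that is not code from the thread, from Samba or from Windows: a small parser that accepts "!" in front of a bare term and ranks it below "==", so the three spellings Douglas compares can be checked against each other. It covers only a constructed subset of the conditional expression syntax; the names `parse_cond` and `Parser` are hypothetical, and the relative order of "&&" and "||" is an assumption.

```python
import re

# Constructed subset: attribute names, quoted strings, ==, !=, !, &&, ||, ().
# Assumption: && binds tighter than ||; "==" above "!" is as quoted in the thread.
TOKEN = re.compile(r'\s*(\|\||&&|==|!=|!|\(|\)|"[^"]*"|@?[A-Za-z_][\w.]*(?![\w.]))')
NOT_OPERAND = {"||", "&&", "==", "!=", "!", ")", None}

def tokenize(text):
    if not re.fullmatch(rf"(?:{TOKEN.pattern})*\s*", text):
        raise ValueError("unrecognised token")
    return TOKEN.findall(text) + [None]  # None marks end of input

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i]
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def binary(self, ops, operand):
        left = operand()
        while self.peek() in ops:
            left = (self.take(), left, operand())
        return left
    def expr(self):
        return self.binary(("||",), lambda: self.binary(("&&",), self.unary))
    def unary(self):
        # "!" ranks below ==/!=, so it negates a whole comparison; no "(" needed.
        if self.peek() == "!":
            return (self.take(), self.unary())
        return self.binary(("==", "!="), self.primary)
    def primary(self):
        tok = self.take()
        if tok == "(":
            tree = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return tree
        if tok in NOT_OPERAND:
            raise ValueError(f"unexpected {tok!r}")
        return tok

def parse_cond(text):
    parser = Parser(text)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return tree
```

Under these assumptions `parse_cond('!@User.Title == "PM"')` yields a negated comparison, the same tree shape as `!(A == B)`, while `(!(A)) == B` yields a comparison whose left operand is negated.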
