[cifs-protocol] [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Obaid Farooqi obaidf at microsoft.com
Tue Apr 25 16:23:46 UTC 2023


Hi Douglas:
I want to add some nuance to my previous reply.
I used an API directly to test the escaping of a double quote, or of 4 hex digits representing the Unicode value of a double quote. It did not work at all.
Having said that, the document is not for the API. There is a possibility that the receiving node where the object resides may perform some preprocessing before invoking the API. The preprocessing may take care of escaping.

Do you have a setup where you can modify the security descriptor of an object using a protocol that you are planning to implement (Windows-to-Windows) and use the escape sequence?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Friday, April 14, 2023 12:13 PM
To: douglas.bagnall at catalyst.net.nz
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164

Hi Douglas:
After much code browsing, my impression was that " is not allowed in the attribute values. I asked the PG if there is an escape sequence and the answer was "maybe". The person who wrote the code did it 15 years ago and does not work with it anymore.
So, I tried to test it and it confirmed my finding that " is not allowed, escaped or otherwise.

I'll file a bug to correct ABNF.

PS: if you want to test various SDDL conditional expressions, you can compile and run the following code:

Creating a DACL - Win32 apps | Microsoft Learn <https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl>

In this code, a DACL is created from SDDL, a directory is created and the DACL is applied to it. You can see that the DACL is correctly applied in the "Advanced" window in the security tab of the properties of the directory.

I added the following ACE to the ACEs already present in the code
(XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))

Note: the escaping of quotes around PM is for C++, not SDDL.
The resulting DACL looks like
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)

The result can be verified in the properties->security->Advanced as follows (the following is a picture and if you did not get it, let me know)
[screenshot (image001.jpg, not reproduced here): the Advanced Security Settings dialog for the directory]

Notice the 3rd column "Condition".

For the same condition, when I introduced a " in PM as part of the value (escaped or otherwise), the code errored out when creating DACL from SDDL.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
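The test above exercises the Windows API; the grammar question underneath it can be shown without Windows. The following is an added example written for this thread, not the Windows parser, Samba's code, or anything from [MS-DTYP] itself. It is a toy SDDL DACL parser that follows the ABNF exactly as Douglas reads it: a condition's string literal is DQUOTE *(CHAR) DQUOTE with no escape sequence, so any double quote ends the literal. Run against the DACL posted above it parses the conditional ACE; run against a value with an embedded quote (raw or backslash-escaped) it refuses the string, matching the result reported for ConvertStringSecurityDescriptorToSecurityDescriptor. The set of operators and attribute forms recognised, and the acceptance of any non-quote character inside a literal (the ABNF's CHAR is 7-bit ASCII), are assumptions made to keep the example short.

```python
"""Toy parser for SDDL DACL strings that contain conditional ACEs.
Constructed for this thread; not Windows' or Samba's parser.  It follows the
[MS-DTYP] ABNF as the thread reads it: a condition's string literal is
DQUOTE *(CHAR) DQUOTE with no escape sequence, so a literal can never contain
a double quote.  Operator and attribute coverage is an assumption, limited to
what the thread's examples use."""
import re

CONDITIONAL_ACE_TYPES = {"XA", "XD", "XU", "ZA"}  # callback ACEs carrying a condition
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")

class SddlError(ValueError):
    """Raised where a real parser would refuse the string."""

# The str alternative is the point of the thread: "[^"]*" is DQUOTE *(CHAR) DQUOTE
# with no escape of any kind, so a quote always ends the literal.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<op>==|!=|<=|>=|<|>|&&|\|\||!|(?:Contains|Any_of|Member_of|Exists)\b)
  | (?P<attr>@(?:User|Device|Resource)\.[\w:./]+|[A-Za-z_][\w:./]*)
  | (?P<lpar>\()
  | (?P<rpar>\))
  | (?P<str>"[^"]*")
)""", re.X)

def tokenize_condition(cond):
    """Tokenize e.g. (@User.Title == "PM") into (kind, text) pairs."""
    pos, out = 0, []
    while pos < len(cond):
        m = TOKEN_RE.match(cond, pos)
        if m is None:
            rest = cond[pos:].lstrip()
            if not rest:
                break
            if rest.startswith('"'):
                raise SddlError(f"unterminated string literal: {rest!r}")
            raise SddlError(f"cannot tokenize: {rest!r}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        out.append((kind, text[1:-1] if kind == "str" else text))  # literal body verbatim
        pos = m.end()
    return out

def split_aces(dacl):
    """Split 'D:(ace)(ace)...' into ACE bodies.  Splitting on ')' breaks once
    conditional ACEs appear (the condition is itself parenthesised), so nesting
    depth is tracked; inside a string literal parentheses are ignored."""
    if not dacl.startswith("D:"):
        raise SddlError("expected a DACL string beginning with 'D:'")
    first = dacl.find("(")
    body = dacl[first:] if first >= 0 else ""  # skips DACL flags such as P/AI/AR
    aces, depth, in_str, start = [], 0, False, 0
    for pos, ch in enumerate(body):
        if in_str:
            in_str = ch != '"'  # no escape exists: any quote closes the literal
        elif ch == '"':
            in_str = True
        elif ch == "(":
            start = pos + 1 if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise SddlError(f"unbalanced ')' at offset {pos}")
            if depth == 0:
                aces.append(body[start:pos])
        elif depth == 0 and not ch.isspace():
            raise SddlError(f"unexpected {ch!r} between ACEs")
    if in_str or depth:
        raise SddlError("unterminated string literal or '(' in DACL")
    return aces

def parse_ace(ace):
    """Parse one ACE body into a dict; only conditional types take a 7th field."""
    fields = [f.strip() for f in ace.split(";", 6)]
    if len(fields) < 6:
        raise SddlError(f"ACE needs at least six fields: {ace!r}")
    ace_type, cond = fields[0], None
    if ace_type in CONDITIONAL_ACE_TYPES:
        if len(fields) != 7:
            raise SddlError(f"{ace_type} ACE is missing its condition: {ace!r}")
        cond = tokenize_condition(fields[6])
        if not cond or cond[0][0] != "lpar" or cond[-1][0] != "rpar":
            raise SddlError(f"condition must be parenthesised: {fields[6]!r}")
    elif len(fields) == 7:
        raise SddlError(f"{ace_type} ACE does not take a condition: {ace!r}")
    return dict(zip(ACE_FIELDS, fields), condition=cond)

def parse_dacl(dacl):
    return [parse_ace(a) for a in split_aces(dacl)]

def rejects(dacl):
    """True when the grammar refuses the string, as the thread saw the API do."""
    try:
        parse_dacl(dacl)
        return False
    except SddlError:
        return True

if __name__ == "__main__":
    # DACL from the thread (constructed copy) and the two quote variants that the
    # thread reports as rejected when converted to a security descriptor.
    sample = ('D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)'
              '(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)')
    for ace in parse_dacl(sample):
        print(ace["type"], ace["sid"], ace["condition"])
    for lit in ('"P"M"', '"P\\"M"'):
        print(lit, "rejected:", rejects(f'D:(XA;;FX;;;S-1-1-0;(@User.Title == {lit}))'))
```

Two things worth noting from running it. First, a `%0022` inside the literal is accepted but kept as the six characters `%0022` rather than decoded to a quote, because the grammar as written gives `char-string` no escape at all; whether Windows treats it any differently is exactly the open question in this thread, and this toy makes no claim about it. Second, an implementer splitting a DACL on `)` without tracking nesting and quoting will mis-split every conditional ACE, so `split_aces` is the part worth keeping even if the literal grammar is later corrected.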

===================================

From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Thursday, February 23, 2023 6:10 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format

hi Dochelp,

I am interested in the details of the format for conditional ACE SDDL format, which is not really described in [MS-DTYP] (unlike the wire format).

From the examples, it is clear that it involves double-quote delimiters:

    (Title=="VP")

But how are escapes handled -- how would it handle a string that itself contained a double quote?

In the ABNF there is a thing called "char-string":

    char-string = DQUOTE *(CHAR) DQUOTE

which we can deduce applies to Unicode strings due to the definition of value-array, but this doesn't answer the question. Rather, it expands it, since
RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values, so there must be an escaping mechanism for these characters too (unless the use of CHAR is mistaken).

My guess is that Unicode strings use the same %hhhh sequence as attr-char2 (encoding the double quote as %0022), but there is no mention of that.

cheers,
Douglas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 147203 bytes
Desc: image001.jpg
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20230425/09764218/image001.jpg>