[cifs-protocol] [MS-DTYP] SDDL conditional ACEs: XU and ZA mixed up?
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Fri Aug 25 00:11:28 UTC 2023
hi Dochelp,
In 2.5.1.1 Syntax, it says:
"XU" Access Allowed Object Callback 0xB
"ZA" Audit Callback 0xD
suggesting that
D:(XU;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
should compile to Access Allowed Object Callback ACE. But it doesn't.
Nor does it compile to an Audit Callback ACE, presumably because it needs to be
in a SACL not a DACL.
These are the strings that *do* work:
D:(ZA;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
this compiles to ACE type 11.
D:(ZA;;;;;WD;(Member_of SID(WD)))
this compiles to ACE type 9 (that is, without a GUID, "ZA" devolves to "XA").
S:(XU;;;;;WD;(Member_of SID(WD)))
this compiles to ACE type 13.
So I am pretty sure [MS-DTYP] got those 2 mixed up.
Douglas
More information about the cifs-protocol
mailing list