[cifs-protocol] [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - TrackingID#2212170040000207
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Jan 11 23:12:39 UTC 2023
thanks Kristian,
Just to clarify this bit
> Hypothetical, using single literal SID: ("Member_of") [wspace] "SID(" sid-string ")"
when you say "hypothetical", does that mean you haven't confirmed it?
I don't have any problem with the example. The example is good! It would be nice
to have more.
I think the problem is with the ABNF, which does not make this distinction and
has other inaccuracies, as noted earlier.
If the absence of a whitespace token makes a difference to the parsing, the ABNF
should not just say "[wspace]", it should explain the difference.
cheers,
Douglas
On 12/01/23 11:10, Kristian Smith wrote:
> Hi Douglas,
>
> After researching this [MS-DTYP] question, I’ve determined that the difference
> between a sid-array and a literal-SID is a trailing [wspace].
>
> Here is my logic:
>
> Member_of general definition: ("Member_of")
> [wspace] sid-array
>
> SID array general definition: sid-array =
> literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace]
> literal-SID [wspace]) "}"
>
> SID array with single element: sid-array =
> literal-SID [wspace]
>
> Alternate SID array with single element: sid-array = "{" [wspace]
> literal-SID [wspace] "}"
>
> literal-SID = "SID(" sid-string ")"
>
> *Using a SID array with single element: ("Member_of") [wspace]
> "SID(" sid-string ")" [wspace]*
>
> *Alt SID array with single element: ("Member_of")
> [wspace] "{" [wspace] "SID(" sid-string ")" [wspace] "}"*
>
> Hypothetical, using single literal SID: ("Member_of")
> [wspace] "SID(" sid-string ")"
>
> The document dictates the use of a sid-array for “Member_of”, regardless of the
> number of elements in the array. This would mean using curly braces with
> [wspace] padding, or using the trailing [wspace], as bolded above. If you
> believe that example 3 needs to be altered, please let me know what would enable
> better clarity.
>
> Thank you for your patience,
>
> Kristian
>
> Kristian Smith
>
> Support Escalation Engineer
>
> Windows Open Spec Protocols
>
> Office: (425) 421-4442
>
> kristian.smith at microsoft.com <mailto:kristian.smith at microsoft.com>
>
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Thursday, December 29, 2022 12:13 PM
> *To:* Douglas Bagnall <douglas.bagnall at catalyst.net.nz>;
> cifs-protocol at lists.samba.org
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* Re: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays -
> TrackingID#2212170040000207
>
> Hi Douglas,
>
> I'll be looking into this issue for you. I'll reach out when I have more
> information.
>
> Thanks,
>
> Kristian
>
> Kristian Smith
>
> Support Escalation Engineer
>
> Windows Open Spec Protocols
>
> Office: (425) 421-4442
>
> kristian.smith at microsoft.com <mailto:kristian.smith at microsoft.com>
>
> --------------------------------------------------------------------------------
>
> *From:*Jeff McCashland (He/him) <jeffm at microsoft.com <mailto:jeffm at microsoft.com>>
> *Sent:* Friday, December 16, 2022 8:17 PM
> *To:* Douglas Bagnall <douglas.bagnall at catalyst.net.nz
> <mailto:douglas.bagnall at catalyst.net.nz>>; cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org> <cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>>
> *Cc:* Microsoft Support <supportmail at microsoft.com
> <mailto:supportmail at microsoft.com>>
> *Subject:* RE: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays -
> TrackingID#2212170040000207
>
> [DocHelp to BCC, support on CC, SR ID on Subject]
>
> Hi Douglas,
>
> Thank you for the question. We have created SR 2212170040000207 to track this
> issue. One of our engineers will respond soon to assist.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00)
> Pacific Time (US and Canada)
> Local country phone number found here:
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C01%7CKristian.Smith%40microsoft.com%7Cbe1d030b363846bddf0608dadfe596a5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638068474415736250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yqLDjLspa7ij01PgRGElgxnlZXy%2FJmAHok%2FTdv%2BQxWo%3D&reserved=0 <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C01%7CKristian.Smith%40microsoft.com%7Cbe1d030b363846bddf0608dadfe596a5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638068474415736250%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yqLDjLspa7ij01PgRGElgxnlZXy%2FJmAHok%2FTdv%2BQxWo%3D&reserved=0> | Extension 1138300
>
> -----Original Message-----
> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz
> <mailto:douglas.bagnall at catalyst.net.nz>>
> Sent: Friday, December 16, 2022 6:02 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com
> <mailto:dochelp at microsoft.com>>; cifs-protocol at lists.samba.org
> <mailto:cifs-protocol at lists.samba.org>
> Subject: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays
>
> hi Dochelp,
>
> I am working on conditional ACES for Samba. The documentation is mostly very
> clear, but I have one question prompted by example 3 in 2.4.4.19, which deals
> with the encoding of this SDDL snippet:
>
> > (@User.clearanceLevel>=@Resource.requiredClearance
> <mailto:=@Resource.requiredClearance>) ||
> > (Member_of{SID(BA)})
>
> where the 'Member_of{SID(BA)}' becomes a composite token containing the single
> SID, followed by the Member_of operator. So far this makes sense.
>
> However, earlier, in 2.4.4.17.6 ('Relational Operator Tokens') we have
>
> > The operand type MUST be either a SID literal, or a composite, each of
> > whose elements is a SID literal.
>
> which is also clear. But the ABNF in 2.5.1.1 ('Syntax') look like
>
> > memberof-op = ( "Member_of" / ... ) wspace sid-array
>
> and sid-array is
>
> > sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( ","
> [wspace] literal-SID [wspace]) "}"
>
> so *syntactically*, this (a literal-SID without the curly brackets)
>
> (Member_of SID(BA))
>
> would also refer to a sid-array. Thus here's the question: would this last form
> be compiled as a composite value (as implied by "sid-array") or would it be a
> solitary SID?
>
> And if doesn't result in a solitary SID, how would such a SID be represented in
> SDDL, or is that not possible?
>
> The wider question is whether, for valid conditonal aces, an ACE -> SDDL -> ACE
> cycle should always end up at the same point as the original.
>
> As a side-note, the example omits the wspace in memberof-op. I suspect the ABNF
> is inexact, but it might be fiddly to fix because I don't know if '[wspace]'
> would work for the form without {}.
>
> cheers,
> Douglas
>
More information about the cifs-protocol
mailing list