[cifs-protocol] [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - TrackingID#2212170040000207

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Jan 11 23:12:39 UTC 2023


thanks Kristian,

Just to clarify this bit

> Hypothetical, using single literal SID:                     ("Member_of") [wspace] "SID(" sid-string ")"

when you say "hypothetical", does that mean you haven't confirmed it?

I don't have any problem with the example. The example is good! It would be nice 
to have more.

I think the problem is with the ABNF, which does not make this distinction and 
has other inaccuracies, as noted earlier.

If the absence of a whitespace token makes a difference to the parsing, the ABNF 
should not just say "[wspace]", it should explain the difference.

cheers,
Douglas


On 12/01/23 11:10, Kristian Smith wrote:
> Hi Douglas,
> 
> After researching this [MS-DTYP] question, I’ve determined that the difference 
> between a sid-array and a literal-SID is a trailing [wspace].
> 
> Here is my logic:
> 
> Member_of general definition:  ("Member_of") [wspace] sid-array
> 
> SID array general definition:  sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"
> 
> SID array with single element:  sid-array = literal-SID [wspace]
> 
> Alternate SID array with single element:  sid-array = "{" [wspace] literal-SID [wspace] "}"
> 
> literal-SID = "SID(" sid-string ")"
> 
> *Using a SID array with single element:  ("Member_of") [wspace] "SID(" sid-string ")" [wspace]*
> 
> *Alt SID array with single element:  ("Member_of") [wspace] "{" [wspace] "SID(" sid-string ")" [wspace] "}"*
> 
> Hypothetical, using single literal SID:  ("Member_of") [wspace] "SID(" sid-string ")"
> 
> The document dictates the use of a sid-array for “Member_of”, regardless of the 
> number of elements in the array. This would mean using curly braces with 
> [wspace] padding, or using the trailing [wspace], as bolded above. If you 
> believe that example 3 needs to be altered, please let me know what would enable 
> better clarity.
> 
> Thank you for your patience,
> 
> Kristian
> 
> Kristian Smith
> 
> Support Escalation Engineer
> 
> Windows Open Spec Protocols
> 
> Office: (425) 421-4442
> 
> kristian.smith at microsoft.com
> 
> *From:* Kristian Smith <Kristian.Smith at microsoft.com>
> *Sent:* Thursday, December 29, 2022 12:13 PM
> *To:* Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; 
> cifs-protocol at lists.samba.org
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* Re: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - 
> TrackingID#2212170040000207
> 
> Hi Douglas,
> 
> I'll be looking into this issue for you. I'll reach out when I have more 
> information.
> 
> Thanks,
> 
> Kristian
> 
> Kristian Smith
> 
> Support Escalation Engineer
> 
> Windows Open Spec Protocols
> 
> Office: (425) 421-4442
> 
> kristian.smith at microsoft.com
> 
> --------------------------------------------------------------------------------
> 
> *From:* Jeff McCashland (He/him) <jeffm at microsoft.com>
> *Sent:* Friday, December 16, 2022 8:17 PM
> *To:* Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
> *Cc:* Microsoft Support <supportmail at microsoft.com>
> *Subject:* RE: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - 
> TrackingID#2212170040000207
> 
> [DocHelp to BCC, support on CC, SR ID on Subject]
> 
> Hi Douglas,
> 
> Thank you for the question. We have created SR 2212170040000207 to track this 
> issue. One of our engineers will respond soon to assist.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open 
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
> Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> Sent: Friday, December 16, 2022 6:02 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays
> 
> hi Dochelp,
> 
> I am working on conditional ACES for Samba. The documentation is mostly very 
> clear, but I have one question prompted by example 3 in 2.4.4.19, which deals 
> with the encoding of this SDDL snippet:
> 
>  > (@User.clearanceLevel>=@Resource.requiredClearance) ||
>  > (Member_of{SID(BA)})
> 
> where the 'Member_of{SID(BA)}' becomes a composite token containing the single 
> SID, followed by the Member_of operator. So far this makes sense.
> 
> However, earlier, in 2.4.4.17.6 ('Relational Operator Tokens') we have
> 
>  > The operand type MUST be either a SID literal, or a composite, each of
>  > whose elements is a SID literal.
> 
> which is also clear. But the ABNF in 2.5.1.1 ('Syntax') looks like
> 
>  > memberof-op = ( "Member_of" / ... ) wspace sid-array
> 
> and sid-array is
> 
>  > sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"
> 
> so *syntactically*, this (a literal-SID without the curly brackets)
> 
>       (Member_of SID(BA))
> 
> would also refer to a sid-array. Thus here's the question: would this last form 
> be compiled as a composite value (as implied by "sid-array") or would it be a 
> solitary SID?
> 
> And if it doesn't result in a solitary SID, how would such a SID be represented in 
> SDDL, or is that not possible?
> 
> The wider question is whether, for valid conditional ACEs, an ACE -> SDDL -> ACE 
> cycle should always end up at the same point as the original.
> 
> As a side-note, the example omits the wspace in memberof-op. I suspect the ABNF 
> is inexact, but it might be fiddly to fix because I don't know if '[wspace]'
> would work for the form without {}.
> 
> cheers,
> Douglas
> 
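To make the ambiguity in the thread concrete, here is a small recursive-descent parser written for this page (it is not code from the thread, from Samba, or from Microsoft) that follows the memberof-op, sid-array and literal-SID rules exactly as quoted above. It accepts both the braced form from example 3 and the unbraced `Member_of SID(BA)` form as a sid-array, and it records whether the optional trailing [wspace] after an unbraced literal-SID was present, which is the only thing the grammar as written could use to tell the two readings apart. The sid-string rule is simplified to a two-letter alias or an `S-1-...` string, the other operator names elided by "..." in the quoted ABNF are left out, and the whitespace after the operator is treated as optional because example 3 omits it; all three are assumptions of this demo.

```python
import re
from dataclasses import dataclass

# Simplified sid-string (an assumption for this demo, not the full [MS-DTYP] rule):
# a two-letter SDDL alias such as BA, or an S-1-... string.
SID_STRING = re.compile(r"[A-Z]{2}|S-\d+(?:-\d+)+")
WSPACE = re.compile(r"\s*")


class ParseError(ValueError):
    """Raised when the text does not match the memberof-op grammar."""


@dataclass
class MemberOf:
    op: str
    sids: list             # the SID literals, in order
    braced: bool           # the "{ ... }" alternative of sid-array was used
    trailing_wspace: bool  # unbraced form only: was the [wspace] after literal-SID present?


def _skip_ws(text, pos):
    """[wspace]: zero or more whitespace characters."""
    return WSPACE.match(text, pos).end()


def _literal_sid(text, pos):
    """literal-SID = "SID(" sid-string ")" ; returns (sid-string, new pos)."""
    if not text.startswith("SID(", pos):
        raise ParseError(f"expected 'SID(' at offset {pos}")
    m = SID_STRING.match(text, pos + 4)
    if m is None or not text.startswith(")", m.end()):
        raise ParseError(f"malformed literal-SID at offset {pos}")
    return m.group(0), m.end() + 1


def parse_memberof(text, pos=0):
    """memberof-op = "Member_of" wspace sid-array ; returns (MemberOf, end pos).

    Only the "Member_of" operator is handled; the quoted ABNF elides the others.
    The ABNF requires wspace after the operator, but example 3 writes
    Member_of{SID(BA)} with none, so this parser treats it as optional.
    """
    op = "Member_of"
    if not text.startswith(op, pos):
        raise ParseError(f"expected {op!r} at offset {pos}")
    pos = _skip_ws(text, pos + len(op))

    if text.startswith("{", pos):
        # sid-array = "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace] ) "}"
        pos = _skip_ws(text, pos + 1)
        sids = []
        while True:
            sid, pos = _literal_sid(text, pos)
            sids.append(sid)
            pos = _skip_ws(text, pos)
            if text.startswith(",", pos):
                pos = _skip_ws(text, pos + 1)
                continue
            if text.startswith("}", pos):
                return MemberOf(op, sids, True, False), pos + 1
            raise ParseError(f"expected ',' or '}}' at offset {pos}")

    # sid-array = literal-SID [wspace]  (the unbraced alternative)
    sid, pos = _literal_sid(text, pos)
    end = _skip_ws(text, pos)
    return MemberOf(op, [sid], False, end > pos), end


def to_sddl(m):
    """Render back in the composite form example 3 uses: braces, no padding."""
    return m.op + "{" + ",".join(f"SID({s})" for s in m.sids) + "}"


if __name__ == "__main__":
    # Constructed sample inputs covering the forms discussed in the thread.
    for src in ("Member_of{SID(BA)}", "Member_of SID(BA)", "Member_of SID(BA) ",
                "Member_of { SID(BA) , SID(S-1-5-32-544) }"):
        m, _ = parse_memberof(src)
        print(f"{src!r:45} -> {m} -> {to_sddl(m)!r}")
```

Running it shows the point of Douglas's question: `Member_of{SID(BA)}` and `Member_of SID(BA)` produce the same one-element list of SIDs, and `to_sddl` turns both into the braced composite form, so an unbraced literal-SID does not survive an SDDL round trip unless the grammar assigns it a different meaning. The `trailing_wspace` flag is what Kristian's reading hangs on; a parser that wants to honour it has to look at the whitespace rather than discard it, which is why the [wspace] token would need to be explained rather than merely listed in the ABNF.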
