<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Douglas:<o:p></o:p></p>
<p class="MsoNormal">I want to add some nuance to my previous reply.<o:p></o:p></p>
<p class="MsoNormal">I used an API directly to test the escaping of double quote or 4 hex numbers representing the Unicode of double quote. It did not work at all.
<o:p></o:p></p>
<p class="MsoNormal">Having said that, the document is not for API. There is a possibility that the receiving node where the object resides may perform some preprocessing before invoking the API. The preprocessing may take care of escaping.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Do you have a set up where you can modify the security descriptor of an object using a protocol that you are planning to implement (from Windows-to-Windows) and use the escape sequence?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="mso-ligatures:none">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Obaid Farooqi<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Escalation Engineer | Microsoft<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-ligatures:none">From:</span></b><span style="mso-ligatures:none"> Obaid Farooqi
<br>
<b>Sent:</b> Friday, April 14, 2023 12:13 PM<br>
<b>To:</b> douglas.bagnall@catalyst.net.nz<br>
<b>Cc:</b> cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com><br>
<b>Subject:</b> [MS-DTYP] Conditional ACE Unicode literal SDDL format - TrackingID#2302240040001164<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Douglas:<o:p></o:p></p>
<p class="MsoNormal">After much code browsing, my impression was that “ is not allowed in the attribute values. I asked the PG if there is an escape sequence and answer was “maybe”. The person who wrote the code did it 15 years ago and does not work with it
anymore.<o:p></o:p></p>
<p class="MsoNormal">So, I tried to test it and it confirmed my finding that “ is not allowed, escaped or otherwise.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ll file a bug to correct ABNF.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">PS: if you want to test various SDDL conditional expressions, you can compile and run the following code:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://learn.microsoft.com/en-us/windows/win32/secbp/creating-a-dacl">Creating a DACL - Win32 apps | Microsoft Learn</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In this code, a DACL is created from SDDL, a directory is crated and DACL is applied to it. You can see the DACL is correctly applied in the “Advanced” windows in the security tab of properties of the directory.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I added the following ACE to the already present ACE’s in the code<o:p></o:p></p>
<p class="MsoNormal">(XA;;FX;;;S-1-1-0;(@User.Title == \"PM\"))<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note: the escaping of quotes around PM is for C++, not SDDL.
<o:p></o:p></p>
<p class="MsoNormal">The resulting DACL looks like<o:p></o:p></p>
<p class="MsoNormal">D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;; AU)(XA;;FX;;;S-1-1-0;(@User.Title == "PM"))(A;OICI;GA;;;BA)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The result can be verified in the properties->security->Advanced as follows (the following is a picture and if you did not get it, let me know)<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><img border="0" width="768" height="531" style="width:8.0in;height:5.5312in" id="Picture_x0020_2" src="cid:image001.jpg@01D976CC.A02B0480" alt="A screenshot of a computer
Description automatically generated"></span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Notice the 3<sup>rd</sup> column “Condition”.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For the same condition, when I introduced a “ in PM as part of the value (escaped or otherwise), the code errored out when creating DACL from SDDL.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Obaid Farooqi<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Escalation Engineer | Microsoft<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">===================================<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">From: Douglas Bagnall <a href="mailto:douglas.bagnall@catalyst.net.nz">
douglas.bagnall@catalyst.net.nz</a> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Sent: Thursday, February 23, 2023 6:10 PM<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">To: <a href="mailto:cifs-protocol@lists.samba.org">
cifs-protocol@lists.samba.org</a>; Interoperability Documentation Help <a href="mailto:dochelp@microsoft.com">
dochelp@microsoft.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Subject: [EXTERNAL] [MS-DTYP] Conditional ACE Unicode literal SDDL format<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">hi Dochelp,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">I am interested in the details of the format for conditional ACE SDDL format, which is not really described in [MS-DTYP] (unlike the wire format).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">From the examples, it is clear that it involves double-quote delimiters:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"> (Title=="VP")<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">But how are escapes handled -- how would it handle a string that itself contained a double quote?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">In the ABNF there is a thing called "char-string":<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"> char-string = DQUOTE *(CHAR) DQUOTE<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">which we can deduce applies to Unicode strings due to the definition of value-array, but this doesn't answer the question. Rather, it expands it, since<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">RFC5234 says CHAR is 7-bit ASCII only, precluding most Unicode values, so there must be an escaping mechanism for these characters too (unless the use of CHAR is mistaken).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">My guess is that Unicode strings the same %hhhh sequence as attr-char2 (encoding the double quote as %0022), but there is no mention of that.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-ligatures:none">Douglas<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>