[cifs-protocol] [MS-DTYP] no SDDL for ACCESS_DENIED_CALLBACK_OBJECT_ACE?
douglas.bagnall at catalyst.net.nz
Fri Aug 25 00:36:12 UTC 2023
According to [MS-DTYP], there is no way to express a
ACCESS_DENIED_CALLBACK_OBJECT_ACE in SDDL.
I just want to confirm that.
If ACCESS_ALLOWED_CALLBACK_OBJECT_ACE has type "ZA", symmetry would propose "ZD"
for the denied counterpart, but no.
I have tried mutating a ACCESS_ALLOWED_CALLBACK_OBJECT_ACE to flip the ace type,
but I can't get it to encode as SDDL.
So I suppose it is the case that in the places where we transmit security
descriptors as SDDL, we just can't transmit these ones.
More information about the cifs-protocol