[cifs-protocol] [MS-DTYP] 2.5.1.1 another SDDL syntax ABNF inaccuracy
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Feb 2 10:24:09 UTC 2023
hi Dochelp,
I think this bit is wrong in the SDDL ABNF. We have (with irrelevant bits
omitted):

    conditional-ace = ... ";" "(" cond-expr ")" ")"

    cond-expr = term /
                term [wspace] ("||" / "&&" ) [wspace] cond-expr /
                (["!"] [wspace] "(" cond-expr ")")

which says a conditional expression compounded with '&&' or '||' can only
have a simple term on the left hand side. That doesn't seem right, nor is
it in keeping with the text.
Not least of all, examples 2 and 3 in 2.4.4.17.9 have compound expressions
on either side of a central operator, like so:

    (@User.smartcard==1 || @Device.managed==1) && (@Resource.dept
    Any_of{"Sales","HR"})

My belief is the example is correct and the ABNF is wrong. It should
probably say something more like this:

    cond-expr = term /
                cond-expr [wspace] ("||" / "&&" ) [wspace] cond-expr /
                (["!"] [wspace] "(" cond-expr ")")

though that doesn't explain when you need parentheses and when you don't.
Douglas
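
Added illustration, not part of the original mail or of MS-DTYP: a small Python recogniser for the two cond-expr rules quoted above, run against the example the mail cites. Treating term as an opaque token and reading the suggested left-recursive rule as operand *(op operand) are assumptions made for this sketch; all function names are hypothetical.

```python
import re

# Assumption: "term" is an opaque run of characters, since the mail omits
# the real term rule; "!" is an operator only directly before "(".
_TOKEN = re.compile(r"\s*(?:(\|\||&&|!(?=\s*\()|\(|\))|((?:(?!\|\||&&)[^()])+))")
OPS = ("||", "&&")

def tokenize(text):
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        toks.append(m.group(1) or "TERM")
        pos = m.end()
    return toks + [None]          # end marker keeps index checks simple

def group(parse, toks, i):
    """Match ["!"] "(" cond-expr ")" at i; return the next index or None."""
    if toks[i] == "!":
        i += 1
    if toks[i] != "(":
        return None
    j = parse(toks, i + 1)
    return j + 1 if j is not None and toks[j] == ")" else None

def published(toks, i=0):
    """cond-expr as printed: only a bare term may sit left of an operator."""
    if toks[i] == "TERM":
        return published(toks, i + 2) if toks[i + 1] in OPS else i + 1
    return group(published, toks, i)

def proposed(toks, i=0):
    """Suggested rule, read without left recursion: operand *(op operand)."""
    while i is not None:
        i = i + 1 if toks[i] == "TERM" else group(proposed, toks, i)
        if i is None or toks[i] not in OPS:
            return i
        i += 1

def accepts(parse, text):
    """True when the whole input is one cond-expr under the given rule."""
    toks = tokenize(text)
    return parse(toks) == len(toks) - 1

# The example quoted in the mail, joined onto one line.
EXAMPLE = ('(@User.smartcard==1 || @Device.managed==1) && '
           '(@Resource.dept Any_of{"Sales","HR"})')
```

`accepts(published, EXAMPLE)` is false because the published rule allows nothing after a parenthesised group, while `accepts(proposed, EXAMPLE)` is true.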