[cifs-protocol] [MS-DTYP] another SDDL syntax ABNF inaccuracy

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Feb 2 10:24:09 UTC 2023

hi Dochelp,

I think this bit is wrong in the SDDL ABNF. We have (with irrelevant bits 

   conditional-ace = ... ";" "(" cond-expr ")" ")"

   cond-expr = term /
               term [wspace] ("||" / "&&" ) [wspace] cond-expr /
               (["!"] [wspace] "(" cond-expr ")")

which says a conditional expression compounded with '&&' or '||' can only 
have a simple term on the left hand side. That doesn't seem right, nor is 
it in keeping with the text.

Not least of all, examples 2 and 3 in have compound expressions 
on either side of a central operator, like so:

   (@User.smartcard==1 || @Device.managed==1) && (@Resource.dept 

My belief is the example is correct and the ABNF is wrong. It should 
probably say something more like this:

   cond-expr = term /
               cond-expr [wspace] ("||" / "&&" ) [wspace] cond-expr /
               (["!"] [wspace] "(" cond-expr ")")

though that doesn't explain when you need parentheses and when you don't.
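
A small parser, added here as an illustration and not part of Douglas's mail or of MS-DTYP, that accepts a cond-expr under either the published ABNF (only a bare term may stand left of `||`/`&&`) or the corrected rule proposed above, so the example can be tried against both. It assumes a term is any run of text free of parentheses, `||`, `&&` and a group-opening `!`, that `||` and `&&` share one precedence level and associate left to right, and the `"Sales"` value completing the truncated example is invented.

```python
import re
# Tokens: "(", ")", "||", "&&", a "!" that opens a group, and everything else as a term.
# A "!" not followed by "(" (e.g. in "!=") stays inside the term it belongs to.
TOKEN_RE = re.compile(r"""(?P<lparen>\()|(?P<rparen>\))|(?P<or>\|\|)|(?P<and>&&)
    |(?P<not>!(?=\s*\())|(?P<term>(?:[^()|&!]|!(?!\s*\())+)""", re.VERBOSE)
def tokenize(text):
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() != pos:  # finditer skips unmatched text such as a lone "|" or "&"
            raise SyntaxError(f"unexpected {text[pos]!r} at offset {pos}")
        pos, value = m.end(), m.group().strip()
        if value:  # whitespace-only matches are not terms
            tokens.append((m.lastgroup, value))
    if pos != len(text):
        raise SyntaxError(f"unexpected {text[pos]!r} at offset {pos}")
    return tokens

def parse(text, published_abnf=False):
    """Return a nested tuple (op, left, right) / ("!", expr) / bare term string."""
    toks, idx = tokenize(text), [0]
    peek = lambda: toks[idx[0]][0] if idx[0] < len(toks) else None
    def take(kind):
        if peek() != kind:
            raise SyntaxError(f"expected {kind}, got {peek()}")
        idx[0] += 1
        return toks[idx[0] - 1][1]
    def operand():  # returns (node, is_bare_term); "(...)" and "!(...)" are not terms
        if peek() == "term":
            return take("term"), True
        negated = peek() == "not" and take("not")
        take("lparen"); node = cond_expr(); take("rparen")
        return (("!", node) if negated else node), False
    def cond_expr():
        node, is_term = operand()
        if published_abnf:  # cond-expr = term / term op cond-expr / ["!"] "(" cond-expr ")"
            if peek() in ("or", "and"):
                if not is_term:
                    raise SyntaxError("published ABNF: only a bare term may precede '||'/'&&'")
                return (take(peek()), node, cond_expr())
            return node
        while peek() in ("or", "and"):  # proposed: cond-expr op cond-expr, read left to right
            node = (take(peek()), node, operand()[0])
        return node
    node = cond_expr()
    if peek() is not None:
        raise SyntaxError(f"trailing input from {toks[idx[0]]}")
    return node
# Constructed input completing the mail's truncated example; the "Sales" literal is invented.
EXAMPLE = '(@User.smartcard==1 || @Device.managed==1) && (@Resource.dept=="Sales")'
```

`parse(EXAMPLE)` succeeds, while `parse(EXAMPLE, published_abnf=True)` raises at the `&&` because its left operand is a parenthesised group rather than a term.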

