[cifs-protocol] [MS-DTYP] SDDL conditional ACEs: XU and ZA mixed up?
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Sep 13 03:42:51 UTC 2023

On 25/08/23 12:11, Douglas Bagnall via cifs-protocol wrote:
> hi Dochelp,
>
>
> In 2.5.1.1 Syntax, it says:
>
> "XU" Access Allowed Object Callback 0xB
> "ZA" Audit Callback 0xD
>
> suggesting that
>
> D:(XU;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
>
> should compile to Access Allowed Object Callback ACE. But it doesn't.
> Nor does it compile to an Audit Callback ACE, presumably because it
> needs to be in a SACL not a DACL.
>
> These are the strings that *do* work:
>
> D:(ZA;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
> this compiles to ACE type 11.
>
> D:(ZA;;;;;WD;(Member_of SID(WD)))
> this compiles to ACE type 9 (that is, without a GUID, "ZA" devolves to
> "XA").
>
> S:(XU;;;;;WD;(Member_of SID(WD)))
> this compiles to ACE type 13.
>
> So I am pretty sure [MS-DTYP] got those 2 mixed up.

Just for cifs-protocol's information, dochelp confirmed this off list,
and a documentation bug has been filed.

Douglas
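
The behaviour reported in this thread, written as a small regression check for an SDDL parser. This is an added example, not part of the original message or of any project's code; the function names, the field names and the use of None for "compiles to neither type" are assumptions made for illustration.

```python
import re

# Token -> ACE type as quoted from [MS-DTYP] 2.5.1.1 in the message above.
DOCUMENTED = {"XU": 0x0B, "ZA": 0x0D}
ACE_RE = re.compile(r"^([DS]):\((.*)\)$")
FIELDS = ("type", "flags", "rights", "object_guid",
          "inherit_guid", "sid", "condition")  # hypothetical field names

def parse_ace(sddl):
    """Split a single-ACE SDDL string into (acl_kind, fields)."""
    m = ACE_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected D:(...) or S:(...)")
    # The conditional expression is the 7th field; keep it in one piece.
    parts = m.group(2).split(";", 6)
    if len(parts) != 7:
        raise ValueError("a conditional ACE needs 7 fields")
    return m.group(1), dict(zip(FIELDS, parts))

def observed_ace_type(sddl):
    """ACE type number reported in the thread for this string."""
    kind, ace = parse_ace(sddl)
    has_guid = bool(ace["object_guid"])
    if ace["type"] == "ZA" and kind == "D":
        return 11 if has_guid else 9   # without a GUID, ZA devolves to XA
    if ace["type"] == "XU" and kind == "S" and not has_guid:
        return 13
    if ace["type"] == "XU" and kind == "D" and has_guid:
        return None                    # assumption: neither type 11 nor 13
    raise LookupError("combination not covered by the thread")

def doc_mismatch(sddl):
    """True when the quoted spec table disagrees with the reported result."""
    _, ace = parse_ace(sddl)
    return DOCUMENTED[ace["type"]] != observed_ace_type(sddl)

GUID = "12345678-1234-1234-1234-123456789012"
SAMPLES = [  # the four strings from the message
    f"D:(XU;;;{GUID};;WD;(Member_of SID(WD)))",
    f"D:(ZA;;;{GUID};;WD;(Member_of SID(WD)))",
    "D:(ZA;;;;;WD;(Member_of SID(WD)))",
    "S:(XU;;;;;WD;(Member_of SID(WD)))",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", observed_ace_type(s), "mismatch:", doc_mismatch(s))
```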