[cifs-protocol] [MS-DTYP] meaning of ACCESS_*_CALLBACK_OBJECT_ACE
douglas.bagnall at catalyst.net.nz
Sun Sep 24 23:36:29 UTC 2023
The interpretation of ACCESS_ALLOWED_CALLBACK_OBJECT_ACE and
ACCESS_DENIED_CALLBACK_OBJECT_ACE is not really explained in MS-DTYP.
Section 184.108.40.206.3 says what to do for ordinary allow and deny conditional ACEs,
but not for the object types.
My current assumption for an allow callback ACE goes like this:
1. Test the condition on the ACE
2a. if it is true, treat the ACE as if it is an ACCESS_ALLOWED_OBJECT_ACE.
2b. if it is unknown/false, ignore the ACE.
and correspondingly in the DENY case, with UNKNOWN being treated as "true".
is that correct?
More information about the cifs-protocol