I was looking at using S-1-2-3-4 to take away rights via ownership and
granting no access (but not denying it either) makes sense as access
is granted via group membership. Microsofts documentation seems to
suggest the a 0x0 mask is valid.
Quote from
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125370(v=ws.10)?redirectedfrom=MSDN
"When you add the Owner Rights security principal to objects, you can
specify what permissions are given to the owner of an object. For example
you can specify in the access control entry (ACE) of an object that the
owner of a particular object is given Read permissions or you can specify
NULL permissions to an object, which grants the owner of the object no
permissions."
Here is example output:
# setcifsacl -a "ACL:S-1-2-3-4:0x0/0x0/0x0" bruno-test
verify_ace_mask: Invalid mask 0x0 (value 0x0)
Besides the owner rights case, I think this might also make sense in an ACL
to break inheritence, though in that case there might be other ways to
do that.
Unless having a 0x0 mask actually breaks things, it doesn't seem that
it is a good idea to prohibit it.
