Access control list

From Wikipedia, the free encyclopedia

Jump to: navigation, search

In computer security, an access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.

Contents

[edit] ACL-based security models

In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation. A key issue in the definition of any ACL-based security model is the question of how access control lists are edited. For each object; who can modify the object's ACL and what changes are allowed.

Systems that use ACLs can be classified into two categories: discretionary and mandatory. A system is said to have discretionary access control if the creator or owner of an object can fully control access to the object, including, for example, altering the object's ACL to grant access to anyone else. A system is said to have mandatory access control (also known as "non-discretionary access control" in the security literature) if it enforces system-wide restrictions that override the permissions stated in the ACL.

Traditional ACL systems assign permissions to individual users, which can become cumbersome in a system with a large number of users. In a more recent approach called role-based access control, permissions are assigned to roles, and users are assigned to roles.

[edit] File system ACLs

The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

Most of the unix-like operating systems - Linux, FreeBSD or Solaris, support so called POSIX.1e ACLs, based on early POSIX draft that was abandoned. Many of them - for example AIX, Mac OS X, beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem[1], support NFSv4 ACLs, which are the part of NFSv4 standard. There are experimental implementations of NFSv4 ACLs for Linux[2] and FreeBSD[3].

[edit] Networking ACLs

In networking, ACL refers to a list of rules detailing service ports or (network) daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.

[edit] See also

[edit] References

  1. ^ http://docs.sun.com/app/docs/doc/819-5461/ftyxi?a=view
  2. ^ http://www.suse.de/~agruen/nfs4acl/
  3. ^ http://wiki.freebsd.org/NFSv4_ACLs
Retrieved from "http://en.wikipedia.org/wiki/Access_control_list"
Personal tools