In
computer security
Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
, an access-control list (ACL) is a list of permissions associated with a
system resource
In computing, a system resource, or simply resource, is any physical or virtual component of limited availability that is accessible to a computer. All connected devices and internal system components are resources. Virtual system resources in ...
(object or facility). An ACL specifies which
users or
system processes are granted access to resources, as well as what operations are allowed on given resources. Each entry in a typical ACL specifies a subject and an operation. For instance,
* If a file object has an ACL that contains, this would give Alice permission to read and write the file and give Bob permission only to read it.
* If the
Resource Access Control Facility (RACF) profile CONSOLE CLASS(TSOAUTH) has an ACL that contains, this would give ALICE permission to use the TSO CONSOLE command.
Implementations
Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the
filesystem of
Multics
Multics ("MULTiplexed Information and Computing Service") is an influential early time-sharing operating system based on the concept of a single-level memory.Dennis M. Ritchie, "The Evolution of the Unix Time-sharing System", Communications of t ...
in 1965.
Filesystem ACLs
A
filesystem ACL is a
data structure
In computer science, a data structure is a data organization and storage format that is usually chosen for Efficiency, efficient Data access, access to data. More precisely, a data structure is a collection of data values, the relationships amo ...
(usually a table) containing entries that specify individual user or
group rights to specific system objects such as programs,
processes, or files. These entries are known as access-control entries (ACEs) in the Microsoft
Windows NT
Windows NT is a Proprietary software, proprietary Graphical user interface, graphical operating system produced by Microsoft as part of its Windows product line, the first version of which, Windows NT 3.1, was released on July 27, 1993. Original ...
,
OpenVMS
OpenVMS, often referred to as just VMS, is a multi-user, multiprocessing and virtual memory-based operating system. It is designed to support time-sharing, batch processing, transaction processing and workstation applications. Customers using Op ...
, and
Unix-like
A Unix-like (sometimes referred to as UN*X, *nix or *NIX) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Uni ...
operating system
An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs.
Time-sharing operating systems scheduler (computing), schedule tasks for ...
s such as
Linux
Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...
,
macOS
macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...
, and
Solaris. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or
execute
Execution, in capital punishment
Capital punishment, also known as the death penalty and formerly called judicial homicide, is the state-sanctioned killing of a person as punishment for actual or supposed misconduct. The sentence (law), s ...
an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
One of the first operating systems to provide filesystem ACLs was Multics.
PRIMOS featured ACLs at least as early as 1984.
In the 1990s the ACL and
role-based access control
In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users, and to implementing mandatory access control (MAC) or discretionary access control, discretion ...
(RBAC) models were extensively tested and used to administer file permissions.
POSIX ACL
POSIX
The Portable Operating System Interface (POSIX; ) is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines application programming interfaces (APIs), along with comm ...
1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL". The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL. , no live sources of the draft could be found on the Internet, but it can still be found in the
Internet Archive
The Internet Archive is an American 501(c)(3) organization, non-profit organization founded in 1996 by Brewster Kahle that runs a digital library website, archive.org. It provides free access to collections of digitized media including web ...
.
Most of the Unix and Unix-like operating systems (e.g.
Linux
Linux ( ) is a family of open source Unix-like operating systems based on the Linux kernel, an kernel (operating system), operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically package manager, pac ...
since 2.5.46 or November 2002,
FreeBSD
FreeBSD is a free-software Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version was released in 1993 developed from 386BSD, one of the first fully functional and free Unix clones on affordable ...
, or Solaris) support POSIX.1e ACLs (not necessarily draft 17). ACLs are usually stored in the extended attributes of a file on these systems.
NFSv4 ACL
NFSv4 ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the
Network File System
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like ...
.
NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include
AIX,
FreeBSD
FreeBSD is a free-software Unix-like operating system descended from the Berkeley Software Distribution (BSD). The first version was released in 1993 developed from 386BSD, one of the first fully functional and free Unix clones on affordable ...
,
Mac OS X
macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...
beginning with version 10.4 ("
Tiger
The tiger (''Panthera tigris'') is a large Felidae, cat and a member of the genus ''Panthera'' native to Asia. It has a powerful, muscular body with a large head and paws, a long tail and orange fur with black, mostly vertical stripes. It is ...
"), or Solaris with
ZFS
ZFS (previously Zettabyte File System) is a file system with Volume manager, volume management capabilities. It began as part of the Sun Microsystems Solaris (operating system), Solaris operating system in 2001. Large parts of Solaris, includin ...
filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for
Ext3
ext3, or third extended filesystem, is a journaling file system, journaled file system that is commonly used with the Linux kernel. It used to be the default file system for many popular Linux distributions but generally has been supplanted by ...
filesystem and the more recent
Richacls, which brings NFSv4 ACLs support for
Ext4
ext4 (fourth extended filesystem) is a journaling file system for Linux, developed as the successor to ext3.
ext4 was initially a series of backward-compatible extensions to ext3, many of them originally developed by Cluster File Systems for ...
filesystem. As with POSIX ACLs, NFSv4 ACLs are usually stored as extended attributes on Unix-like systems.
NFSv4 ACLs are organized nearly identically to the Windows NT ACLs used in
NTFS
NT File System (NTFS) (commonly called ''New Technology File System'') is a proprietary journaling file system developed by Microsoft in the 1990s.
It was developed to overcome scalability, security and other limitations with File Allocation Tabl ...
. NFSv4.1 ACLs are a superset of both NT ACLs and POSIX draft ACLs.
Samba
Samba () is a broad term for many of the rhythms that compose the better known Brazilian music genres that originated in the Afro-Brazilians, Afro Brazilian communities of Bahia in the late 19th century and early 20th century, It is a name or ...
supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs.
Active Directory ACLs
Microsoft
Microsoft Corporation is an American multinational corporation and technology company, technology conglomerate headquartered in Redmond, Washington. Founded in 1975, the company became influential in the History of personal computers#The ear ...
's
Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Direct ...
service implements an
LDAP
The Lightweight Directory Access Protocol (LDAP ) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed Directory service, directory information services over an Internet Protocol (IP) networ ...
server that stores and disseminates configuration information about users and computers in a domain. Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows NT uses for the NTFS filesystem. Windows 2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.
Networking ACLs
On some types of proprietary computer hardware (in particular,
routers and
switches), an access-control list provides rules that are applied to
port numbers or
IP address
An Internet Protocol address (IP address) is a numerical label such as that is assigned to a device connected to a computer network that uses the Internet Protocol for communication. IP addresses serve two main functions: network interface i ...
es that are available on a
host or other
layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network
domain name
In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority, or control. Domain names are often used to identify services provided through the Internet, such as websites, email services, and more. ...
s, this is a questionable idea because individual
TCP,
UDP, and
ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately
resolve names to numeric addresses. This presents an additional
attack surface
The attack surface of a software environment is the sum of the different points (for " attack vectors") where an unauthorized user (the "attacker") can try to enter data to, extract data, control a device or critical software in an environment. Ke ...
for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual
servers and
routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to
firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as
PCI DSS.
SQL implementations
ACL algorithms have been ported to
SQL
Structured Query Language (SQL) (pronounced ''S-Q-L''; or alternatively as "sequel")
is a domain-specific language used to manage data, especially in a relational database management system (RDBMS). It is particularly useful in handling s ...
and to
relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, like
enterprise resource planning
Enterprise resource planning (ERP) is the integrated management of main business processes, often in real time and mediated by software and technology. ERP is usually referred to as a category of business management software—typically a suit ...
and
content management
Content management (CM) are a set of processes and technologies that support the collection, managing, and publishing of information in any form or medium. When stored and accessed via computers, this information may be more specifically referre ...
systems, have used ACL models in their administration modules.
Comparing with RBAC
The main alternative to the ACL model is the role-based access-control (RBAC) model. A "minimal RBAC model", ''RBACm'', can be compared with an ACL mechanism, ''ACLg'', where only groups are permitted as entries in the ACL. Barkley (1997) showed that ''RBACm'' and ''ACLg'' are equivalent.
In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of the way in which administrators view organizations.
For data interchange, and for "high-level comparisons", ACL data can be translated to
XACML.
[G. Karjoth, A. Schade and E. Van Herreweghen (2008)]
Implementing ACL-based Policies in XACML
, In "2008 Annual Computer Security Applications Conference".
See also
*
Access token manager
*
Cacls
*
Capability-based security
Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that ref ...
*
C-list
*
Confused deputy problem
In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy ...
*
DACL
*
Extended file attributes
*
File-system permissions
Typically, a file system maintains permission settings for each stored item commonly computer file, files and directory (computer), directories that either grant or deny the ability to manipulate file system items. Often the settings allow cont ...
*
Privilege (computing)
In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ab ...
*
Role-based access control
In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users, and to implementing mandatory access control (MAC) or discretionary access control, discretion ...
(RBAC)
Notes
References
Further reading
*
*
*
*
*
*
*
*
{{DEFAULTSORT:Access Control List
Computer access control