An access-control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.
Many kinds of operating systems implement ACLs, or have a historical implementation.
A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access-control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
POSIX 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL". The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest for funding the project and turning to more powerful alternatives such as NFSv4 ACL. As of December 2019[update], no live sources of the draft could be found on the Internet, but it can still be found in the Internet Archive.
Most of the Unix and Unix-like operating systems (e.g. Linux since 2.5.46 or November 2002, BSD, or Solaris) support POSIX.1e ACLs (not necessarily draft 17). Many of them, for example AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem and the more recent Richacls which brings NFSv4 ACLs support for Ext4 filesystem. ACLs are usually stored in the extended attributes of a file on these systems.
Active Directory ACLs
Microsoft's Active Directory Directory Service implements an LDAP server that store and disseminate configuration information about users and computers in a domain. Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows NT uses for the NTFS filesystem. Windows 2000 then extended the syntax for access control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects.
On some types of proprietary computer-hardware (in particular routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the access-control list is protecting. Both individual servers as well as routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS.
ACL algorithms have been ported to SQL and to relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, like enterprise resource planning and content management systems, have used ACL models in their administration modules.
Comparing with RBAC
The main alternative to the ACL model is the role-based access-control (RBAC) model. A "minimal RBAC model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997) showed that RBACm and ACLg are equivalent.
In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC express, and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of the way in which administrators view organizations.
- Capability-based security
- Confused deputy problem
- Extended file attributes
- Role-based access control (RBAC)
- RFC 4949
- "Managing Authorization and Access Control". Microsoft Technet. 2005-11-03. Retrieved 2013-04-08.
- Grünbacher, Andreas. "POSIX Access Control Lists on Linux". Usenix. Retrieved 12 December 2019.
- wurtzkurdle. "Why was POSIX.1e withdrawn?". Unix StackExchange. Retrieved 12 December 2019.
- Trümper, Winfried (February 28, 1999). "Summary about Posix.1e". Archived from the original on 2008-07-23.
- "Red Hat Enterprise Linux AS 3 Release Notes (x86 Edition)". Red Hat. 2003. Retrieved 2013-04-08.
EA (Extended Attributes) and ACL (Access Control Lists) functionality is now available for ext3 file systems. In addition, ACL functionality is available for NFS.
- "NFSv4 ACLs". FreeBSD. 2011-09-12. Retrieved 2013-04-08.
- "Chapter 8 Using ACLs and Attributes to Protect ZFS Files". Oracle Corporation. 2009-10-01. Retrieved 2013-04-08.
- Grünbacher, Andreas (May 2008). "Native NFSv4 ACLs on Linux". SUSE. Archived from the original on 2013-06-20. Retrieved 2013-04-08.
- Grünbacher, Andreas (July–September 2010). "Richacls - Native NFSv4 ACLs on Linux". bestbits.at. Archived from the original on 2013-03-20. Retrieved 2013-04-08.
- "P.S.I. Pacer Software, Inc. Gnet-II revision 3.0". Communications. Computerworld. 18 (21). 1984-05-21. p. 54. ISSN 0010-4841. Retrieved 2017-06-30.
The new version of Gnet-II (revision 3.0) has added a line-security mechanism which is implemented under the Primos ACL subsystem.
- "[MS-ADTS]: Active Directory Technical Specification".
- Swift, Michael M. (November 2002). "Improving the granularity of access control for Windows 2000". Cite journal requires
- J. Barkley (1997) "Comparing simple role based access control models and access control lists", In "Proceedings of the second ACM workshop on Role-based access control", pages 127-132.
- G. Karjoth, A. Schade and E. Van Herreweghen (2008) "Implementing ACL-based Policies in XACML", In "2008 Annual Computer Security Applications Conference".
- Rhodes, Tom. "File System Access Control Lists (ACLs)". FreeBSD Handbook. Retrieved 2013-04-08.
- Michael Fox; John Giordano; Lori Stotler; Arun Thomas (2005-08-24). "SELinux and grsecurity: A Case Study Comparing Linux Security Kernel Enhancements" (PDF). University of Virginia. Archived from the original (PDF) on 2012-02-24. Retrieved 2013-04-08.
- Hinrichs, Susan (2005). "Operating System Security". CyberSecurity Spring 2005. University of Illinois. Archived from the original on 2012-03-04. Retrieved 2013-04-08.
- Mitchell, John. "Access Control and Operating System Security" (PDF). Stanford University. Retrieved 2013-04-08.
- Clarkson, Michael. "Access Control". Cornell University. Retrieved 2013-04-08.
- Klein, Helge (2009-03-12). "Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained". Retrieved 2013-04-08.
- "Access Control Lists". MSDN Library. 2012-10-26. Retrieved 2013-04-08.
- "How Permissions Work". Microsoft Technet. 2003-03-28. Retrieved 2013-04-08.