With respect to a computer file system, an access control list (ACL) is a list of permissions attached to an object. An ACL specifies which users--or system processes--are granted access to objects, as well as what operations are allowed to be performed on given objects. In a typical ACL, each entry in the list specifies a subject and an operation. For example, the entry (Alice, delete) on the ACL for file WXY gives Alice permission to delete file WXY.

Contents 1 ACL-based security models 2 Filesystem ACLs 3 Networking ACLs 4 See also 5 References 6 External links

[edit] ACL-based security models

In an ACL-based security model, when a subject requests an operation on an object, the operating system first checks the ACL for an applicable entry in order to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access. ACL models may be applied to collections of objects as well as to individual entities within the system hierarchy.

[edit] Filesystem ACLs

In a Filesystem ACL, the list is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects, such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.

Most of the Unix-like operating systems (eg. Linux, BSD or Solaris) support so called POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them -- for example AIX, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem --^[1] support NFSv4 ACLs, which are part of the NFSv4 standard. FreeBSD 9-CURRENT supports NFSv4 ACLs on both UFS and ZFS file systems; full support is expected to be backported to version 8.1. There is an experimental implementation of NFSv4 ACLs for Linux^[2].

[edit] Networking ACLs

On some types of proprietary computer hardware, an Access Control List refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.

[edit] See also

• Standard Access Control List, Cisco-IOS configuration rules
• Role-based access control
• Confused deputy problem
• Capability-based security
• Cacls

[edit] References

[edit] External links

• http://www.freebsd.org/doc/en/books/handbook/fs-acl.html
• http://semillon.wpi.edu/~aofa/mailing_list/msg00390.html
• http://www.columbia.edu/acis/email/cyrus/acls.html
• http://www.uwm.edu/IMT/Computing/sasdoc8/sashtml/eis/z1032021.htm
• http://windows.stanford.edu/docs/glossary.htm
• http://www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
• http://www.cs.uiuc.edu/class/fa05/cs498sh/seclab/slides/OSNotes.ppt
• http://crypto.stanford.edu/cs155old/cs155-spring03/lecture9.pdf
• http://www.cs.cornell.edu/courses/cs513/2007fa/NL.accessControl.html