Access Control List

Sample of an ACL

An access control list (short ACL , English for access control list , short ZSL ) is a software technology with which operating systems and application programs can limit access to data and functions. An ACL defines the extent to which individual users and system processes have access to certain objects (such as services, files , registry entries, etc.).

In contrast to simple access rights , ACLs can be set more precisely. In Windows, for example, ACLs can be used to assign different rights to a file for multiple users and multiple groups, while Linux with simple access rights only allows rights to be assigned to one user, a group and the “rest of the world”.

Unix and Linux

In the Unix world, the access control list is an extension of the classic access control on the level of the owner-group-world model . In this way, access rights can be specifically assigned or forbidden for individual users. Many Unix implementations such as B. Solaris , IRIX, and HP-UX introduced support for a very similar ACL model, designed as an extension of the classic Unix access rights model, in the early to mid-1990s, and attempts were made to move this ACL system under POSIX-1003.1e standardize. The corresponding draft standard (draft standard) was withdrawn in October 1997.

In mid-2000, POSIX-1003.1e ACLs were implemented in FreeBSD and Linux . AIX , HP-UX, Linux, FreeBSD, TrustedBSD , Solaris, Trusted Solaris and IRIX now offer native support for the withdrawn POSIX 1003.1e ACLs.

Under Linux, the file systems Btrfs , ext2 , ext3 , ext4 , JFS , XFS and ReiserFS support POSIX-1003.1e ACLs completely. On the command line, the ACLs are typically managed with the commands getfacland setfacl. With KDE version 3.5, the file manager Konqueror with native POSIX-1003.1e ACL support is also available. For the Gnome desktop environment , the Nautilus file manager from version 2.16 natively supports POSIX-1003.1e ACLs. POSIX-1003.1e ACLs are statically inherited in Linux, i. H. the authorizations are propagated in newly created subdirectories and files as required. If the ACL of a higher-level directory is changed, however, this has no effect on the structure below.

With RFC 3010 ( NFSv4 ) a new ACL standard based on the NFS ACL system was established in December 2000 . Solaris, AIX and macOS now support this standard. The ZFS file system only supports NFSv4 ACLs.

Microsoft Windows

Under Windows NT 4.0 , each operating system object (file, process, etc.) is assigned a so-called access control descriptor , which can contain an ACL. If there is no ACL, every user has full access to the object. If the ACL is present but empty, no user has access. An ACL consists of a header and a maximum of 1820 Access Control Entries (ACE). An ACE contains the information whether a user or a user group should be allowed a certain type of access ( allow ) or denied ( deny ). Windows Explorer writes the entries denying access at the beginning of the ACL. If a user requests access to an object, the Windows Object Manager goes through the list from the beginning. As soon as entries for all requested rights have been found, the Object Manager allows or denies access accordingly. If the Object Manager encounters an entry denying access while going through the list, the search is aborted and access to the object is denied.

With Windows NT up to version 4.0 ACL are statically inherited, from Windows 2000 this happens dynamically if required . If the ACL of a higher-level directory is changed, this affects the directory structure below, depending on the inheritance selected.

Other systems

Multics was the first to support ACLs since 1965.
macOS supports ACLs from Mac OS X Tiger (10.4, 2005).
The operating system OpenVMS from HP (originally DEC ) also supports ACL; their entries are called ACE.
In Cisco's IOS operating system , ACL refers to packet filter settings, among other things .
ACLs are used in a number of web applications to restrict access to individual pages or areas to specific users or user groups, for example in some wikis (such as DokuWiki ) and CMS (such as eZ Publish ).
SAP also uses ACLs for detailed user authorization in many of its applications, e.g. B. in the collaboration software cFolders (see cProjects ) or the SAP Easy Document Management.
In the case of an LDAP directory, depending on the manufacturer, an ACL can allow or deny access to attributes or (LDAP) containers .

Web links

swell

↑ Martin Grotegut: Windows Vista , Springer Science + Business Media , p. 10 .
↑ Maximum Number of ACEs in an ACL in the Microsoft Knowledge Database, September 20, 2003.
^ Richard E. Smith: Elementary Information Security , Jones & Bartlett Learning, p. 150 .

[1] Martin Grotegut: Windows Vista , Springer Science + Business Media , p. 10 .

[2] Maximum Number of ACEs in an ACL in the Microsoft Knowledge Database, September 20, 2003.

[3] Richard E. Smith: Elementary Information Security , Jones & Bartlett Learning, p. 150 .