
ACL (Access Control List)

Dec 7, 2010

ACL — short for Access Control List, a set of data that tells a computer's operating system which permissions, or access rights, each user or group has to a specific system object, such as a directory or file. Each object has a unique security attribute that identifies which users have access to it, and the ACL is a list of each object and the user access privileges on it, such as read, write, or execute.

An ACL holds the information that identifies specific users or groups and their access privileges for a particular file or directory. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an access control list that contains (Alice, delete), this gives Alice permission to delete the file.

When a subject requests an operation on an object in an ACL-based security model (a computer scheme for specifying and enforcing security policies), the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access. Access control list models may be applied to collections of objects as well as to individual entities within the system hierarchy.

A filesystem access control list is a data structure containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier for its access control list. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
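A minimal evaluator for the model described above, written here as an added example (it is not code from the original page): entries are (subject, operation) pairs as in the (Alice, delete) example, a subject may be a user or a group that expands to its members, a request is denied unless some entry applies, and editing the ACL is itself an operation gated by an assumed "alter_acl" right. The group table, user names and operation names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed group membership table (hypothetical, for this example only).
GROUPS = {"staff": {"alice", "bob"}}


@dataclass
class Acl:
    # Each entry is (subject, operation); a subject is a user name or a
    # group name, matching the "(Alice, delete)" form in the text above.
    entries: set = field(default_factory=set)

    def applies(self, subject: str, user: str) -> bool:
        # An entry applies if it names the user or a group the user is in.
        return subject == user or user in GROUPS.get(subject, set())

    def is_authorized(self, user: str, operation: str) -> bool:
        # Default deny: allowed only if an applicable entry names the operation.
        return any(self.applies(s, user) and op == operation
                   for s, op in self.entries)

    def modify(self, requester: str, entry: tuple, add: bool = True) -> bool:
        # ACL edits are authorized by an assumed "alter_acl" entry on the
        # same ACL; this is the "who may edit the ACL" question from the text.
        if not self.is_authorized(requester, "alter_acl"):
            return False
        (self.entries.add if add else self.entries.discard)(entry)
        return True


def demo() -> dict:
    # Constructed ACL for one file: alice may delete and edit the ACL,
    # members of "staff" may read.
    acl = Acl({("alice", "delete"), ("staff", "read"), ("alice", "alter_acl")})
    return {
        "alice_delete": acl.is_authorized("alice", "delete"),        # True
        "bob_read": acl.is_authorized("bob", "read"),                # True, via staff
        "bob_delete": acl.is_authorized("bob", "delete"),            # False
        "bob_grants_self": acl.modify("bob", ("bob", "delete")),     # False, no alter_acl
        "alice_grants_bob": acl.modify("alice", ("bob", "delete")),  # True
        "bob_delete_after": acl.is_authorized("bob", "delete"),      # True
        "carol_read": acl.is_authorized("carol", "read"),            # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```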

Most Unix and Unix-like operating systems (e.g. Linux, BSD, or Solaris) support so-called POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for example AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with the ZFS filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There is an experimental implementation of NFSv4 ACLs for Linux.

On some types of proprietary computer hardware, an Access Control List refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer-3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.
