Access Control Lists
Next: Discretionary Access Algorithm
Up: Discretionary Access Control
Previous: POSIX.1 Permission Bit
An access control list is an object that
is associated with a file and contains entries specifying the access that
individual users or groups of users have to the file.
Access control lists provide a straightforward way of granting
or denying access for a specified user or groups of users. Without the use
of access control lists (using the permission bit mechanism only), granting
access to the granularity of a single user (who is not the owner of the file)
can be cumbersome. The following is a simplified example of an access
control list:
In this example the granting of read, write and execute permission is
apparent. User "JRC" and group "GROUP3" are explicitly denied access to the
file.
To provide an ACL capability, the POSIX.6 standard specifies:
- the definition and use of ACLs,
- the definition of initial access permissions on file creation,
- the access check algorithm, and
- the utilities needed to manipulate the ACLs.
The POSIX.6 standard specifies that a POSIX.1 file is the only
object that has an ACL associated with it. The POSIX.6 standard does not
specify the actual implementation of ACLs on a system, nor does it specify
the internal representation of the ACL. The ordering of the entries within
the ACL is also not specified; however, the internal order does not affect
the order in which the access check algorithm examines entries, since that
order is itself specified. The composition of an ACL entry is specified by
the POSIX.6 standard as follows:
- Tag type: specifies that the ACL entry is one of the following:
the file owner, the owning group, a specific named user, a specific named
group, or other (meaning all other users).
- Qualifier field: describes the specific instance of the tag
type. For specific named users and specific named groups, the qualifier
field contains the userid and groupid, respectively. Qualifier fields
for the owner entry and owning group entry are not relevant because this
information is specified elsewhere.
- Set of permissions: specifies the access rights for the entry.
The POSIX.6 standard specifies that at a minimum read, write, and
execute/search permissions must be supported.
The POSIX.6-defined access control list has three mandatory entries:
an owner entry (called the file owner class), an owning group entry (called
the file group class), and a world entry. This allows the three entries of
the permission bit mechanism (owner, group, and other) to also be considered
an ACL, and hence to be compatible with the POSIX.6-specified ACL interfaces.
Calls made to modify these three ACL entries also modify the corresponding
file permission bits. Likewise, calls made to modify the file permission
bits also modify the corresponding ACL entries. This two-way coupling is
intended to support backward compatibility with the large pool of existing
applications that use the interfaces to the file permission bit mechanism.
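The following model, added here as an illustration and not part of the original page or of any POSIX.6 implementation, puts the entry composition above (tag type, qualifier, permission set) and the coupling between the three mandatory entries and the permission bits into working code. The class and method names, the "no permissions" convention used to represent an explicit denial, and the sample uid/gid values are assumptions; the page does not prescribe an internal representation.

```python
"""Model of a POSIX.6-style ACL and its link to the file permission bits.
Added example (not the page's own code); names and the denial convention
are assumptions, the entry layout follows the page's description."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

class Tag(Enum):
    USER_OBJ = "user_obj"    # the file owner (file owner class)
    GROUP_OBJ = "group_obj"  # the owning group (file group class)
    USER = "user"            # a specific named user; qualifier is the uid
    GROUP = "group"          # a specific named group; qualifier is the gid
    OTHER = "other"          # all other users (world entry)

R, W, X = 4, 2, 1            # read, write, execute/search: the required minimum
MANDATORY = (Tag.USER_OBJ, Tag.GROUP_OBJ, Tag.OTHER)
NAMED = (Tag.USER, Tag.GROUP)

@dataclass(frozen=True)
class Entry:
    """One ACL entry: tag type, optional qualifier, and a permission set."""
    tag: Tag
    perms: int
    qualifier: Optional[int] = None

    def __post_init__(self) -> None:
        # A qualifier is meaningful only for named users/groups; the owner,
        # owning group and world entries are identified elsewhere (the inode).
        if self.tag in NAMED and self.qualifier is None:
            raise ValueError(f"{self.tag.value} entry needs a uid/gid qualifier")
        if self.tag not in NAMED and self.qualifier is not None:
            raise ValueError(f"{self.tag.value} entry carries no qualifier")
        if self.perms & ~(R | W | X):
            raise ValueError("only r, w and x permission bits are supported")

    def key(self) -> Tuple[Tag, Optional[int]]:
        return (self.tag, self.qualifier)

def perms_str(perms: int) -> str:
    """Render a permission set in the familiar rwx form."""
    return "".join(ch if perms & bit else "-" for ch, bit in (("r", R), ("w", W), ("x", X)))

class Acl:
    """ACL whose three mandatory entries are kept in step with the mode bits."""

    def __init__(self, mode: int) -> None:
        self.entries: Dict[Tuple[Tag, Optional[int]], Entry] = {}
        self.chmod(mode)  # the mode bits seed the three mandatory entries

    def chmod(self, mode: int) -> None:
        """Permission-bit change: rewrite the owner, owning-group and world entries."""
        for tag, shift in ((Tag.USER_OBJ, 6), (Tag.GROUP_OBJ, 3), (Tag.OTHER, 0)):
            self.set_entry(Entry(tag, (mode >> shift) & 0o7))

    def mode(self) -> int:
        """The permission bits are derived from the mandatory entries, so an
        ACL change to those entries is visible through the bit interface."""
        return (self.entries[(Tag.USER_OBJ, None)].perms << 6
                | self.entries[(Tag.GROUP_OBJ, None)].perms << 3
                | self.entries[(Tag.OTHER, None)].perms)

    def set_entry(self, entry: Entry) -> None:
        """Insert or replace an entry; named entries are unique per qualifier."""
        self.entries[entry.key()] = entry

    def deny(self, tag: Tag, qualifier: int) -> None:
        """Explicit denial for a named user or group: an entry with no permissions
        (assumed convention, matching the JRC/GROUP3 denial described on the page)."""
        if tag not in NAMED:
            raise ValueError("explicit denial applies to named users and groups")
        self.set_entry(Entry(tag, 0, qualifier))

    def remove_entry(self, tag: Tag, qualifier: Optional[int] = None) -> None:
        if tag in MANDATORY:
            raise ValueError(f"{tag.value} is a mandatory entry and cannot be removed")
        del self.entries[(tag, qualifier)]

    def to_text(self) -> str:
        """Display in a fixed order; the ACL's internal order is unspecified."""
        rank = {t: i for i, t in enumerate((Tag.USER_OBJ, Tag.USER, Tag.GROUP_OBJ, Tag.GROUP, Tag.OTHER))}
        lines = []
        for e in sorted(self.entries.values(), key=lambda e: (rank[e.tag], e.qualifier or 0)):
            q = "" if e.qualifier is None else str(e.qualifier)
            lines.append(f"{e.tag.value}:{q}:{perms_str(e.perms)}")
        return "\n".join(lines)

if __name__ == "__main__":
    acl = Acl(0o750)                          # constructed sample mode
    acl.set_entry(Entry(Tag.USER, R, 1001))   # grant one non-owner user read access
    acl.deny(Tag.GROUP, 3003)                 # explicitly deny a group (constructed gid)
    print(acl.to_text())
    print(oct(acl.mode()))
```

Granting read access to uid 1001 leaves `mode()` unchanged, because named entries have no counterpart among the permission bits, while changing the owner, owning-group or world entry changes the bits immediately and `chmod` rewrites exactly those three entries and nothing else; that is the compatibility property the text describes.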
John Barkley
Fri Oct 7 16:17:21 EDT 1994