ACL - aryanjoshi0823/5143-Operating-System GitHub Wiki

Access Control List (ACL) in File Systems

An Access Control List (ACL) is a security mechanism that specifies which users or system processes can access specific resources, such as files or directories, and defines the types of operations they can perform. ACLs provide fine-grained permissions that go beyond traditional file permission schemes like those found in Unix-like operating systems, which typically use rwx (read, write, execute) permissions for only the owner, group, and others.


Key Components of ACL

  1. Subjects: Entities such as users, groups, or processes that request access to a resource.
  2. Objects: Resources such as files, directories, or devices that are being accessed.
  3. Permissions: The actions allowed on the object, such as read, write, execute, or delete.

Each entry in an ACL defines a rule that associates a subject with specific permissions on an object. These entries are often referred to as Access Control Entries (ACEs).


How ACLs Work in File Systems

  1. File and Directory Permissions

    • ACLs are applied to files and directories, specifying what each user or group can do with them.
    • When a user or process attempts to access a file, the operating system checks the ACL to determine if the requested operation is allowed.
  2. Hierarchical Evaluation

    • The entries of an ACL are evaluated in order, and the first entry that matches the requesting subject and the requested operation determines the result; because of this, the position of a deny entry relative to an allow entry for the same subject matters.
    • If no entry matches, access is denied by default.
  3. Inheritance

    • In some file systems, directories can have default ACLs, which are inherited by newly created files and subdirectories.
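To make the evaluation and inheritance rules above concrete, here is an added Python model of an ACL (example code written for this page, not code from the original wiki or from any operating system): entries are evaluated in order, the first match decides, no match means deny, and a new object inherits its directory's default ACL. The `user:<name>`/`group:<name>` subject format, the permission names, and the sample entries and principals are all constructed for the example.

```python
from dataclasses import dataclass

PERMS = ("read", "write", "execute", "delete")   # permission vocabulary of this model

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: a subject and the permissions it allows or denies."""
    subject: str          # "user:<name>" or "group:<name>" (constructed convention)
    perms: frozenset      # subset of PERMS this entry covers
    allow: bool = True    # False makes this a deny entry

@dataclass(frozen=True)
class Principal:
    """The subject requesting access: a user plus the groups it belongs to."""
    user: str
    groups: frozenset

    def matches(self, subject: str) -> bool:
        kind, name = subject.split(":", 1)
        return (kind == "user" and name == self.user) or \
               (kind == "group" and name in self.groups)

def check_access(acl, principal, requested):
    """Ordered, first-match evaluation: the first ACE that matches the principal
    and covers the requested permission decides; no matching ACE means deny."""
    for ace in acl:
        if principal.matches(ace.subject) and requested in ace.perms:
            return ace.allow
    return False

def effective_perms(acl, principal):
    """Every permission the principal ends up holding under this ACL."""
    return {p for p in PERMS if check_access(acl, principal, p)}

def inherit_default(directory_default_acl, explicit=()):
    """Default-ACL inheritance: a new object starts with a copy of its directory's default ACL plus any explicit entries."""
    return list(directory_default_acl) + list(explicit)

# Constructed sample ACL: the deny entry is listed first so it wins over the later group allow.
DEMO_ACL = [
    ACE("user:bob", frozenset({"write"}), allow=False),
    ACE("user:alice", frozenset({"read"})),
    ACE("group:devs", frozenset({"read", "write"})),
]
# Same entries with the deny moved last: the group allow now shadows it for bob.
MISORDERED_ACL = DEMO_ACL[1:] + DEMO_ACL[:1]
ALICE = Principal("alice", frozenset({"devs"}))   # alice is in devs
BOB = Principal("bob", frozenset({"devs"}))       # bob is in devs too
CAROL = Principal("carol", frozenset())           # carol matches no entry
```

Comparing `check_access(DEMO_ACL, BOB, "write")` with `check_access(MISORDERED_ACL, BOB, "write")` shows why the order of entries, not just their content, decides the outcome.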

Types of ACLs

  1. Discretionary Access Control List (DACL)

    • Defines explicit permissions for users and groups.
    • Example: A DACL for a file might grant read access to User A, write access to Group B, and deny all access to others.
  2. System Access Control List (SACL)

    • Used for auditing and logging access attempts.
    • Specifies what types of access attempts (successful or failed) should be recorded in security logs.

Implementation in Different File Systems

1. POSIX ACLs (Linux and Unix-like systems)

  • Extends traditional rwx permissions with additional rules.
  • Commands:
    • getfacl to view ACLs.
    • setfacl to modify ACLs.
  • Example:
    setfacl -m u:username:rwx file.txt  # Grants rwx to a specific user
    getfacl file.txt                    # Displays ACLs for the file

2. NTFS ACLs (Windows)

  • ACLs are a core feature of the NTFS file system.
  • Permissions can be set via the File Properties Security tab or programmatically.
  • Example:
    • Allow read access to a specific user:
      icacls file.txt /grant username:R

3. Network File Systems (NFS and SMB)

  • Support ACLs for shared files.
  • Example: NFSv4 uses ACLs that are viewed and modified with nfs4_getfacl and nfs4_setfacl.

4. Modern File Systems (ZFS, APFS, ext4)

  • Provide robust ACL support with advanced inheritance and compatibility with POSIX standards.

Advantages of ACLs

  1. Granularity: Fine-tuned control over file and directory access.
  2. Flexibility: Permissions can be assigned to specific users or groups without altering the system-wide structure.
  3. Inheritance: Simplifies managing permissions for hierarchical file structures.
  4. Auditing: With SACLs, administrators can monitor access attempts for security purposes.