Access Control List
A list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. It's a fundamental concept in computer security for managing resource access.
Origin: 1960s
Definitions
In Filesystems
In the context of a computer's filesystem, an Access Control List is a table of permissions associated with a file or directory. It specifies which users or groups are granted or denied specific access rights.
Key Concepts:
- ACE (Access Control Entry): Each entry in an ACL is an ACE. It typically contains a user/group identifier and the specific permissions (e.g., read, write, execute) granted or denied to that identifier.
- Granularity: ACLs provide more granular control than traditional Unix-style permissions (owner, group, other). For example, you can grant read access to User A, write access to User B, and full control to Group C, all on the same file.
Example:
An ACL for a file named report.docx might look like this:
user:alice:read,write (Alice can read and write)
user:bob:read (Bob can only read)
group:managers:read,write (Anyone in the managers group can read and write)
user:charlie:deny (Charlie is explicitly denied all access)
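The following is an added example, not part of the original page, showing how an ACL like the one above is evaluated: each line is parsed into an ACE, and a request is checked against the matching entries. The `kind:name:permissions` text format and the rule that an explicit deny always beats a grant are assumptions of this example; real implementations differ (POSIX ACLs have no deny entries at all, and Windows evaluates ACEs in list order), so the same report.docx list can produce different answers on different systems.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed sample ACL, mirroring the report.docx entries shown above.
SAMPLE_ACL = """
user:alice:read,write
user:bob:read
group:managers:read,write
user:charlie:deny
"""

ALL_PERMISSIONS = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: a principal and the permissions it grants or denies."""
    kind: str                    # "user" or "group"
    name: str                    # principal identifier
    permissions: FrozenSet[str]  # operations this entry covers
    deny: bool = False           # True for an explicit-deny entry


def parse_acl(text: str) -> List[ACE]:
    """Parse 'kind:name:perm,perm' or 'kind:name:deny[:perm,perm]' lines into ACEs."""
    entries: List[ACE] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3 or parts[0] not in ("user", "group"):
            raise ValueError(f"malformed ACE: {line!r}")
        kind, name, spec = parts[0], parts[1], parts[2]
        if spec == "deny":
            # Bare "deny" denies everything; an optional fourth field narrows it
            # to specific operations (a convention assumed by this example).
            perms = frozenset(parts[3].split(",")) if len(parts) > 3 else ALL_PERMISSIONS
            entries.append(ACE(kind, name, perms, deny=True))
        else:
            perms = frozenset(p for p in spec.split(",") if p)
            entries.append(ACE(kind, name, perms))
        unknown = entries[-1].permissions - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permission(s) {sorted(unknown)} in {line!r}")
    return entries


def _applies_to(ace: ACE, user: str, groups: FrozenSet[str]) -> bool:
    return ace.name == user if ace.kind == "user" else ace.name in groups


def check_access(acl: List[ACE], user: str, groups: Iterable[str], operation: str) -> bool:
    """Decide whether `user` (a member of `groups`) may perform `operation`.

    An explicit deny that matches the user or one of their groups always wins,
    even when another entry grants the operation; with no matching grant the
    default is deny.
    """
    member_of = frozenset(groups)
    granted = False
    for ace in acl:
        if operation not in ace.permissions or not _applies_to(ace, user, member_of):
            continue
        if ace.deny:
            return False  # explicit deny overrides any grant
        granted = True
    return granted


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who, grp, op in [("alice", [], "write"), ("bob", [], "write"),
                         ("dana", ["managers"], "write"), ("charlie", ["managers"], "read")]:
        print(f"{who:8} {op:6} -> {'allow' if check_access(acl, who, grp, op) else 'deny'}")
```

The interesting case is Charlie: even if he were added to the managers group, the explicit deny entry still blocks him, which is exactly the granularity the entry-per-principal model buys over plain owner/group/other bits.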
In Networking
In networking, an Access Control List is a set of rules applied to router or firewall interfaces to control network traffic. It acts as a filter, permitting or denying packets based on defined criteria. This is a fundamental tool for network security.
Key Concepts:
- Packet Filtering: ACLs inspect packet headers for information like source IP address, destination IP address, protocol (TCP, UDP, ICMP), and port numbers.
- Rule Order: The rules in a network ACL are processed sequentially from top to bottom. Once a packet matches a rule, the specified action (permit or deny) is taken, and no further rules are checked.
- Implicit Deny: Most network ACLs have an invisible 'deny all' rule at the very end. If a packet doesn't match any of the preceding rules, it is dropped.
Example: A simple network ACL on a router might have these rules:
permit tcp any host 192.168.1.100 eq 80 (Allow any source to access the web server at 192.168.1.100 on port 80)
deny tcp any any eq 23 (Block all Telnet traffic)
permit ip any any (Allow all other IP traffic)
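As an added example (not from the original page or from any router vendor), here is a small packet-filter evaluator that applies the three key concepts above to the rule set just shown: header fields are matched against each rule, rules are tried top to bottom with the first match deciding, and a packet that matches nothing falls through to the implicit deny. It also illustrates the implicit-deny answer in the FAQ further down. The parser accepts only a simplified subset of Cisco-style extended ACL syntax (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, and the `eq PORT` qualifier); that subset, the `Packet` shape and all addresses are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed rule set: the same three rules as the router example above.
SAMPLE_RULES = """
permit tcp any host 192.168.1.100 eq 80
deny tcp any any eq 23
permit ip any any
"""

AddrSpec = Tuple[int, int]  # (network as int, Cisco-style wildcard mask as int)
ANY_ADDR: AddrSpec = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: AddrSpec
    sport: Optional[int]     # None = any source port
    dst: AddrSpec
    dport: Optional[int]     # None = any destination port
    text: str                # original line, for reporting which rule fired


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY_ADDR, i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Read an optional 'eq PORT' at tokens[i]; only 'eq' is supported here."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in rule: {line!r}")
        rules.append(Rule(t[0], t[1], src, sport, dst, dport, line))
    return rules


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    net, wildcard = spec
    mask = ~wildcard & 0xFFFFFFFF      # a set wildcard bit means "don't care"
    return (int(IPv4Address(addr)) & mask) == (net & mask)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, text of the matching rule); first match wins, implicit deny otherwise."""
    for rule in rules:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not _addr_matches(rule.src, pkt.src) or not _addr_matches(rule.dst, pkt.dst):
            continue
        if rule.sport is not None and rule.sport != pkt.sport:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, rule.text
    return "deny", None  # the invisible 'deny all' at the end of every list


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pkt in [Packet("tcp", "10.0.0.5", "192.168.1.100", 51000, 80),
                Packet("tcp", "10.0.0.5", "192.168.1.100", 51000, 23),
                Packet("udp", "10.0.0.5", "192.168.1.100", 51000, 53)]:
        print(pkt, "->", evaluate(rules, pkt))
```

Evaluating the list with its final `permit ip any any` removed is the quickest way to see the implicit deny: the same UDP packet that the full list permits is dropped with no rule having matched, which is why a missing catch-all is the first thing to check when a new ACL breaks traffic nobody meant to block.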
Origin & History
Etymology
The term is a straightforward combination of 'Access Control' (the selective restriction of access to a resource) and 'List' (a collection of items). It literally describes a list that controls access.
Historical Context
The concept of an **Access Control List** emerged in the 1960s with the development of multi-user, time-sharing operating systems like Multics. These systems needed a way to protect users' files from one another. Early systems used a simpler model, often just owner, group, and world permissions (like in early Unix). The **ACL** model, introduced by systems like Multics, provided a more granular and flexible way to define permissions for multiple specific users and groups on a single object. In the 1980s and 1990s, **ACLs** became a standard feature in networking devices like routers and firewalls to control the flow of data packets across networks. Cisco IOS, for example, heavily popularized the use of network **ACLs**. Modern operating systems like Windows NT, macOS, and Linux have long supported sophisticated filesystem **ACLs**, extending the traditional Unix permission model to offer more precise control over file and directory access.
Usage Examples
The system administrator configured the file server's Access Control List to ensure that only members of the finance department could access the quarterly reports.
To enhance network security, the network engineer added a new rule to the router's ACL to block incoming traffic from a known malicious IP address.
I can't access that folder; I think my user account isn't on the Permission List for it.
Frequently Asked Questions
What is the primary difference between a filesystem ACL and a network ACL?
A filesystem Access Control List determines which users can perform actions (like read, write, execute) on a specific file or directory. A network ACL, typically found on routers or firewalls, filters network traffic by defining rules that permit or deny packets based on criteria like source/destination IP addresses, ports, and protocols.
What happens if a user's request doesn't match any rule in an ACL?
Most Access Control List implementations have an implicit 'deny all' rule at the end: if a request does not explicitly match any 'permit' or 'allow' rule in the list, it is denied by default. This default-deny behaviour is a security best practice that supports the principle of least privilege.