
Access Control Lists - Chennai Mathematical Institute


Academic year: 2024


Introduction General Overview Defaults and Access Check Algorithm ACL Functions Implementing ACLs in Linux References

Access Control Lists

Prakash Chandrasekaran

Microsoft Research India (on leave from Chennai Mathematical Institute)

http://www.cmi.ac.in/~prakash

ISEA, IMSc, 22 May 2006

This presentation is licensed under the Free Documentation License. Permission is granted to copy, distribute, and/or modify this document provided this copyright notice and the acknowledgement and reference slides are retained.

Copyright © 2006, Prakash Chandrasekaran. All Rights Reserved.

Prakash Chandrasekaran Access Control Lists


Acknowledgements

Thanks to all the authors - whose works I have made use of - (see references) for making their work available free online. Many portions of this presentation (being definitions) have been copied as is, from various sources.


Outline

1 Introduction
   POSIX Standards
   Why ACL
   Not the Silver Bullet
   Terminology

2 General Overview

3 Defaults and Access Check Algorithm

4 ACL Functions

5 Implementing ACLs in Linux

6 References


Definition (ACL)

The access control list (ACL) is a concept in computer security used to enforce privilege separation.

The list is a data structure, usually a table, containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file.

The privileges or permissions determine specific access rights, such as whether a user can read from, write to or execute an object. In some implementations it can also control whether or not a user, or group of users, may alter the ACL on an object.


An ACL is a means of determining the appropriate access rights to a given object depending on certain aspects of the process that is making the request.

(Principally the process’s user identity (in POSIX, effective UID).)


In the networking world

In networking, the term Access Control List (ACL) refers to a list of ports and services that are available on a host, each with a list of hosts and/or networks permitted to use the service.

Both individual servers as well as routers can have access lists.

Access lists are used to control both inbound and outbound traffic, and in this context they are similar to firewalls.


POSIX Standards

The ACL is a concept with several different implementations in various operating systems, although there is a POSIX "standard".

The POSIX security drafts, .1e and .2c, were withdrawn when it became clear their scope was too wide and the work would not complete.

But the well-developed parts defining ACLs have been widely implemented and are known as "POSIX ACLs".

Most ACL implementations on UNIX are based on 1003.1e draft 17 or earlier (POSIX.1e).


Why ACLs?

Problem

Users A, B, and C belong to group G. A has a file to which (s)he wants to give B full access, but C only read permission.

To solve problems like the one above, we need fine-grained access control that specifies permissions for each user.

Almost all modern operating systems have an implementation of ACLs.


ACL - not the silver bullet

ACLs cannot implement all of the security measures that one might wish to have on all systems.

A fine-grained capability-based operating system may be a better approach, with the authority transferred from the objects being accessed to the objects seeking access - allowing for much finer-grained control.


Terminology

access: A specific type of interaction between a process and an object that results in a flow of information from one to the other.

access control: The prevention of unauthorized access to objects by processes.

access control list (ACL): A discretionary access control entity associated with an object.

access control policy: A set of rules by which a user's authorization to access an object is determined.


audit: The process of capturing, storing, analyzing and maintaining data concerning security-related activities.

availability: The property of an object being accessible and usable by an authorized user on demand.

capability: An attribute of a process that is included in the determination of whether or not a process has the privilege to perform a specific action.


discretionary access control (DAC): A means of restricting access to objects based on the identity of the user, process, and/or groups to which the objects belong. The controls are discretionary in the sense that the subjects are able to pass on the permissions to others.


MAC label: The representation of a security attribute of an object that represents the object's sensitivity and is used for mandatory access control decisions.

mandatory access control (MAC): A means of restricting and permitting access to objects based on an implementation-defined security policy using MAC labels. The restrictions are mandatory in the sense that they are always imposed by the system.


principle of least privilege: A security design principle that states that a subject can be granted only those privileges necessary to accomplish its legitimate function, and only for the time that such privileges are actually required.


required ACL entries: The three ACL entries that must exist in every valid ACL: one each for the owner, owning group, and other users (not specifically enumerated in the ACL).


Outline

1 Introduction

2 General Overview
   Access/Default ACLs
   Reading/Writing ACLs
   ACL Entry Composition
   Standard ACL Tag Types
   Constraints on ACLs
   ACLs and File Permission Bits

3 Defaults and Access Check Algorithm

4 ACL Functions

5 Implementing ACLs in Linux

6 References


Access/Default ACLs

access ACL: Every object can be thought of as having associated with it an ACL that governs the discretionary access to that object; this ACL is referred to as an access ACL.

default ACL: A directory may have an associated ACL that governs the initial access ACL for objects created within that directory; this ACL is referred to as a default ACL.


Reading/Writing ACLs

The order of internal storage of entries within an ACL does not affect the order of evaluation.

In order to read an ACL from an object, a process must have read access to the object's attributes.

In order to update an ACL on an object, a process must have write access to the object's attributes.


ACL Entry Composition

An ACL entry contains, at a minimum, three distinct pieces of information:

tag type: specifies the type of ACL entry.

qualifier: specifies an instance of an ACL entry tag type.

permissions set: specifies the discretionary access rights for processes identified by the tag type and qualifier.

Example (some valid tag types)

ACL_GROUP: denotes discretionary access rights for processes whose effective/supplementary group ID matches the qualifier.

ACL_GROUP_OBJ: denotes discretionary access rights for processes whose effective/supplementary group ID matches the group ID of the file.


Standard ACL Tag Types

ACL_GROUP: denotes discretionary access rights for processes whose effective/supplementary group ID matches the qualifier.

ACL_GROUP_OBJ: denotes discretionary access rights for processes whose effective/supplementary group ID matches the group ID of the file.

ACL_MASK: denotes the maximum discretionary access rights that can be granted to a process in the file group class.

ACL_OTHER: denotes the maximum discretionary access rights for processes whose attributes do not match any other entry in the ACL.

ACL_USER: denotes the maximum discretionary access rights for processes whose effective user ID matches the ACL qualifier.

ACL_USER_OBJ: denotes the maximum discretionary access rights for processes whose effective user ID matches the user ID of the owner of the file.


Constraints on ACLs

An ACL shall contain exactly one entry for each of the ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER tag types.

ACL entries with ACL_GROUP and ACL_USER tag types shall appear zero or more times in an ACL.

A conforming implementation shall support the maximum number of entries in an ACL, as defined by the value of _POSIX_ACL_PATH_MAX, on a non-empty set of objects.


Some more definitions

Definition (Minimum ACL)

An ACL that contains only the required ACL entries (ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER) is called a minimum ACL.

Definition (Extended ACL)

An ACL which is not a minimum ACL is called an extended ACL.


Constraints on ACLs (cont’d.)

An ACL that contains ACL_GROUP, ACL_USER, or implementation-defined ACL entries in the file group class shall contain exactly one ACL_MASK entry.

If an ACL does not contain ACL_GROUP, ACL_USER, or implementation-defined ACL entries in the file group class, then the ACL_MASK entry shall be optional.
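The constraints and the minimum/extended definitions above can be checked mechanically. The following is an added example, not part of the original slides: it assumes ACLs written in the short text form printed by getfacl(1) (`user::rw-,user:alice:r--,...`), and the sample ACLs and the user name `alice` are constructed.

```python
import re
from collections import Counter

REQUIRED = ("ACL_USER_OBJ", "ACL_GROUP_OBJ", "ACL_OTHER")
ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])$")


def parse_acl(text):
    """Turn 'user::rw-,user:alice:r--,...' into (tag, qualifier, perms) tuples."""
    entries = []
    for item in text.split(","):
        match = ENTRY.match(item.strip())
        if match is None:
            raise ValueError(f"malformed ACL entry: {item!r}")
        kind, qualifier, perms = match.groups()
        if kind in ("user", "group"):
            # An empty qualifier means the file owner or the owning group.
            tag = f"ACL_{kind.upper()}" + ("" if qualifier else "_OBJ")
        elif qualifier:
            raise ValueError(f"{kind} entries take no qualifier: {item!r}")
        else:
            tag = "ACL_" + kind.upper()
        entries.append((tag, qualifier or None, perms))
    return entries


def check_acl(entries):
    """Return ('minimum' or 'extended', list of constraint violations)."""
    counts = Counter(tag for tag, _, _ in entries)
    violations = []
    for tag in REQUIRED:
        if counts[tag] != 1:
            violations.append(f"{tag}: need exactly one entry, found {counts[tag]}")
    named = counts["ACL_USER"] + counts["ACL_GROUP"]
    if named and counts["ACL_MASK"] != 1:
        violations.append(
            f"ACL_MASK: {named} named entries need exactly one mask, "
            f"found {counts['ACL_MASK']}")
    elif counts["ACL_MASK"] > 1:
        violations.append(f"ACL_MASK: at most one entry, found {counts['ACL_MASK']}")
    is_minimum = all(tag in REQUIRED for tag, _, _ in entries)
    return ("minimum" if is_minimum else "extended"), violations


# Constructed sample ACLs, not taken from a real system.
SAMPLES = {
    "minimum": "user::rw-,group::r--,other::---",
    "extended_ok": "user::rw-,user:alice:rw-,group::r--,mask::rw-,other::---",
    "missing_mask": "user::rw-,user:alice:rw-,group::r--,other::---",
    "two_group_obj": "user::rw-,group::r--,group::r-x,other::---",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_acl(parse_acl(text)))
```

An ACL that carries only a mask besides the three required entries is valid but already counts as extended, because it is no longer a minimum ACL.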


Minimum set of permissions

The set of discretionary access permissions shall, at a minimum, include: read, write, execute/search.

Additional permissions may be added and shall be implementation-defined.


ACLs and File Permission Bits

ACL interfaces extend the file permission bit interfaces to provide a finer granularity of access control.

The file permission bits shall correspond to three entries in an ACL:

file owner class permission corresponds to the ACL_USER_OBJ entry.

file group class permission corresponds to the ACL_GROUP_OBJ entry, or to the ACL_MASK entry if the ACL contains one.

file other class permission corresponds to the ACL_OTHER entry.

The above correspondence shall be maintained whenever the file permission bits are modified.
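A small model of this correspondence, added here as an example and not taken from the original slides: it derives the permission bits from an ACL, applies a chmod-style update, and shows the rights a file group class entry keeps once the mask is applied. The ACL is modelled as a dict from (tag, qualifier) to a 3-bit rwx value; the function names, the user `alice` and the sample ACLs are constructed.

```python
USER_OBJ, GROUP_OBJ = ("ACL_USER_OBJ", None), ("ACL_GROUP_OBJ", None)
MASK, OTHER = ("ACL_MASK", None), ("ACL_OTHER", None)
# Tag types that belong to the file group class and are capped by ACL_MASK.
GROUP_CLASS_TAGS = ("ACL_USER", "ACL_GROUP_OBJ", "ACL_GROUP")


def group_class_key(acl):
    """Entry behind the group permission bits: ACL_MASK if present, else ACL_GROUP_OBJ."""
    return MASK if MASK in acl else GROUP_OBJ


def mode_bits(acl):
    """File permission bits (owner, group, other) that correspond to this ACL."""
    return (acl[USER_OBJ] << 6) | (acl[group_class_key(acl)] << 3) | acl[OTHER]


def chmod(acl, mode):
    """Return a copy of the ACL after changing the permission bits to `mode`."""
    updated = dict(acl)
    updated[USER_OBJ] = (mode >> 6) & 7
    updated[group_class_key(acl)] = (mode >> 3) & 7  # the mask, when there is one
    updated[OTHER] = mode & 7
    return updated


def effective(acl, key):
    """Rights an entry actually grants: group class entries are capped by the mask."""
    perms = acl[key]
    if key[0] in GROUP_CLASS_TAGS and MASK in acl:
        perms &= acl[MASK]
    return perms


# Constructed sample ACLs (4 = r, 2 = w, 1 = x).
ALICE = ("ACL_USER", "alice")
EXTENDED = {USER_OBJ: 6, ALICE: 6, GROUP_OBJ: 4, MASK: 6, OTHER: 0}
MINIMUM = {USER_OBJ: 6, GROUP_OBJ: 4, OTHER: 0}

if __name__ == "__main__":
    print(oct(mode_bits(EXTENDED)))            # group bits show the mask, not group::r--
    tightened = chmod(EXTENDED, 0o640)
    print(tightened[ALICE], effective(tightened, ALICE))
```

On the extended ACL the group bits report the mask (rw-) even though the owning group holds only r--, and changing the group bits rewrites the mask, which caps every named entry without editing it.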


Outline

1 Introduction

2 General Overview

3 Defaults and Access Check Algorithm
Default ACLs
Initial access permissions
Access check algorithm

4 ACL Functions

5 Implementing ACLs in Linux

6 References


Default ACLs

A default ACL is an additional ACL which may be associated with a directory, but has no operational effect on the discretionary access on that directory.

If there is a default ACL, then it shall be used to initialize the access ACL for any object created in that directory.

Newly created directories shall inherit their parent's default ACL.

A default ACL has the same minimum requirements and constraints as an access ACL.

Entries within a default ACL are manipulated using the same interfaces as those used for an access ACL.

If a default ACL does not exist on a directory, then any implementation-defined defaults may be applied.


Initial access permissions

When an object is created, its access ACL is always initialized.

The initial access ACL is determined using:

the mode parameter passed to the functions which can create objects: creat(), mkdir(), mkfifo() and open().

the default ACL may be used by the owner of a directory to specify the maximum discretionary access permissions to be associated with objects created within that directory.
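How the two inputs combine, as an added example that is not part of the original slides. It assumes the rule documented for Linux in acl(5): with a default ACL, the new access ACL is a copy of it in which the owner, mask (or owning group, if there is no mask) and other entries keep only the permissions also present in the mode parameter, and the umask is ignored; without a default ACL, the mode and umask alone decide. The function name, the user `alice` and the sample default ACL are constructed.

```python
USER_OBJ, GROUP_OBJ = ("ACL_USER_OBJ", None), ("ACL_GROUP_OBJ", None)
MASK, OTHER = ("ACL_MASK", None), ("ACL_OTHER", None)


def initial_acls(parent_default, mode, umask=0o022, is_dir=False):
    """Return (access_acl, default_acl) for an object created with `mode`.

    ACLs are dicts mapping (tag, qualifier) to a 3-bit rwx value;
    `parent_default` is the parent directory's default ACL, or None.
    """
    if parent_default is None:
        # No default ACL: a minimum ACL built from the mode and the umask.
        masked = mode & ~umask
        access = {
            USER_OBJ: (masked >> 6) & 7,
            GROUP_OBJ: (masked >> 3) & 7,
            OTHER: masked & 7,
        }
        return access, None

    # Default ACL present: copy it, then let the mode cap the three entries
    # that correspond to the permission bits. The umask plays no part here.
    access = dict(parent_default)
    group_key = MASK if MASK in access else GROUP_OBJ
    access[USER_OBJ] &= (mode >> 6) & 7
    access[group_key] &= (mode >> 3) & 7
    access[OTHER] &= mode & 7

    # Only a new directory carries the default ACL on to its own children.
    inherited = dict(parent_default) if is_dir else None
    return access, inherited


# Constructed default ACL on a shared directory (4 = r, 2 = w, 1 = x).
ALICE = ("ACL_USER", "alice")
DEFAULT = {USER_OBJ: 7, ALICE: 7, GROUP_OBJ: 5, MASK: 7, OTHER: 0}

if __name__ == "__main__":
    print(initial_acls(DEFAULT, 0o666))               # ordinary file
    print(initial_acls(DEFAULT, 0o600))               # creator asked for a private file
    print(initial_acls(DEFAULT, 0o777, is_dir=True))  # subdirectory
    print(initial_acls(None, 0o666))                  # parent has no default ACL
```

A file created with mode 0600 under this default ACL still lists `alice` with rwx, but its mask is empty, so the entry grants nothing: the default ACL is an upper bound, never a floor.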
