Access Control List
2013-04-02 09:31
295 views
source: http://en.wikipedia.org/wiki/Access_control_list
An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations
are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.
ACL-based security models
When a subject requests an operation on an object in an ACL-based security model, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security
model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access. ACL models may be applied to collections of objects as well as to individual entities within the system's hierarchy.
Filesystem ACLs
A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft
Windows NT, OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object.
In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
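The check-then-act model described under "ACL-based security models" above, together with the note that an entry may govern who is allowed to alter the ACL itself, as an added example (this is not text or code from the Wikipedia article, nor any operating system's implementation). Entries are (subject, operation) pairs exactly like the article's (Alice, delete); the object, user and operation names are constructed, and "modify_acl" is a hypothetical meta-operation that gates editing of the list:

```python
"""Added example (not the Wikipedia article's text or any OS's code): a
minimal ACL-based authorization model. Each entry is a (subject, operation)
pair, as in the article's (Alice, delete), and the right to edit an object's
ACL is itself an operation in the list. Object, user and operation names are
constructed; "modify_acl" is a hypothetical meta-operation."""

from dataclasses import dataclass, field


@dataclass
class AclObject:
    name: str
    owner: str
    entries: set = field(default_factory=set)  # {(subject, operation), ...}

    def is_authorized(self, subject: str, operation: str) -> bool:
        """Default deny: only an explicit matching entry grants the operation."""
        return (subject, operation) in self.entries

    def _may_edit(self, editor: str) -> bool:
        # Assumption for this model: the owner and holders of an explicit
        # "modify_acl" entry may change the list; nobody else can.
        return editor == self.owner or self.is_authorized(editor, "modify_acl")

    def grant(self, editor: str, subject: str, operation: str) -> None:
        """Add an entry, but only if the editor is allowed to edit this ACL."""
        if not self._may_edit(editor):
            raise PermissionError(f"{editor} may not edit the ACL of {self.name}")
        self.entries.add((subject, operation))

    def revoke(self, editor: str, subject: str, operation: str) -> None:
        """Remove an entry under the same editing rule as grant()."""
        if not self._may_edit(editor):
            raise PermissionError(f"{editor} may not edit the ACL of {self.name}")
        self.entries.discard((subject, operation))


def demo() -> dict:
    """Walk through grants and checks on a constructed object; returns the outcomes."""
    report = AclObject("report.txt", owner="alice")
    report.grant("alice", "alice", "delete")  # the article's (Alice, delete)
    report.grant("alice", "bob", "read")
    results = {
        "alice_delete": report.is_authorized("alice", "delete"),
        "bob_read": report.is_authorized("bob", "read"),
        "bob_delete": report.is_authorized("bob", "delete"),
    }
    # Bob holds no "modify_acl" entry, so he cannot widen his own rights.
    try:
        report.grant("bob", "bob", "delete")
        results["bob_self_grant"] = True
    except PermissionError:
        results["bob_self_grant"] = False
    # Once the owner delegates ACL editing, Bob's grants take effect.
    report.grant("alice", "bob", "modify_acl")
    report.grant("bob", "carol", "read")
    results["carol_read_after_delegation"] = report.is_authorized("carol", "read")
    # Revoking the delegation closes the door again.
    report.revoke("alice", "bob", "modify_acl")
    try:
        report.grant("bob", "bob", "delete")
        results["bob_self_grant_after_revoke"] = True
    except PermissionError:
        results["bob_self_grant_after_revoke"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that the rule for editing the list is evaluated by the same `is_authorized` check as every other operation, so the question the article raises (who may modify the ACL) is answered by the ACL itself rather than by code outside it.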
Most Unix and Unix-like operating systems (e.g. Linux, BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for example AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with the ZFS
filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACL support for the ext3 filesystem and the more recent Richacls, which brings NFSv4 ACL support to ext4.
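The POSIX.1e ACLs mentioned above are evaluated in a fixed order (owner, then named user, then owning group and named groups, then other), and a mask entry caps every entry except the owner's and "other". The following is an added example modelling that order as documented in acl(5); it is not the article's text and not the kernel's code. It parses the numeric output format of getfacl(1) and reports effective access for constructed uids and gids, showing the common surprise that a named user listed with rwx is still limited to r-- by the mask:

```python
"""Added example (not the article's text, not the kernel's code): a model of
the POSIX.1e access-check order documented in acl(5), including the mask
entry that caps named-user, owning-group and named-group entries but never
the owner or "other". The getfacl-style text, uids and gids are constructed."""

from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # rwx permission bits


@dataclass
class PosixAcl:
    owner_uid: int
    owner_gid: int
    user_obj: int = 0                            # user::      owner's rights
    group_obj: int = 0                           # group::     owning group's rights
    other: int = 0                               # other::     everyone else
    users: dict = field(default_factory=dict)    # user:UID:   named users
    groups: dict = field(default_factory=dict)   # group:GID:  named groups
    mask: Optional[int] = None                   # mask::      present when named entries exist


def _bits(perms: str) -> int:
    return (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)


def parse_getfacl(text: str) -> PosixAcl:
    """Parse the numeric form of getfacl(1) output (getfacl --numeric)."""
    acl = PosixAcl(owner_uid=-1, owner_gid=-1)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner_uid = int(line.split(":", 1)[1])
        elif line.startswith("# group:"):
            acl.owner_gid = int(line.split(":", 1)[1])
        elif not line or line.startswith("#"):
            continue  # "# file:" header and blank lines
        else:
            # drop a trailing "#effective:..." annotation, then split tag:qualifier:perms
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")[:3]
            bits = _bits(perms)
            if tag == "user" and qualifier == "":
                acl.user_obj = bits
            elif tag == "user":
                acl.users[int(qualifier)] = bits
            elif tag == "group" and qualifier == "":
                acl.group_obj = bits
            elif tag == "group":
                acl.groups[int(qualifier)] = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
    return acl


def check(acl: PosixAcl, uid: int, gids: set, wanted: int) -> bool:
    """True if a process with this uid and group set holds every bit in wanted."""
    mask = 7 if acl.mask is None else acl.mask
    if uid == acl.owner_uid:                       # 1. owner: mask does not apply
        return (acl.user_obj & wanted) == wanted
    if uid in acl.users:                           # 2. named user: masked
        return (acl.users[uid] & mask & wanted) == wanted
    candidates = []                                # 3. owning group and named groups
    if acl.owner_gid in gids:
        candidates.append(acl.group_obj)
    candidates += [acl.groups[g] for g in gids if g in acl.groups]
    if candidates:                                 #    any granting (masked) entry suffices
        return any((c & mask & wanted) == wanted for c in candidates)
    return (acl.other & wanted) == wanted          # 4. everyone else: not masked


# Constructed getfacl --numeric output for a hypothetical file.
SAMPLE = """\
# file: report.txt
# owner: 1000
# group: 1000
user::rw-
user:1001:rwx\t\t#effective:r--
group::r--
group:2000:rw-\t\t#effective:r--
mask::r--
other::---
"""


def demo() -> dict:
    acl = parse_getfacl(SAMPLE)
    return {
        "owner_write": check(acl, 1000, {1000}, W),        # True: owner ignores the mask
        "named_user_read": check(acl, 1001, {3000}, R),    # True
        "named_user_write": check(acl, 1001, {3000}, W),   # False: rwx capped to r-- by mask
        "named_group_write": check(acl, 1500, {2000}, W),  # False: rw- capped to r--
        "owning_group_read": check(acl, 1600, {1000}, R),  # True
        "other_read": check(acl, 4000, {4000}, R),         # False: other is ---
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When auditing real ACLs, the "#effective:" annotations that getfacl prints are the quickest way to see this cap; the model above reproduces what they mean.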
Networking ACLs
On some types of proprietary computer hardware (in particular routers and switches), an access control list refers to rules that are applied to port numbers or IP addresses available on a host or other layer-3 device, each with a list of hosts and/or networks
permitted to use the service. Although it is also possible to configure access control lists based on network domain names, this is generally a questionable idea because individual TCP, UDP, and ICMP packets do not contain domain names. Consequently,
the device enforcing the access control list must separately resolve names to numeric addresses, which presents an additional attack surface to an attacker seeking to compromise the system the access control list is protecting. Both
individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs are subject to security regulations
and standards such as PCI DSS.
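An ordered, first-match network ACL of the kind described above, applied separately to inbound and outbound traffic, as an added example (not the article's text and not any vendor's ACL syntax). Rules match only on the numeric fields a packet actually carries (protocol, source and destination networks, destination port), which is the reason the article gives for not keying rules on domain names, and the list ends with an implicit deny as on most routers. All addresses, rules and packets are constructed:

```python
"""Added example (not the article's text, not any vendor's ACL syntax): an
ordered, first-match network ACL applied per direction over constructed
packets. Rules match only on numeric fields (protocol, source and destination
networks, destination port), which is what an individual packet carries, and
the list ends with an implicit deny. All addresses and rules are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    direction: str                    # "in" or "out"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[range] = None     # None matches any port (ICMP has none)


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dport is not None and (pkt.dport is None or pkt.dport not in rule.dport):
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First matching rule wins; falling off the end is an implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


N = ipaddress.ip_network   # shorthand for readability
A = ipaddress.ip_address

# Constructed ACL protecting a hypothetical server subnet 10.0.0.0/24.
# Order matters: the explicit deny for 192.0.2.0/24 sits before the SSH permit.
ACL = [
    Rule("permit", "in", "tcp", N("0.0.0.0/0"), N("10.0.0.0/24"), range(443, 444)),
    Rule("deny", "in", "tcp", N("192.0.2.0/24"), N("0.0.0.0/0"), range(22, 23)),
    Rule("permit", "in", "tcp", N("10.0.1.0/24"), N("10.0.0.0/24"), range(22, 23)),
    Rule("permit", "in", "icmp", N("0.0.0.0/0"), N("10.0.0.0/24")),
    Rule("permit", "out", "tcp", N("10.0.0.0/24"), N("0.0.0.0/0"), range(443, 444)),
]


def demo() -> dict:
    """Evaluate constructed packets; returns name -> (action, matching rule index)."""
    packets = {
        "https_from_internet": Packet("in", "tcp", A("198.51.100.7"), A("10.0.0.5"), 443),
        "ssh_from_blocked_net": Packet("in", "tcp", A("192.0.2.9"), A("10.0.0.5"), 22),
        "ssh_from_mgmt": Packet("in", "tcp", A("10.0.1.3"), A("10.0.0.5"), 22),
        "ping_from_internet": Packet("in", "icmp", A("198.51.100.7"), A("10.0.0.5")),
        "port_8080_from_internet": Packet("in", "tcp", A("198.51.100.7"), A("10.0.0.5"), 8080),
        "https_outbound": Packet("out", "tcp", A("10.0.0.5"), A("198.51.100.7"), 443),
        "smtp_outbound": Packet("out", "tcp", A("10.0.0.5"), A("198.51.100.7"), 25),
    }
    return {name: evaluate(ACL, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, index) in demo().items():
        print(f"{name:26s} {action:6s} rule={index}")
```

Returning the index of the matching rule alongside the verdict is the habit worth keeping when reviewing an ACL: it makes ordering mistakes (a broad permit placed above a narrow deny) visible in the output rather than only in the verdict.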