Access Control Lists (ACLs) allow you to regulate the access of processes and users to certain computer objects, such as files or registries. With them, only authorized users can access certain resources.
What is an Access Control List?
Access Control Lists are one form of access control, alongside models such as Mandatory Access Control or Role-Based Access Control. Basically, ACLs are regulatory frameworks. They are used, for example, by operating systems or application programs to manage access to certain parts of the program or to certain resources. An ACL is therefore a means of managing rights to files or other resources on a computer.
These Access Control Lists can be represented as a kind of table which lists, for each resource, the users who may access it and the type of access they have. Below are the most common access rights:
- the right to read a file (“read”)
- the right to write a file (“write”)
- the right to execute a file (“execute”)
Within an ACL, these entries are called “Access Control Entries” or “ACEs”.
The operating principle of Access Control Lists is very simple: as soon as a given user wishes to access a particular resource, the corresponding ACL checks whether this access is indeed authorized (to put it another way, it checks whether there is an ACE for that user). If so, the access is granted; otherwise it is refused.
Different ACL Types and Uses
There are different types of ACL, so the possibilities for using access control lists are also very broad. Essentially, there are two main types of ACL: network ACLs and file system ACLs.
Network ACL
Network ACLs are access control lists presented in table form. You can use them as a sort of firewall for your incoming data traffic, on routers for example. Network ACLs determine which packets can or cannot enter the network, and thus make it possible to control access to the network.
In the field of network ACLs, it is essential to distinguish standard ACLs from extended ACLs. Traditionally, ACLs only take into account the source IP address, without distinguishing between different network protocols such as TCP, UDP or HTTP. These lists allow you to authorize or deny access to the entire network. Extended ACLs, on the other hand, also take into account the destination IP address. They filter packets in a much more fine-grained way, based for example on the network protocol or on the source and destination ports of a packet.
File system ACL
File system ACLs, on the other hand, control the access to files and resources within an operating system. These lists can be used in particular to regulate and manage the access of certain users to particular files.
Structure of Access Control Lists
Each access control list mainly consists of several access control entries (“Access Control Entries” or “ACEs”). These entries correspond to the individual rules of the Access Control List and are themselves made up of different elements, the exact nature of which depends above all on the type of ACL used. While all ACEs include an identifier and access-rights information, they can otherwise differ considerably. Thus, in addition to IP addresses, network ACLs contain information about the protocol or port numbers, whereas file system ACLs also record information about users and user groups.
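To make the structure concrete, and to show the difference between a standard ACL (source address only) and an extended ACL (destination, protocol and port as well) described in the network section above, here is an added example of a small network ACL evaluator; it is not code from the original article. The packet and entry fields, the sample lists and the top-down, first-match, implicit-deny evaluation order are assumptions (the usual router convention), not something the article specifies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str                        # source IP address
    dst: str                        # destination IP address
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None     # destination port, if the protocol has one

@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: a standard entry matches on source address only,
    an extended entry may also constrain destination, protocol and port."""
    action: str                     # "permit" or "deny"
    src: str                        # source network in CIDR form
    dst: str = "0.0.0.0/0"          # any destination unless narrowed
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )

def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Walk the list top-down: the first matching ACE decides.
    A packet matching no entry is refused (assumed implicit deny)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed sample lists (not taken from the page).
# Standard: source address only, so it can only block a whole network.
STANDARD_ACL = [ACE("deny", "192.0.2.0/24"), ACE("permit", "0.0.0.0/0")]
# Extended: 10.0.0.0/8 may reach one server on TCP/443 but on no other TCP
# port; entry order matters because evaluation is first-match.
EXTENDED_ACL = [
    ACE("permit", "10.0.0.0/8", "203.0.113.10/32", "tcp", 443),
    ACE("deny", "10.0.0.0/8", "203.0.113.10/32", "tcp"),
    ACE("permit", "10.0.0.0/8"),
]
```

Swapping the first two extended entries would silently block the TCP/443 traffic as well, which is why ACE order should be reviewed whenever a list is changed.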
Implementing ACL
The implementation of ACLs also differs depending on whether you choose a network ACL or a file system ACL. The latter is configured easily and directly using terminal commands, while a network ACL is implemented in network components such as routers.
The concrete implementation of an ACL depends on the type of ACL chosen (network or file system), but also on your operating system and the practical application case for which you intend it.
Benefits
ACLs offer several advantages. File system ACLs are particularly interesting because they let users configure their computer so that certain resources are accessible only to certain users. In this context, access control lists can notably complement the rights management built into Linux by refining access protection, which thus makes it possible to improve system security.
Network ACLs are not far behind: they provide a relatively simple alternative to other firewall implementations. They also allow you to control traffic between networks, and therefore improve not only the security of your network but also its performance.