How do access control lists work?
Access control lists (ACLs) control the access of processes and users to individual areas of a computer, such as files or registry entries. In doing so, they ensure that only authorised users can access certain resources.
What is an access control list?
Access control lists, like mandatory access control or role-based access control, are one form of access control. An ACL is a set of rules that an operating system or application uses to manage access to specific parts of a program or to resources; in other words, it is a way of managing the rights to files and other resources on a computer.
You can therefore think of an access control list as a table listing users and the type of access each of them has. The most common access rights are:
- the right to read a file (read)
- the right to write to a file (write)
- the right to execute a file (execute)
The entries in an access control list are also known as access control entries (ACEs).
Access control lists work on a very simple principle: when a user wants to access a resource, the ACL is checked to see whether they are allowed access, in other words whether there is an ACE for that user. If there is, access is permitted; if not, it is denied.
Types of access control lists and uses
There are different types of access control list, and accordingly a wide range of uses for ACLs. In general, there are two primary types: network ACLs and file-system ACLs.
Network ACLs
Network access control lists are table-style lists that act as a kind of firewall for incoming data traffic, for example within routers. Such a network ACL determines which packets may enter a network and which may not, so a network ACL can be used to control access to the network.
Within network ACLs it is also worth noting the difference between standard (normal) and extended access control lists. Standard ACLs only take the source IP address into consideration and do not distinguish between network protocols such as TCP, UDP or HTTP; they are used to either permit or deny access to the entire network. Extended ACLs, on the other hand, also consider the destination IP address and filter packets in a fundamentally different way, for example on the basis of the network protocol or the source and destination ports of a packet.
File-system ACLs
In contrast, file-system ACLs manage access to files and resources within the operating system. They are used, for example, to control and manage the access rights of individual users to specific files.
Building access control lists
Every access control list is essentially made up of multiple access control entries. These entries form the ACL's set of rules and are in turn made up of individual components; exactly which components depends on the type of ACL. Although every ACE has an ID as well as information about the access rights it grants or denies, the remaining components differ considerably: network ACEs also contain IP addresses and protocol or port numbers, whereas file-system ACEs contain information about users and user groups.
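As an added illustration of the principle described above and of the ACE components just listed (example code written for this article, not code from any product), the following Python model uses constructed sample entries for both ACL types. File-system entries grant rights to a user or a group; the network list is evaluated top down with the first match deciding, so the source-only (standard-style) entry at the end cannot override the earlier extended deny, and anything with no matching entry is denied.

```python
from ipaddress import ip_address, ip_network

# Constructed file-system ACL: each ACE has an id, names one user or one group,
# and lists the rights it grants. Nothing else is granted (default deny).
FILE_ACL = [
    {"id": 1, "user": "alice", "rights": {"read", "write"}},
    {"id": 2, "group": "developers", "rights": {"read", "execute"}},
]
# Constructed group membership, as the operating system would supply it.
GROUPS = {"alice": {"developers"}, "bob": {"developers"}, "eve": set()}


def file_access_allowed(acl, groups, user, right):
    """Permit only if an ACE for the user, or for one of the user's groups, grants the right."""
    for ace in acl:
        if ace.get("user") == user or ace.get("group") in groups.get(user, set()):
            if right in ace["rights"]:
                return True
    return False  # no matching ACE: access denied


# Constructed network ACL. Entries 10 and 20 are extended-style (source, destination,
# protocol, port); entry 30 is standard-style and matches on the source address only.
# Entries are evaluated top down and the first match decides; unmatched packets are denied.
NET_ACL = [
    {"id": 10, "action": "deny", "src": "10.0.0.0/8", "dst": "192.168.1.10/32",
     "proto": "tcp", "dport": 23},
    {"id": 20, "action": "permit", "src": "10.0.0.0/8", "dst": "192.168.1.0/24",
     "proto": "tcp", "dport": 443},
    {"id": 30, "action": "permit", "src": "10.1.2.0/24"},
]


def _field_matches(ace, key, value, is_address=False):
    """A field that the ACE does not specify matches anything (wildcard)."""
    if key not in ace:
        return True
    if is_address:
        return ip_address(value) in ip_network(ace[key])
    return ace[key] == value


def net_access_allowed(acl, src, dst, proto, dport):
    """First matching ACE decides; a packet that matches no ACE is denied."""
    for ace in acl:
        if (_field_matches(ace, "src", src, True) and _field_matches(ace, "dst", dst, True)
                and _field_matches(ace, "proto", proto) and _field_matches(ace, "dport", dport)):
            return ace["action"] == "permit"
    return False  # no matching ACE: packet denied
```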
ACL implementation
Access control lists are also implemented differently depending on whether they are used as a network ACL or a file-system ACL. While the latter can be configured simply using terminal commands, network ACLs are implemented in network components such as routers.
The exact implementation of an access control list not only depends on the type (network or file system) but also the operating system and the exact usage case.
Benefits
Access control lists offer a range of benefits. File-system ACLs in particular allow users to configure their computer so that only authorised users can access certain resources. Access control lists therefore extend the built-in rights management in Linux with more fine-grained access protection and improve system security.
Network ACLs are a comparatively uncomplicated alternative to a firewall. They also make it possible to control the data traffic between networks, which not only improves performance but also increases security.