
System User's Guide: Operating System and Devices

Access Control Lists

Access control governs protected information resources by specifying who can be granted access to them. The operating system allows for need-to-know or discretionary security. The owner of an information resource can grant other users read or write access rights for that resource. A user who is granted access rights to a resource can transfer those rights to other users. This security allows for user-controlled information flow in the system; the owner of an information resource defines the access permissions to the object.

Users have user-based access only to the objects that they own. Typically, users receive either the group permissions or the default permissions for a resource. The major task in administering access control is to define the group memberships of users, because these memberships determine the users' access rights to the files that they do not own.

Access control lists (ACLs) increase the quality of file access controls by adding extended permissions that modify the base permissions assigned to individuals and groups. With extended permissions, you can permit or deny file access to specific individuals or groups without changing the base permissions.

Note: The access control list for a file cannot exceed one memory page (approximately 4096 bytes) in size.

To maintain access control lists, use the aclget, acledit, and the aclput commands.

The chmod command in numeric mode (with octal notations) can set base permissions and attributes. The chmod subroutine, which the command calls, disables extended permissions. If you use the numeric mode of the chmod command on a file that has an ACL, extended permissions are disabled. The symbolic mode of the chmod command does not disable extended permissions. For information on numeric and symbolic mode, refer to the chmod command.

Base Permissions

Base permissions are the traditional file-access modes assigned to the file owner, file group, and other users. The access modes are: read (r), write (w), and execute/search (x).

In an access control list, base permissions are in the following format, with the Mode parameter expressed as rwx (with a hyphen (-) replacing each unspecified permission):

base permissions: 
   owner(name): Mode
   group(group): Mode
   others: Mode

Attributes

Three attributes can be added to an access control list:

setuid (SUID)
Set-user-ID mode bit. This attribute sets the effective and saved user IDs of the process to the owner ID of the file on execution.
setgid (SGID)
Set-group-ID mode bit. This attribute sets the effective and saved group IDs of the process to the group ID of the file on execution.
savetext (SVTX)
Saves the text in a text file format.

These attributes are added in the following format:

attributes: SUID, SGID, SVTX 

Extended Permissions

Extended permissions allow the owner of a file to define access to that file more precisely. Extended permissions modify the base file permissions (owner, group, others) by permitting, denying, or specifying access modes for specific individuals, groups, or user and group combinations. Permissions are modified through the use of keywords.

The permit, deny, and specify keywords are defined as follows:

permit
Grants the user or group the specified access to the file.
deny
Restricts the user or group from using the specified access to the file.
specify
Precisely defines the file access for the user or group.

If a user is denied a particular access by either a deny or a specify keyword, no other entry can override that access denial.

The enabled keyword must be specified in the ACL for the extended permissions to take effect. The default value is the disabled keyword.

In an ACL, extended permissions are in the following format:

extended permissions: 
  enabled | disabled
    permit   Mode  UserInfo...: 
    deny     Mode  UserInfo...:
    specify  Mode  UserInfo...:

Use a separate line for each permit, deny, or specify entry. The Mode parameter is expressed as rwx (with a hyphen (-) replacing each unspecified permission). The UserInfo parameter is expressed as u:UserName, or g:GroupName, or a comma-separated combination of u:UserName and g:GroupName.

Note: If more than one user name is specified in an entry, that entry cannot be used in an access control decision, because a process has only one user ID.

Access Control List Example

The following is an example of an ACL:

attributes: SUID
base permissions:
      owner(frank):  rw-
      group(system): r-x
      others: ---
extended permissions:
      enabled
        permit  rw-  u:dhs
        deny    r--  u:chas, g:system
        specify r--  u:john, g:gateway, g:mail
        permit  rw-  g:account, g:finance

The parts of the ACL and their meanings are the following:

attributes: SUID
The set-user-ID attribute is set on the file.
owner(frank): rw-
The file owner, frank, has read and write permission.
group(system): r-x
Members of the file group, system, have read and execute permission.
others: ---
All other users have no base permissions.
enabled
The extended permissions that follow take effect.
permit rw- u:dhs
User dhs is granted read and write access.
deny r-- u:chas, g:system
User chas is denied read access when chas is a member of the group system.
specify r-- u:john, g:gateway, g:mail
User john has read access only, when john is a member of both the gateway and mail groups.
permit rw- g:account, g:finance
Users who are members of both the account and finance groups are granted read and write access.

Access Authorization

The owner of the information resource is responsible for managing access rights. Resources are protected by permission bits, which are included in the mode of the object. The permission bits define the access permissions granted to the owner of the object, the group of the object, and for the others default class. The operating system supports three different modes of access (read, write, and execute) that can be granted separately.

When a user logs in to an account (using the login or su commands), the user IDs and group IDs assigned to that account are associated with the user's processes. These IDs determine the access rights of the process.

For files, directories, named pipes, and devices (special files), access is authorized as follows:

A process with a user ID of 0 is known as a root user process. These processes are generally allowed all access permissions. But if a root user process requests execute permission for a program, access is granted only if execute permission is granted to at least one user.

The identifier list of an ACL matches a process if all identifiers in the list match the corresponding type of effective identifier for the requesting process. A USER-type identifier matches if it is equal to the effective user ID of the process, and a GROUP-type identifier matches if it is equal to the effective group ID of the process or to one of the supplementary group IDs. For instance, an ACE with an identifier list such as the following:

USER:fred, GROUP:philosophers, GROUP:software_programmer

would match a process with an effective user ID of fred and a group set of:

philosophers, philanthropists, software_programmer, doc_design

but would not match for a process with an effective user ID of fred and a group set of:

philosophers, iconoclasts, hardware_developer, graphic_design

Note that an ACE with an identifier list of the following would match for both processes:

USER:fred, GROUP:philosophers

In other words, the identifier list in the ACE functions as a set of conditions that must all hold for the specified access to be granted.
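The following script is an added example and is not part of this guide or of the operating system. It parses the text format described under Extended Permissions and shown in the Access Control List Example, and evaluates access requests under the rules this page states: the base permission classes, the permit, deny and specify keywords, the enabled keyword, a denial that no other entry can override, and the rule that every identifier in an entry's list must match the process. Where the guide does not spell out how base and extended permissions combine, the script assumes that permit adds modes, deny removes them and specify sets exactly the listed modes; the root-user execute check assumes that an execute bit in any base class or in any permit or specify entry counts as "granted to at least one user". All class and function names are the example's own.

```python
# Model of the ACL rules this page describes (added example, not operating-system code).
# Where the guide is silent, the behaviour is an assumption and is marked as such.
from dataclasses import dataclass, field

# Constructed input: the ACL from the Access Control List Example above.
SAMPLE_ACL = """\
attributes: SUID
base permissions:
      owner(frank):  rw-
      group(system): r-x
      others: ---
extended permissions:
      enabled
        permit  rw-  u:dhs
        deny    r--  u:chas, g:system
        specify r--  u:john, g:gateway, g:mail
        permit  rw-  g:account, g:finance
"""
ALL_MODES = {"r", "w", "x"}

@dataclass
class Entry:
    keyword: str   # permit | deny | specify
    mode: set      # subset of ALL_MODES
    users: set     # u: names in the identifier list
    groups: set    # g: names in the identifier list

@dataclass
class Acl:
    attributes: set = field(default_factory=set)
    owner: str = ""
    group: str = ""
    base: dict = field(default_factory=dict)   # owner/group/others -> modes
    enabled: bool = False
    entries: list = field(default_factory=list)

def parse_mode(text):
    """'rw-' -> {'r', 'w'}; a hyphen marks an unspecified permission."""
    return {c for c in text if c in ALL_MODES}

def parse_acl(text):
    """Parse the aclget-style text format shown in the guide."""
    acl, section = Acl(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("attributes:"):
            acl.attributes = {a.strip() for a in line.split(":", 1)[1].split(",") if a.strip()}
        elif line == "base permissions:":
            section = "base"
        elif line == "extended permissions:":
            section = "ext"
        elif section == "base":
            who, mode = (p.strip() for p in line.split(":", 1))
            if who.startswith("owner("):
                acl.owner, key = who[6:-1], "owner"
            elif who.startswith("group("):
                acl.group, key = who[6:-1], "group"
            else:
                key = who                                  # "others"
            acl.base[key] = parse_mode(mode)
        elif section == "ext":
            if line in ("enabled", "disabled"):
                acl.enabled = line == "enabled"
                continue
            keyword, mode, userinfo = line.split(None, 2)
            users, groups = set(), set()
            for item in userinfo.split(","):
                kind, _, name = item.strip().partition(":")
                (users if kind == "u" else groups).add(name)
            acl.entries.append(Entry(keyword, parse_mode(mode), users, groups))
    return acl

def identifiers_match(entry, user, groups):
    """Guide rule: every identifier in the list must match the process."""
    if len(entry.users) > 1:       # a process has one user ID, so this never matches
        return False
    return entry.users <= {user} and entry.groups <= set(groups)

def effective_modes(acl, user, groups):
    """Modes available to a non-root process: base class, then matching entries."""
    if user == acl.owner:
        granted = set(acl.base["owner"])
    elif acl.group in groups:
        granted = set(acl.base["group"])
    else:
        granted = set(acl.base["others"])
    if not acl.enabled:            # disabled keyword: base permissions only
        return granted
    denied = set()
    for e in acl.entries:
        if not identifiers_match(e, user, groups):
            continue
        if e.keyword == "permit":      # assumption: permit adds modes to the base set
            granted |= e.mode
        elif e.keyword == "deny":      # deny restricts the listed modes
            denied |= e.mode
        elif e.keyword == "specify":   # assumption: specify means exactly these modes
            granted |= e.mode
            denied |= ALL_MODES - e.mode
    return granted - denied        # a denial cannot be overridden by any other entry

def check_access(acl, user, groups, mode, uid=None):
    """True if the process may use mode ('r', 'w' or 'x') on the file."""
    if uid == 0:                   # root user process: everything except the execute rule
        if mode != "x":
            return True
        # Assumption: execute "granted to at least one user" means an x bit in any
        # base class or in any permit/specify entry.
        return any("x" in m for m in acl.base.values()) or any(
            "x" in e.mode for e in acl.entries if e.keyword in ("permit", "specify"))
    return mode in effective_modes(acl, user, groups)

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user, groups in [("frank", ["staff"]), ("chas", ["system"]), ("john", ["gateway", "mail"])]:
        print(user, groups, sorted(effective_modes(acl, user, groups)))
```

Running the script prints the modes each sample process ends up with; the interesting cases are chas, who loses read access through the deny entry even though the system group's base permissions grant it, and john, who gets read access only when both the gateway and mail groups are in the process's group set.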

All access permission checks for these objects are made at the system call level when the object is first accessed. Because System V Interprocess Communication (SVIPC) objects are accessed statelessly, checks are made for every access. For objects with file system names, it is necessary to be able to resolve the name of the actual object. Names are resolved either relatively (to the process' working directory) or absolutely (to the process' root directory). All name resolution begins by searching one of these.

The discretionary access control mechanism allows for effective access control of information resources and provides for separate protection of the confidentiality and integrity of the information. Owner-controlled access control mechanisms are only as effective as users make them. All users must understand how access permissions are granted and denied, and how these are set.

Displaying Access Control Information (aclget Command)

To display the access control information of a file, use the aclget command. The information that you view includes attributes, base permissions, and extended permissions.

For example, to display the access control information for the status file, type:

aclget status

Press Enter. The access control information that displays includes a list of attributes, base permissions, and extended permissions. For an example, see Access Control List Example.

See the aclget command in the AIX 5L Version 5.2 Commands Reference for the complete syntax.

Setting Access Control Information (aclput Command)

To set the access control information for a file, use the aclput command.

Note: The access control list for a file cannot exceed one memory page (approximately 4096 bytes) in size.

For example, to set the access control information for the status file with the access control information stored in the acldefs file, type:

aclput -i acldefs status

Press Enter.

For example, to set the access control information for the status file with the same information used for the plans file, type:

aclget plans | aclput status

Press Enter.

See the aclput command in the AIX 5L Version 5.2 Commands Reference for the complete syntax.

Editing Access Control Information (acledit Command)

To change the access control information of a file, use the acledit command. The command displays the current access control information and lets the file owner change it. Before making any changes permanent, the command asks if you want to proceed.

Note: The EDITOR environment variable must be specified with a complete path name; otherwise, the acledit command will fail.

The access control information that displays includes a list of attributes, base permissions, and extended permissions. For an example, see Access Control List Example.

For example, to edit the access control information of the plans file, type:

acledit plans

Press Enter.

See the acledit command in the AIX 5L Version 5.2 Commands Reference for the complete syntax.
