Where should an ACL be stored?
– In trusted part of the system
– Consists of access control entries, or, ACEs
– Along with other object meta-data
– For example, file meta-data has a bunch of information where this can go as well
– Checking requires traversal of the ACL
Where do C-list go?
– A capability is an unforgeable reference/handle for a resource
– User catalogue of capabilities defines what a certain user can access
– Can be stored in objects/resources themselves(Hydra)
– Sharing requires propagation of capabilities
Efficieny, Accountability, Revocation
Access Control Implementation
How is Access Control Implemented in Unix-like Systems?
– In Unix, each resource looks like a file
– Each file has an owner(UID) and access is possible for owner, group and everyone(world).
– Permissions are read, write and execute
– Original ACL implementation had a compact fixed size representation(9 bits)
– Now full ACL support is available in many variants(Linux, BSD, MacOS,..)
– Few other things(sticky bit, setuid,…)
Access Control Implementation
How are files used(system calls for accessing files?)
– Create(filename)/* several ways to do it */
– fd = open(filename, mode)
– read (fd, buf, sizeof(buf))
– write(fd, buf, sizeof(buf))
– close(fd)
