Access control expression

An access control expression, with respect to a computer file system, is a list of Boolean expressions attached to a file object. An access control expression specifies a Boolean formula that defines which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical access control expression pairs an operation with an expression over users and groups. For instance, if a file object has an access control expression that contains (read=(g:system OR u:Alice), write=(g:system AND !u:Bob)), this would give any member of the system group or the user named Alice permission to read the file, but would allow only members of the system group to write the file, with the exception of the user named Bob.

Conventional access control lists can be viewed as a subset of access control expressions in which the only combining operation allowed is OR.

Implementations

Few systems implement access control expressions. The MapR file system is one such system.

Move Toward Filesystem Access Control Expressions

Early Unix and Unix-like systems pioneered flexible permission schemes based on user and group membership. Initially, users could only belong to a single group, but this constraint was relaxed to allow membership in multiple groups. With an unlimited number of groups, arbitrarily complex permission schemes could be implemented, but only at the cost of exponentially many groups.

In order to allow more expressivity in the specification of filesystem permissions, a number of competing access control list implementations were developed for Microsoft Windows and for Unix and Unix-like systems such as Linux. Access control lists were a substantial improvement over simple user and group permissions, but still could not easily express some common requirements (such as banning a single user who is a member of an otherwise permitted group). Access control expressions were developed in response to such needs.

Comparison to access control lists

The permission expressions supported by access control lists are a strict subset of those supported by access control expressions, but they have the virtue of being very fast and direct to implement. The cost of implementing access control expressions is no longer of much concern due to advances in hardware performance.
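The following is an added example, not code from the MapR file system or any other implementation named on this page. It is a small evaluator for access control expressions of the form used in the definition above (atoms u:name and g:name, combined with AND, OR, ! and parentheses; this syntax is assumed here, not taken from any product), applied to a per-file table of operation to expression. It shows the "ban one user from a group" case from the previous section (write=g:system AND !u:Bob) and the claim of this section that a classic ACL is just the OR-only subset of expressions. All users, groups and file entries are constructed for the example.

```python
"""Toy evaluator for file access control expressions (ACEs).

Added example; the expression syntax, subject model and default-deny
behaviour are assumptions of this example, not a description of any
real file system.
"""
import re
from dataclasses import dataclass, field

# Grammar (lowest to highest precedence): OR, AND, ! (NOT), atoms, parentheses.
# An atom is "u:<user>" or "g:<group>". Anything else is a syntax error.
PRINCIPAL_RE = re.compile(r"[ug]:[\w.-]+")
TOKEN_RE = re.compile(r"\s*(\(|\)|!|AND\b|OR\b|[ug]:[\w.-]+|\S)")


@dataclass(frozen=True)
class Subject:
    """The authenticated principal requesting access: a user plus its groups."""
    user: str
    groups: frozenset = field(default_factory=frozenset)


def tokenize(expr):
    """Split an expression into tokens, rejecting any stray character."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        tok = m.group(1)
        if not (tok in ("(", ")", "!", "AND", "OR") or PRINCIPAL_RE.fullmatch(tok)):
            raise ValueError(f"unexpected character {tok!r} in {expr!r}")
        tokens.append(tok)
    return tokens


class Parser:
    """Recursive-descent parser producing a small tuple-based syntax tree."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:  # leftover tokens mean a malformed expression
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_not())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            self.take(")")
            return node
        tok = self.take()
        if not PRINCIPAL_RE.fullmatch(tok):
            raise ValueError(f"expected u:<user> or g:<group>, got {tok!r}")
        return ("atom", tok)


def evaluate(node, subject):
    """Evaluate a parsed expression against a subject."""
    kind = node[0]
    if kind == "atom":
        prefix, name = node[1].split(":", 1)
        return subject.user == name if prefix == "u" else name in subject.groups
    if kind == "not":
        return not evaluate(node[1], subject)
    if kind == "and":
        return evaluate(node[1], subject) and evaluate(node[2], subject)
    return evaluate(node[1], subject) or evaluate(node[2], subject)


def is_allowed(ace, operation, subject):
    """Access decision for one operation. An operation with no expression is denied."""
    expr = ace.get(operation)
    if expr is None:
        return False
    return evaluate(Parser(expr).parse(), subject)


def acl_to_ace(acl):
    """Rewrite a classic ACL (operation -> list of principals) as an ACE.

    Only OR is needed, which is what makes ACLs a subset of expressions.
    """
    return {op: " OR ".join(principals) for op, principals in acl.items() if principals}


# Constructed sample file entry, matching the example in the definition above.
FILE_ACE = {"read": "g:system OR u:Alice", "write": "g:system AND !u:Bob"}

if __name__ == "__main__":
    for who in (Subject("Alice"), Subject("Bob", frozenset({"system"})),
                Subject("Carol", frozenset({"system"})), Subject("Dave")):
        print(who.user, "read" if is_allowed(FILE_ACE, "read", who) else "-",
              "write" if is_allowed(FILE_ACE, "write", who) else "-")
```

Two design points are worth noting. The decision is fail-closed: an operation that has no expression on the file is denied rather than treated as unrestricted. And the parser rejects malformed expressions outright instead of evaluating a truncated prefix, so a typo in a policy cannot silently widen access.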
