Talk:Access-control list

Untitled
Different objects will also need different ACLs, rwx is enough for a file but there will need to be additional administrative privileges, while generalised security ACLs can have fifteen or more privileges set.

This comment appears to be arguing against the use of ACLs, but fails to be very clear nor provide much support for its point. If it is referring to the fact that some objects might have many possible access rights that could be for it, then that problem would not only be shared by capability-based systems, but the goal of making such systems more fine-grained than their ACL-based counterparts would actually make them worse in that regard. If this comment belongs here, could someone rewrite it to be clearer and put it back? Eric22 23:48, 2004 Mar 19 (UTC)

Linux and acl?
SELinux is Mandatory access control, not acl, as far as I know. acl is just implemented - try a modern Linux distribution, mount an ext3 partition with the acl option and open the file properties dialog in KDE 3.5 (ok, that's still beta) - there you will find a standard acl management. --130.243.179.193 03:03, 5 November 2005 (UTC)

Used in legal argument
Finkelstein's "Report on Microsoft Work Group Server Protocol Programme: An Assessment of Interoperability Information" links to this article in Annex B8. Metarhyme 00:47, 24 February 2006 (UTC)

'Protection' does not use ACLs to model resource protection
''ACLs are an abstract way to model and thus discuss the protection of resources in general. This was first done by Butler W. Lampson in his 1971 paper Protection.''

That paper doesn't use ACLs for this, it uses the Access Control Matrix model. It only mentions ACLs as one of several possible implementations of models based on access control matrices (and it is not the case that all such models are equivalent in security). I would fix it, but the correct statement doesn't belong in this article at all; it belongs at Access Control Matrix. DavidHopwood 19:29, 22 July 2006 (UTC)

Unless anyone objects, I will remove the whole paragraph. "Authentication in distributed systems: theory and practice" describes a complicated system with role-based and cryptographic extensions, so it does not justify the claim that plain ACLs are maximally general, anyway. DavidHopwood 19:35, 22 July 2006 (UTC)

Text is hard to understand
ACLs, Capabilities and Role based security systems are explained in a quite... complicated way from my point of view. They are telling too much for a person who knows nothing about them, though having much information in them. I'd like it if one could explain those more clearly for a normal person who knows very little about security, maybe illustrate.


 * ACLs are not for lay persons. Get over it.

(The preceding comment was not signed by anybody.) I agree with the above comment, and have rewritten the introduction to try to provide a more concrete definition of what an ACL is. Ka-Ping Yee 10:37, 3 January 2007 (UTC)

OpenVMS
I agree with earlier comments that this article is too technical, some examples might help. http://deathrow.vistech.net is a public-access OpenVMS system where you can log in and do EDIT/ACL as much as you want. I suspect the OpenVMS implementation of ACLs is as close to the withdrawn POSIX standard as you'll get. I am user DC on the above-mentioned system and would happily show places such as the web server where ACLs control the security. --Brianmc 21:37, 1 February 2007 (UTC)

Inappropriate and Unrelated External link
A user with at least two anonymous IPs has been adding the following external link, despite my removal on one occasion.


 * Access Control Solutions

This appears to be a case of advertising that goes against the External Links policy and I have therefore Undone the latest change. Should the user in question feel that the link is appropriate and relevant to this page, I'd invite him to post his point of view here, so that it can be properly discussed. Thank you! -- manu3d (talk) 11:14, 15 April 2008 (UTC)


 * No worries. That's totally spam.

lack of disadvantage
Why are there no words about the disadvantage of Access control list? Callmejosh (talk) 12:12, 23 April 2008 (UTC)

"File system ACLs" needs to be populated with information. —Preceding unsigned comment added by 130.85.136.210 (talk) 19:53, 15 April 2009 (UTC)

pile of links in the middle of the article
Is that ok? Shouldn't the links be listed at the end or something? Stefan.petrea (talk) 14:56, 7 May 2009 (UTC)


 * What's an artile? Is it on the keyboard near caps lock?

Pronunciation
I feel it's important to note how the word is pronounced in the technical register; "ackle". Is it appropriate to add and if so, where? —Preceding unsigned comment added by 173.2.37.134 (talk) 06:49, 7 March 2011 (UTC)

Unintelligible, sloppy language
The section "Filesystem ACLS" contains this statement:


 * "Each accessible object contains an identifier to its ACL."

I have no idea what that actually means. What is an "identifier to (an) ACL"? "Identifier" usually denotes a short string, usually of alphabetic characters, that acts as a key in a dictionary look-up, and represents the associated dictionary value in the context where the identifier occurs.

Does the object contain an identifier, that acts as a pointer through a table or dictionary lookup, to the object's ACL? I believe an "accessible object" could be a file. Most file systems allow perfectly random contents to be saved in files, e.g., a string of 20 binary zero bytes. Does this file contain zero bytes, or does it contain identifiers? Or does the author mean that the file system associates each accessible object with such an identifier?

But if so, is not this an arbitrary implementation detail? Which implementation of ACLs use such identifiers? Do all implementations use such identifiers?

If anyone knows what the author actually is writing about, could you please translate this statement to plain English? Cacadril (talk) 19:13, 26 January 2012 (UTC)

It dawns on me that perhaps the author is referring to a technique to save storage space in file systems, where often very many objects have identical ACLs. So instead of storing the actual acl with each object, a shorter data item, a pointer or an identifier, is stored with the object, and the actual acl data is stored separately.

If this is the author's point, the statement should be removed. It has no logical function in that context.

Actually, the whole section should be rewritten. Decide what exactly you assume that your reader already knows (and why: is it a logical assumption?), and then build on that to introduce new ideas gradually.

In view of the space-saving technique of storing identical ACLs just once, you may think of this actual stored acl as something that applies to many files. But file systems that use acls have tools that are built to uphold the illusion that each file or directory or whatever has a separate acl. For instance, tools to modify the acl of a particular file will not modify the acls of other objects that initially had the same acl. The file in question will be associated with a different acl after the operation. If the new value of the acl happens to be the same as some other existing object is having, then the file in question may be associated with the acl of that existing object. Otherwise a new acl is created and the file is associated with it. But all this space-saving machinery is really not part of the concept of "acl". Explain first what an acl is: An access control list. It identifies one or more users (actors, user accounts) or groups of users, and indicates permissions or privileges (or prohibitions) to grant to the identified users. To make it more meaningful, give examples. Much later you may perhaps discuss the space efficiency issues. Cacadril (talk) 19:40, 26 January 2012 (UTC)

Removing alert for originally based
Removing "This article was originally based on material from the Free On-line Dictionary of Computing and is used with permission under the GFDL": it is Deprecated. See the moment where it was with some significance:

http://en.wikipedia.org/w/index.php?title=Access_control_list&direction=next&oldid=3331366

--Krauss (talk) 13:20, 20 July 2013 (UTC)

Example in introduction
The introduction to the article contains the following text:

''Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Allow, deny), this would give permission to access the file.''

From what I think I know of ACLs it seems that an entry contains a user and an operation. If the writer meant that, it could be clearer. More importantly, the pair (Allow, deny) does not seem to be an instance of that rule. Unless the writer meant that it gives user 'Allow' rights to use the operation 'deny', which is a strange, unrepresentative example.

I am not sure enough about ACLs to change this myself. Could someone please chime in? --Wikiedit738 (talk) 07:46, 28 July 2014 (UTC)
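As an illustration of the two points raised above (Cacadril's description of an ACL as a list naming subjects and the permissions granted or denied to them, with identical ACLs stored once and referenced by an identifier; and Wikiedit738's point that an entry pairs a subject with an operation rather than reading "(Allow, deny)"), here is an added example in Python. It is not article text and not any real file system's implementation: the entry format, the "user:"/"group:" naming, the deny-wins evaluation order and the sample file names are all constructed for the example.

```python
"""Constructed model of an ACL and of a store that interns identical ACLs.

An ACL is an ordered tuple of entries; each entry names a subject (a user or
a group), an operation, and an effect ("allow" or "deny"). Objects carry only
an identifier into the store, so many objects can share one stored ACL, yet
editing one object's ACL never changes another object's ACL.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Entry:
    subject: str    # "user:alice" or "group:staff" (constructed naming scheme)
    operation: str  # e.g. "read", "write", "execute"
    effect: str     # "allow" or "deny"


ACL = Tuple[Entry, ...]


def check(acl: ACL, user: str, groups: FrozenSet[str], operation: str) -> bool:
    """Evaluate an ACL for one request.

    Evaluation order is an assumption of this example: any matching "deny"
    entry wins, otherwise any matching "allow" grants the operation, and
    with no matching entry at all the result is a default deny.
    """
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    matching = [e for e in acl if e.subject in principals and e.operation == operation]
    if any(e.effect == "deny" for e in matching):
        return False
    return any(e.effect == "allow" for e in matching)


class AclStore:
    """Keeps each distinct ACL once and hands out small integer identifiers."""

    def __init__(self) -> None:
        self._by_id: Dict[int, ACL] = {}
        self._by_content: Dict[ACL, int] = {}
        self._objects: Dict[str, int] = {}  # object name -> ACL identifier

    def intern(self, acl: ACL) -> int:
        """Return the identifier of an ACL with this content, creating it once."""
        if acl not in self._by_content:
            new_id = len(self._by_id) + 1
            self._by_id[new_id] = acl
            self._by_content[acl] = new_id
        return self._by_content[acl]

    def set_acl(self, obj: str, acl: ACL) -> int:
        self._objects[obj] = self.intern(acl)
        return self._objects[obj]

    def acl_of(self, obj: str) -> ACL:
        return self._by_id[self._objects[obj]]

    def acl_id(self, obj: str) -> int:
        return self._objects[obj]

    def add_entry(self, obj: str, entry: Entry) -> int:
        """Change one object's ACL by re-interning a new value.

        The stored ACL is never mutated in place, so other objects that
        shared the old identifier keep their old ACL.
        """
        return self.set_acl(obj, self.acl_of(obj) + (entry,))

    def authorized(self, obj: str, user: str, groups: Iterable[str], operation: str) -> bool:
        return check(self.acl_of(obj), user, frozenset(groups), operation)


if __name__ == "__main__":
    store = AclStore()
    base = (Entry("group:staff", "read", "allow"), Entry("user:alice", "write", "allow"))
    store.set_acl("/srv/docs/a.txt", base)   # constructed object names
    store.set_acl("/srv/docs/b.txt", base)
    print("shared id:", store.acl_id("/srv/docs/a.txt") == store.acl_id("/srv/docs/b.txt"))
    store.add_entry("/srv/docs/b.txt", Entry("user:bob", "read", "deny"))
    print("bob reads a.txt:", store.authorized("/srv/docs/a.txt", "bob", ["staff"], "read"))
    print("bob reads b.txt:", store.authorized("/srv/docs/b.txt", "bob", ["staff"], "read"))
```

Running the module shows that the two files start out sharing one stored ACL, that adding a deny entry to one file splits the identifiers, and that the other file's permissions are unchanged, which is exactly the "illusion that each file has a separate acl" described above.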

ACLs are similar to firewalls?
''Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.'' I'd say that firewalls are configured using access control lists. So they are not similar but belong together. — Preceding unsigned comment added by 80.187.102.16 (talk) 07:23, 27 May 2015 (UTC)
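To make the quoted sentence about inbound and outbound traffic concrete, here is an added Python example (not article text, and not the syntax of any particular router or firewall vendor) of a first-match network access list evaluated separately per direction, ending in an implicit deny. The rules, the 192.0.2.0/24 address range and the sample packets are constructed for the example.

```python
"""Constructed first-match network ACL, evaluated per direction.

Each rule names a direction ("in" or "out"), an action, a protocol, source
and destination prefixes and an optional destination port. The first rule
that matches a packet decides; a packet that matches no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    direction: str                 # "in" or "out", relative to the interface
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port


@dataclass
class Packet:
    direction: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and pkt.src in rule.src
            and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed ACL for an interface in front of the 192.0.2.0/24 network:
# inbound, only HTTPS to one host is permitted and SSH is explicitly denied;
# outbound, anything originating inside the network may leave.
INTERFACE_ACL: List[Rule] = [
    Rule("in", "permit", "tcp", net("0.0.0.0/0"), net("192.0.2.10/32"), 443),
    Rule("in", "deny", "tcp", net("0.0.0.0/0"), net("192.0.2.0/24"), 22),
    Rule("out", "permit", "any", net("192.0.2.0/24"), net("0.0.0.0/0")),
]


def decide(direction: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Evaluate one packet, given as plain strings, against INTERFACE_ACL."""
    pkt = Packet(direction, proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    return evaluate(INTERFACE_ACL, pkt)


if __name__ == "__main__":
    print(decide("in", "tcp", "203.0.113.5", "192.0.2.10", 443))   # permit
    print(decide("in", "tcp", "203.0.113.5", "192.0.2.10", 22))    # deny, explicit
    print(decide("in", "tcp", "203.0.113.5", "192.0.2.10", 80))    # deny, implicit
    print(decide("out", "udp", "192.0.2.10", "203.0.113.5", 53))   # permit
```

The separate "in" and "out" rule sets are what the quoted sentence refers to; the implicit deny at the end is the property that makes such a list behave as a default-deny filter, and it is also the usual source of surprises when a needed permit rule is missing or ordered after a broader deny.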

Networking ACLs
On some types of proprietary computer hardware (in particular routers and switches),....

I would remove word proprietary. ACLs can be configured on open-source systems - for example Open vSwitch. --Seberm (talk) 21:52, 7 January 2017 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified one external link on Access control list. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20120224213801/http://www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf to https://www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers. — InternetArchiveBot (Report bug) 21:34, 25 June 2017 (UTC)

Disambiguation of "access list"
The term "access list" currently redirects to Access control list. However, the term has a different meaning in MVS/ESA, OS/390 and z/OS. I'm not sure whether to create an access list (disambiguation) page and add a hatnote to Access control list or to simply change the redirect to disambiguation. Shmuel (Seymour J.) Metz Username:Chatul (talk) 15:12, 7 July 2017 (UTC)