ACCESS CONTROL LISTS (ACLs)

Mayank Pandey

Access Control Lists (ACLs) are a fundamental method used in computer systems, networking, and file management to define who or what is allowed to access resources and what operations are permitted on those resources.


🔍 What Is an Access Control List?

An Access Control List (ACL) is a list of rules that define permissions attached to an object (like a file, directory, or network resource). Each rule in the list typically specifies:

  • Subject: who the rule applies to (a user, group, or system).

  • Object: the resource being protected.

  • Permission: the allowed or denied actions (e.g., read, write, execute, delete).


πŸ“ ACLs in Different Contexts

1. File System ACLs (e.g., Windows, Linux)

ACLs define who can access or manipulate a file or folder.

Example (Linux with POSIX ACLs):

setfacl -m u:john:r-- file.txt

➡️ Grants user "john" read-only access to file.txt while leaving everyone else's permissions unchanged. setfacl also adds or recalculates the mask entry (unless told not to with -n) so that the new named entry actually takes effect.

Permissions might include:

  • Read (r)

  • Write (w)

  • Execute (x)

2. Network ACLs (e.g., Routers, Firewalls)

Used to permit or deny traffic based on IP addresses, protocols, or ports.

Example (Cisco-style):

access-list 100 permit tcp any host 192.168.1.10 eq 80

➡️ Allows TCP traffic from any source to host 192.168.1.10 on destination port 80 (HTTP).

Rules can be:

  • Permit: allow traffic

  • Deny: block traffic

ACLs are processed top-down and the first matching rule wins. On Cisco devices every ACL ends with an implicit deny, so traffic that matches no rule is dropped. Rule order therefore matters: a deny placed after a broader permit never fires.

3. Operating Systems or Applications

ACLs are also used in databases, cloud storage (AWS S3 has bucket and object ACLs, although AWS now recommends disabling them and using bucket policies instead), and directory services (Active Directory attaches a DACL to every object) to control access to resources.


On Linux, the getfacl command displays the Access Control List of a file or directory, including the extended entries that ls -l cannot show (ls only marks such files with a "+" after the mode bits).


📘 Syntax

getfacl [options] <file_or_directory>

πŸ” What It Shows

  • Standard permissions (user/group/other)

  • Extended ACL entries, if they exist

  • Default ACLs (for directories)


✅ Example 1: Basic Usage

getfacl file.txt

Output:

# file: file.txt
# owner: alice
# group: developers
user::rw-
user:bob:r--
group::r--
mask::r--
other::---

🧩 Explanation:

  • user::rw- : the file owner (alice) has read and write.

  • user:bob:r-- : the named user "bob" has read access.

  • group::r-- : the owning group (developers) has read access.

  • mask::r-- : upper bound on the permissions of named users, named groups and the owning group; it does not limit user:: or other::. When the mask cuts an entry down, getfacl prints "#effective:" next to that entry.

  • other::--- : everyone else gets nothing.


✅ Example 2: Default ACLs (for directories)

getfacl mydir/

Output might include:

default:user:charlie:rw-

➡️ New files and subdirectories created inside mydir/ inherit an entry granting user "charlie" read/write. The inherited mask is intersected with the group bits of the creation mode, so a file created with mode 0644 ends up with mask r-- and charlie's effective permission is r-- until the mask is widened (getfacl shows this as "#effective:r--").
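To make the mask and default-ACL behaviour concrete, here is a small model of the acl(5) evaluation rules in Python. It is an added example, not code from the original post or from the acl package: it parses getfacl's text output, answers "can this user do X?" the way the kernel does (owner first, then a named user, then any matching group, then other, with the mask applied), and computes the access ACL a new file inherits from a directory's default ACL. The ACL texts, the user names and the 0o644 creation mode are constructed for the example.

```python
"""Model of POSIX.1e ACL evaluation, the rules Linux applies to getfacl/setfacl ACLs.
Added example, not code from the original post: it parses getfacl's text format and
applies the access-check and default-ACL rules from acl(5). The sample ACLs are constructed."""
from dataclasses import dataclass, field
from typing import Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rw-' -> 6; a '-' contributes nothing."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                                 # user::  (file owner)
    group_obj: int = 0                                # group:: (owning group)
    other: int = 0                                    # other::
    mask: Optional[int] = None                        # mask::  (absent on minimal ACLs)
    named_users: dict = field(default_factory=dict)   # user:NAME:perm
    named_groups: dict = field(default_factory=dict)  # group:NAME:perm
    default_acl: Optional["Acl"] = None               # default:* entries (directories only)


def _apply_entry(acl: Acl, entry: str) -> None:
    """Store one 'tag:qualifier:perm' line; '#effective:' annotations are ignored."""
    tag, qualifier, perm = entry.split(":", 2)
    bits = perm_to_bits(perm.split("#")[0])
    if tag in ("user", "group") and qualifier:
        (acl.named_users if tag == "user" else acl.named_groups)[qualifier] = bits
    elif tag in ("user", "group", "mask", "other"):
        setattr(acl, {"user": "user_obj", "group": "group_obj"}.get(tag, tag), bits)
    else:
        raise ValueError(f"unknown ACL entry tag: {tag!r}")


def parse_getfacl(text: str) -> Acl:
    """Parse the output of `getfacl FILE`, access entries and default entries alike."""
    acl = Acl()
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            setattr(acl, line[2:7], line.split(":", 1)[1].strip())
        elif not line or line.startswith("#"):
            continue                                  # '# file:' header, blank lines
        elif line.startswith("default:"):
            acl.default_acl = acl.default_acl or Acl()
            _apply_entry(acl.default_acl, line[len("default:"):])
        else:
            _apply_entry(acl, line)
    return acl


def check_access(acl: Acl, uid: str, groups: list, wanted: str) -> bool:
    """True if `uid` (member of `groups`) holds every permission in `wanted`, e.g. 'rw'.
    acl(5): the first matching class decides, the mask caps all entries except user::
    and other::, and a requester that matches a group entry never falls through."""
    need = perm_to_bits(wanted)

    def masked(bits: int) -> int:
        return bits if acl.mask is None else bits & acl.mask

    if uid == acl.owner:                                         # 1. owner
        return (acl.user_obj & need) == need
    if uid in acl.named_users:                                   # 2. named user
        return (masked(acl.named_users[uid]) & need) == need
    hits = [masked(b) for g, b in acl.named_groups.items() if g in groups]
    if acl.group in groups:                                      # 3. owning/named groups
        hits.append(masked(acl.group_obj))
    if hits:
        return any((h & need) == need for h in hits)
    return (acl.other & need) == need                            # 4. other


def new_file_acl(parent: Acl, mode: int, owner: str, group: str) -> Optional[Acl]:
    """Access ACL a new file inherits in `parent` (acl(5)): copy the default ACL, then
    intersect user::, mask:: (group:: if no mask) and other:: with the owner, group and
    other bits of the creation mode, i.e. the open(2) mode after umask (typically 0o644)."""
    d = parent.default_acl
    if d is None:
        return None                                   # no default ACL: the mode alone applies
    child = Acl(owner, group, d.user_obj & ((mode >> 6) & 7), d.group_obj,
                d.other & (mode & 7), d.mask, dict(d.named_users), dict(d.named_groups))
    if child.mask is not None:
        child.mask &= (mode >> 3) & 7
    else:
        child.group_obj &= (mode >> 3) & 7
    return child


# Constructed sample for file.txt: bob was granted rw-, but the mask caps him at r--.
FILE_ACL = parse_getfacl("# owner: alice\n# group: developers\nuser::rw-\n"
                         "user:bob:rw-\t\t#effective:r--\ngroup::r--\nmask::r--\nother::---\n")

# Constructed sample for mydir/: the default ACL from Example 2 above, plus a default mask.
DIR_ACL = parse_getfacl("# owner: alice\n# group: developers\nuser::rwx\ngroup::r-x\nother::---\n"
                        "default:user::rwx\ndefault:user:charlie:rw-\ndefault:group::r-x\n"
                        "default:mask::rwx\ndefault:other::---\n")
```

Running `check_access(FILE_ACL, "bob", [], "w")` returns False even though bob's entry says rw-, because the mask is r--; `new_file_acl(DIR_ACL, 0o644, "alice", "developers")` yields a file whose mask has been cut to r-- by the creation mode, so charlie's inherited rw- is effectively r--. That is exactly the situation getfacl reports with "#effective:".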


🔧 Tips

  • Use with -R to recurse into directories:

      getfacl -R mydir/
    
  • Combine with setfacl to manage ACLs; saving getfacl -R output to a file and loading it again with setfacl --restore is the standard way to back up or copy ACLs.

✅ How ACLs Work: Step-by-Step

  1. Request: A user or system attempts to access a resource.

  2. Match: The system checks the ACL for rules that match the requester.

  3. Evaluate: The system checks whether the rule allows or denies the requested operation.

  4. Enforce: Access is granted or denied. Network ACLs stop at the first matching rule, so rule order matters. POSIX file ACLs instead select the entry class that matches the requester (owner, then named user, then owning or named groups, then other) and apply the mask, so the order of entries is irrelevant.
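As an added example (not code from the original post or from any vendor), here is the match, evaluate and enforce loop for a Cisco-style extended ACL in Python: it parses a handful of access-list lines in the syntax used above, walks them top-down, stops at the first match, and applies the implicit deny at the end. It also flags shadowed rules, the classic ordering mistake. Apart from the permit-port-80 line taken from the article, the rules and all packets are constructed sample data.

```python
"""First-match evaluation of Cisco-style extended ACLs, modelled in Python.
Added example, not code from the original post: it parses a subset of the access-list
syntax shown above (permit/deny, protocol, any / host / wildcard addresses, optional
`eq PORT`), walks the rules top-down and applies the implicit deny that ends every
Cisco ACL. Rules and packets below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None     # destination port, None for portless protocols


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # from "eq PORT"; None = any port
    text: str                       # original line, kept for audit logging

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.dport in (None, pkt.dport))


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are inverted netmasks (0.0.0.255 -> /24). Non-contiguous
    # wildcards are legal on IOS but are not networks; ipaddress rejects them here.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_rule(line: str) -> Rule:
    """access-list NUMBER permit|deny PROTO SRC DST [eq PORT]"""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Rule(action, proto, src, dst, dport, line)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Top-down, first match wins. No match: implicit deny, reported with rule None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because a single earlier rule already matches
    everything they match (a sufficient check, not a full overlap analysis). This is how a
    deny placed after 'permit ... any' silently stops working."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and earlier.src.supernet_of(later.src)
                    and earlier.dst.supernet_of(later.dst)
                    and earlier.dport in (None, later.dport)):
                dead.append(j)
                break
    return dead


# Constructed sample ACL; the second line is the rule from the article.
RULES = [parse_rule(line) for line in """
access-list 100 deny   tcp host 10.0.0.99 host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.1.10 eq 80
access-list 100 permit tcp any host 192.168.1.10 eq 443
access-list 100 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.53 eq 53
""".strip().splitlines()]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", "192.168.1.10", 80),
                Packet("tcp", "10.0.0.99", "192.168.1.10", 80),
                Packet("tcp", "203.0.113.5", "192.168.1.10", 22)):
        action, rule = evaluate(RULES, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {action}  ({rule.text if rule else 'implicit deny'})")
    print("shadowed rules:", shadowed(RULES))
```

With the rules in the order shown, 10.0.0.99 is denied on port 80 while every other source is permitted, SSH to the web server hits the implicit deny, and `shadowed(RULES)` is empty. Swapping the first two lines makes the deny unreachable, and `shadowed` reports it.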


🔄 ACL vs. Role-Based Access Control (RBAC)

Feature     | ACL                        | RBAC
------------|----------------------------|---------------------------
Focus       | Object-based permissions   | Role-based permissions
Flexibility | Fine-grained               | Easier to manage for orgs
Complexity  | Can get complex with scale | Scales better with roles

🧠 Summary

  • ACLs are lists of permissions applied to resources.

  • They define who can do what with a resource.

  • Used in file systems, networks, apps, and more.

  • Network ACLs are processed in order and the first matching rule decides; file-system ACLs select the entry by who is asking and apply the mask.

  • Good for fine-grained control, but can become hard to manage at scale.
