Publication Title

ACM Operating Systems Review


Department of Computer Science


Historically and currently, access control and authentication are managed through ACLs. Examples include:

• the list of users in /etc/passwd, the NIS passwd map, or an NT domain

• permissions on Unix files or ACLs on NT objects

• a list of known hosts in .ssh/known_hosts

• a list of IP addresses in .rhosts (for rsh) or .htaccess (http)

The limitations of ACLs always cause problems when spanning administrative domains (and often even inside administrative domains). The best example is the inability to express transitive sharing. Alice shares read access to object X with Bob (but not access to X’s ACL), and Bob wants to share some of it with Charlie. Bob can share all of it by giving up his identity. He can share part of it by copying it or acting as an “access oracle” to X. All three mechanisms, however, undermine the underlying security model.



Original Citation

Jon Howell and David Kotz. Restricted delegation: seamlessly spanning administrative boundaries. In ACM Operating Systems Review, April 2000. 10.1145/346152.346268