Document Type

Article

Publication Date

4-2000

Publication Title

ACM Operating Systems Review

Department

Department of Computer Science

Abstract

Historically and currently, access control and authentication are managed through ACLs. Examples include:

• the list of users in /etc/passwd, the NIS passwd map, or an NT domain

• permissions on Unix files or ACLs on NT objects

• a list of known hosts in .ssh/known_hosts

• a list of IP addresses in .rhosts (for rsh) or .htaccess (HTTP)

The limitations of ACLs always cause problems when spanning administrative domains (and often even inside administrative domains). The best example is the inability to express transitive sharing. Alice shares read access to object X with Bob (but not access to X’s ACL), and Bob wants to share some of it with Charlie. Bob can share all of it by giving up his identity. He can share part of it by copying it or acting as an “access oracle” to X. All three mechanisms, however, undermine the underlying security model.

DOI

10.1145/346152.346268

Original Citation

Jon Howell and David Kotz. Restricted delegation: seamlessly spanning administrative boundaries. In ACM Operating Systems Review, April 2000. 10.1145/346152.346268
