Unix has [[ACM representation#Access control lists (ACLs)|ACLs]] for every resource. But, for fast access, it does not check the ACL for every read and write operation. In Unix, files abstract all types of resources, including processes. We collect access control information for each file and store as file metadata. >Memory was a problem in the early days. Hence, the ACLs were very compact with a total of 9 bits. ![[attachments/UNIX.png]] The total nine bits - Three bits for *r*, *w*, and *x* permissions. If the bit is set/on, the permission is granted. Command to set/unset access bits `chmod` - Permissions defined for owner, group and others - Check on `open(F, mode)` call only which returns a file descriptor *fd*. So, if you want to access a file, you have to open it. - F = file, mode = how the file will be read by you (read, write, execute) - The OS has a data structure called **Inode table**. OS tries to find the file control block (or *inode*) for the file. The inode also stores metadata of the file, including the ACL. >[!Note] When user starts to read, it creates a *fd* → *fd* is used to index the *Open file table* → *Open file table* has a pointer to the *Inode* → *Inode* points to the metadata that allows the user to read ## Extended ACLs > Having only 9 bits for access control does not enable a fine grained access control. Most UNIX descendants now support extended ACLs, to allow a full fledged ACL. ![[attachments/Screenshot 2023-06-08 at 6.35.21 PM.png]] Generally, ACL is a linked list, where each block in the list is an Access Control Entry (ACE). There are different types of access control entries (ACEs) in the ACL. There are entries for the owner and non-owner named users. You can simplify the ACL by grouping users. There is the owning group and named groups. There are other users which are not explicitly given in a user or group. We also have masks which let us modify the permissions for all users. ### Access check algorithm Process $P$ makes a request for object $O$ ```C 1: if the user-id of P is the owner of O 2: owner entry decides access; 3: elseif user-id of P matches a named user in ACE 4: named user entry decides access; 5: elseif one of the group-id of P matches the owning group and the owning group entry includes the requested permission 6: this entry decides access; 7: elseif one of the group-id of P matches one of the named group entries and this entry contains the requested permission 8: this entry decides access; 9: elseif one of the group-id of P matches the owning group or any of the named group entries but neither the owning or matching named group entries contains the requested permission 10: access is DENIED; 11: else the other entry decides access; 12: if matching entry resulting from above selection is the owner or other entry, and it contains the requested permission 13: access is GRANTED; 14: elseif the matching entry is a named user, owning group or a named group, and the entry contains the permission 15: access is GRANTED; 16: else access is DENIED; ``` Sequentially, access is granted/denied with the access corresponding to the following entry match: 1. $P$ is the *owner* of object $O$ → *owner* entry decides access 2. $P$ is a *named user* in ACE → *named user* entry decides access 3. $P$ belongs to an *owning group* and this owning group has the requested permissions → *owning group* entry decides access 4. $P$ belongs to a *named group* and the corresponding entry has the requested permissions → *named group* entry decides access 1. $P$ belongs to an *owning group* and a *named group*, but neither has the requested permissions → *Denied* access 5. The *other* entry decides access Is access granted or denied? 1. If matching entry is *owner* or *other* and it contains required permissions → Granted 2. If matching entry is a *named user*, *owning group*, or a *named group*, and the entry contains permissions → Granted 3. Else → Denied >In short, we find the user’s user ID and group ID in the ACL. If they match with *owner*, *named user*, *owning group*, *named group*, or *other*, we check corresponding permissions. If permissions have requested permissions, grant access. Else, deny.