Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site linus.UUCP
Path: utzoo!linus!jjg
From: jjg@linus.UUCP (Jeff Glass)
Newsgroups: net.unix-wizards
Subject: implementing access control lists in 4.2bsd
Message-ID: <425@linus.UUCP>
Date: Sun, 16-Jun-85 00:12:59 EDT
Article-I.D.: linus.425
Posted: Sun Jun 16 00:12:59 1985
Date-Received: Sun, 16-Jun-85 08:42:33 EDT
Reply-To: jjg@linus.UUCP (Jeff Glass)
Distribution: net
Organization: The MITRE Corporation, Bedford, MA
Lines: 43
Keywords: ACL, DAC

I would like to ask for your comments on a mod I made recently on our 4.2bsd system (on a 750).

Since here at MITRE we have many users who are also Multics users, a frequent disparagement of UNIX is that it only has owner-group-other control on files, whereas Multics has access control lists, which are much more flexible. So, I implemented access control lists in UNIX.

The implementation allows up to 8 entries in an access control list. An entry may be either for a specific user or for a group. The user or group may be granted any (or none) of the read-write-execute permissions. The owner of the file (or the superuser) can set the access control list. This is in addition to the conventional user-group-other control. The chmod system call and program are unchanged.

The changes to the kernel were very minor: two new system calls were added to get and set the access control list for a file; the access() routine was modified to use the access control list in addition to the user-group-other control; and the routines to create files and directories were trivially modified to clear the access control list for the new file. Also, the login program was modified to clear the ACL on the terminal line.

The access control list is stored in the inode, in what was the ic_spare field. I know that this is reserved for future use, but this was an experiment, so I felt that I could try it and see how it works. Anyway, I don't know what I would have to do to increase the inode size.

This has been running at our site for a month, with good results. No problems have been found yet.

If you are interested, I would be glad to send you the diffs to the kernel code and the sources of the programs to list and modify the access control lists of files. In any case, I would like to hear your comments and suggestions.

/jeff
security!jjg@mitre-bedford.ARPA (MIL)
{allegra,ihnp4,utzoo,philabs,uw-beaver}!linus!security!jjg (UUCP)
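One way the modified access() check described in the post could combine the conventional mode bits with an 8-entry per-inode ACL, as an added C illustration that is not Jeff's code; the struct and function names, the union rule (access is granted if either the mode bits or a matching ACL entry grants every requested bit) and the group-list handling are assumptions:

```c
/* Constructed example: an access() check combining 4.2BSD mode bits with an
 * 8-entry ACL. The union rule below (either source may grant) is an assumption. */
#include <stdbool.h>

#define ACL_MAX   8        /* entry limit stated in the post */
#define ACL_USER  1
#define ACL_GROUP 2
#define R 4
#define W 2
#define X 1

struct acl_entry { int kind; unsigned id; unsigned perm; };  /* kind 0 = unused slot */

struct file_sec {                     /* the inode fields that matter here */
    unsigned uid, gid, mode;          /* owner, group, 9 rwx bits (e.g. 0640) */
    struct acl_entry acl[ACL_MAX];    /* stands in for the ic_spare storage */
};

struct cred { unsigned uid; unsigned groups[16]; int ngroups; };  /* 4.2BSD group list */

static bool in_groups(const struct cred *c, unsigned gid)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Conventional rule: the single class the caller falls in decides. */
static unsigned mode_perm(const struct file_sec *f, const struct cred *c)
{
    if (c->uid == f->uid)     return (f->mode >> 6) & 7;
    if (in_groups(c, f->gid)) return (f->mode >> 3) & 7;
    return f->mode & 7;
}

/* Returns true if every bit in 'want' (R|W|X) is granted to the caller. */
bool acl_access(const struct file_sec *f, const struct cred *c, unsigned want)
{
    if (c->uid == 0) return true;                       /* superuser bypass */
    if ((mode_perm(f, c) & want) == want) return true;  /* user-group-other */
    for (int i = 0; i < ACL_MAX; i++) {                 /* then the ACL entries */
        const struct acl_entry *e = &f->acl[i];
        bool match = (e->kind == ACL_USER  && e->id == c->uid) ||
                     (e->kind == ACL_GROUP && in_groups(c, e->id));
        if (match && (e->perm & want) == want) return true;
    }
    return false;
}
```

Under this union rule an entry that grants nothing cannot take away what the mode bits already allow, so a reviewer of such a design should confirm which combination rule is intended. Under Multics-style semantics the first matching entry would decide instead.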