Question

in ACL (access control List) : 1.How do you determine who can access object x? 2. How do you determine which objects user y can access? 3. What happens if a file is deleted?

Answer 1

In the Access Control List (ACL),

1) How it is determined who can access object x:
The privileges or permissions determine specific access rights, such as if a user is allowed to read from, write to, or execute object x. ACL also goes through a list of permissions attached to the object. It specifies which users or system processes are granted access to objects. A typical ACL would have entries, where each entry specifies a subject and an operation. There is a mapping of subjects (users or processes) to a certain set of operations performed on specific pre-determined objects (files, processes; functions, variables that are within a program, and system resources such as servers, printers, etc.). It determines who has access to object x, or specific files, or other system resources in general.

As a process, a subject sends a request to access an object. The subject sends this request to a reference monitor which is implemented by security kernel, Trusted Computing Base (TCB). All access to objects is mediated by or goes through the TCB. Reference monitor checks the mapping of subject to the operations it can perform on a specific object, say, x, ensuring if it is allowed or denied or simply authorized to perform the requested operation based on prior approval, and later based on its setup or configuration.

Also, an authentication mechanism is also required to determine who could access object x, determining if a user is allowed to access the system at all in the first place.

2) How it is determined which objects user y can access:
Each object comes with a security attribute of its own identifying its ACL. This list has an entry for each system user (subject), say, y, with access privileges.

Each ACL has one or more Access Control Entries (ACEs) consisting of the name of a user, say, y. For each of these users, the access privileges are defined in a string of bits called an access mask. A system administrator or the object owner creates the access control list for an object and defines the objects, subjects, objects' access to these subjects, and the type of access. Also, each object is associated with a security attribute identifying its ACL. The ACL model is applicable to both, individual entities and the collection of objects. The ACL has one list per object showing all subjects with access and their rights.

3) What happens if a file is deleted:
When a file or an object is deleted, its associated or discretionary control access list is also deleted.