Access Control List. Basically, extended permissions. Some modern Unixes (Linux, UW, and others) have extended the permissions model. This requires new commands beyond chmod, and may be limited to certain types of filesystems. For example, on Red Hat Linux 7, the "chattr +i file" command makes "file" unchangeable and not able to be deleted: "immutable", even by its owner (the owner can, of course, "chattr -i file" to undo this). This can really help in preventing accidental removal of files, but it can be very confusing for users who aren't even aware that such attributes exist. Mac OS X and BSD systems add a "system immutable" bit, which, once set, can only be undone in single user mode. That effectively prevents changes even if the attacker has somehow already gained root (assuming that they are unable to bring the machine to single user mode). On other Unixes, these types of things may be handled by "setacl" commands; check your man pages for details. Sometimes there can be multiple levels: Mac has both chflags and SetFile, which do different things.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2011-07-05 Tony Lawrence