Discretionary access control
Discretionary access control (DAC) is a fundamental access control policy in computer security systems, where the owner of a resource—such as a file, directory, or device—has the discretion to determine which other users or processes (subjects) can access it and what specific operations they may perform, such as reading, writing, or executing.[1] This model contrasts with more rigid approaches by decentralizing authority to resource owners rather than a central administrator, enabling flexible permission management based on access control lists (ACLs) or capability lists.[1] DAC was formally defined in the U.S. Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, published in 1985, which established it as a core requirement for systems evaluated at C-level security. In practice, DAC is widely implemented in modern operating systems to enforce user-level security. For instance, Unix-like systems use file permission bits (e.g., owner, group, and others with read/write/execute flags) as a simple form of DAC, allowing file owners to set access rights via commands like[chmod](/page/Chmod).[2] Similarly, Microsoft Windows employs ACLs in the NTFS file system, where owners can grant or revoke permissions to specific users or groups through tools like the Security tab in file properties.[3] These mechanisms support delegation, where owners can propagate rights to others, but they also introduce risks like privilege escalation if owners are compromised.[2]
Compared to mandatory access control (MAC), DAC offers greater usability and adaptability for non-classified environments but provides less assurance against unauthorized data flows, as it relies on user decisions rather than system-enforced labels like security clearances.[4] MAC, as outlined in TCSEC's B-level criteria, restricts subjects from altering access rules, making it suitable for high-security settings like government systems.[5] While DAC dominates commercial operating systems due to its simplicity, hybrid models combining DAC with MAC or role-based access control (RBAC) are common in enterprise environments to balance flexibility and security.[6] Despite its prevalence, DAC's vulnerabilities to Trojan horses and insider threats have driven ongoing research into more robust variants.[7]
Fundamentals
Definition
Discretionary access control (DAC) is a security mechanism that restricts access to objects, such as files or resources, based on the identity of subjects—typically users or processes—and the groups to which they belong, with permissions explicitly set by the object's owner.[1] In this model, the owner has the authority to determine who can access the object and what operations they may perform, enabling flexible management of resources within a system.[8] The core components of DAC include subjects, which are active entities like users or executing processes that initiate access requests; objects, which are passive entities such as files, directories, or devices that hold protected information; and access rights, which specify allowable operations like read, write, execute, or delete.[9] These rights are typically represented through structures like access control lists (ACLs) or capabilities, allowing owners to grant permissions directly.[10] The "discretionary" nature of DAC arises from the owner's ability to freely grant, revoke, or delegate permissions to other subjects without interference from centralized system-wide policies, in contrast to non-discretionary models that enforce fixed rules regardless of owner decisions.[1] This includes mechanisms for permission inheritance or propagation, where a subject with access can pass those rights to others, promoting user-driven sharing while relying on the owner's judgment for security.[8]Key Principles
Discretionary access control (DAC) operates on the principle of ownership, whereby the creator of an object or a designated owner holds full authority to determine and modify access permissions for that object. This ownership grants the owner the exclusive right to specify who may access the object and what operations—such as read, write, or execute—they can perform, ensuring that control remains decentralized and user-driven.[8] In practice, this means the owner can alter permissions at any time without requiring system-wide approval, reflecting the model's emphasis on individual discretion over resources.[11] A core mechanic of DAC is permission propagation, which allows owners to delegate rights to other users or subjects, enabling transitive granting of access. For instance, if user A, the owner, grants read access to user B, user B may then further grant read access to user C, provided the initial delegation includes the ability to propagate permissions. This delegation fosters flexibility in collaborative environments but requires careful management to prevent unintended access chains. The process is governed by the owner's initial authorization, ensuring that all propagated rights trace back to the original discretionary decision.[1][11] The access decision process in DAC relies on matching the requesting subject's identity against the object's permission set to determine authorization. When a subject attempts to perform an operation on an object, the system checks if the subject's identity (or associated group/role) appears in the permission list with the requisite right; if it matches, access is granted, otherwise denied. This evaluation occurs dynamically for each request, without invoking external policies beyond the owner's specifications. Building on subjects and objects as fundamental entities, this process ensures decisions are localized to the object's protection attributes.[8][11] DAC supports varying levels of granularity in permission assignment, allowing owners to apply controls at the level of individual users, groups, or roles, all under their discretionary authority. For example, an owner might grant read access to a specific user, while providing write access to an entire group, enabling tailored security without rigid hierarchies. This flexibility accommodates diverse organizational needs but maintains owner oversight as the unifying constraint.[8] Unlike mandatory access control models, DAC imposes no system-enforced security labels, such as classification levels, that could override owner decisions. Access rights are determined solely by the owner's choices, free from centralized mandates on sensitivity or clearance, which distinguishes DAC's permissive nature from more restrictive paradigms.[1][8]Historical Development
Origins in Computing
The roots of discretionary access control in computing emerged during the 1960s with the development of multi-user time-sharing systems, particularly Multics, a collaborative project involving MIT, Bell Labs, and General Electric starting in 1965. In Multics, file protection mechanisms allowed object owners to specify access permissions, marking an early shift toward owner-controlled sharing in environments where multiple users needed to collaborate on resources without centralized administrative oversight. These mechanisms used access control lists (ACLs) attached to segments (files or procedures), where owners could define precise access modes—such as read (r), write (w), or execute (e)—for specific users or groups, enabling flexible yet controlled information sharing while maintaining user isolation.[12] This approach was motivated by the limitations of earlier batch processing systems, which enforced rigid, non-collaborative access and lacked support for dynamic multi-user interactions prevalent in academic and research environments of the time. Multics designers sought to balance security with usability, allowing users to share files selectively for productivity in shared computing resources, a necessity as computers transitioned from single-user batch jobs to interactive time-sharing capable of supporting dozens of simultaneous users. The system's hierarchical structure further empowered directory owners to propagate access controls to contained objects, fostering an ecosystem of discretionary decisions that contrasted sharply with the inflexible hardware-enforced protections of prior systems.[12] A pivotal practical implementation arrived in the 1970s with Unix, developed at Bell Labs by Ken Thompson and Dennis Ritchie, building directly on lessons from Multics after Bell Labs withdrew from that project in 1969. Early versions of Unix, such as Version 1 in 1971, introduced a simplified discretionary permission model using protection bits on files: six bits controlled read, write, and execute access separately for the file owner and for all other users, with files automatically owned by their creator. This owner-centric design allowed users to set permissions via commands like chmod, enabling straightforward sharing in a multi-user setting without the complexity of full ACLs, though group permissions were added in later releases around 1973 to support project-based collaboration.[13] Theoretical underpinnings for these developments were formalized in the influential 1975 paper by Jerome H. Saltzer and Michael D. Schroeder, which analyzed protection mechanisms and advocated for discretionary controls as essential for usability in complex systems. The authors defined discretionary access as one where the object's creator could alter authorizations, contrasting it with rigid mandatory schemes, and emphasized principles like economy of mechanism and least privilege to make owner-set permissions practical and less error-prone in multi-user contexts. Their work, drawing from Multics experiences, highlighted how discretionary models facilitated intuitive resource management, influencing subsequent operating system designs by prioritizing user autonomy over centralized enforcement.[14]Evolution and Standards
The formalization of discretionary access control (DAC) began in the mid-1980s with the publication of the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, by the U.S. Department of Defense in December 1985.[5] This standard established a framework for evaluating computer system security, defining DAC requirements at the C1 (Discretionary Security Protection) and C2 (Controlled Access Protection) evaluation levels.[5] At C1, systems must implement owner-discretionary protections to restrict access to objects based on user identity, while C2 extends this with mandatory audit capabilities to log security-relevant events, ensuring accountability in DAC enforcement.[5] In the 1990s, the National Institute of Standards and Technology (NIST) advanced access control standardization, notably through the development of role-based access control (RBAC) models, which, although distinct from pure DAC, influenced hybrid approaches by enabling DAC to coexist with role assignments for more scalable user-controlled permissions.[6] NIST's RBAC efforts, formalized in a proposed standard by 2001, demonstrated how RBAC could simulate DAC mechanisms, fostering integrations in enterprise systems.[15] Complementing this, Federal Information Processing Standard (FIPS) 188, issued in September 1994, introduced standardized security labels for information transfer over networks, incorporating permissive and restrictive bit maps that support DAC-like owner-defined access policies by allowing tailored attribute-based restrictions.[16] Internationally, the adoption of ISO/IEC 15408, known as the Common Criteria for Information Technology Security Evaluation, marked a key milestone in the 1990s, providing a harmonized framework across multiple countries for assessing IT security.[17] First published in 1999 and iteratively updated, the standard incorporates DAC as a core security functional requirement in Part 2, evaluating systems for owner-controlled access enforcement within various assurance levels (EAL1 to EAL7).[18] This enables certification of products implementing DAC mechanisms, ensuring interoperability and compliance in global deployments.[19] Post-2000, DAC has adapted to cloud computing environments through hybrid models that blend user-controlled access with attribute- and policy-based enhancements, as outlined in NIST guidelines.[20] For instance, NIST Special Publication 800-146 (2011) highlights DAC integration via standards like XACML for policy specification in infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) models, retaining core owner discretion while addressing scalability in distributed systems.[21] Similarly, NIST SP 800-210 (2020) recommends hybrid access control architectures for cloud systems, where DAC principles underpin user-managed permissions alongside mandatory elements for multi-tenant security.[20] These evolutions maintain DAC's flexibility for modern applications like software-as-a-service (SaaS), emphasizing standards-compliant hybrids to balance control and compliance.[20]Access Control Mechanisms
Access Control Lists
Access control lists (ACLs) serve as a core mechanism for implementing discretionary access control by associating permissions directly with protected objects. Each object, such as a file or resource, maintains its own ACL, which is a structured list of access control entries (ACEs). Each ACE typically specifies a subject—often a user identifier or group—along with the granted access rights, such as read (r), write (w), or execute (x), and may include optional conditions like time-based restrictions or propagation rules. This per-object approach allows fine-grained control, where the ACL represents a column of the abstract access control matrix, listing authorized principals and their privileges for that specific object.[22][11][8] The creation and management of ACLs are controlled by the object's owner, who holds discretionary authority to add, modify, or remove entries, thereby propagating access rights as needed. Owners can grant permissions using commands that verify their ownership before updating the list, supporting both individual users and groups for scalability. Permissions may propagate to child objects through inheritance mechanisms, such as copying ACL entries during object creation or using reference-based defaults that link to a parent object's ACL without duplication. This owner-driven process ensures that access evolves with the object's lifecycle, though it relies on explicit administrative actions to maintain consistency.[11][8] To evaluate an access request, the system scans the target's ACL sequentially for a matching entry based on the requesting subject's identity, granting access if the entry includes the desired right; otherwise, access is denied by default to enforce a fail-safe principle. This algorithm prioritizes explicit allowances, resolving conflicts by the order of entries or predefined rules, such as group precedence over individual matches. In practice, this evaluation occurs at mediation points, like file system calls, ensuring every access is checked against the current ACL state.[11][8] A representative implementation is found in POSIX ACLs, which extend traditional Unix file modes by allowing multiple user and group entries beyond the basic owner-group-other triad. For instance, an ACL might be expressed in text form asuser::rwx, user:[alice](/page/Alice):r-x, group::r--, [mask](/page/Mask)::r-x, other::---, where the mask limits effective permissions for named entries, providing nuanced control while maintaining compatibility with simpler mode bits. This syntax, viewable via tools like getfacl, enables discretionary assignments like granting read access to a specific user without altering broader group rights.[23]
Revocation in ACLs requires explicit removal of matching entries by the owner, which is straightforward for targeted changes but poses challenges when subjects are altered, such as a user departing an organization, necessitating scans across all relevant objects to avoid lingering access. This can lead to dangling references if not systematically managed, potentially exposing resources to former subjects until cleaned up, and highlights the administrative overhead in large-scale systems where propagation amplifies the scope of updates.[11][8]
Capability-Based Systems
In capability-based systems, access rights are managed through unforgeable tokens known as capabilities, which are held by subjects and reference specific objects while specifying the permitted operations, or rights, on those objects. These tokens combine an object identifier—such as a unique pointer or address—with a set of access rights, like read, write, or execute, ensuring that possession of the capability alone authorizes the action without requiring further identity checks. This subject-side approach contrasts with object-centric models by localizing permissions to the holder, promoting portability and reducing reliance on centralized enforcement.[24] Capabilities are issued by the owner of an object, typically through system primitives that create or allocate the token and add it to the subject's capability list (C-list). For instance, in the foundational model, meta-instructions like "create segment" generate initial capabilities with full ownership rights, while "grant" allows the owner to issue copies to other subjects. Delegation occurs by passing these capabilities, often with attenuation—restricting the rights to a subset of the original (e.g., granting read-only instead of read-write)—to enable controlled sharing without escalating privileges. This process supports the discretionary propagation principle, where subjects decide how to distribute access. Revocation is handled through methods like direct deletion from a recipient's C-list or indirection, where capabilities point to a master list or directory that can be invalidated (e.g., by incrementing a version number or removing the target entry), addressing challenges from widespread propagation without immediate global invalidation. Expiration mechanisms, such as time-bound tokens, further aid revocation in propagated scenarios.[24] These systems excel in distributed environments by enabling fine-grained access without constant queries to a central authority, as capabilities serve as self-contained, context-independent proofs of right that can be transmitted across networks. Uniform naming and dynamic sharing reduce overhead in multiprocessor or networked setups, while inherent unforgeability—enforced via hardware tags or cryptographic seals—enhances security in decentralized delegation chains. Seminal examples include the 1966 model by Dennis and Van Horn, which introduced capabilities as a semantic foundation for multiprogrammed systems using C-lists for protection spheres. Practically, KeyKOS, developed in the 1980s, implemented pure capability-based protection on IBM mainframes, where "keys" as authority tokens allowed domains to invoke objects via messages, supporting persistent, secure sharing in commercial services.[24][25]Practical Implementations
In Operating Systems
Discretionary access control (DAC) in operating systems enables resource owners, such as file creators, to specify and manage access permissions for users and groups, forming the core mechanism for securing files, directories, and processes at the kernel level. This owner-driven model contrasts with centralized policy enforcement by relying on user-configurable rights, typically checked during system operations to prevent unauthorized access. In modern OS environments, DAC integrates with file systems to support both basic and advanced permission structures, ensuring flexibility while maintaining security boundaries. In Unix-like operating systems such as Linux, DAC is fundamentally implemented through file permission bits that assign read (r), write (w), and execute (x) rights separately to the file owner, the owner's group, and all other users, conventionally represented in an octal or symbolic notation likerwxrwxrwx. These permissions allow the owner to discretionarily control who can view, modify, or execute files, with the kernel evaluating the effective user ID of a process against these bits during access attempts. This model, inherited from early Unix designs, provides a simple yet effective DAC framework for local file systems like ext4.[26]
Linux extends these basic permissions with access control lists (ACLs) to offer finer-grained control, supporting POSIX ACLs on file systems like ext4 when mounted with ACL support, and NFSv4 ACLs for networked environments that align more closely with Windows-style permissions by allowing allow/deny rules for specific users or groups. NFSv4 ACLs, for instance, provide richer semantics than traditional POSIX modes, enabling inheritance and auditing flags while preserving the discretionary nature of owner-managed access. These extensions maintain backward compatibility with standard permission bits but allow for complex scenarios, such as per-user read access on shared directories.[27][28][29]
In Windows operating systems, DAC is enforced via the NTFS file system using security descriptors that encapsulate discretionary access control lists (DACLs), which consist of access control entries (ACEs) tied to security identifiers (SIDs) representing users, groups, or system principals. These descriptors support explicit allow or deny permissions for actions like read, write, or delete, with inheritance rules propagating settings from parent directories to children, allowing owners to manage access hierarchically. SIDs ensure precise identification in domain environments, making NTFS ACLs a cornerstone of Windows DAC for both local and networked file access.[30][31]
macOS adopts a hybrid DAC approach, building on its Unix heritage with POSIX permission bits for owner, group, and others, augmented by extended ACLs that permit detailed, per-entry controls for multiple users and groups on file systems like APFS and HFS+. These ACLs, managed alongside standard permissions, enable granular rights such as read-only access for specific individuals, enhancing flexibility without overriding owner discretion. Additionally, macOS incorporates quarantine extended attributes, tagging downloaded files with com.apple.quarantine to prompt user verification before execution, thereby integrating discretionary security checks into the file access model.[32][33]
At the kernel level, DAC enforcement occurs during system calls, such as the open() call in Unix/Linux kernels, where the kernel verifies the process's effective user ID or group ID against the resource's permissions before granting a file descriptor, denying access if the check fails. This pre-access validation ensures that discretionary rules are upheld transparently across operations like reading or writing files. In Windows, similar checks happen via the security reference monitor during handle creation.[34]
The setuid (set user ID) bit in Unix/Linux systems exemplifies controlled privilege escalation under DAC, allowing an executable to run with the file owner's effective user ID—often root—rather than the caller's, enabling tasks like password changes while confining elevated access to the program's scope as defined by the owner. This mechanism balances flexibility with risk, as improper use can lead to vulnerabilities, but it remains a standard DAC feature for administrative utilities.[35]
Owners configure DAC permissions using dedicated tools, such as the chmod command in Unix/Linux to modify permission bits symbolically (e.g., chmod u+rwx file) or octally (e.g., chmod 755 file), directly altering owner, group, or other rights on files and directories. In Windows, the icacls utility enables similar discretionary changes by granting, revoking, or displaying ACL entries for specified SIDs, such as icacls file.txt /grant Users:RX, supporting inheritance and propagation options for efficient management. macOS leverages chmod for both POSIX and ACL adjustments, with flags like -N to remove ACLs if needed.[36]
In Network and Database Systems
In network file systems, discretionary access control (DAC) extends owner-defined permissions across distributed environments, allowing file owners to specify access rules that propagate to remote clients. The Network File System version 4 (NFSv4) implements DAC through Access Control Lists (ACLs) and permission bits, where owners set granular read, write, and execute permissions based on user identities, checked during operations like file creation or access. These ACLs are stored on the server and applied consistently across machines, enabling permission propagation without requiring local modifications on clients, though servers may override client-proposed attributes for policy compliance.[37] Similarly, Samba facilitates DAC interoperability between Unix and Windows systems by mapping Windows ACLs to Unix extended attributes, allowing owners to manage permissions via Windows tools while storing them in filesystem xattrs for cross-platform enforcement.[38] In database systems, DAC is enforced through owner-controlled privilege management, where database object owners grant and revoke access to tables, views, and other resources. The SQL standard's GRANT and REVOKE statements form the core mechanism, enabling owners to assign privileges such as SELECT, INSERT, UPDATE, or DELETE to specific users or roles, with the optional WITH GRANT OPTION allowing recipients to further delegate those privileges. For instance, an owner might executeGRANT SELECT ON table_name TO user_role; to permit read access, or revoke it via REVOKE SELECT ON table_name FROM user_role;, which cascades to remove any delegated privileges. PostgreSQL adopts this DAC model, where the object creator becomes the owner and can grant privileges on tables and views to users or roles, ensuring fine-grained control while integrating with its role-based extensions for broader delegation.[39]
In web and cloud environments, DAC manifests through owner-managed sharing mechanisms that allow resource creators to define access for external users or services. Amazon Web Services (AWS) S3 bucket policies and ACLs enable bucket owners to grant read or write permissions to specific AWS accounts, groups, or the public, providing discretionary control over object access without altering underlying storage. For example, an owner can set an ACL to allow read access to a predefined group while retaining full ownership. Google Cloud Storage employs similar ACLs, where object owners permanently hold OWNER permissions and can assign READER or WRITER scopes to users, groups, or domains, facilitating owner-set sharing links that extend to consumer services like Google Drive for collaborative file access.[40]
Distributed and replicated systems introduce challenges to DAC implementation, particularly in synchronizing permissions across nodes and mitigating over-sharing risks. In federated environments, maintaining consistent ACLs during replication requires coordinated policy updates, as independent systems may diverge, leading to unauthorized access if synchronization fails. Over-sharing arises from decentralized decision-making, where owners' permissive grants in one domain can propagate unintended data exposure in replicated copies, complicating auditing and increasing vulnerability in non-centralized flows.[41]
Kerberos tickets incorporate DAC elements in network authentication by embedding user and device claims that inform resource-level authorization decisions. In NFS deployments, Kerberos provides strong mutual authentication via encrypted tickets, after which NFSv4 applies DAC through ACLs to authorize file access based on the authenticated identity, ensuring owner-defined permissions govern operations across the network.[42][43]