Secure systems management

US 20060265597A1
Filed: 05/19/2005
Published: 11/23/2006
Est. Priority Date: 05/19/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus implemented in a computer system, comprising:

a first interface to receive a request from a user process to make a change to a system;

a provider process to make the change to the system;

an authentication module to authenticate a user responsible for the user process;

a user ID (UID) determiner to determine a UID for the user; and

a second interface to assign the UID to the provider process.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To effect a change to the system, a user process makes a request. An interface receives the request, and attempts to authenticate the user. Assuming the user is authenticated, the interface determines the user'"'"'s UID. The interface determines a provider process that can make the requested change, and forwards the request to the provider process. The interface also assigns the user'"'"'s UID to the provider process'"'"'s eUID. The provider process then attempts to make the change, provided the change can be made given the eUID assignment. The provider process then attempts to run under the new eUID, enabling the system to prohibit it from doing something that is not authorized for that user. This protects the system from inadvertently executing management operations by one provider process that is not expected or intended by the user of another provider process.

22 Citations

View as Search Results

25 Claims

1. An apparatus implemented in a computer system, comprising:
- a first interface to receive a request from a user process to make a change to a system;
  
  a provider process to make the change to the system;
  
  an authentication module to authenticate a user responsible for the user process;
  
  a user ID (UID) determiner to determine a UID for the user; and
  
  a second interface to assign the UID to the provider process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. An apparatus according to claim 1, wherein the second interface is operative to forward the UID to the provider process.
  - 3. An apparatus according to claim 2, wherein the second interface is operative to change an effective UID of the provider process to the UID.
  - 4. An apparatus according to claim 3, wherein the second interface is operative to change the effective UID of the provider process to a root UID to enable the provider process to communicate with the first interface.
  - 5. An apparatus according to claim 2, wherein the second interface is further operative to forward the request to the provider process.
  - 6. An apparatus according to claim 1, wherein the provider process is designed to determine if the user process included a permission necessary to make the change to the system.
  - 7. An apparatus according to claim 6, wherein the provider process is further designed to reject the change if the user process lacked the permission.
  - 8. An apparatus according to claim 7, wherein the provider process is further designed to reject the change without causing the provider process to fail.
  - 9. An apparatus according to claim 1, further comprising a client, including the user process requesting the change to the system.

10. A computer-implemented method, comprising:
- receiving a request from a user process to make a change to a system;
  
  authenticating a user responsible for the user process;
  
  determining a user ID (UID) for the user;
  
  forwarding the request to a provider process to make the change to the system; and
  
  assigning the UID to the provider process.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. A method according to claim 10, wherein assigning the UID to the provider process includes forwarding the UID to the provider process.
  - 12. A method according to claim 10, wherein assigning the UID to the provider process includes setting an effective UID for the provider process to the UID.
  - 13. A method according to claim 10, wherein:
    - receiving a request includes receiving the request through a connection to a first interface; and
      
      forwarding the request includes forwarding the request to the provider process through a provider interface.
  - 14. A method according to claim 13, further comprising resetting the provider process to a root UID to communicate with the first interface.
  - 15. A method according to claim 10, further comprising rejecting the change if the user process lacks a permission necessary to make the change.
  - 16. A method according to claim 15, wherein rejecting the change includes rejecting the change without causing the provider process to fail.
  - 17. A method according to claim 15, further comprising notifying the user process that the provider process could not make the change.

18. An article, comprising:
- a storage medium, said storage medium having stored thereon instructions, that, when executed by a machine, result in;
  
  receiving a request from a user process to make a change to a system;
  
  authenticating a user responsible for the user process;
  
  determining a user ID (UID) for the user;
  
  forwarding the request to a provider process to make the change to the system; and
  
  assigning the UID to the provider process.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. An article according to claim 18, wherein assigning the UID to the provider process includes forwarding the UID to the provider process.
  - 20. An article according to claim 18, wherein assigning the UID to the provider process includes setting an effective UID for the provider process to the UID.
  - 21. An article according to claim 18, wherein:
    - receiving a request includes receiving the request through a connection to an first interface; and
      
      forwarding the request includes forwarding the request to the provider process through a provider interface.
  - 22. An article according to claim 21, wherein the storage medium has further instructions stored thereon that, when executed by the machine result in resetting the provider process to a root UID to communicate with the first interface.
  - 23. An article according to claim 18, wherein the storage medium has further instructions stored thereon that, when executed by the machine result in rejecting the change if the user process lacks a permission necessary to make the change.
  - 24. An article according to claim 23, wherein rejecting the change includes rejecting the change without causing the provider process to fail.
  - 25. An article according to claim 23, wherein the storage medium has further instructions stored thereon that, when executed by the machine result in notifying the user process that the provider process could not make the change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Isaacson, Scott A., Anderson, Eric W.B., Whiteley, James Bart, Danoyan, Alexander Y., Carey, Jon Michael

Granted Patent

US 7,702,912 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6281   at program execution time, ...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/08   for authentication of entit...

Secure systems management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure systems management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links