Server impersonation of client processes in an object based computer operating system
First Claim
1. In a computer system, having
memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object; and
a multiplicity of processes running concurrently on said computer system;
said processes including at least one server process and plurality of client processes;
each of said processes having an associated identifier list denoting a set of identifiers;
a method of operating said computer system comprising the steps of;
one of said at least one server process responding to requests by one of said plurality of client processes by performing tasks on behalf of the requesting client process;
said one server process impersonating said requesting client process by adopting a set of identifiers to replace said identifier list associated with said one server process, wherein said adopted set of identifiers is said identifiers in the identifier list associated with said requesting client process when said one server process is responding to a first request by said requesting client process, and wherein said adopted set of identifiers is the union of said identifiers in said identifier list associated with said requesting client process and said identifiers in said identifier list associated with said one server process when said one server process is responding to a second request by said requesting client process; and
said one server process initiating access to a specified one of said multiplicity of objects, said system enabling access by said one server process to said one specified object when said adopted set of identifiers match the identifiers of at least one entry in said one specified object's access control list.
Abstract
In a multitasking, multiuser computer system, a server process temporarily impersonates the characteristics of a client process when the client process performs a remote procedure call on the server process. Each process has an identifier list with a plurality of identifiers that characterize the process. The server process generates a new identifier list which is either the same as the client process's list, or is the union of the server's and the client's lists. Each object in the system can have an access control list which defines the identifiers that a process must have in order to access the object. The operating system has access checking software for enabling a selected process access to a specified object when the identifiers for the process match the list of identifiers in the access control list of the specified object. The server can therefore access all objects accessible to the client while the server is working for the client. The server can restore its original identifier list after completing the services that it performs for the client.
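The following sketch is an added illustration of the mechanism the abstract describes, not code from the patent. All process, object and identifier names are hypothetical, and "match" is assumed to mean that the process holds every identifier of at least one ACL entry. It shows how the two impersonation modes change what the server can reach, including an object that neither party can open alone but the union can.

```python
from contextlib import contextmanager

class Process:
    def __init__(self, name, identifiers):
        self.name = name
        self.identifiers = frozenset(identifiers)   # the process's identifier list

class ProtectedObject:
    def __init__(self, name, acl):
        self.name = name
        # Each ACL entry is a conjunction: every identifier in it is required.
        self.acl = [frozenset(entry) for entry in acl]

def access_allowed(process, obj):
    """Access check: the process must satisfy at least one whole ACL entry."""
    return any(entry <= process.identifiers for entry in obj.acl)

@contextmanager
def impersonate(server, client, union=False):
    """Replace the server's identifier list with the client's list, or with
    the union of both lists; restore the original list when the work is done."""
    original = server.identifiers
    server.identifiers = (client.identifiers | original) if union else client.identifiers
    try:
        yield server
    finally:
        server.identifiers = original

def demo():
    # Constructed sample data (hypothetical names).
    server = Process("print_server", {"SERVER", "SPOOLER"})
    client = Process("alice_shell", {"ALICE", "STAFF"})
    objects = [
        ProtectedObject("alice_doc", [{"ALICE"}]),               # client-only object
        ProtectedObject("spool_dir", [{"SPOOLER"}]),             # server-only object
        ProtectedObject("staff_queue", [{"STAFF", "SPOOLER"}]),  # needs both at once
    ]
    check = lambda: [access_allowed(server, o) for o in objects]
    results = {"before": check()}
    with impersonate(server, client):
        results["client_only"] = check()   # server is limited to the client's rights
    with impersonate(server, client, union=True):
        results["union"] = check()         # rights of both, plus combined entries
    results["after"] = check()             # original identifier list restored
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In client-only mode the server loses its own rights for the duration of the request, which keeps it from acting beyond what the client could do; union mode is the broader grant, since it also satisfies conjunction entries that mix client and server identifiers.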
10 Claims
3. In a computer system having
memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object; and
a multiplicity of processes running concurrently on said computer system;
said processes including a plurality of server processes and a plurality of client processes;
each of said processes having an associated identifier list denoting a set of identifiers;
a method of operating said computer system comprising the steps of;
each respective server process responding to requests by respective ones of said plurality of client processes by performing tasks on behalf of the respective requesting client process; and
each respective server process, prior to performing said tasks on behalf of the respective requesting client process, impersonating said respective requesting client process by adopting a set of identifiers to replace said identifier list associated with said respective server process;
wherein at least a first one of said plurality of server processes, in response to a first request by said respective requesting client process, adopts a set of identifiers comprising the identifiers in the identifier list associated with said respective requesting client process;
wherein at least a second one of said plurality of server processes, in response to a second request by said respective requesting client process, adopts a set of identifiers comprising the union of said identifiers in said identifier list associated with said respective requesting client process and said identifiers in said identifier list associated with said second server process; and
each respective server process initiating access to a respective one of said multiplicity of objects, said system enabling access by said respective server process to said one respective object when said set of identifiers adopted by said respective server process match the identifiers of at least one entry in said one respective object's access control list.
5. A computer system, comprising:
memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
a multiplicity of processes running concurrently on said computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including at least one server process and a plurality of client processes;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each object's access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;
access checking means, coupled to said memory means and said multiplicity of processes, for enabling access by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object's access control list; and
impersonation means, responsive to requests from one of said client processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of one of said at least one server process, said impersonation means including first means for generating said adopted set of identifiers by replacing said one server process' set of identifiers with said set of identifiers denoted by the characteristic denoting means of said requesting client process, and second means for generating said adopted set of identifiers by replacing said server process' set of identifiers with the union of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said one server process;
said one server process including means, coupled to said access checking means, for performing tasks on behalf of said requesting client process including accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means;
said impersonation means utilizing one of said first means and second means for generating said adopted set of identifiers in accordance with the tasks to be performed by said one server process on behalf of said requesting client process.
7. A computer system, comprising:
memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
a multiplicity of processes running concurrently on said computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including at least one server process and a plurality of client processes;
each of a multiplicity of said objects having an associated access control list for limiting access to said each object, each object's access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;
access checking means, coupled to said memory means and said multiplicity of processes, for enabling access by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object's access control list;
each of a multiplicity of said objects, comprising impersonation objects, having means for denoting said plurality of identifiers denoted by a specified one of said processes;
impersonation object generating means, responsive to requests from one of said client processes, for creating an impersonation object denoting the set of identifiers denoted in the characteristic denoting means of said one client process; and
impersonation means for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of one of said at least one server process, wherein said adopted set of identifiers generated by said impersonation means is said set of identifiers denoted in said created impersonation object when said one server process is responding to a first request by said one client process, and wherein said adopted set of identifiers generated by said impersonation means is the union of said identifiers denoted by the characteristic denoting means of said one client process and said identifiers denoted by the characteristic denoting means of said one server process when said one server process is responding to a second request by said one client process;
said one server process including means, coupled to said access checking means, for performing tasks on behalf of said one client process including accessing specified ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means;
wherein the adopted set of identifiers generated by said impersonation means is selected in accordance with each request from said requesting client process.
9. A computer system, comprising:
memory means for storing data and data structures;
a multiplicity of objects comprising data structures stored in said memory means;
each object having an associated access control list for limiting access to said each object, each access control list including a list of entries, wherein each entry includes a conjunction of one or more identifiers required to access said each object;
a multiplicity of processes running concurrently on said computer system;
each of said multiplicity of processes including characteristic denoting means for denoting a set of identifiers;
said multiplicity of processes including a plurality of server processes and a plurality of client processes;
access checking means, coupled to said memory means and said multiplicity of processes, for enabling access by any one of said processes to a specified one of said multiplicity of objects when said set of identifiers in the characteristic denoting means of said one process match the identifiers of one of said entries in said specified object's access control list;
each server process including means, coupled to said access checking means, for responding to requests from one of said client processes by performing tasks on behalf of said requesting client process, said tasks including accessing ones of said multiplicity of objects;
impersonation means, coupled to said plurality of server processes, for generating an adopted set of identifiers to replace said set of identifiers denoted by the characteristic denoting means of a specified one of said server processes, said impersonation means including first means for generating said adopted set of identifiers by replacing said specified one server process' set of identifiers with said set of identifiers denoted by the characteristic denoting means of said requesting client process, and second means for generating said adopted set of identifiers by replacing said one server process' set of identifiers with the union of said identifiers denoted by the characteristic denoting means of said requesting client process and said identifiers denoted by the characteristic denoting means of said specified one server process;
said specified one server process accessing ones of said multiplicity of objects using the adopted set of identifiers generated by said impersonation means;
said impersonation means utilizing one of said first means and second means for generating said adopted set of identifiers in accordance with each request from said requesting client process.
Specification