Method and apparatus for creating a security environment for a user task in a client/server system

US 5,764,889 A
Filed: 09/26/1996
Issued: 06/09/1998
Est. Priority Date: 09/26/1996
Status: Expired due to Fees

First Claim

Patent Images

1. In a server system in which a daemon process listens for a request from a user to execute a specified user task, said request specifying an identity for said user, said system having an operating system kernel, a method for executing said task on behalf of said user with an appropriate security environment for said user, comprising the steps of:

(a) having said daemon process, upon receiving said request from said user;

(1) set an environment variable in accordance with said identity specified in said request; and

(2) issue a system call to said operating system kernel to execute said specified user task in a new address space; and

(b) having said operating system kernel, upon receiving said system call from said daemon process;

(1) create a new address space for said specified user task;

(2) create a security environment for said specified user task in accordance with said environment variable; and

(3) start said specified user task in said new address space.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for enabling a listening daemon in a client/server system to execute a specified task on behalf of a user. Upon receiving a user request, the listening daemon sets an environment variable in accordance with the user identity specified in the request and issues a system call to the operating system kernel to spawn the user task specified in the request. In response to the system call, the operating system kernel creates a new address space for the specified user task and creates a security environment for the user task in accordance with the environment variable before starting the user task in the new address space.

Citations

24 Claims

1. In a server system in which a daemon process listens for a request from a user to execute a specified user task, said request specifying an identity for said user, said system having an operating system kernel, a method for executing said task on behalf of said user with an appropriate security environment for said user, comprising the steps of:
- (a) having said daemon process, upon receiving said request from said user;
  
  (1) set an environment variable in accordance with said identity specified in said request; and
  
  (2) issue a system call to said operating system kernel to execute said specified user task in a new address space; and
  
  (b) having said operating system kernel, upon receiving said system call from said daemon process;
  
  (1) create a new address space for said specified user task;
  
  (2) create a security environment for said specified user task in accordance with said environment variable; and
  
  (3) start said specified user task in said new address space.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 in which said operating system kernel is a POSIX-compliant operating system kernel.
  - 3. The method of claim 1 in which said system call is a spawn() system call.
  - 4. The method of claim 1 in which said user has a user name, said identity comprising said user name.
  - 5. The method of claim 4 in which said environment variable is set equal to said user name.
  - 6. The method of claim 5 in which said new address space and said user name each have a user ID associated therewith, said step (b)(2) of creating said security environment comprising the step of:
    - setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.
  - 7. The method of claim 6 in which the user ID of said user name is determined by accessing a security database.
  - 8. The method of claim 5 in which said new address space and said user name each have a group ID associated therewith, said step (b)(2) of creating said security environment comprising the step of:
    - setting the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

9. In a server system in which a daemon process listens for a request from a user to execute a specified user task, said request specifying an identity for said user, said system having an operating system kernel, apparatus for executing said task on behalf of said user with an appropriate security environment for said user, comprising:
- (a) means associated with said daemon process, responsive to receiving said request from said user, for;
  
  (1) setting an environment variable in accordance with said identity specified in said request; and
  
  (2) issuing a system call to said operating system kernel to execute said specified user task in a new address space; and
  
  (b) means associated with said operating system kernel, responsive to receiving said system call from said daemon process, for;
  
  (1) creating a new address space for said specified user task;
  
  (2) creating a security environment for said specified user task in accordance with said environment variable; and
  
  (3) starting said specified user task in said new address space.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9 in which said operating system kernel is a POSIX-compliant operating system kernel.
  - 11. The apparatus of claim 9 in which said system call is a spawn() system call.
  - 12. The apparatus of claim 9 in which said user has a user name, said identity comprising said user name.
  - 13. The apparatus of claim 12 in which said environment variable is set equal to said user name.
  - 14. The apparatus of claim 13 in which said new address space and said user name each have a user ID associated therewith, said means (b)(2) for creating said security environment comprising:
    - means for setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.
  - 15. The apparatus of claim 14 in which the user ID of said user name is determined by accessing a security database.
  - 16. The apparatus of claim 13 in which said new address space and said user name each have a group ID associated therewith, said step (b)(2) of creating said security environment comprising the step of:
    - setting the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

17. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for executing a task on behalf of a user with an appropriate security environment for said user in a server system in which a daemon process listens for a request from a user to execute a specified user task, said request specifying an identity for said user, said system having an operating system kernel, said method steps comprising:
- (a) having said daemon process, upon receiving said request from said user;
  
  (1) set an environment variable in accordance with said identity specified in said request; and
  
  (2) issue a system call to said operating system kernel to execute said specified user task in a new address space; and
  
  (b) having said operating system kernel, upon receiving said system call from said daemon process;
  
  (1) create a new address space for said specified user task;
  
  (2) create a security environment for said specified user task in accordance with said environment variable; and
  
  (3) start said specified user task in said new address space.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The program storage device of claim 17 in which said operating system kernel is a POSIX-compliant operating system kernel.
  - 19. The program storage device of claim 17 in which said system call is a spawn() system call.
  - 20. The program storage device of claim 17 in which said user has a user ID, said identity comprising said user ID.
  - 21. The program storage device of claim 20 in which said environment variable is set equal to said user ID.
  - 22. The program storage device of claim 21 in which said new address space and said user name each have a user ID associated therewith, said step (b)(2) of creating said security environment comprising the step of:
    - setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.
  - 23. The program storage device of claim 22 in which the user ID of said user name is determined by accessing a security database.
  - 24. The program storage device of claim 21 in which said new address space and said user name each have a group ID associated therewith, said step (b)(2) of creating said security environment comprising the step of:
    - setting the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bender, Ernest Scott, Spiegel, Michael Gary, Ault, Donald Fred
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
HUA, LY

Application Number

US08/721,145
Time in Patent Office

621 Days
Field of Search

395/186, 395/187.01, 395/200.01, 395/680, 380/21
US Class Current

726/17
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

G06F 9/468   Specific access rights for ...

Method and apparatus for creating a security environment for a user task in a client/server system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for creating a security environment for a user task in a client/server system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links