Setuid-filter method for providing secure access to a credentials store for computer systems
First Claim
1. A method for use in a computer system that effects secure access to a store, comprising:
receiving a request to access a store from a first process initiated by a requester;
initiating a second process responsive to said store access request, wherein data generated by said second process is accessible to said first process but inaccessible to the requester;
changing a context of said second process to the user id of said store;
providing said store with an exclusive user id, said exclusive user id being different from a user id of the requestor;
said second process receiving tokenized credentials corresponding to the user id and password of the requestor from said first process responsive to said request without the use of files and without interaction with said requester;
said second process converting the tokenized credentials to the user id and password of the requestor and performing a lookup of said user id and password of the requestor in a credential store;
said second process passing a user id and password associated with said store to said first process if said user id and password of the requestor are found in said credential store;
communicating between said first process and said store via inter-process pipes; and
said first process obtaining data from said store via said inter-process pipes responsive to said store access request using said user id and password associated with said store.
Abstract
A method that provides access to Privileged Accounts to users by way of a two-way-encrypted credential store. In accordance with this invention, a process that needs to retrieve credentials for a third party system causes the operating system to launch a second process. This second process runs under a secured user id without interactive access. The requesting process can then pass generalized command streams to the second process, including tokenized credential retrieval requests. These tokenized credential retrieval requests are processed to authenticate the requests, perform audit logging of requests, and retrieve credentials. Tokenized credential requests are transformed by the second process into credentials, which can be embedded within a command stream and then either forwarded to a sub-process or returned to the requesting process.
12 Claims
1. A method for use in a computer system that effects secure access to a store, comprising the steps set out above under First Claim. Dependent claims: 2, 3, 4, 5.
6. A computer system comprising:
a data store having an exclusive user id in the computer system;
a system for providing secure access to said data store, said system being configured to receive a request for access to said data store from a first process initiated by a requester, said exclusive user id being inaccessible to said requester, said exclusive user id being different from a user id of the requestor, said first process being configured to initiate a second process responsive to said request for access to said data store, wherein data generated by said second process is accessible to said first process but inaccessible to the requester, said second process being responsive to said request for access to said data store by changing its user id to the exclusive user id, said second process being operable to receive tokenized credentials corresponding to the user id and password of the requestor from said first process responsive to said request without the use of files and without interaction with said requester, said second process converting the tokenized credentials to the user id and password of the requestor and being operable to perform a lookup of said user id and password of the requestor in a credential store, said second process being operable to pass a user id and password associated with said data store to said first process if said user id and password of the requestor are found in said credential store; and
inter-process pipes between said first process and said data store for communicating and responding to requests for data by said first process using said user id and password associated with said data store, said inter-process pipes being inaccessible to the requester.
Dependent claims: 7, 8.
9. A method for use in a computer system that operates under the UNIX operating system that effects secure access to a store, comprising:
executing a shell script which creates a data stream containing a tokenized user id and password in order to initiate a request to access a store from a first process initiated by a requester, said tokenized user id and password corresponding to the user id and password of the requestor;
said first process initiating a second process responsive to said store access request, said second process and said store being in a protected area, wherein data generated by said second process is accessible to said first process but inaccessible to the requester;
said second process obtaining the tokenized user id and password of the requestor from said first process along said data stream;
changing a context of said second process to the effective user id of said store using the UNIX set user id facility, said user id of said store being different from a user id of the requestor;
said second process providing said store with said effective user id, said effective user id being different from said user id of the requestor;
said second process receiving said tokenized user id and password from said first process responsive to said request without the use of files and without interaction with said requester;
said second process converting the tokens to said user id and password of the requestor and performing a lookup of said user id and password of the requestor in a credential store;
said second process passing a user id and password associated with said store to said first process along a second data stream if said user id and password of the requestor are found in said credential store;
communicating between said first process and said store via a sending inter-process pipe and a receiving inter-process pipe, said first and second inter-process pipes being inaccessible to the requester; and
said first process obtaining data from said store via said second inter-process pipe responsive to said store access request via said first inter-process pipe using said user id and password associated with said store;
receiving a request to access a store from a first process initiated by a requester;
initiating a second process responsive to said store access request, wherein data generated by said second process is accessible to said first process but inaccessible to the requester.
Dependent claims: 10, 11, 12.
Specification