Synthesized root privileges

US 8,271,785 B1
Filed: 04/26/2005
Issued: 09/18/2012
Est. Priority Date: 12/20/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, comprising:

a receiver to receive a request from a user process to access a resource;

an object set, including at least a first object representing a user and a second object representing the resource;

an authenticator to authenticate the user using the first object in the object set;

a determiner to determine if there is a relationship between the first object and the second object in the object set; and

a permission setter to set a permission level for the user process to use the resource according to the relationship,wherein the resource is an application to which certain users are to be granted administrative access based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Users provide their standard username and password and are authenticated to the system. The system then determines from an object set, such as a container hierarchy, whether the user should have special administrative privileges for any of the resources on the machine to which they are logging in. These administrative privileges can be determined from configurable sets of pre-existing relationships between the user and resources on the system, stored within the object set. If the user is an administrator, then the system sets the UID number for that user to the UID number for administrator users. The system can even be configured to set the administrative UID to be the UID for the super-user “root” (typically, zero). If the user has no administrative privileges, the system sets the UID number for that user to the user'"'"'s standard UID number.

Citations

30 Claims

1. An apparatus, comprising:
- a receiver to receive a request from a user process to access a resource;
  
  an object set, including at least a first object representing a user and a second object representing the resource;
  
  an authenticator to authenticate the user using the first object in the object set;
  
  a determiner to determine if there is a relationship between the first object and the second object in the object set; and
  
  a permission setter to set a permission level for the user process to use the resource according to the relationship,wherein the resource is an application to which certain users are to be granted administrative access based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 25, 26)
- - 2. An apparatus according to claim 1, wherein the permission setter includes an eUID setter to set an effective user ID (eUID) for a use of the resource by the user.
  - 3. An apparatus according to claim 2, wherein the eUID setter to set the eUID to a root user ID if the determiner determines that there is a relationship between the first object and the second object in the object set.
  - 4. An apparatus according to claim 2, wherein:
    - the apparatus further comprises a UID determiner to determine a user ID (UID) from the first object, if the determiner determines that there is no relationship between the first object and the second object in the object set; and
      
      the eUID setter is to set the eUID for the use of the resource by the user to the UID from the first object.
  - 5. An apparatus according to claim 1, further comprising:
    - a UID determiner to determine a user ID (UID) from the first object; and
      
      a UID setter to set a user ID (UID) for the use of the resource by the user to the UID from the first object.
  - 6. An apparatus according to claim 1, wherein:
    - the receiver is to receive a second request from the user process to access a second application;
      
      the object set further includes a third object representing the second application;
      
      the determiner is to determine if there is a second relationship between the first object and the third object in the object set; and
      
      the permission setter is to set a second permission level for the user process to use the second application according to the second relationship.
  - 7. An apparatus according to claim 6, wherein:
    - the determiner is to determine that the first object indicates that the user is a root user of the application, and that the user is not a root user of the second application;
      
      the apparatus further comprises a UID determiner to determine a user ID (UID) from the first object; and
      
      the permission setter includes an effective user ID (eUID) setter to set an eUID for use of the application by the user to a root user UID, and to set an eUID for use of the second application by the user to the UID from the first object.
  - 8. An apparatus according to claim 1, wherein the object set includes a container hierarchy, the container hierarchy including at least a first container, the first container including at least a second container, the first object and the second object each in one of the first container and the second container.
  - 25. An apparatus according to claim 1, wherein the certain users each use different usernames.
  - 26. An apparatus according to claim 1, wherein the determiner is to determine if there is a relationship between the first object and the second object in the object set by accessing information in the first object in the object set.

9. A computer-implemented method, comprising:
- receiving a request by a user to access a resource;
  
  accessing an object set, the object set including at least a first object representing the user and a second object representing the resource;
  
  authenticating the user using the first object in the object set;
  
  determining if there is a relationship between the first object and the second object in the object set, including determining if the first object indicates that the user is a root user of the resource based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set; and
  
  if there is a relationship between the first object and the second object in the object set, using the relationship to control a permission level for the user with respect to the resource, including permitting the user to act as the root user of the resource.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 27, 29)
- - 10. A method according to claim 9, wherein permitting the user to act as the root user of the resource includes setting an effective user ID (eUID) for use of the resource by the user to a root user ID.
  - 11. A method according to claim 9, further comprising, if there is no relationship between the first object and the second object in the object set:
    - determining a user ID (UID) from the first object in the object set; and
      
      setting an effective user ID (eUID) for use of the resource by the user to the UID from the first object in the object set.
  - 12. A method according to claim 9, further comprising:
    - determining a user ID (UID) from the first object in the object set; and
      
      setting a user ID (UID) for use of the resource by the user to the UID from the first object in the object set.
  - 13. A method according to claim 9, wherein receiving a request includes receiving the request by the user to access a first application.
  - 14. A method according to claim 13, further comprising:
    - receiving a second request by the user to access a second application;
      
      accessing the object set, the object set including at least the first object representing the user, the second object representing the first application, and a third object representing the second application;
      
      authenticating the user using the first object in the object set;
      
      determining if there is a relationship between the first object and the third object in the object set; and
      
      if there is a relationship between the first object and the third object in the object set, using the relationship to control a second permission level for the user with respect to the second application.
  - 15. A method according to claim 14, wherein:
    - determining if there is a relationship between the first object and the second object in the object set includes identifying that the first object indicates that the user is a root user of the first application;
      
      setting an effective user ID (eUID) for use of the first application by the user to a root user ID;
      
      determining that there is no relationship between the first object and the third object in the object set;
      
      determining a user ID (UID) from the first object in the object set; and
      
      setting an effective user ID (eUID) for use of the second application by the user to the UID from the first object in the object set.
  - 16. A method according to claim 9, wherein:
    - accessing an object set includes accessing a container hierarchy, the container hierarchy including at least a first container, the first container including at least a second container, and the first object and the second object each in one of the first container and the second container;
      
      authenticating the user includes authenticating the user using the first object in the container hierarchy; and
      
      determining if there is a relationship between the first object and the second object in the object set includes determining if there is a relationship between the first object and the second object in the container hierarchy.
  - 27. A method according to claim 9, wherein determining if there is a relationship between the first object and the second object in the object set includes determining if there is a relationship between the first object and the second object in the object set by accessing information in the first object in the object set.
  - 29. A method according to claim 9, wherein receiving a request by a user to access a resource includes receiving the request by the user to access an application to which certain users are to be granted administrative access based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set, and wherein the certain users each use different usernames.

17. An article, comprising:
- a non-transitory storage medium, said non-transitory storage medium having stored thereon instructions, that, when executed by a machine, result in;
  
  receiving a request by a user to access a resource;
  
  accessing an object set, the object set including at least a first object representing the user and a second object representing the resource;
  
  authenticating the user using the first object in the object set;
  
  determining if there is a relationship between the first object and the second object in the object set, including determining if the first object indicates that the user is a root user of the resource based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set; and
  
  if there is a relationship between the first object and the second object in the object set, using the relationship to control a permission level for the user with respect to the resource, including permitting the user to act as the root user of the resource.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 28, 30)
- - 18. An article according to claim 17, wherein permitting the user to act as the root user of the resource includes setting an effective user ID (eUID) for use of the resource by the user to a root user ID.
  - 19. An article according to claim 17, wherein the non-transitory storage medium has further instructions stored thereon that, when executed by the machine result in, if there is no relationship between the first object and the second object in the object set:
    - determining a user ID (UID) from the first object in the object set; and
      
      setting an effective user ID (eUID) for use of the resource by the user to the UID from the first object in the object set.
  - 20. An article according to claim 17, wherein the non-transitory storage medium has further instructions stored thereon that, when executed by the machine result in:
    - determining a user ID (UID) from the first object in the object set; and
      
      setting a user ID (UID) for use of the resource by the user to the UID from the first object in the object set.
  - 21. An article according to claim 17, wherein receiving a request includes receiving the request by the user to access a first application.
  - 22. An article according to claim 21, wherein the non-transitory storage medium has further instructions stored thereon that, when executed by the machine result in:
    - receiving a second request by the user to access a second application;
      
      accessing the object set, the object set including at least the first object representing the user, the second object representing the first application, and a third object representing the second application;
      
      authenticating the user using the first object in the object set;
      
      determining if there is a relationship between the first object and the third object in the object set; and
      
      if there is a relationship between the first object and the third object in the object set, using the relationship to control a second permission level for the user with respect to the second application.
  - 23. An article according to claim 22, wherein:
    - determining if there is a relationship between the first object and the second object in the object set includes identifying that the first object indicates that the user is a root user of the first application;
      
      setting an effective user ID (eUID) for use of the first application by the user to a root user ID;
      
      determining that there is no relationship between the first object and the third object in the object set;
      
      determining a user ID (UID) from the first object in the object set; and
      
      setting an effective user ID (eUID) for use of the second application by the user to the UID from the first object in the object set.
  - 24. An article according to claim 17, wherein:
    - accessing an object set includes accessing a container hierarchy, the container hierarchy including at least a first container, the first container including at least a second container, and the first object and the second object each in one of the first container and the second container;
      
      authenticating the user includes authenticating the user using the first object in the container hierarchy; and
      
      determining if there is a relationship between the first object and the second object in the object set includes determining if there is a relationship between the first object and the second object in the container hierarchy.
  - 28. An article according to claim 17, wherein determining if there is a relationship between the first object and the second object in the object set includes determining if there is a relationship between the first object and the second object in the object set by accessing information in the first object in the object set.
  - 30. An article according to claim 17, wherein receiving a request by a user to access a resource includes receiving the request by the user to access an application to which certain users are to be granted administrative access based on information in the first object in the object set, dependent on the resource, and independent of a username or user ID (UID) associated with the first object in the object set, and wherein the certain users each use different usernames.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Novell Incorporated (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Danoyan, Alexander Y., Isaacson, Scott A.
Primary Examiner(s)
Armouche, Hadi

Application Number

US11/115,810
Time in Patent Office

2,702 Days
Field of Search

713166-167, 713/182, 726 6- 7, 726 26- 29
US Class Current

713/167
CPC Class Codes

G06F 21/31 User authentication

G06F 21/604 Tools and structures for ma...

Synthesized root privileges

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Synthesized root privileges

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links