Posixly secure open and access files by inode number
First Claim
1. A method comprising:
- receiving, by a process executed by a processor, a request for a ticket for traversing a file system;
- generating, by the process, a secure key for a unique handle based on the request for the ticket;
- generating an authentication code for the ticket using a numeric file identifier and the secure key;
- in response to reading a directory with portable operating system interface (POSIX) x (execute) and r (read) permissions according to directory permission bits or an access control list (ACL), returning the ticket including ticket information comprising the numeric file identifier, generation information and the authentication code;
- in response to a request to open a directory, validating the ticket information based on the secure key by regenerating the authentication code using the numeric file identifier, the generation information and the secure key, and comparing the authentication code with the regenerated authentication code;
- opening a directory for reading using the validated ticket information and the unique handle; and
- generating a plurality of tickets for the unique handle for access to a block of elements.
Abstract
A method for secure portable operating system interface (POSIX) directory traversing for opening and accessing files by inode number. The method includes receiving, by a process executed by a processor, a request for a ticket for traversing a file system. The process generates a secure key for a unique handle object based on the request for the ticket. An authentication code is generated for the ticket using a numeric file identifier and the secure key. In response to reading a directory with POSIX x and r permissions according to directory permission bits or an access control list (ACL), the ticket is returned including ticket information including the numeric file identifier, generation information and the authentication code. In response to a request to open a directory, the ticket information is validated based on the secure key. A directory is opened for reading using the validated ticket information and the unique handle.
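The issue-and-validate cycle the abstract describes, as an added sketch that is not taken from the patent or any implementation of it. HMAC-SHA256, the fixed-width encoding, and the names `TraversalHandle` and `Ticket` are assumptions; the inode and generation values are constructed.

```python
import hashlib
import hmac
import secrets
import struct
from typing import NamedTuple


class Ticket(NamedTuple):
    inode: int        # numeric file identifier
    generation: int   # generation information (detects inode reuse)
    mac: bytes        # authentication code


class TraversalHandle:
    """Hypothetical stand-in for the 'unique handle'; owns the secure key."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # secure key, never leaves the handle

    def _mac(self, inode: int, generation: int) -> bytes:
        # Fixed-width encoding so distinct (inode, generation) pairs cannot collide.
        msg = struct.pack(">QQ", inode, generation)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, inode: int, generation: int) -> Ticket:
        # Called only after the caller passed the r+x check on the parent directory.
        return Ticket(inode, generation, self._mac(inode, generation))

    def issue_block(self, entries):
        # A plurality of tickets for one handle, e.g. one block of directory entries.
        return [self.issue(ino, gen) for ino, gen in entries]

    def validate(self, t: Ticket) -> bool:
        # Regenerate the code and compare in constant time.
        return hmac.compare_digest(t.mac, self._mac(t.inode, t.generation))


def demo() -> dict:
    handle, other = TraversalHandle(), TraversalHandle()
    entries = [(1042, 7), (1043, 1)]  # constructed (inode, generation) pairs
    good = handle.issue_block(entries)[0]
    return {
        "valid": handle.validate(good),
        "guessed_inode": handle.validate(good._replace(inode=1044)),
        "stale_generation": handle.validate(good._replace(generation=8)),
        "wrong_handle": other.validate(good),
    }


if __name__ == "__main__":
    print(demo())
```

A caller that guesses an inode number, replays a ticket after the inode was reused under a new generation, or presents a ticket to a different handle fails validation, because each case changes an input to the regenerated code.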
18 Claims
8. A computer program product for secure portable operating system interface (POSIX) directory traversing for opening and accessing files by inode number, the computer program product comprising a computer readable storage device having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to:
- receive, by the processor, a request for a ticket for traversing a file system;
- generate, by the processor, a secure key for a unique handle based on the request for the ticket;
- generate, by the processor, an authentication code for the ticket using a numeric file identifier and the secure key;
- in response to reading a directory with POSIX x and r permissions according to directory permission bits or an access control list (ACL), return, by the processor, the ticket including ticket information comprising the numeric file identifier, generation information and the authentication code;
- in response to a request to open a directory, validate, by the processor, the ticket information based on the secure key by regenerating the authentication code using the numeric file identifier, the generation information and the secure key, and comparing the authentication code with the regenerated authentication code;
- open, by the processor, a directory for reading using the validated ticket information and the unique handle; and
- generate, by the processor, a plurality of tickets for the unique handle for access to a block of elements.
14. An apparatus comprising:
- a ticket hardware processor configured to receive a request for a ticket for traversing a file system;
- a cryptographic hardware processor configured to generate a secure key for a unique handle based on the request for the ticket, and to generate an authentication code for the ticket using a numeric file identifier and the secure key;
- the ticket hardware processor further configured to return the ticket including ticket information in response to a request to read a directory with portable operating system interface (POSIX) x (execute) and r (read) permissions according to directory permission bits or an access control list (ACL), wherein the ticket information comprises the numeric file identifier, generation information and the authentication code;
- a validation hardware processor configured to validate the ticket information based on the secure key in response to a request to open a directory by regenerating the authentication code using the numeric file identifier, the generation information and the secure key, and comparing the authentication code with the regenerated authentication code; and
- the ticket hardware processor is further configured to generate a plurality of tickets for the unique handle for access to a block of elements;
- wherein a directory of the file system is opened for reading using the validated ticket information and the unique handle.
Specification