Virtualizing super-user privileges for multiple virtual processes
Abstract
Super-user privileges are virtualized by designating a virtual super-user for each of a plurality of virtual processes and intercepting system calls for which actual super-user privileges are required, which are nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In one embodiment, a computer operating system includes multiple virtual processes, such as virtual private servers. Each virtual process can be associated with one or more virtual super-users. When an actual process makes a system call that requires actual super-user privileges, the call is intercepted by a system call wrapper.
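The interception described in the abstract, as an added illustration that is not code from the patent: a user-space C model in which a table of function pointers stands in for the system call vector. All names (`syscall_vector`, `install_wrapper`, `DEMO_SET_HOSTNAME`, the `proc` fields) are hypothetical, and the "privileged call" is a constructed stand-in.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical. */
enum { DEMO_SET_HOSTNAME = 0, DEMO_NR_CALLS = 1 };

struct proc { int euid; int vps_id; int is_virtual_su; };
typedef int (*syscall_fn)(struct proc *caller, int target_vps);

static int last_vps_changed = -1;
int last_changed_vps(void) { return last_vps_changed; }

/* The "actual" call: succeeds only with actual super-user privileges. */
static int real_set_hostname(struct proc *p, int target_vps) {
    if (p->euid != 0) return -EPERM;
    last_vps_changed = target_vps;
    return 0;
}

static syscall_fn syscall_vector[DEMO_NR_CALLS] = { real_set_hostname };
static syscall_fn saved_call;            /* saved pointer to the original call */

/* Wrapper: elevate only a virtual super-user acting on its own VPS. */
static int set_hostname_wrapper(struct proc *p, int target_vps) {
    if (p->euid == 0) return saved_call(p, target_vps);  /* actual root */
    if (!p->is_virtual_su || p->vps_id != target_vps) return -EPERM;
    int old_euid = p->euid;
    p->euid = 0;                         /* grant for this one call only */
    int rc = saved_call(p, target_vps);
    p->euid = old_euid;                  /* always drop the privilege again */
    return rc;
}

/* Save the vector entry, then point it at the wrapper (idempotent). */
void install_wrapper(void) {
    if (saved_call) return;
    saved_call = syscall_vector[DEMO_SET_HOSTNAME];
    syscall_vector[DEMO_SET_HOSTNAME] = set_hostname_wrapper;
}

int invoke(int nr, struct proc *p, int target_vps) {
    return syscall_vector[nr](p, target_vps);
}

int main(void) {
    struct proc vsu = { 1001, 1, 1 };    /* virtual super-user of VPS 1 */
    install_wrapper();
    printf("own VPS: %d\n", invoke(DEMO_SET_HOSTNAME, &vsu, 1));
    printf("other VPS: %d\n", invoke(DEMO_SET_HOSTNAME, &vsu, 2));
    return 0;
}
```

The model is single-threaded; an in-kernel version would also have to make the save-and-replace step and the temporary elevation safe against concurrent callers.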
14 Claims
1. A computer-implemented method for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the method comprising:
- associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
- designating the user as a virtual super-user;
- intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
  - loading a system call wrapper;
  - saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
  - replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
- in response to the intercepted call to the operating system pertaining to the first virtual private server:
  - granting actual super-user privileges to the user; and
  - allowing execution of the call to the operating system.
2. A computer program product for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the computer program product comprising a computer-readable medium storage device and computer program code encoded on the medium storage device for:
- associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
- designating the user as a virtual super-user;
- intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
  - loading a system call wrapper;
  - saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
  - replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
- granting actual super-user privileges to the user, and allowing execution of the call to the operating system, in response to the intercepted call to the operating system pertaining to the first virtual private server.
3. A system for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the system comprising:
- means for associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
- means for designating the user as a virtual super-user;
- means for intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process executed by the operating system, the process owned by the user, wherein the means for intercepting the call to the operating system is configured to:
  - load a system call wrapper;
  - save a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
  - replace the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed if the call to the operating system is invoked; and
- means for granting virtual super-user privileges to the user and allowing execution of the call to the operating system in response to the intercepted call to the operating system pertaining to the first virtual private server, wherein a virtual super-user has a subset of the privileges of an actual super-user but a superset of the privileges of a user other than the actual super-user.
4. A method performed by a computing system having a processor and memory for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
- associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
- associating an identifier with the first user wherein the first user owns a first set of resources;
- associating a second user with the second virtual private server;
- associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
- intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
- in response to the intercepted call to the operating system, determining that the process is permitted to access the first set of resources but is not permitted to access the second set of resources.

Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12
13. A computer-readable storage device storing computer-executable instructions that, when executed, perform a method for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
- associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
- associating an identifier with the first user wherein the first user owns a first set of resources;
- associating a second user with the second virtual private server;
- associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
- intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
- in response to the intercepted call to the operating system, determining that the process can access the first set of resources but not the second set of resources.
14. A system for virtualizing user privileges in a computer operating system including multiple virtual private servers, the system comprising:
- means for associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
- means for associating an identifier with the first user wherein the first user owns a first set of resources;
- means for associating a second user with the second virtual private server;
- means for associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
- means for intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
- means for determining, in response to the intercepted call to the operating system, that the process can access the first set of resources but not the second set of resources.
Specification