A method for processing resources that do not have a hierarchical authorization relationship

IP.com Disclosure Number: IPCOM000028723D
Original Publication Date: 2004-May-27
Included in the Prior Art Database: 2004-May-27
Document File: 2 page(s) / 48K

Publishing Venue

IBM

Abstract

Applications may access resources that have differing authorization and environmental requirements. The normal method for satisfying these differing requirements is to run the application with an authorization, such as root, that has access to all of the resources. If there is no single root authorization that can be used to access all of the application's resources, the application cannot fulfill its requirements by running as a root user. This disclosure addresses this problem.

This is the abbreviated version, containing approximately 52% of the total text.

Applications may access resources that have differing authorization and environmental requirements. The normal method for satisfying these differing requirements is to run the application with an authorization, such as root, that has access to all of the resources. A resource authorization in which this is true is defined as a hierarchical authorization relationship.

In a non-hierarchical authorization relationship, the application cannot run as root and access all resources.

One solution to this problem is for the application to switch from the root user to the user that does have the required access. However, this may prevent the application from accessing other resources that do require root user authorization.

In the solution described in this disclosure, the application spawns a child process that will switch to the required user and then access the resources. It should be noted that there is nothing new in having a server spawn a child process to perform part of its processing. The innovative part of this disclosure is using the spawning mechanism to solve the non-hierarchical authorization relationship problem.

In our implementation, the application determines the required user identification, binds to a system assigned port, and then spawns the child process, passing the user identification and system assigned port. The application and the spawned child process communicate via TCP/IP over the system assigned por...
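The pattern described above, as an added example that is not code from the disclosure: the parent binds to a system-assigned port, spawns a child that switches to the required user, and reads the child's reply over TCP. It uses `fork` so the child lives in the same file (an exec-style spawn would pass the same values as arguments); the loopback-only bind, the one-time token used to recognise the child, and the names `child` and `read_as_user` are assumptions of this example.

```python
import hmac, os, secrets, socket

def child(uid, gid, port, token, path):
    """Child: switch to the required user for good, then access the resource."""
    if os.geteuid() == 0:
        os.setgroups([])           # shed root's supplementary groups first
    os.setgid(gid)                 # group before user: impossible after setuid
    os.setuid(uid)                 # sets real, effective and saved uid from root
    try:
        with open(path, "rb") as f:
            data = f.read(4096)
    except OSError as e:           # the kernel enforces the target user's rights
        data = b"ERR " + str(e).encode()
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(token + data)

def read_as_user(uid, gid, path):
    """Parent: keeps its own authorization; returns what the child could read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: the system assigns the port
    srv.listen(1)
    port = srv.getsockname()[1]
    token = secrets.token_bytes(16)  # assumption: proves the peer is our child
    pid = os.fork()
    if pid == 0:
        srv.close()
        status = 1
        try:
            child(uid, gid, port, token, path)
            status = 0
        finally:
            os._exit(status)       # never fall back into the parent's code path
    srv.settimeout(10)
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(10)
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
    finally:
        srv.close()
        os.waitpid(pid, 0)         # reap the child
    # Any local process can connect to a loopback port, so check the token.
    if not hmac.compare_digest(buf[:16], token):
        raise PermissionError("peer on the port is not the spawned child")
    return buf[16:]
```

Because only the child changes identity, the parent can still open resources that need its original authorization after `read_as_user` returns.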