Microsoft Patents sudo
Jimmy O Regan writes "Justin Mason (of SpamAssassin fame) has this blog entry: US Patent 6,775,781, filed by Microsoft, is a patent on the concept of 'a process configured to run under an administrative privilege level' which, based on authorization information 'in a data store', may perform actions at administrative privilege on behalf of a 'user process'."
So of course this is completely unenforceable... I wonder if they'll even try. What is the process to go about for getting this patent revoked?
In reading the patent, it does look pretty obvious that it's doing what SUDO is doing... I think this should be blown up with little effort.
Is there any penalty for filing patents for which you KNOW prior art exists? If not, there definitely should be.
-- "A chicken is an egg's way of making another egg."
No, sudo asks for the password of the currently running user, and then if correct, checks a data store - /etc/sudoers - to see if that user is allowed to use sudo, and only then runs the administrative command. The root logon is not involved; it's actually disabled on some of my boxes.
I can see missing prior work as prior art. But missing the famous setuid patent seems just silly.
http://www.sudo.ws/sudo/history.html
Prior art.
The underlying premise of patents will no doubt survive, as it makes a lot of sense in some areas (like engineering). But software and business process patents will probably disappear.
sudo - through the use of its data-store the "sudoers" file, can be configured multiple ways.
#1 - To require the "root" password.
#2 - To require the password of the userid that the user is running as.
#4 - To require the password of the userid the user wishes to switch to.
#5 - To not require any password at all.
When not requiring a password, it can be configured by the userid, or the command that is being run.
All in all, it's very configurable, and definitely fits the prior art criteria.
Who is general failure, and why is he reading my hard drive?
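The password modes listed in the comment above correspond to sudoers settings such as `rootpw`, `targetpw` and the `NOPASSWD:` tag. As an added example (not part of the original thread), this sketch audits a constructed sudoers fragment and reports which credential each rule demands; the sample policy, the function names and the simplified one-rule-per-line parsing are assumptions.

```python
import re

# Constructed sample policy for illustration; not taken from the thread.
SAMPLE_SUDOERS = """\
Defaults:alice rootpw
Defaults:dave  targetpw
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
carol   ALL=(ALL) ALL
dave    ALL=(postgres) /usr/bin/psql
%ops    ALL=(ALL) NOPASSWD: ALL
"""

# Only the two password-selection flags used in the sample are modelled here.
PW_FLAGS = {"rootpw": "root's password", "targetpw": "target user's password"}
DEFAULTS = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit_sudoers(text):
    """Return (who, command, credential) for each simple one-command rule."""
    per_user, global_pw, rules = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DEFAULTS.match(line)
        if m:
            for flag in re.split(r"\s*,\s*", m.group(2)):
                if flag in PW_FLAGS and m.group(1):
                    per_user[m.group(1)] = PW_FLAGS[flag]   # Defaults:user flag
                elif flag in PW_FLAGS:
                    global_pw = PW_FLAGS[flag]              # Defaults flag
            continue
        m = RULE.match(line)
        if m and not line.startswith("#"):
            rules.append((m.group(1), m.group(2).strip()))
    findings = []
    for who, spec in rules:
        if spec.startswith("NOPASSWD:"):
            cmd, cred = spec[len("NOPASSWD:"):].strip(), "no password"
        else:
            cmd, cred = spec, per_user.get(who, global_pw or "invoking user's own password")
        findings.append((who, cmd, cred))
    return findings

def passwordless_all(findings):
    """Rules granting every command with no password: the ones to review first."""
    return [who for who, cmd, cred in findings if cred == "no password" and cmd == "ALL"]

if __name__ == "__main__":
    for row in audit_sudoers(SAMPLE_SUDOERS):
        print("%-6s %-40s %s" % row)
```

On a real host, `visudo -c` validates syntax, but a review like this is what surfaces broad `NOPASSWD: ALL` grants.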
No, because set uid bit by itself does not validate the parent process/user against any data store like sudo command does (eg: against /etc/sudoers)
Never meddle in the affairs of dragons,
for you are crunchy and good with catsup.
I know you were trying to be funny but seriously, it is a feature of Windows 2000/XP all you have to do is shift + right click any executable and select "Run as..." or use the runas command from the command prompt. Sorry but I had to be fair to Microsoft.
HELLO? When was FAT patented...NEVER. Microsoft didn't even invent fat. Please think before you post.
Ignorant people shouldn't yak.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I don't think there's an out this time. Usually, when you get posts saying "Microsoft patents clicking!!" there's usually something in the patent that says "clicking on an icon by using a joystick, underwater, over the internet" or something ridiculous that means the patent doesn't have prior art, but the idea itself does, and will probably be used to try and stretch the patent as far as the courts will let it.
But this time, it looks like they are doing exactly what sudo does. Maybe finally all the anti-Slashdot-stereotype trolls will be wrong.
Here's my read:
CLAIMS:
1. Processing a request from a non-admin user to do admin tasks. check.
2. Determining if the user can do such a request. Check.
3. Checking a data source to do #2. Check. (etc/passwd, others)
4. Checking a data source to see which one of many admin tasks the user can do. This might be a bit iffy, because I'm not incredibly familiar with sudo. I would assume it's possible to restrict the usage of sudo for different tasks, and if so, Check.
5. Multiple users. Check.
6. Groups. Check.
7. Using it for Methods. I think the Linux kernel might allow only certain system calls to be done by an administrator. If so, check.
8. Groups for #7. Check-maybe.
9,10. Combining classes and methods. Here it seems they get really specific, and it doesn't look like they define "class" or "method." Maybe.
11-13. Passwords. Check.
14-23. A computer to do the above. Check.
24-34. A security framework to do the above. Check.
35-49. Doing it over a network. Check. Now, here, a network seems to involve "hyperlinked documents creating a user interface." Certainly this idea is older than 2000. Check.
50-62. Again, having a computer to do 1-49.
63-end. Yeesh. Having a computer to do everything from 1-62. I guess they are covering every single combination.
So there's the claims. There's nothing in there that sudo really doesn't do, because I think the vague language MS is using can be applied to a lot of different methods of unix-style security.
So who's going to care? No one, especially not at the Patent Office.
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
Setuid was already patented.
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=4135240.WKU.&OS=PN/4135240&RS=PN/4135240
You can change the config in the sudo.conf file to ask for user passwords, or to run without it for certain users, etc.
They claim they did.
http://www.microsoft.com/mscorp/ip/tech/fat.asp
What an auspicious start. Maybe M$ will decide to patent some of the new features.
Of course, it's quite possible that the prior art involved is that of the programmers working on the original Xenix product for MS.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
Onto the description which is not as sound as commenting on the actual claims but at least provides an idea of what they want to patent. First thing to note is they are once again on the appliance angle. They aren't discussing a PC. They're discussing an XBox or NAS.
Now hitting the Detailed Description, here is where they slide in that the patent can cover general purpose PCs. Lots of discussion about Web-based administration. So it's not just sudo but Webmin+sudo.
If anyone wants to take this to the next level go for it. I did my best to RTFP and this is as far as I think I'm going to take it. It was kinda cute to note how general things were in the patent e.g. "data store" that can cover the registry or a text file but there are other things to read tonight.
I don't want knowledge. I want certainty. - Law, David Bowie
Actually,
nobody did.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
the University of Waterloo had a similar concept with something called "suw", basically a su command that allowed authorized individuals to have their own root password. the root login account itself had unusable password. each authorized user's suw password was of course kept in a "data store" (a private passwd style file) and logging of its usage was done to provide an audit trail. this is at least 16 or more years old.
-k
The summary is mostly irrelevant as to what legal protection the patent has. The legal protection comes from the part marked "claims". And if you look at claim 1:
You need an "admin. security process" that is "executing ... under ... admin. priv. level".
It, the "admin. security process" then needs to "accept request[s] from a user process".
So, it's somewhat questionable if sudo would really block the claims. I'm sure if one were to send the patent office the sudo info, MS would argue that they have an "already running admin. process" that then actively accepts requests from other user processes.
In any case, everyone here who's uptight about the patent, there's at least two things you can do. 1) you can collect together all your sudo data, and optionally if you want explain how you think it describes a system that operates the same as the claimed system, and send it to the patent office to be placed into the legal record of this patent. That's the low cost (or maybe no cost, check the patent office web site for details) option available for you. Or, 2) you can collect together all your sudo data, and explain carefully how you think it describes what the claims describe, and file with the patent office for what is known as a reexamination of the patent. Yes, that's correct, you, someone unrelated to either MS or the patent office, or this patent, can actually send in your information and ask that the patent office reconsider their decision. Again, check the web site for details. So, instead of bellyaching about how bad a job the patent office is or is not doing, why not simply help them out by sending them the info you know about, and then they have a better chance of doing a better job. And who knows, you might actually get this patent killed in the process.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
No, because set uid bit by itself does not validate the parent process/user against any data store
It certainly does. It verifies that the parent's uid has valid execute permission on the new program by comparing the owner and the x bits. This information is stored in the inode, which is in a filesystem (usually but not always a disk). A unix filesystem would certainly qualify as a "data store".
So unix systems have two different instances of prior art, the setuid (and setgid) bit, and the somewhat later sudo command.
Of course, the main question is whether anyone will be able to afford the effort to get this patent invalidated. Or will Microsoft be able to bankrupt anyone who tries?
I suppose IBM could decide that this is a challenge to the security setup in their aix and linux systems. They probably have the money to successfully fight this one. I don't think I do.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
'... In software, assume that everything is already patented. You can't build anything, no matter how new it is, without infringing someone's patent. patents and linux ...'
[tim bray]
must make a mention of tim bray's article on software patents that I've recycled from a while ago.
peterrenshaw ~ Another Scrappy Startup
http://www.symark.com/powerbroker.htm Powerbroker is a sudo-like commercial app. It does a means to run as a daemon process in a client-server type environment to allow the configured policy to work between different systems. Googling on it turns up posts from the mid 90's so it's been around for a while.
Software patents are turning the USPO into a laughing stock. I can understand the USPO not being able to thoroughly examine patents for some esoteric science. Sudo is not an esoteric science. If the USPO is going to issue software patents they should have somebody who knows something about software. This sort of patent should have been caught by anybody who has any knowledge of Unix-like operating systems.
The most interesting part is the images. There you can actually see the Gnome logo. (There is an extra karma bonus for the first who finds the KDE logo ;)
/.'ers -- can you think of prior art for this? Codetek's Virtual Desktop is similar, but it uses application icons to represent windows, instead of shrunken pictures of the actual windows. However, from this FAQ, it appears the Codetek has at least tried to show shrunken pictures in their pager, and found it was too processor intensive.
Listen, I hate MS as much as the next guy -- but did you read the rest of the patent? In the "BRIEF DESCRIPTION OF THE DRAWINGS" section, it reads:
[0013] FIG. 1A [referring to the KDE front panel] is a pictorial diagram illustrating a desktop of a graphical user interface according to the prior art.
[0014] FIG. 1B [referring to the Gnome front panel] is a pictorial diagram illustrating one implementation of a panel containing a desk guide used to switch among multiple virtual desktop according to the prior art.
In the "BACKGROUND OF THE INVENTION" section, it points out that in KDE, the pager doesn't show you the pictures of the desktops: "As more and more application windows 102 are dispersed throughout these virtual desktops, it may be difficult for a user to remember which desktop contains which application window." You have to click on each desktop until you find it.
For the GNOME pager, it says that "running application windows appear as small, raised squares... it is still not possible for a user to determine from these small raised squares the desired application window for which he may be looking"
The patent is apparently for MS's improvement of the concept by actually showing small recognizable representations of each desktop in a "preview" pane that shows all the desktops, and for being able to transfer application windows from a different virtual desktop to the current one, without actually bringing up the other desktop.
Ok,
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
OK, so they didn't patent sudo. They patented xinetd. Either way, it's a stupid patent. One of the big problems with the USPTO is that (IIRC) it is funded by the patent fees it collects from applicants. Therefore, it is in their interest to grant patents -- no matter how stupid -- because more applications means more money for them. Maybe if they had to return the fees if a patent is overturned, they wouldn't have such a "shoot first and let God sort 'em out" attitude.
Yeah, I think you're right. The US gets a little bit slower every day because of all this patent/copyright warfare. But it's mostly just companies within the US fighting with each other and slowing down innovation and general economic health within America. The US is trying to reach out and impose this structure on the rest of the world, but there is enough sensible resistance out there to make world-wide (submission) adoption highly questionable.
It's a good point you make.