Slashdot Mirror
Microsoft Patents sudo
Jimmy O Regan writes "Justin Mason (of SpamAssassin fame) has this blog entry: US Patent 6,775,781, filed by Microsoft, is a patent on the concept of 'a process configured to run under an administrative privilege level' which, based on authorization information 'in a data store', may perform actions at administrative privilege on behalf of a 'user process'."
So of course this is completely unenforcable...I wonder if they'll even try. What is the process to go about for getting this patent revoked?
In reading the patent, it does look pretty obvious that it's doing what SUDO is doing... I think this should be blown up with little effort.
Is there any penalty for filing patents for which you KNOW prior art exists? If not, there definitely should be.
-- "A chicken is an egg's way of making another egg."
No, sudo asks for the password of the currently running user, and then if correct, checks a data store - /etc/sudoers - to see if that user is allowed to use sudo, and only then runs the administrative command. The root logon is not involved; it's actually disabled on some of my boxes.
I can see missing prior work as prior art. But missing the famous setuid patent seems just silly.
http://www.sudo.ws/sudo/history.html
Prior art.
The underlying premise of patents will no doubt survive, as it makes a lot of sense in some areas (like engineering). But software and business process patents will probably disappear.
sudo - through the use of it's data-store the "sudoers" file, can be configured multiple ways.
#1 - To require the "root" password.
#2 - To require the password of the userid that the user is running as.
#4 - To require the password of the userid the user wishes to switch to.
#5 - To not require any password at all.
When not requiring a password, it can be configured by the userid, or the command that is being run.
All in all, it's very configurable, and definately fits the prior art criteria.
Who is general failure, and why is he reading my hard drive?
No, because set uid bit by itself does not validate the parent process/user against any data store like sudo command does (eg: against /etc/sudoers)
Never meddle in the affairs of dragons,
for you are crunchy and good with catsup.
I know you were trying to be funny but seriously, it is a feature of Windows 2000/XP all you have to do is shift + right click any executable and select "Run as..." or use the runas command from the command prompt. Sorry but I had to be fair to Microsoft.
HELLO? When was FAT patented...NEVER. Microsoft didn't even invent fat. Please think before you post.
Ignorant people shouldn't yak.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I don't think there's an out this time. Usually, when you get posts saying "Microsoft patents clicking!!" there's usually something in the patent that says "clicking on an icon by using a joystick, underwater, over the internet" or something ridiculous that means the patent doesn't have prior art, but the idea itself does, and will probably be used to try and stretch the patent as far as the courts will let it.
But this time, it looks like they are doing exactly what sudoes. Maybe finally all the anti-Slashdot-stereotype trolls will be wrong.
Here's my read:
CLAIMS:
1. Processing a request from a non-admin user to do admin tasks. check.
2. Determining if the user can do such a request. Check.
3. Checking a data source to do #2. Check. (etc/passwd, others)
4. Checking a data source to see which one of many admin tasks the user can do. This might be a bit iffy, because I'm not incredibly familiar with sudo. I would assume it's possible to restrict the usage of sudo for different tasks, and if so, Check.
5. Multiple users. Check.
6. Groups. Check.
7. Using it for Methods. I think the Linux kernel might allow only certain system calls to be done by an administrator. If so, check.
8. Groups for #7. Check-maybe.
9,10. Combining classes and methods. Here it seems they get really specific, and it doesn't look like they define "class" or "method." Maybe.
11-13. Passwords. Check.
14-23. A computer to do the above. Check.
24-34. A security framework to do the above. Check.
35-49. Doing it over a network. Check. Now, here, a network seems to involve "hyperlinked documents creating a user interface." Certainly this idea is older than 2000. Check.
50-62. Again, having a computer to do 1-49.
63-end. Yeesh. Having a computer to do everything from 1-62. I guess they are covering every single combination.
So there's the claims. There's nothing in there that sudo really doesn't do, because I think the vauge language MS is using can be applied to a lot of different methods of unix-style security.
So who's going to care? No one, especially not at the Patent Office.
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
What an auspicious start. Maybe M$ will decide to patent some of the new features.
Actually,
nobody did.
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
the University of Waterloo had a similar concept
with something called "suw"
basically a su command that allowed authorized individuals to have
their own root password. the root login account
itself had unusable password.
each authorized users suw password was of course kept in
a "data store" (a private passwd style file)
and logging of its usage was done to provide an audit
trail.
this is at least 16 or more years old.
-k
The summary is mostly irrelivant as to what legal protection the patent has. The legal protection comes from the part marked "claims". And if you look at claim 1:
You need an "admin. security process" that is "executing ... under ... admin. priv. level".
It, the "admin. security process" then needs to "accept request[s] from a user process".
So, it's somewhat questionable if sudo would really block the claims. I'm sure if one were to send the patent office the sudo info, MS would argue that they have an "already running admin. process" that then actively accepts requests from other user processes.
In any case, everyone here who's uptight about the patent, there's at least two things you can do. 1) you can collect together all your sudo data, and optionally if you want explain how you think it describes a system that operates the same as the claimed system, and send it to the patent office to be placed into the legal record of this patent. That's the low cost (or maybe no cost, check the patent office web site for details) option available for you. Or, 2) you can collect together all your sudo data, and explain carefully how you think it describes what the claims describe, and file with the patent office for what is known as a reexamination of the patent. Yes, that's correct, you, someone unrelated to either MS or the patent office, or this patent, can actually send in your information and ask that the patent office reconsider their decision. Again, check the web site for details. So, instead of belly aching about how bad a job the patent office is or is not doing, why not simply help them out by sending them the info you know about, and then they have a better chance of doing a better job. And who knows, you might actually get this patent killed in the process.
No, because set uid bit by itself does not validate the parent process/user against any data store
It certainly does. It verifies that the parent's uid has valid execute permission on the new program by comparing the owner and the x bits. This information is stored in the inode, which is in a filesystem (usually but not always a disk). A unix filesystem would certainly qualify as a "data store".
So unix systems have two different instances of prior art, the setuid (and setgid) bit, and the somewhat later sudo command.
Of course, the main question is whether anyone will be able to afford the effort to get this patent invalidated. Or will Microsoft be able to bankrupt anyone who tries?
I suppose IBM could decide that this is a challenge to the security setup in their aix and linux systems. They probably have the money to successfully fight this one. I don't think I do.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
http://www.symark.com/powerbroker.htm Powerbroker is a sudo-like commercial app. It does a means to run as a daemon process in a client-server type environment to allow the configured policy to work between different systems. Googling on it turns up posts from the mid 90's so it's been around for a while.
Software patents are turning the USPO into a laughing stock. I can understand the USPO not being able to thoroughly examine patents for some esoteric science. Sudo is not an esoteric science. If the USPO is going to issue software patents they should have somebody who knows something about software. This sort of patent should have been caught by anybody who has any knowlege of Unix-like operating systems.