A method for assigning privileges in linux system based on capability mechanism

A privilege and capability technology, applied in the field of Linux system privilege allocation based on the capability mechanism, can solve the problems of insufficient fine-grainedness, complicated allocation and use of the capability mechanism, etc., and achieve the effect of easy management.

Active Publication Date: 2017-10-31
INST OF INFORMATION ENG CHINESE ACAD OF SCI
View PDF2 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0004] However, the capability mechanism has its own limitations, which has led to the fact that in the current Linux ecosystem, the set-UID mechanism is still the mainstream: (1) The allocation and use of the capability mechanism is too complicated. There are 36 capabilities designed in the Linux system, and there will be more in the future. It is likely to continue to increase (for example, the fine-grainedness of the privilege unit CAP_SYS_ADMIN is not enough), users need to clearly know the function and usage of each privilege

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A method for assigning privileges in linux system based on capability mechanism
  • A method for assigning privileges in linux system based on capability mechanism

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0034] The construction of the system of the present invention is divided into two modes: working mode and security mode. In working mode, the TPM measures the configuration files and privileged applications when the system starts. After the measurement is successful, the logged-in user can automatically assume the corresponding role and obtain the corresponding capabilities when executing the corresponding privileged programs, but the user is not allowed to modify the configuration files and privileged applications. Moreover, users cannot change their own capabilities during their existence, so as to limit user rights; in safe mode, TPM does not measure when the system starts. This mode is mainly used to create or update configuration files, and to label privileged applications (that is, to add corresponding file capabilities to privileged applications), etc. See system architecture figure 1 , the implementation steps are described in detail below:

[0035] In safe mode:

...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses a Linux system privilege distribution method based on a capability mechanism. The Linux system privilege distribution method based on the capability mechanism includes that 1) setting a user role configuration file and a role capability configuration file under a safe mode; 2) marking a privileged application according to the capability needed for the privileged application of the system; enabling a TPM of a server to carry out measurement and write protection on the configuration files and marked privileged application; 3) opening TPM measurement, and entering the system working mode; enabling the TPM to measure and verify the configuration files, after passing the verification, inquiring the configuration files according to a user name to obtain the corresponding role, and reading a capability set included in the role; 4) enabling the PAM to mark the capability of a current program according to the role, when invoking an application, if the application is the privileged application, judging whether the marked capability set of the application is matched with the marked capability set of the program, if so, enabling the program to obtain the capability of the privileged application and carry out the privileged application, otherwise, refusing to carry out. The Linux system privilege distribution method based on the capability mechanism is easy to manage and perform right control.

Description

technical field [0001] The invention relates to the field of authority control of system security, and relates to a method for distributing privileges of a Linux system based on a capability mechanism. Background technique [0002] With the popularity of linux system, the attack and protection of linux system has become the main research content in the field of system security in recent years. The traditional security mechanism of linux is to restrict ordinary users to only hold the most basic permissions and grant all permissions to a privileged user root user, and when ordinary users need to complete privileged operations such as changing the user's own password, linux introduces Set-UID The mechanism enables ordinary users to temporarily obtain root by executing privileged applications (privileged applications refer to programs marked with set-UID bits, and the owner of such programs is the root user. Executing such programs can allow ordinary users to temporarily obtain ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/45
CPCG06F21/44G06F2221/2141
Inventor 涂碧波李艳昭孟丹
Owner INST OF INFORMATION ENG CHINESE ACAD OF SCI
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products