CN103971064B - The user authority control method of Linux system - Google Patents

The user authority control method of Linux system

Info

Publication number: CN103971064B
Authority: CN (China)
Prior art keywords: user, file, access rights, access, linux system
Legal status: Active
Application number: CN201410203161.0A
Other languages: Chinese (zh)
Other versions: CN103971064A
Inventors: 程超, 李蕾
Current assignee: China Standard Software Co Ltd
Original assignee: China Standard Software Co Ltd
Priority date: 2014-05-14
Filing date: 2014-05-14
Publication dates: 2014-08-06 (CN103971064A), 2016-09-21 (CN103971064B)

Events:
Application filed by China Standard Software Co Ltd
Priority to CN201410203161.0A
Publication of CN103971064A
Application granted
Publication of CN103971064B
Legal status: Active

Classifications

    • G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/6209: Protecting access to data via a platform to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself (under G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules; G06F21/60; G06F21/00; G06F; G06; G)
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme under G06F2221/21 and G06F2221/00 relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F; G06; G)

Abstract

The present invention proposes a user permission control method for a Linux system, comprising: a kernel source code modification step, in which the kernel source code is modified so that the Cgroup/device subsystem of the Linux system can directly access files; and a file permission judgement step, in which the user accesses a file through the Cgroup/device subsystem and, according to user permission configuration information, it is judged whether the user has access rights to that file. The invention first modifies the Linux kernel source code so that the Cgroup/device subsystem can directly access files, and then determines from the user's access rights to the file whether the user may access it; the Cgroup/device subsystem can thus be used to control a user's access rights to files.

Description

User permission control method for a Linux system
Technical field
The present invention relates to the field of Linux operating systems, and in particular to a user permission control method for a Linux system.
Background art
In a Linux operating system, the Cgroup/device subsystem cannot directly access files and therefore cannot control access rights to files; it can only be used to control access rights to block devices and character devices.
In addition, when a user accesses a file stored on a device, the device holding the file must first be mounted onto an existing directory, and the device is then accessed through that directory. Once a block device and/or character device is in the mounted state, the Cgroup/device subsystem cannot restrict the user's access rights to the device, i.e. it cannot control the user's access rights to the device.
Summary of the invention
The present invention aims at least to solve technical problems present in the prior art, and to this end innovatively proposes a user permission control method for a Linux system. It solves the problem that a Linux operating system cannot use the Cgroup/device subsystem to directly access files and therefore cannot control a user's access rights to files through the Cgroup/device subsystem.
To achieve the above purpose, the invention provides a user permission control method for a Linux system, comprising: a kernel source code modification step, in which the kernel source code is modified so that the Cgroup/device subsystem of the Linux system can directly access files; and a file access right judgement step, in which the user accesses a file through the Cgroup/device subsystem and, according to user permission configuration information, it is judged whether the user has access rights to that file.
In one embodiment, in the file access right judgement step, if the user does not have access rights to the file, the user is not permitted to access the file.
In one embodiment, in the file access right judgement step, if the user has access rights to the file, the user permission control method for the Linux system further comprises a device access right judgement step, in which it is judged, according to the user permission configuration information, whether the user has access rights to the device storing the file.
In one embodiment, the device access right judgement step comprises: if the user has access rights to the device storing the file, the user is permitted to access the device; if the user does not have access rights to the device storing the file, the user is not permitted to access the device.
In one embodiment, the method further comprises a user permission configuration information acquisition step, in which user permission information is downloaded from a user permission database and processed to obtain user permission configuration information that the Cgroup/device subsystem can recognise.
In one embodiment, the method further comprises a user permission configuration step, in which the Cgroup/device subsystem configures user permissions in blacklist mode.
In one embodiment, the file access right judgement step judges whether the user has access rights to the file according to the following items: whether the user's read/write operation on the file is consistent with the file's read/write attributes; whether the user belongs to the users/groups that may access the file; and whether the file's name belongs to the file names accessible to the user.
In one embodiment, the device access right judgement step comprises judging whether the number of the device storing the file is in the user's device list, the device list being composed of the numbers of the devices that store files accessible to the user.
In one embodiment, the file access right judgement step judges that the user has access rights to the file when the following conditions are met: the user's read/write operation on the file is consistent with the file's read/write attributes; the user belongs to the users/groups that may access the file; and the file's name belongs to the file names accessible to the user.
In one embodiment, the device access right judgement step judges that the user has access rights to the device storing the file when the following condition is met: the number of the device storing the file is in the user's device list.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
1. The kernel source code of the Linux system is first modified so that the Cgroup/device subsystem can directly access files; then, according to the user's access rights to the file, it is determined whether the user may access the file, so that the Cgroup/device subsystem can be used to control users' access rights to files.
2. When the user has access rights to the file, it is further determined, according to the user's access rights to the device storing the file, whether the user may access the device; the invention can therefore control a user's access to a device even while the device is mounted.
3. The Cgroup/device subsystem configures user permissions in blacklist mode, which simplifies the configuration of user permissions.
Additional aspects and advantages of the invention will be given in part in the following description, will in part become apparent from it, or will be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the user permission control method for a Linux system provided by embodiment 1 of the invention;
Fig. 2 is a flow chart of the user permission control method for a Linux system provided by embodiment 2 of the invention.
Detailed description
Embodiments of the invention are described in detail below; examples of these embodiments are shown in the drawings, in which the same or similar reference labels throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
In the description of the invention, the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions; and although a logical order is shown in the flow charts, in some cases the steps may be executed in an order different from that shown or described here.
Fig. 1 shows a flow chart of the user permission control method for a Linux system provided by embodiment 1 of the invention. As shown in Fig. 1, the method comprises the following steps:
S100, kernel source code modification step: the kernel source code is modified so that the Cgroup/device subsystem of the Linux system can directly access files;
S200, file access right judgement step: the user accesses a file through the Cgroup/device subsystem and, according to user permission configuration information, it is judged whether the user has access rights to the file.
In one embodiment of the invention, the function devcgroup_inode_permission in the kernel source file security/device_cgroup.c is modified so that the Cgroup/device subsystem of the Linux system can directly access files. In the mainline kernel the inline wrapper of this function, devcgroup_inode_permission() in include/linux/device_cgroup.h, returns 0 immediately unless the inode is a block or character special file, so regular files never reach the check in security/device_cgroup.c; the modification therefore has to admit regular-file inodes to the check as well.
In one embodiment of the invention, if in step S200 the user does not have access rights to the file, the user is not permitted to access the file. It should be noted that the user permission configuration information includes, but is not limited to, the names of the files accessible to the user and/or the list of devices storing the files accessible to the user. Cgroup is short for control group, a mechanism provided by the Linux kernel that can limit, account for and isolate the physical resources used by a group of processes.
At present, the Cgroup/device subsystem of a Linux system can only access block devices and character devices and cannot directly access files, so it cannot restrict a user's access rights to files. The invention first modifies the kernel source code of the Linux system so that the Cgroup/device subsystem can directly access files, and then determines from the user's access rights to the file whether the user may access it, so that the Cgroup/device subsystem can be used to control users' access rights to files.
In one embodiment of the invention, step S200 comprises judging whether the user has access rights to the file according to the following items:
judging whether the user's read/write operation on the file is consistent with the file's read/write attributes;
judging whether the user belongs to the user, group or other class that may access the file;
judging whether the file's name belongs to the file names accessible to the user.
The user is judged to have access rights to the file if the following conditions are met:
the user's read/write operation on the file is consistent with the file's read/write attributes; for example, if the file's read/write attribute is read-only, the user may only perform read operations on the file; if it is write-only, the user may only perform write operations on the file; if it is readable and writable, the user may perform both read and write operations on the file;
the user belongs to the user, group or other class that may access the file;
the file's name belongs to the file names accessible to the user.
Fig. 2 shows a flow chart of the user permission control method for a Linux system provided by embodiment 2 of the invention. Steps in Fig. 2 that carry the same labels as in Fig. 1 have the same function; for brevity, their detailed description is omitted. As shown in Fig. 2, the main difference between the method of Fig. 2 and that of Fig. 1 is that, if in step S200 the user has access rights to the file, the user permission control method for the Linux system further comprises:
S300, device access right judgement step: according to the user permission configuration information, it is judged whether the user has access rights to the device storing the file. If the user has access rights to the device storing the file, the user is permitted to access the device; if the user does not have access rights to the device storing the file, the user is not permitted to access the device.
At present, the Cgroup/device subsystem of a Linux system cannot restrict a user's access rights to a block device or character device while that device is mounted. When the user has access rights to the file, the invention further determines, from the user's access rights to the device storing the file, whether the user may access the device; thus, even while the device is mounted, the invention can control the user's access to it.
In one embodiment of the invention, the above step S300 comprises judging whether the number of the device storing the file is in the user's device list, the device list being composed of the numbers of the devices storing the files accessible to the user. If the number of the device storing the file is in the user's device list, the user may access the device; otherwise the user may not access the device.
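The decision made in steps S200 and S300 can be modelled in user space. The following C program is an added example and not code from the patent or from the Linux kernel; the structures user_policy and file_policy, the major:minor device pairs and the sample policy for the users alice and bob are assumptions constructed for illustration. It applies the three file-level conditions in the order the patent lists them, then the device-list check, and exercises the failure cases as well: a write to a read-only file, a file that is not on the user's list, a user who is neither the permitted user nor in the permitted group, and a file the user may open that sits on a device outside the user's device list (refused at the device stage, which is the mounted-device case the patent is concerned with).

```c
/* Added example: user-space model of the file check (step S200) and the
 * device check (step S300). Not the patent's code and not kernel code; the
 * structures and the sample policy are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ACC_READ  0x1   /* used for requested operations and rw attributes */
#define ACC_WRITE 0x2

struct devno { unsigned int major, minor; };   /* device number pair */

/* Per-file policy: read/write attribute, the uid/gid that may access the
 * file, and the device the file is stored on. */
struct file_policy {
    const char   *name;
    unsigned int  rw_attr;        /* ACC_READ, ACC_WRITE or both */
    unsigned int  allowed_uid, allowed_gid;
    struct devno  dev;
};

/* Per-user configuration: accessible file names and the device list made
 * of the numbers of the devices storing those files. */
struct user_policy {
    unsigned int        uid, gid;
    const char *const  *files;
    size_t              nfiles;
    const struct devno *devs;
    size_t              ndevs;
};

enum verdict { DENY_FILE = 0, DENY_DEVICE = 1, ALLOW = 2 };

static int name_listed(const struct user_policy *u, const char *name)
{
    for (size_t i = 0; i < u->nfiles; i++)
        if (strcmp(u->files[i], name) == 0)
            return 1;
    return 0;
}

/* Step S200: all three conditions of the patent must hold. */
int file_access_allowed(const struct user_policy *u,
                        const struct file_policy *f, unsigned int op)
{
    /* 1. every requested bit is permitted by the file's rw attribute */
    if (op == 0 || (op & ~f->rw_attr) != 0)
        return 0;
    /* 2. the user is the permitted user or in the permitted group */
    if (u->uid != f->allowed_uid && u->gid != f->allowed_gid)
        return 0;
    /* 3. the file name is on the user's accessible-file list */
    return name_listed(u, f->name);
}

/* Step S300: the device number must appear in the user's device list. */
int device_access_allowed(const struct user_policy *u, struct devno dev)
{
    for (size_t i = 0; i < u->ndevs; i++)
        if (u->devs[i].major == dev.major && u->devs[i].minor == dev.minor)
            return 1;
    return 0;
}

/* Embodiment 2: the device check runs only after the file check passes. */
enum verdict check_access(const struct user_policy *u,
                          const struct file_policy *f, unsigned int op)
{
    if (!file_access_allowed(u, f, op))
        return DENY_FILE;
    if (!device_access_allowed(u, f->dev))
        return DENY_DEVICE;
    return ALLOW;
}

/* Constructed sample policy (not taken from the patent). */
static const char *const listed_files[] = { "/data/report.txt", "/data/log.txt" };
static const struct devno listed_devs[] = { { 8, 1 } };          /* sda1 only */
const struct user_policy alice = { 1000, 1000, listed_files, 2, listed_devs, 1 };
const struct user_policy bob   = { 1001, 2000, listed_files, 2, listed_devs, 1 };

const struct file_policy report = { "/data/report.txt", ACC_READ,
                                    1000, 1000, { 8, 1 } };
const struct file_policy logf   = { "/data/log.txt", ACC_READ | ACC_WRITE,
                                    1000, 1000, { 8, 17 } };      /* on sdb1 */
const struct file_policy secret = { "/data/secret.txt", ACC_READ,
                                    1000, 1000, { 8, 1 } };

int main(void)
{
    printf("alice reads report.txt:  %d\n", check_access(&alice, &report, ACC_READ));
    printf("alice writes report.txt: %d\n", check_access(&alice, &report, ACC_WRITE));
    printf("alice writes log.txt:    %d\n", check_access(&alice, &logf, ACC_WRITE));
    printf("alice reads secret.txt:  %d\n", check_access(&alice, &secret, ACC_READ));
    printf("bob reads report.txt:    %d\n", check_access(&bob, &report, ACC_READ));
    return 0;
}
```

check_access returns DENY_FILE, DENY_DEVICE or ALLOW so that a caller can tell which stage refused the request. A check placed in the kernel hook would additionally have to map the inode to the number of the device it lives on (inode->i_sb->s_dev in the kernel), which this model takes from the file policy directly.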
In another embodiment of the invention, the user permission control method for the Linux system further comprises:
S400, user permission configuration information acquisition step: user permission information is downloaded from a user permission database and processed to obtain user permission configuration information that the Cgroup/device subsystem can recognise. User permission information is usually stored in a remote user permission database, and the user permission information stored there cannot be recognised directly by the Cgroup/device subsystem of the Linux system; the process of obtaining user permission configuration information therefore first downloads the user permission information from the user permission database and then processes it, converting it into user permission configuration information that the Cgroup/device subsystem can recognise.
In yet another embodiment of the invention, the user permission control method for the Linux system further comprises:
S500, user permission configuration step: the Cgroup/device subsystem configures user permissions in blacklist mode. The conventional Cgroup/device subsystem works in whitelist mode, i.e. its default user configuration is set to permit; in the present invention the Cgroup/device subsystem works in blacklist mode, i.e. its default user configuration is deny, which simplifies the configuration of user permissions. In other words, the default rule changes from permit-all, where every restricted device must be enumerated, to deny-all, where only the permitted items are enumerated. A system has many peripherals: with the whitelist approach a great many entries would have to be configured, whereas with a blacklist user permissions can be configured easily.
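The comparison in step S500 can be made concrete with the rule syntax the kernel's devices cgroup actually uses: each entry written to devices.allow or devices.deny is a line of the form `type major:minor access`, where type is a (all), b (block) or c (char), `*` is a wildcard for major or minor, and access is a combination of r, w and m (mknod). The C program below is an added example, not the patent's code and not kernel code; the two rule sets and the set of devices assumed to be present on the machine are constructed for illustration. It parses both rule sets and evaluates requests under a default-permit policy with deny exceptions and under a default-deny policy with allow exceptions, following the kernel's matching rules (a deny exception applies on any overlap of access bits, an allow exception only when it covers every requested bit). Both reach the same verdict for the devices that were known, but only the default-deny form refuses a device that did not exist when the rules were written.

```c
/* Added example: default-permit (deny-list) versus default-deny (allow-list)
 * rule sets in the devices cgroup's "type major:minor access" line syntax.
 * Not the patent's code and not kernel code; the rule sets are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ACC_R 0x1
#define ACC_W 0x2
#define ACC_M 0x4
#define ANY   (~0u)                  /* the '*' wildcard for major or minor */

struct rule { char type; unsigned major, minor, access; };   /* type: a, b or c */
struct policy { int default_allow; struct rule exc[16]; int nexc; };

static int parse_num(const char **p, unsigned *out)
{
    if (**p == '*') { (*p)++; *out = ANY; return 1; }
    if (!isdigit((unsigned char)**p)) return 0;
    for (*out = 0; isdigit((unsigned char)**p); (*p)++)
        *out = *out * 10 + (unsigned)(**p - '0');
    return 1;
}

/* Parse one "type major:minor access" line; returns 1 on success. */
int parse_rule(const char *line, struct rule *r)
{
    const char *p = line;
    if (*p != 'a' && *p != 'b' && *p != 'c') return 0;
    r->type = *p++;
    if (*p++ != ' ' || !parse_num(&p, &r->major) || *p++ != ':' ||
        !parse_num(&p, &r->minor) || *p++ != ' ') return 0;
    for (r->access = 0; *p; p++) {
        if (*p == 'r') r->access |= ACC_R;
        else if (*p == 'w') r->access |= ACC_W;
        else if (*p == 'm') r->access |= ACC_M;
        else return 0;
    }
    return r->access != 0;
}

/* Load one rule per line into pol; returns the rule count or -1 on error. */
int load_policy(struct policy *pol, int default_allow, const char *text)
{
    pol->default_allow = default_allow;
    pol->nexc = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[64];
        if (len >= sizeof line || pol->nexc == 16) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (len > 0 && !parse_rule(line, &pol->exc[pol->nexc++])) return -1;
        text = nl ? nl + 1 : text + len;
    }
    return pol->nexc;
}

/* Evaluate a request the way the devices cgroup does: under default-permit
 * an exception overlapping any requested access bit denies it; under
 * default-deny one exception must cover every requested bit. */
int policy_allows(const struct policy *pol, char type, unsigned major,
                  unsigned minor, unsigned access)
{
    for (int i = 0; i < pol->nexc; i++) {
        const struct rule *r = &pol->exc[i];
        if ((r->type != 'a' && r->type != type) ||
            (r->major != ANY && r->major != major) ||
            (r->minor != ANY && r->minor != minor))
            continue;
        if (pol->default_allow && (access & r->access))
            return 0;
        if (!pol->default_allow && (access & ~r->access) == 0)
            return 1;
    }
    return pol->default_allow;
}

/* Constructed goal: grant only /dev/null (c 1:3) fully and /dev/tty (c 5:0)
 * for read/write on a box that also has sda/sda1 (b 8:*), /dev/zero (c 1:5)
 * and /dev/net/tun (c 10:200). The deny-list must name everything else. */
struct policy deny_list, allow_list;

int build_policies(void)
{
    int a = load_policy(&deny_list, 1, "b *:* rwm\nc 1:5 rwm\nc 5:0 m\nc 10:200 rwm\n");
    int b = load_policy(&allow_list, 0, "c 1:3 rwm\nc 5:0 rw\n");
    return a == 4 && b == 2;
}

int main(void)
{
    if (!build_policies()) return 1;
    /* a device added later, e.g. /dev/fuse (c 10:229), slips through the
     * deny-list (fail-open) but is refused by the allow-list (fail-closed) */
    printf("fuse: deny-list %d, allow-list %d\n",
           policy_allows(&deny_list, 'c', 10, 229, ACC_R | ACC_W),
           policy_allows(&allow_list, 'c', 10, 229, ACC_R | ACC_W));
    return 0;
}
```

The fail-open result on the last request is the security argument for the default-deny configuration, beyond the shorter list the text mentions. In the kernel the root devices cgroup starts with the entry `a *:* rwm`, and a cgroup is switched to default-deny by writing `a` to its devices.deny file before adding the permitted entries to devices.allow.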
In the description of this specification, references to "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and purpose of the invention; the scope of the invention is defined by the claims and their equivalents.

Claims (10)

1. A user permission control method for a Linux system, characterised in that it comprises:
a kernel source code modification step, in which the kernel source code is modified so that the Cgroup/device subsystem of the Linux system can directly access files;
a file access right judgement step, in which the user accesses a file through the Cgroup/device subsystem and, according to user permission configuration information, it is judged whether the user has access rights to the file.
2. The user permission control method for a Linux system according to claim 1, characterised in that, in the file access right judgement step, if the user does not have access rights to the file, the user is not permitted to access the file.
3. The user permission control method for a Linux system according to claim 1, characterised in that, in the file access right judgement step, if the user has access rights to the file, the user permission control method for the Linux system further comprises:
a device access right judgement step, in which it is judged, according to the user permission configuration information, whether the user has access rights to the device storing the file.
4. The user permission control method for a Linux system according to claim 3, characterised in that the device access right judgement step comprises:
if the user has access rights to the device storing the file, the user is permitted to access the device; if the user does not have access rights to the device storing the file, the user is not permitted to access the device.
5. The user permission control method for a Linux system according to claim 1, characterised in that it further comprises:
a user permission configuration information acquisition step, in which user permission information is downloaded from a user permission database and processed to obtain user permission configuration information that the Cgroup/device subsystem can recognise.
6. The user permission control method for a Linux system according to claim 5, characterised in that it further comprises:
a user permission configuration step, in which the Cgroup/device subsystem configures user permissions in blacklist mode.
7. The user permission control method for a Linux system according to claim 1, characterised in that the file access right judgement step comprises judging whether the user has access rights to the file according to the following items:
judging whether the user's read/write operation on the file is consistent with the file's read/write attributes;
judging whether the user belongs to the users/groups that may access the file;
judging whether the file's name belongs to the file names accessible to the user.
8. The user permission control method for a Linux system according to claim 3, characterised in that the device access right judgement step comprises: judging whether the number of the device storing the file is in the user's device list, the device list being composed of the numbers of the devices storing the files accessible to the user.
9. The user permission control method for a Linux system according to claim 7, characterised in that, in the file access right judgement step, the user is judged to have access rights to the file when the following conditions are met:
the user's read/write operation on the file is consistent with the file's read/write attributes;
the user belongs to the users/groups that may access the file;
the file's name belongs to the file names accessible to the user.
10. The user permission control method for a Linux system according to claim 8, characterised in that, in the device access right judgement step, the user is judged to have access rights to the device storing the file when the following condition is met:
the number of the device storing the file is in the user's device list.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410203161.0A | 2014-05-14 | 2014-05-14 | The user authority control method of Linux system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201410203161.0A | 2014-05-14 | 2014-05-14 | The user authority control method of Linux system

Publications (2)

Publication Number | Publication Date
CN103971064A (en) | 2014-08-06
CN103971064B (en) | 2016-09-21

Family

ID=51240544

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201410203161.0A (Active) | CN103971064B (en) The user authority control method of Linux system | 2014-05-14 | 2014-05-14

Country Status (1)

Country | Link
CN (1) | CN103971064B (en)
Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105404821B * | 2015-10-23 | 2018-05-04 | 上海帝联信息科技股份有限公司 | The file access control method and device of operating system
CN105335502B * | 2015-10-28 | 2018-09-25 | 迈普通信技术股份有限公司 | A kind of management method and device of file attribute
CN106055986A * | 2016-05-06 | 2016-10-26 | 北京优炫软件股份有限公司 | Method and device for permission control

Citations (4)

Publication number | Priority date | Publication date | Assignee | Title
CN102707990A * | 2012-05-14 | 2012-10-03 | 华为技术有限公司 | Container based processing method, device and system
CN103049546A * | 2012-12-27 | 2013-04-17 | 华为技术有限公司 | Method and device for managing and accessing system logs
CN103581187A * | 2013-11-05 | 2014-02-12 | 曙光云计算技术有限公司 | Method and system for controlling access rights
CN103645957A * | 2013-12-25 | 2014-03-19 | 北京搜狐新媒体信息技术有限公司 | Resource management and control method for virtual machines, and resource management and control device for virtual machines

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
US9027151B2 * | 2011-02-17 | 2015-05-05 | Red Hat, Inc. | Inhibiting denial-of-service attacks using group controls

Non-Patent Citations (1)

Title
Working mechanism of Linux character device drivers (Linux字符设备驱动程序工作机理); He Gang et al.; Journal of Information Engineering University (信息工程大学学报); 2001-06-30; vol. 2, no. 2; pp. 37-40 *

Also Published As

Publication number Publication date
CN103971064A (en) 2014-08-06


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant