CN109598118A - A kind of subdirectory access control method and relevant apparatus - Google Patents
- Publication number: CN109598118A (application CN201811455479.2A)
- Authority: CN (China)
- Prior art keywords: information, subdirectory, requestor, requested, access control
- Prior art date
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Abstract
The invention discloses a subdirectory access control method and related apparatus. A preset directory to be monitored is monitored; when a subdirectory under that directory is requested to be operated on, the requester information of the requested operation is obtained and the subdirectory information of the requested operation is determined; the blacklist or whitelist corresponding to that subdirectory information is then used to decide whether the requester is legitimate. Unlike the prior art, this solution no longer sets the permissions of all subdirectory information for each user or process; instead, for each subdirectory information it sets which users or processes have the corresponding permission, or which users or processes do not. When there are many users or processes, all subdirectories therefore need to be traversed only once to complete the configuration, rather than traversing all subdirectory information again for each user or process, which effectively reduces the workload of setting access control permissions and makes the permission configuration process more efficient and convenient.
Description
Technical field
The present invention relates to Linux access control technology, and more specifically to a subdirectory access control method, system, apparatus and computer-readable storage medium.
Background technique
Access to the Linux operating system usually requires access control auditing: when a disk file on the Linux disk system is accessed, the request of the accessing user or process is checked, intercepted, analysed and recorded, and the operation corresponding to the request is then either allowed or blocked.
At present the access control mechanisms of the Linux operating system can only control access per user or per process. For example, the chmod permissions of a Linux file are read, write and similar permissions that a user adds to each file with chmod; as another example, the Linux kernel IP module captures I/O requests and analyses whether the process corresponding to each I/O request should be allowed or blocked.
However, when there are several users or processes and each user or process has the same permissions over a large set of files, the permissions of the relevant files have to be added for each user or process in turn, and this is repeated again and again until the permissions of every user have been set. The repeated workload is therefore very large, and the permission configuration process is inconvenient.
How to set access control permissions conveniently is therefore a problem to be solved by those skilled in the art.
Summary of the invention
The purpose of the present invention is to provide a subdirectory access control method, system, apparatus and computer-readable storage medium, so as to solve the problem of how to set access control permissions conveniently.
To achieve the above object, the embodiments of the invention provide the following technical solutions:
A subdirectory access control method, comprising:
monitoring a preset directory to be monitored;
when a subdirectory under the preset directory to be monitored is requested to be operated on, obtaining the requester information of the request to operate on the subdirectory;
determining the subdirectory information of the requested operation;
determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
Wherein monitoring the preset directory to be monitored comprises:
monitoring the preset directory to be monitored using the fanotify mechanism.
Wherein determining the subdirectory information of the requested operation comprises:
determining, using the inotify mechanism, the subdirectory information that is requested to be deleted or renamed.
Wherein, when the subdirectory information is subdirectory information requested to be deleted, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, obtaining a backup of the subdirectory and using the backup to restore the deleted subdirectory.
Wherein, when the subdirectory information is subdirectory information requested to be renamed, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, restoring the old name of the subdirectory.
Wherein determining the subdirectory information of the requested operation comprises:
determining, using the fanotify mechanism, the subdirectory information that is requested to be modified or newly created.
Wherein, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, blocking the illegitimate requester's operation on the subdirectory using the fanotify mechanism.
Wherein determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory comprises:
matching the requester information against the blacklist information or whitelist information corresponding to the subdirectory information using a regular expression, so as to determine whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
Wherein, after determining whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is a legitimate requester, caching the corresponding requester information, subdirectory information and operation request information, so that when the same legitimate requester again requests the same operation on the subdirectory, the operation request is passed using the cached information.
Wherein, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
recording a processing result of the subdirectory information, the processing result comprising the subdirectory information, the operation request information corresponding to the subdirectory information, the requester information corresponding to the subdirectory information, and result information indicating whether the requester information is legitimate.
Wherein, after recording the processing result of the subdirectory information, the method further comprises:
encapsulating the processing result as JSON data.
Wherein the requester information comprises user information and/or process information of the request to operate on the subdirectory.
To achieve the above object, the invention also provides a subdirectory access control system, comprising:
a monitoring module, for monitoring a preset directory to be monitored;
an obtaining module, for obtaining, when a subdirectory under the preset directory to be monitored is requested to be operated on, the requester information of the request to operate on the subdirectory;
a first determining module, for determining the subdirectory information of the requested operation;
a second determining module, for determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
To achieve the above object, the invention also provides a subdirectory access control apparatus, comprising:
a memory, for storing a computer program;
a processor, for implementing the steps of the subdirectory access control method when executing the computer program.
To achieve the above object, the invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the subdirectory access control method when executed by a processor.
It can be seen from the above solution that the subdirectory access control method provided by the invention comprises: monitoring a preset directory to be monitored; when a subdirectory under the preset directory to be monitored is requested to be operated on, obtaining the requester information of the request to operate on the subdirectory; determining the subdirectory information of the requested operation; and determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
In the subdirectory access control method provided by the present application, a preset directory to be monitored is monitored; when a subdirectory under that directory is requested to be operated on, the requester information of the requested operation is obtained and the subdirectory information of the requested operation is determined; the blacklist or whitelist corresponding to that subdirectory information is then used to decide whether the requester is legitimate. Unlike the prior art, this solution no longer sets the permissions of all subdirectory information for each user or process; instead, for each subdirectory information it sets which users or processes have the corresponding permission, or which users or processes do not. When there are many users or processes, all subdirectories therefore need to be traversed only once to complete the configuration, rather than traversing all subdirectory information again for each user or process, which effectively reduces the workload of setting access control permissions and makes the permission configuration process more efficient and convenient. The invention also provides a subdirectory access control system, apparatus and computer-readable storage medium that achieve the same technical effect.
Detailed description of the invention
In order to explain more clearly the embodiments of the invention or the technical solutions of the prior art, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a kind of subdirectory access control method flow chart disclosed by the embodiments of the present invention;
Fig. 2 is a kind of subdirectory access control system structural schematic diagram disclosed by the embodiments of the present invention;
Fig. 3 is a kind of subdirectory access control apparatus structural schematic diagram disclosed by the embodiments of the present invention.
Specific embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
The embodiments of the invention disclose a subdirectory access control method, system, apparatus and computer-readable storage medium, so as to solve the problem of how to set access control permissions conveniently.
Referring to Fig. 1, a subdirectory access control method provided by an embodiment of the invention specifically comprises:
S101: monitoring a preset directory to be monitored.
In this solution, the directory that needs access control, i.e. the directory to be monitored, is set first; any operation on a subdirectory under that directory can then be observed.
It should be noted that "subdirectory" here includes both the directories and the files under the directory to be monitored.
In a specific embodiment, monitoring of the directory to be monitored is implemented with the fanotify mechanism. The concrete operations of implementing monitoring with fanotify can be found in the fanotify documentation and are not specifically limited in this application.
fanotify ("fscking all notification and file access system") is a notifier, i.e. a mechanism that generates notifications of file system changes: when the file system changes, the corresponding monitoring program is notified.
In this solution, the fanotify mechanism is used to monitor whether any subdirectory under the directory to be monitored changes.
It should be noted that the mount point of the directory to be monitored can be added directly under the fanotify mechanism, so access to a network disk file system can also be placed under access control by adding the directory to be monitored in this way, which solves the problem that ordinary I/O request access cannot handle network mounts.
S102: when a subdirectory under the preset directory to be monitored is requested to be operated on, obtaining the requester information of the request to operate on the subdirectory.
Specifically, when a subdirectory under the directory to be monitored is requested to be operated on, the requester information of the request is obtained. That is, this step determines which user or which process has made the operation request on the subdirectory.
It should be noted that when any subdirectory under the directory to be monitored is requested to be operated on, the requester information of the currently requested operation on that subdirectory is obtained; the requester information is the user information or process information of the request to operate on the subdirectory.
In a specific embodiment, the requester information of the request to operate on the subdirectory is obtained with the fanotify mechanism. fanotify can monitor whether a subdirectory under the directory to be monitored changes and, when it does, determine the information of the requester that changed the subdirectory. It should be noted that the fanotify mechanism can record the specific user information and process information of the requester, and this information can be used to match the corresponding blacklist or whitelist.
S103: determining the subdirectory information of the requested operation.
Specifically, this step determines which subdirectory is requested to be operated on, i.e. it determines the subdirectory information of the requested operation.
It should be noted that the fanotify mechanism can only observe that some subdirectory under the directory to be monitored has been requested to be operated on; which specific subdirectory is involved can be observed with fanotify only when the subdirectory is requested to be newly created or modified. Delete and rename operations, for example, cannot be observed with the fanotify mechanism, so the inotify mechanism must also be combined to achieve overall monitoring and determine the subdirectory information of the requested operation. The specific operations of determining subdirectory information with fanotify or inotify are introduced in the following embodiments and are not repeated here.
S104: determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
In this solution a blacklist or whitelist is preset, and the blacklist or whitelist is set per subdirectory information. Unlike the prior art, the access control policy in this solution is no longer oriented to users or processes: it no longer adds, for each user or each process, the subdirectory information on which operations may be executed, but instead, for each subdirectory information, adds the user information or process information that may or may not operate on it.
Specifically, the blacklist or whitelist corresponding to the subdirectory information is used to determine whether the requester information may execute the corresponding operation on the subdirectory. It will be understood that if the requester information together with the corresponding operation is in the blacklist, the requester is considered unable to execute the operation request; otherwise it can.
It can be seen that in the subdirectory access control method provided by the embodiments of the present application, a preset directory to be monitored is monitored; when a subdirectory under that directory is requested to be operated on, the requester information of the requested operation is obtained and the subdirectory information of the requested operation is determined; the blacklist or whitelist corresponding to that subdirectory information is then used to decide whether the requester is legitimate. Unlike the prior art, this solution no longer sets the permissions of all subdirectory information for each user or process; instead, for each subdirectory information it sets which users or processes have the corresponding permission, or which users or processes do not. When there are many users or processes, all subdirectories therefore need to be traversed only once to complete the configuration, rather than traversing all subdirectory information again for each user or process, which effectively reduces the workload of setting access control permissions and makes the permission configuration process more efficient and convenient.
On the basis of the above embodiment, the present embodiment further details and optimises the technical solution, specifically as follows:
In S103 of the above embodiment, determining the subdirectory information of the requested operation comprises:
determining, using the inotify mechanism, the subdirectory information that is requested to be deleted or renamed.
It should be noted that the fanotify mechanism can only observe that some subdirectory under the directory to be monitored has been requested to be operated on; which specific subdirectory is involved can be observed with fanotify only when the subdirectory is requested to be newly created or modified. Delete and rename operations, for example, cannot be observed with the fanotify mechanism, so in this solution the inotify mechanism is used to determine the subdirectory information that is requested to be deleted or renamed.
It should be noted that because the inotify mechanism cannot obtain the user permission under which the directory operation is executed, i.e. inotify cannot obtain the specific information of the requester, this solution needs to combine the fanotify mechanism to determine the requester information. All opens of the preset directory to be monitored are controlled by the ACCESS object of the fanotify mechanism. When a process executes an operation request on a subdirectory under the directory to be monitored, it first opens the directory to be monitored; the process fd that opens the directory to be monitored is determined, the fanotify mechanism intercepts that fd and records it in a map, and the rename or delete operation is then processed with inotify. When a delete or rename operation is obtained in inotify, the obtained process fd is compared with the fd data of the fanotify ACCESS object in the map, so as to judge which fd's corresponding process carried out the rename or delete operation and thereby determine the information of the user or process that did so.
Specifically, the buf of the request to operate on the subdirectory is obtained with the inotify mechanism; the buf contains the information of the operation, the information of the subdirectory and so on. The buf is converted into an event, from which it can be determined whether the requested operation on the subdirectory is specifically a delete operation or a rename operation. The specific usage of the inotify mechanism can be found in the existing inotify documentation and is not specifically limited in this solution.
In one embodiment, when the subdirectory information is subdirectory information requested to be deleted, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, obtaining a backup of the subdirectory and using the backup to restore the deleted subdirectory.
It should be noted that the inotify mechanism cannot stop an operation request from proceeding. That is, even if it is determined with inotify that the current subdirectory is requested to be deleted and that the requester is illegitimate, i.e. does not have permission to delete the subdirectory, inotify still cannot prevent the delete operation from proceeding. The only option is to restore the deleted subdirectory from a backup after the requester has been determined to be illegitimate; when the requester is a legitimate requester, the delete operation is allowed.
In another embodiment, when the subdirectory information is subdirectory information requested to be renamed, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, restoring the old name of the subdirectory.
Rename is handled in the same way as delete: when the inotify mechanism detects that the operation requested on the subdirectory is a rename, and the current requester is determined according to the blacklist or whitelist to be an illegitimate requester, inotify rolls the name produced by the requester's rename back to the name the subdirectory had before the rename operation was executed.
On the basis of the above embodiment, the present embodiment further details and optimises the technical solution, specifically as follows:
In S103 of the above embodiment, determining the subdirectory information of the requested operation comprises:
determining, using the fanotify mechanism, the subdirectory information that is requested to be modified or newly created.
It should be noted that the fanotify mechanism can directly monitor a subdirectory under the directory to be monitored being modified or newly created, so the fanotify mechanism is used to determine the subdirectory information that is requested to be modified or newly created.
In one embodiment, after determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, blocking the illegitimate requester's operation on the subdirectory using the fanotify mechanism.
In this solution, when the requester is illegitimate, the operation is blocked directly with the fanotify mechanism.
On the basis of the above embodiment, the present embodiment further details and optimises the technical solution, specifically as follows:
In S104 of the above embodiment, determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory comprises:
matching the requester information against the blacklist information or whitelist information corresponding to the subdirectory information using a regular expression, so as to determine whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
It should be noted that the data recorded in the blacklist information or whitelist information is in string form, so in this solution regular expressions can be used to match the requester information.
In one embodiment, after determining whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory, the method further comprises:
when the requester information is a legitimate requester, caching the corresponding requester information, subdirectory information and operation request information, so that when the same legitimate requester again requests the same operation on the subdirectory, the operation request is passed using the cached information.
It should be noted that matching with regular expressions consumes a certain amount of computing resources, and a large number of matching operations leads to excessive performance overhead. Therefore, in this solution, when the requester information is a legitimate requester, the corresponding requester, subdirectory information and operation request information are cached, so that when that requester performs the same operation on that subdirectory it can be determined directly from the cache contents that the operation may be executed, without matching with a regular expression again, thereby saving computing resources.
It should be noted that a preset time needs to be set for the above cached information: once the preset time has elapsed since the information was cached, it is deleted from the cache, so as to avoid wasting cache resources.
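The cache of allowed (requester, subdirectory, operation) triples with a preset expiry, as an added C example that is not the patent's own code. The current time is passed in explicitly so the expiry is deterministic; the slow verdict function, the 300-second preset time and the sample call sequence are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 64
#define CACHE_TTL_SECONDS 300   /* the page's "preset time"; 300 s is assumed */

struct cache_entry {
    char requester[64];         /* requester information, e.g. "alice:vim" */
    char subdir[128];           /* subdirectory information */
    char operation[16];         /* operation request information, e.g. "modify" */
    time_t stored_at;
    int in_use;
};

struct decision_cache { struct cache_entry slots[CACHE_SLOTS]; };

void cache_init(struct decision_cache *c) { memset(c, 0, sizeof *c); }

static int key_matches(const struct cache_entry *e, const char *requester,
                       const char *subdir, const char *operation)
{
    return e->in_use && strcmp(e->requester, requester) == 0 &&
           strcmp(e->subdir, subdir) == 0 && strcmp(e->operation, operation) == 0;
}

/* 1 if a live cached allow exists for the triple. Entries older than the
 * preset time are dropped while scanning, so a stale verdict never answers. */
int cache_lookup(struct decision_cache *c, const char *requester,
                 const char *subdir, const char *operation, time_t now)
{
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        struct cache_entry *e = &c->slots[i];
        if (e->in_use && now - e->stored_at >= CACHE_TTL_SECONDS)
            e->in_use = 0;
        else if (key_matches(e, requester, subdir, operation))
            return 1;
    }
    return 0;
}

/* Remember an allowed triple, reusing a free slot or evicting the oldest. */
void cache_store(struct decision_cache *c, const char *requester,
                 const char *subdir, const char *operation, time_t now)
{
    struct cache_entry *victim = &c->slots[0];
    for (size_t i = 0; i < CACHE_SLOTS && victim->in_use; i++)
        if (!c->slots[i].in_use || c->slots[i].stored_at < victim->stored_at)
            victim = &c->slots[i];
    snprintf(victim->requester, sizeof victim->requester, "%s", requester);
    snprintf(victim->subdir, sizeof victim->subdir, "%s", subdir);
    snprintf(victim->operation, sizeof victim->operation, "%s", operation);
    victim->stored_at = now;
    victim->in_use = 1;
}

/* The verdict source that does the expensive regular-expression match of
 * step S104; its signature is an assumption of this example. */
typedef int (*slow_check_fn)(const char *requester, const char *subdir,
                             const char *operation);

/* S104 with the cache in front. Only a legitimate verdict is stored, as the
 * page describes; a denial is re-evaluated every time. *from_cache reports
 * whether the regular-expression match was skipped. */
int decide_cached(struct decision_cache *c, const char *requester,
                  const char *subdir, const char *operation, time_t now,
                  slow_check_fn slow_check, int *from_cache)
{
    if (cache_lookup(c, requester, subdir, operation, now)) {
        *from_cache = 1;
        return 1;
    }
    *from_cache = 0;
    int allowed = slow_check(requester, subdir, operation);
    if (allowed)
        cache_store(c, requester, subdir, operation, now);
    return allowed;
}

/* Constructed stand-in for the regex match: counts its calls so the saving is
 * visible, and treats only "alice:vim" as a legitimate requester. */
int sample_slow_check_calls = 0;
int sample_slow_check(const char *requester, const char *subdir, const char *operation)
{
    (void)subdir; (void)operation;
    sample_slow_check_calls++;
    return strcmp(requester, "alice:vim") == 0;
}
```

Because an allow is remembered for CACHE_TTL_SECONDS, tightening a list takes effect for an already-cached requester only once that preset time has elapsed, so keep it short or flush the cache whenever the lists change.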
On the basis of the above embodiment, the present embodiment further details and optimises the technical solution, specifically as follows:
After S104, the method further comprises:
recording a processing result of the subdirectory information, the processing result comprising the subdirectory information, the operation request information corresponding to the subdirectory information, the requester information corresponding to the subdirectory information, and result information indicating whether the requester information is legitimate.
It should be noted that in this solution the processing of the operation request also needs to be recorded, i.e. the subdirectory information, the operation request information corresponding to that subdirectory information, the requester information corresponding to that subdirectory information and the result information on whether that requester information is legitimate are recorded, for example the specific operation time, process and user, and for a network directory also the target machine IP, etc. It should be noted that a legitimate requester proves that the corresponding operation request was executed, while an operation request that does not conform to the rules is not executed.
By recording the above information, other data such as first-access records, most-frequently-accessed statistics, least-accessed statistics and user or process operation distribution maps can be generated, which is convenient for operations managers to carry out log analysis and sharing.
In a specific embodiment, after recording the processing result of the subdirectory information, the method further comprises:
encapsulating the processing result as JSON data.
So that a third-party platform can conveniently receive and inspect the above processing result, in this solution the processing result is encapsulated as JSON data using jrpc, so that the third-party platform can directly receive the above recorded processing result with a tool such as snmp, which avoids the problem of the data not supporting third-party platforms.
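Encapsulating the processing result as JSON, as an added C example that is not the patent's jrpc code; the field names and the record layout are assumptions. The escaping is the part that matters to a defender: subdirectory and process names come from the file system, so an unescaped quote, backslash or control byte would let a requester corrupt the record that a third-party platform later parses.

```c
#include <stdio.h>
#include <string.h>

/* One processing result of step S104 (field names assumed for this example). */
struct processing_result {
    const char *subdir;        /* subdirectory information */
    const char *operation;     /* operation request information, e.g. "delete" */
    const char *user;          /* requester information: user */
    const char *process;       /* requester information: process */
    const char *target_ip;     /* only for a network directory; NULL otherwise */
    long long timestamp;       /* operation time as Unix seconds */
    int legitimate;            /* result information: 1 executed, 0 blocked */
};

/* Write s as a quoted JSON string into out; returns bytes written or -1 if
 * out is too small. Quotes, backslashes and control bytes are escaped. */
static int put_json_string(const char *s, char *out, size_t len)
{
    size_t n = 0;
    if (len < 2)
        return -1;
    out[n++] = '"';
    for (; *s; s++) {
        unsigned char ch = (unsigned char)*s;
        char tmp[8];
        const char *esc = NULL;
        switch (ch) {
        case '"':  esc = "\\\""; break;
        case '\\': esc = "\\\\"; break;
        case '\n': esc = "\\n";  break;
        case '\r': esc = "\\r";  break;
        case '\t': esc = "\\t";  break;
        default:
            if (ch < 0x20) {       /* other control bytes as \u00XX */
                snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)ch);
                esc = tmp;
            }
        }
        size_t need = esc ? strlen(esc) : 1;
        if (n + need + 2 > len)    /* keep room for closing quote and NUL */
            return -1;
        if (esc) { memcpy(out + n, esc, need); n += need; }
        else out[n++] = (char)ch;
    }
    if (n + 2 > len)
        return -1;
    out[n++] = '"';
    out[n] = '\0';
    return (int)n;
}

/* Serialise r as one JSON object; returns its length or -1 if out is too small. */
int format_result_json(const struct processing_result *r, char *out, size_t len)
{
    size_t n = 0;
    int w;
#define PUT_RAW(str) do { w = snprintf(out + n, len - n, "%s", (str)); \
    if (w < 0 || (size_t)w >= len - n) return -1; n += (size_t)w; } while (0)
#define PUT_STR(key, val) do { PUT_RAW(key); w = put_json_string((val), out + n, len - n); \
    if (w < 0) return -1; n += (size_t)w; } while (0)
    PUT_RAW("{");
    PUT_STR("\"subdir\":", r->subdir);
    PUT_STR(",\"operation\":", r->operation);
    PUT_STR(",\"user\":", r->user);
    PUT_STR(",\"process\":", r->process);
    if (r->target_ip)
        PUT_STR(",\"target_ip\":", r->target_ip);
    w = snprintf(out + n, len - n, ",\"time\":%lld,\"legitimate\":%s}",
                 r->timestamp, r->legitimate ? "true" : "false");
    if (w < 0 || (size_t)w >= len - n)
        return -1;
    n += (size_t)w;
#undef PUT_RAW
#undef PUT_STR
    return (int)n;
}
```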
A subdirectory access control system provided by an embodiment of the present application is introduced below; the subdirectory access control system described below and any of the embodiments described above may be cross-referenced.
Referring to Fig. 2, a subdirectory access control system provided by an embodiment of the present application specifically comprises:
a monitoring module 201, for monitoring a preset directory to be monitored;
an obtaining module 202, for obtaining, when a subdirectory under the preset directory to be monitored is requested to be operated on, the requester information of the request to operate on the subdirectory;
a first determining module 203, for determining the subdirectory information of the requested operation;
a second determining module 204, for determining, using the blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester that may execute the corresponding operation on the subdirectory.
The subdirectory access control system of this embodiment is used to implement the subdirectory access control method described above, so the specific embodiments of the subdirectory access control system can be found in the embodiment sections of the subdirectory access control method above. For example, the monitoring module 201, the obtaining module 202, the first determining module 203 and the second determining module 204 implement steps S101, S102, S103 and S104 of the above subdirectory access control method respectively, so their specific embodiments can be found in the description of the corresponding parts and are not repeated here.
A subdirectory access control apparatus provided by the embodiments of the present application is introduced below. The subdirectory access control apparatus described below and any of the embodiments described above may be cross-referenced.
Referring to Fig. 3, a subdirectory access control apparatus provided by the embodiments of the present application specifically includes:
a memory 100, for storing a computer program;
a processor 200, which when executing the computer program implements the steps of the subdirectory access control method of any of the embodiments above.
Specifically, the memory 100 includes a non-volatile storage medium and internal memory. The non-volatile storage medium stores an operating system and computer-readable instructions; the internal memory provides the environment in which the operating system and the computer-readable instructions in the non-volatile storage medium run. The processor 200 provides computing and control capability for the subdirectory access control apparatus and can implement the steps provided by any of the subdirectory access control method embodiments above.
On the basis of the above embodiments, as a preferred solution, the subdirectory access control apparatus further includes:
an input interface 300, for acquiring externally imported computer programs, parameters and instructions, which are saved into the memory under the control of the processor. The input interface 300 may be connected to an input device to receive parameters or instructions entered manually by a user. The input device may be a touch layer covering a display screen, a key, trackball or trackpad arranged on the terminal housing, or a keyboard, trackpad or mouse, etc. Specifically, in this embodiment, the user can manually select the directory to be monitored and set the blacklist information or whitelist information through the input interface 300.
a display unit 400, for displaying data sent by the processor. The display unit 400 may be the display screen of a PC, a liquid crystal display or an electronic ink display screen, etc. Specifically, in this embodiment, the display unit 400 can display information such as the result of the subdirectory access control apparatus' handling of the request.
a network port 500, for communicative connection with external terminal devices. The communication technology used for the communication connection may be wired or wireless, such as Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High-Definition Multimedia Interface (HDMI), Bluetooth, Bluetooth Low Energy, wireless fidelity (WiFi), or communication technology based on IEEE 802.11s, etc. Specifically, in this embodiment, the processing result of the subdirectory information can be recorded and transmitted to a third-party platform through the network port 500, for work such as operation and maintenance.
The present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps provided by the above embodiments can be implemented. The storage medium may include: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may refer to each other.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realised in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (15)
1. A subdirectory access control method, characterized by comprising:
monitoring a preset directory to be monitored;
when a subdirectory under the preset directory to be monitored is requested to be operated on, acquiring requester information of the request to operate on the subdirectory;
determining subdirectory information of the requested operation; and
using blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory.
2. The method according to claim 1, characterized in that monitoring the preset directory to be monitored comprises:
monitoring the preset directory to be monitored using the fanotify mechanism.
3. The method according to claim 1, characterized in that determining the subdirectory information of the requested operation comprises:
determining, using the inotify mechanism, subdirectory information that is requested to be deleted or requested to be renamed.
4. The method according to claim 3, characterized in that, when the subdirectory information is that of a subdirectory requested to be deleted, after using the blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, obtaining a backup of the subdirectory and restoring the deleted subdirectory using the backup.
5. The method according to claim 3, characterized in that, when the subdirectory information is that of a subdirectory requested to be renamed, after using the blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, restoring the original name of the subdirectory.
6. The method according to claim 1, characterized in that determining the subdirectory information of the requested operation comprises:
determining, using the fanotify mechanism, subdirectory information that is requested to be modified or requested to be newly created.
7. The method according to claim 6, characterized in that, after using the blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory, the method further comprises:
when the requester information is an illegitimate requester, preventing the illegitimate requester's operation on the subdirectory using the fanotify mechanism.
8. The method according to claim 1, characterized in that using the blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory comprises:
matching the requester information against the blacklist information or whitelist information corresponding to the subdirectory information using regular expressions, to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory.
9. The method according to claim 8, characterized in that, after determining whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory, the method further comprises:
when the requester information is a legitimate requester, caching the operation request information corresponding to the requester information and the subdirectory information, so that when the same legitimate requester requests the operation on the subdirectory again, the operation request is passed using the cached information.
10. The method according to claim 1, characterized in that, after using the blacklist information or whitelist information corresponding to the subdirectory information to determine whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory, the method further comprises:
recording a processing result of the subdirectory information, the processing result comprising the subdirectory information, operation request information corresponding to the subdirectory information, requester information corresponding to the subdirectory information, and result information on whether the requester information is legitimate.
11. The method according to claim 10, characterized in that, after recording the processing result of the subdirectory information, the method further comprises:
encapsulating the processing result as JSON data.
12. The method according to any one of claims 1 to 11, characterized in that the requester information comprises: user information of the request to operate on the subdirectory and/or process information of the request to operate on the subdirectory.
13. A subdirectory access control system, characterized by comprising:
a monitoring module, for monitoring a preset directory to be monitored;
an acquisition module, for acquiring, when a subdirectory under the preset directory to be monitored is requested to be operated on, requester information of the request to operate on the subdirectory;
a first determining module, for determining subdirectory information of the requested operation;
a second determining module, for determining, using blacklist information or whitelist information corresponding to the subdirectory information, whether the requester information is a legitimate requester permitted to perform the corresponding operation on the subdirectory.
14. A subdirectory access control apparatus, characterized by comprising:
a memory, for storing a computer program;
a processor, which when executing the computer program implements the steps of the subdirectory access control method according to any one of claims 1 to 12.
15. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the subdirectory access control method according to any one of claims 1 to 12 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811455479.2A CN109598118A (en) | 2018-11-30 | 2018-11-30 | A kind of subdirectory access control method and relevant apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109598118A true CN109598118A (en) | 2019-04-09 |
Family
ID=65959996
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811455479.2A Pending CN109598118A (en) | 2018-11-30 | 2018-11-30 | A kind of subdirectory access control method and relevant apparatus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109598118A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101388033A (en) * | 2008-11-05 | 2009-03-18 | 山东中创软件工程股份有限公司 | File protection technology based on Windows system file altering event |
US9165160B1 (en) * | 2011-02-04 | 2015-10-20 | hopTo Inc. | System for and methods of controlling user access and/or visibility to directories and files of a computer |
CN105760759A (en) * | 2015-12-08 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Method and system for protecting documents based on process monitoring |
Non-Patent Citations (4)
Title |
---|
WEIXIN_34293911: "Linux ACL访问权限控制详解" (Linux ACL access permission control explained in detail), CSDN * |
刘坤 (Liu Kun): 《网络攻防与实践》 (Network Attack, Defence and Practice), 31 July 2018, Beijing Institute of Technology Press * |
朱双喜 (Zhu Shuangxi): 《Linux系统管理》 (Linux System Administration), 31 March 2011 * |
杨凯飞等 (Yang Kaifei et al.): "面向桌面环境的索引实时更新方法" (A real-time index update method for desktop environments), 《计算机系统应用》 (Computer Systems & Applications) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112784253A (en) * | 2021-02-09 | 2021-05-11 | 珠海豹趣科技有限公司 | Information acquisition method and device of file system, electronic equipment and storage medium |
CN112784253B (en) * | 2021-02-09 | 2024-06-11 | 珠海豹趣科技有限公司 | File system information acquisition method and device, electronic equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10868673B2 (en) | Network access control based on distributed ledger | |
US9384056B2 (en) | Virtual resource allocation and resource and consumption management | |
CN110651269B (en) | Isolated container event monitoring | |
US10831715B2 (en) | Selective downloading of shared content items in a constrained synchronization system | |
KR101672227B1 (en) | Multimodal computing device | |
CN111382421A (en) | Service access control method, system, electronic device and storage medium | |
US8156538B2 (en) | Distribution of information protection policies to client machines | |
US9563638B2 (en) | Selective downloading of shared content items in a constrained synchronization system | |
US10642518B1 (en) | System and method for creating high frequency snapshots of an entity in a virtualized environment | |
US9274847B2 (en) | Resource management platform | |
CN109598118A (en) | A kind of subdirectory access control method and relevant apparatus | |
US20130283295A1 (en) | Method and system for the support of application specific policies for conventional operating systems | |
US9450965B2 (en) | Mobile device, program, and control method | |
US9305007B1 (en) | Discovering relationships using deduplication metadata to provide a value-added service | |
US11604669B2 (en) | Single use execution environment for on-demand code execution | |
Zhang et al. | Device-centric federated analytics at ease | |
JP6065791B2 (en) | Control program and information processing terminal | |
Awan et al. | Resource management and security issues in mobile phone operating systems: A comparative analysis | |
Arora et al. | Flexible Resource Allocation for Relational Database-as-a-Service | |
Xin et al. | An optimization of memory usage based on the android low memory management mechanisms | |
US20240249020A1 (en) | Selective deletion of sensitive data | |
JP6636623B2 (en) | Selective download of shared content items in a constrained synchronization system | |
Zhu et al. | A dynamic credible factory reset mechanism of personal data in android device | |
CN117235339A (en) | Data platform with unified privileges | |
KR20140129715A (en) | System for storage security of cloud server in cloud computing environment and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190409 |