This invention relates to the administrative security of an operating system on a computer and/or a computer network appliance.
A computer appliance or network appliance is a computing device that is similar in many respects to a general purpose computer. A computer appliance typically has many of the same components that a general purpose computer has such as one or more microprocessors, storage devices, memory, an operating system, and the like. Computer appliances are different, however, because they typically have a fixed function or purpose that does not or cannot vary. Specifically, computer appliances are designed and programmed to implement specific types of functionality.
Many different types of computer appliances are in use today. For example, a server appliance may be designed to implement functions that include file sharing, Internet sharing, print sharing, or some combination of these functions. As another example, a computer appliance may be implemented as a network attached storage device to store and maintain information. Other types of appliances include set top boxes that are used in connection with viewing multimedia presentations on a television, or hardware systems that are designed to control a home security system.
A frequent characteristic of computer appliances is that they do not rely on local user interaction mechanisms such as a display, a keyboard, and/or a mouse input. Computer appliance interaction is functionally different from a general purpose computer that typically does have a display, a keyboard, and a mouse input.
Computer appliances are generally designed to operate in conjunction with computing devices and with other computer appliances in a networked environment. Computer appliance software applications and operating systems are designed to be remotely accessible from a networked computing device so that the operational and administrative functions of a computer appliance can be accessed remotely.
The operational and administrative functions of a computer appliance may vary with the functionality and purpose of the appliance. Such functions include updating and deleting information stored on the computer appliance, formatting the storage media, and accessing a computer appliance's operating system facilities to administratively manage the appliance.
Because the functionalities of computer appliances can vary widely, so too can the adaptation requirements of the software applications and operating systems implemented for use on the appliances. Typically, the software applications for computer appliances are designed, adapted, and/or implemented by parties other than the computer hardware or operating system manufacturers. These parties are referred to herein as original equipment manufacturers (OEMs).
It is desirable that the software applications and operating systems be designed and/or configured to limit a user's access to only those operational and administrative functions of a computer appliance that the OEM intended a user to have access to. Accordingly, operating systems are designed with security in mind to limit a user's access to the operational and administrative functions of a computer appliance. However, the operating system is typically purchased from a software manufacturer and is not designed for the specific purpose being performed by the computer appliance. Accordingly, it is desirable for the operating system to be configurable by the OEM to control various aspects of computer operation.
FIG. 1 illustrates a conventional networked system 100. The system 100 has a network 110 that connects a network domain administrator 112, a client computer 114, multiple computer appliances 116, and a network attached storage device 118 which is a specific implementation of a computer appliance. The client computer 114 is a conventional general purpose computer, configured to serve as a data repository. The multiple computer appliances 116 are implemented to accommodate various functions within the networked system 100 and typically have many of the same components that the client computer 114 has such as one or more microprocessors, storage devices, memory, and an operating system.
Generally, the multiple computer appliances 116 and the network attached storage device 118 do not need to be implemented with user interaction mechanisms such as a display, a keyboard, and/or a mouse input because the devices are accessible via the network 110. The computer appliances 116 and 118 can be accessed by the client computer 114 via the network 110 utilizing well-known technologies such as Telnet and Hypertext Transport Protocol (HTTP).
The network attached storage device 118 is a networked computer appliance having a network interface card 120, volatile memory 122 such as read only memory (ROM) and random access memory (RAM), a mass storage medium 124 such as a hard disk drive, and a processor 126. The processor 126 executes an operating system 128.
In this example, the operating system 128 has a typical operating system security hierarchy 130. The security hierarchy 130 is depicted having a root node security level 132 that is intended to be accessed only by the computer appliance OEM or operating system manufacturer. The security hierarchy 130 has three other levels of security access to the operating system 128: a high security level 134, an intermediate security level 136, and a low security level 138. A user having access privileges to the operating system 128 at the high security level 134 would typically be able to administer and manage the computer appliance's network configuration parameters, delete files, allocate user accounts and access privilege levels to other users, and the like. A user having access privileges to the operating system 128 at the low security level 138 would typically only be able to read information stored on the computer appliance 118. A user having access privileges to the operating system 128 at the intermediate security level 136 would have access to the same aspects of the computer appliance 118 that the user having access to the low security level 138 would have, but the user having access to the intermediate security level 136 would not be able to access the high-level operational and administrative functions that a user having access to the high security level 134 would have.
Conventionally, access privileges to an operating system 128 are top-down, meaning that a user with a high access privilege level will have access to the operating system 128 at the high security level 134 and also at any level below the high security level (e.g., the user will also have access at the intermediate security level 136 and at the low security level 138). Similarly, a network domain administrator 112 typically has high access privilege rights to every computer and device joined to a network, thus having complete access to the network attached storage device 118. In addition, an "administrator" can log on to a client computer such as client computer 114, and thereby gain access to the administrative functionality of a computer appliance under a high security level 134.
FIG. 2 shows a prior art computer appliance 200 that employs a popular method of administrative control. Specifically, administrative control of the computer appliance 200 is performed through a client computer 202, which can comprise any network workstation having an HTML browser 204.
In this example, an administrative user interface 206 is implemented as a plurality of hyperlinked HTML documents 208. Many of these individual documents or pages comprise active content such as Active Server Pages (ASPs), Common Gateway Interface (CGI) scripts, or other Web server extensions. ASPs are a commonly used technology in the Internet and HTML environments.
The HTML-based user interface 206 is accessible to the administrative user through a normal HTML browser 204, i.e., different pages of the interface are "browsed" in a manner similar to that of browsing Internet content. The user begins at a login page where the user enters a user name and a password that are subsequently used to authenticate the user and to determine the user's privilege level.
Once the user is authenticated as having authority to perform administrative functions 212, the HTML-based user interface 206 presents pages that allow the user to perform such functions. The administrative functions are carried out by making appropriate calls to the operating system 210.
One problem with this scheme results from the fact that the active content (e.g., HTML documents 208) executes under the authenticated user's security level. Because of this, the user must be given a privilege level that is high enough to perform all of the low-level administrative and configuration functions that might be performed by the active content 208. Granting this level of privileges, however, may make it possible for the user to tamper with system functionality in a way that might impair the functionality of the device or even render it inoperable.
A further complicating factor is that many operating systems, such as Microsoft's Windows® NT operating system, provide only discrete levels of privileges. For example, the active content 208 may require privileges that are available only under an "administrative" privilege level. However, the "administrative" privilege level might also grant additional privileges that are not needed by the active content, and that the OEM might want to prevent end users from having access to. This is an undesirable situation, which the system described below alleviates.
An administrative security process has been developed to allocate operating system security based on a user's need to access discrete administrative tasks on a general purpose computer or a computer appliance. This is favorable to giving a user complete access to the entire computer or computer appliance, or to a partitioned security level of the operating system.
The administrative security process is a process that executes on a computer under its own administrative user account, having its own administrative privileges. The administrative security process then performs administrative functions on behalf of a user process that does not have an administrative access privilege level to the computer appliance.
The administrative security process acts as an intermediary between a user requesting an administrative action and the operating system. The security process can be used to provide or deny access to any aspect of the operating system for any particular user. The security process is a general purpose intermediary in that it is not coded with any information or knowledge of the operating system administrative functions that may be restricted to a user. Rather, this information is available in a data store that the security process accesses. Through this data store, the OEM can tailor security policies without having to modify portions of the operating system itself.
When the administrative security process receives a request from a user, the security process identifies three items of information: (1) the identity of the user making the request, (2) the area of the operating system being accessed (called the "class"), and (3) the type of change being requested (called the "method"). The identity of the user consists of the name of the user and the groups of which the user is a member. The latter two items of information are treated as opaque items. That is, the security process does not interpret these items, other than through comparison with data in a data store. The administrative security process checks the three items of information against the data store to determine if a requested administrative method should be called.
The data store contains records, and each record consists of either a user identifier and a class, or a user identifier, a class, and a method. The user identifier can represent either a user or a group of users. The security process first looks for a record consisting of a user identifier, class, and method that match the user, class, and method being requested. If this record is found, the security process will allow the administrative function to continue. If the record is not found, the security process will look for a record comprising a user identifier and a class that match the user and class being requested. If found, the security process will allow the administrative function to continue. If neither of these records is found, the security process will not proceed with the administrative function.
The user identifier in the data store matches if it matches the user identifier of the user making the administrative request, or if it matches any of the groups that the user making the request is a member of. The class in the data store matches the class in the request if both are identical. The method in the data store matches the method in the request if both are identical.
If the administrative security process determines that the administrative function can proceed, it calls the class and method within the operating system on behalf of the requesting user process. The result of the administrative method is passed back to the requesting user process.
The administrative functions that each user is allowed to access are configured within the data store. The data store is restricted such that only the administrative security process and other authorized users can access and alter it. Through the use of a data store and a generic security process, the administrative functions that are permitted for each user can be modified without altering the code in the administrative security process.
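The following is an added example, not code from the patent, showing the record lookup and brokered call described above in Python: the broker first looks for a (user-or-group, class, method) record, then for a (user-or-group, class) record, and only then invokes the method on the caller's behalf. The record store, the user and group names, and the handlers standing in for privileged operating-system calls are all constructed for illustration.

```python
"""Added example (not from the patent): an administrative security broker that
decides whether a request may proceed by matching (principal, class, method)
records, then (principal, class) records, as described in the text above.
All records, principals and handlers below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Record:
    principal: str          # a user name or a group name
    klass: str              # the operating-system "class" (opaque to the broker)
    method: Optional[str]   # None means the record covers every method of the class


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # groups the user is a member of (resolved at authentication)
    klass: str
    method: str
    args: tuple = ()


def is_permitted(store, req: Request) -> bool:
    """Apply the two-step lookup: an exact (principal, class, method) record
    first, then a class-wide (principal, class) record. Class and method are
    compared only for identity; the broker never interprets them."""
    principals = {req.user, *req.groups}
    # Step 1: record naming this user or one of their groups, this class, this method.
    for rec in store:
        if rec.principal in principals and rec.klass == req.klass and rec.method == req.method:
            return True
    # Step 2: class-wide record for this user or one of their groups.
    for rec in store:
        if rec.principal in principals and rec.klass == req.klass and rec.method is None:
            return True
    # Neither record exists: the administrative function does not proceed.
    return False


class PermissionDenied(Exception):
    pass


# Constructed stand-ins for privileged operating-system calls. In the scheme
# described above these run under the broker's own administrative account, not
# the requesting user's.
_CONFIG = {"hostname": "nas-01"}


def _set_hostname(name: str) -> str:
    _CONFIG["hostname"] = name
    return f"hostname set to {name}"


def _get_hostname() -> str:
    return _CONFIG["hostname"]


HANDLERS: Dict[Tuple[str, str], Callable] = {
    ("NetworkConfig", "GetHostname"): _get_hostname,
    ("NetworkConfig", "SetHostname"): _set_hostname,
    ("Storage", "Format"): lambda volume: f"formatted {volume}",
}


def broker(store, req: Request):
    """Check the data store, then call the class/method on behalf of the
    unprivileged user process and hand back the result."""
    if not is_permitted(store, req):
        raise PermissionDenied(f"{req.user} may not call {req.klass}.{req.method}")
    handler = HANDLERS.get((req.klass, req.method))
    if handler is None:
        raise LookupError(f"unknown administrative method {req.klass}.{req.method}")
    return handler(*req.args)


# Constructed policy: the "operators" group may only read the hostname; the
# user "alice" may call any method of the NetworkConfig class.
STORE = (
    Record("operators", "NetworkConfig", "GetHostname"),
    Record("alice", "NetworkConfig", None),
)

if __name__ == "__main__":
    bob = Request("bob", frozenset({"operators"}), "NetworkConfig", "GetHostname")
    print(broker(STORE, bob))
    alice = Request("alice", frozenset(), "NetworkConfig", "SetHostname", ("nas-02",))
    print(broker(STORE, alice))
```

Because both record kinds only grant access, the order of the two lookups affects efficiency rather than the decision; what matters is that the store is writable only by the broker and authorized administrators (as the text requires), since whoever can add a (group, class) record effectively grants that group every method of the class.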