So it's a hack that makes fine-grained privilege escalation possible on Windows, without fundamentally fixing the problem. I don't think Unix will ever need to implement something like this. On Unix, we can do this the right way with PolicyKit. We don't need popups to log in as a different user for a particular action.
I'm a bit curious though why Microsoft would feel the need to patent this. It's not really an invention. It's an ugly hack, with little chance of being copied.
Posted Nov 12, 2009 21:26 UTC (Thu) by NAR (subscriber, #1313)
[Link]
> I'm a bit curious though why Microsoft would feel the need to patent this.
It's probably not "Microsoft", but some software research/development group in Microsoft. One of the performance metrics used on such a group could be "number of patents/year", so they try to patent every idea. Also, the individual researcher/developer might get a bonus for every patent.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 12, 2009 21:37 UTC (Thu) by foom (subscriber, #14868)
[Link]
> On Unix, we can do this the right way with PolicyKit. We don't need popups to log in
> as a different user for a particular action.
What's "the right thing" when an unprivileged user wants to change a privileged system setting that
they are not allowed to change? For example: deleting a user account, or installing software
system-wide. The solution in Windows (and OSX) is to ask you if you'd like to authenticate using a
suitably-privileged-user's credentials in order to perform that task.
The idea is that perhaps that user can be called in to allow the task which you yourself are not
trusted to do.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 12, 2009 21:57 UTC (Thu) by DOT (subscriber, #58786)
[Link]
Oh, PolicyKit does present a list of privileged users if the user isn't privileged at all. The hack I'm talking about is that Microsoft's system actually runs the app as another user, giving the app all the privileges that that other user has.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 12, 2009 22:15 UTC (Thu) by Kit (guest, #55925)
[Link]
>The hack I'm talking about is that Microsoft's system actually
>runs the app as another user, giving the app all the privileges
>that that other user has.
That's the way sudo works, which before PolicyKit was generally the method of choice for administrative tasks in GUIs on *nix (along with su).
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 12, 2009 23:51 UTC (Thu) by PaulWay (✭ supporter ✭, #45600)
[Link]
> On Unix, we can do this the right way with PolicyKit.
Yes, and there's the fundamental point we need to watch.
The patent basically deals with the OS recognising that the user doesn't have the permissions to do something, and prompting to enter the password for an account that does. sudo, on the other hand, requires the user to know beforehand (i.e. as they type the command) that they need it to run with elevated privileges; it prompts them for their own password and then checks its configuration for whether that person can run (that command) as that higher privilege. The difference is in the timing (before or after the command is being run), the authenticator being asked for (user versus admin) and the user interaction.
The big problem we have is that the patent was filed in 2005; PolicyKit started development in 2008. We need to find prior art for something that behaves like PolicyKit, rather than sudo. I'm not sure that sudo and the various analogues that people have suggested are the same as what Microsoft claims.
I agree with everything else that's wrong about this patent: it's obfuscated, it tries to explicitly claim that it's not just patenting the steps but anything that looks like them, and it's definitely stifling any possibility of progress in this kind of user interface. And I also agree that what they're patenting is a fairly stupid, fairly obvious way of dealing with the problem - some of the less intelligent species of the genus Cucurbita might have trouble remembering the name 'administrator' but few sysadmins generate their own administration user called (4Gn2z^/y$b8x"hQ - which seems to be the problem they're describing.
But don't fool yourself by thinking sudo is prior art to this patent.
Have fun,
Paul
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 13, 2009 6:59 UTC (Fri) by johill (subscriber, #25196)
[Link]
gksu has been around for much longer than that (2003-ish), and it seems likely that somebody was using it to start certain programs that are known to require administrative permission when it came around. Does it matter much that the particular program didn't detect the condition, but it was "automatically detected" by knowing that the program needs permissions?
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 13, 2009 11:37 UTC (Fri) by cortana (subscriber, #24596)
[Link]
I've seen a few Solaris users describe PolicyKit as being similar to a feature that Solaris has had
for some time -- execution profiles/RBAC stuff. Can't find a concrete reference at the moment
though so I don't know how to compare the two.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 14, 2009 11:45 UTC (Sat) by luya (subscriber, #50741)
[Link]
Posted Nov 13, 2009 11:44 UTC (Fri) by cortana (subscriber, #24596)
[Link]
Oh, by the way, I thought PolicyKit has been around for longer than just since 2008. I remember a
presentation on PackageKit at LugRadio LIVE in 2006 where it was mentioned as the component
that would allow users to gain the privileges to install packages.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 13, 2009 20:37 UTC (Fri) by jdv (subscriber, #712)
[Link]
The initial revision in the git repository is from March, 2006 (http://cgit.freedesktop.org/PolicyKit/log/?ofs=550); so even if that initial revision would count as prior art, it is not from before the patent application date.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 14, 2009 4:06 UTC (Sat) by luya (subscriber, #50741)
[Link]
Quick question: Has that patent ever worked in 2005 for Microsoft and is the exact copy of PolicyKit? Microsoft must show a demonstration in that case.
Microsoft Patents Sudo?!! (Groklaw)
Posted Nov 18, 2009 9:08 UTC (Wed) by k8to (subscriber, #15413)
[Link]
Well hopefully this patent will make PolicyKit infringing.
Explicitly suing to root in a shell before running minimal programs to administer the system... vastly
superior to this overengineered ball of hair called hal, dbus, policykit, devicekit and friends, which
won't even nicely cooperate with other methods. May they burn.