
Microsoft Patents sudo 663

Jimmy O Regan writes "Justin Mason (of SpamAssassin fame) has this blog entry: US Patent 6,775,781, filed by Microsoft, is a patent on the concept of 'a process configured to run under an administrative privilege level' which, based on authorization information 'in a data store', may perform actions at administrative privilege on behalf of a 'user process'."

  • by halo1982 ( 679554 ) * on Friday August 20, 2004 @10:03PM (#10029687) Homepage Journal
    A computer such as a network appliance executes an administrative security process configured to run under an administrative privilege level. Having an administrative privilege level, the administrative security process can initiate administrative functions in an operating system function library. A user process executing under a non-administrative privilege level can initiate a particular administrative function that the process would not otherwise be able to initiate by requesting that the administrative security process initiate the function. In response to a request to initiate a particular function from a process with a non-administrative privilege level, the administrative security process determines whether the requesting process is authorized to initiate the particular administrative function based on information accessed in a data store. If the requesting process is authorized, the administrative security process initiates the particular administrative function. In this manner, the administrative security process facilitates access to specific administrative functions for a user process having a privilege level that does not permit the user process to access the administrative functions.

    So of course this is completely unenforceable...I wonder if they'll even try. What is the process to go about for getting this patent revoked?

  • by tao_of_biology ( 666898 ) <tao.of.biologyNO@SPAMgmail.com> on Friday August 20, 2004 @10:07PM (#10029717)
    So, the patent is filed for August 10th, 2004... I checked out the history of SUDO page at: http://www.courtesan.com/sudo/history.html [courtesan.com] and it looks like SUDO dates back to 1980.

    In reading the patent, it does look pretty obvious that it's doing what SUDO is doing... I think this should be blown up with little effort.

    Is there any penalty for filing patents for which you KNOW prior art exists? If not, there definitely should be.

  • Re:"in a data store" (Score:5, Informative)

    by FuzzieNorn ( 203503 ) <fuzzie&warpedgames,com> on Friday August 20, 2004 @10:09PM (#10029725) Homepage
    No, sudo asks for the password of the currently running user, and then if correct, checks a data store - /etc/sudoers - to see if that user is allowed to use sudo, and only then runs the administrative command. The root logon is not involved; it's actually disabled on some of my boxes.
  • by GGardner ( 97375 ) on Friday August 20, 2004 @10:09PM (#10029727)
    I can see missing prior work as prior art. But missing the famous setuid patent [uspto.gov] seems just silly.
  • History of sudo. (Score:5, Informative)

    by Skulker303 ( 11304 ) on Friday August 20, 2004 @10:10PM (#10029728)
    http://www.sudo.ws/sudo/history.html

    Prior art.
  • Re:What Next? (Score:5, Informative)

    by Mark_MF-WN ( 678030 ) on Friday August 20, 2004 @10:11PM (#10029733)
    This just hastens the end of the patent system. Seriously -- the American patent system is going to fall apart soon, and things like this are the reason.

    The underlying premise of patents will no doubt survive, as it makes a lot of sense in some areas (like engineering). But software and business process patents will probably disappear.

  • Re:"in a data store" (Score:5, Informative)

    by GuyverDH ( 232921 ) on Friday August 20, 2004 @10:22PM (#10029797)
    sudo - through the use of its data-store the "sudoers" file, can be configured multiple ways.

    #1 - To require the "root" password.
    #2 - To require the password of the userid that the user is running as.
    #4 - To require the password of the userid the user wishes to switch to.
    #5 - To not require any password at all.

    When not requiring a password, it can be configured by the userid, or the command that is being run.

    All in all, it's very configurable, and definitely fits the prior art criteria.
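
The password modes listed in the comment above map onto sudoers settings (`rootpw`, `targetpw`, the default, and the `NOPASSWD:` tag). The following is an added example, not part of the thread and not sudo's own code: a small auditor that reads a sudoers-style policy and reports which password, if any, gates each command. It handles only a simplified subset of the sudoers grammar; the sample policy and its user names are constructed, and letting `rootpw` win over `targetpw` is an assumption of this example.

```python
import re

# Constructed sample policy, not taken from the thread; all names are made up.
SAMPLE_SUDOERS = """\
# With no password-related Defaults, sudo asks for the invoking user's password.
Defaults targetpw
alice   ALL = (ALL) ALL
bob     ALL = (root) NOPASSWD: /sbin/mount, /sbin/umount, \\
                     PASSWD: /usr/sbin/visudo
%wheel  ALL = (ALL) NOPASSWD: ALL
"""

NO_PASSWORD = "no password"
# Simplified rule shape: who  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines.

    Simplification: every '#' starts a comment (real sudoers also uses '#'
    for numeric uids and include directives).
    """
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def audit(text):
    """Return a list of (who, command, password mode) for each rule entry."""
    lines = list(logical_lines(text))

    # Pass 1: global Defaults decide whose password is asked for by default.
    # Scoped forms such as 'Defaults:user' are not handled in this example.
    flags = set()
    for line in lines:
        m = re.match(r"Defaults\s+(.*)", line)
        if m:
            flags.update(re.split(r"[,\s]+", m.group(1)))
    if "rootpw" in flags:  # assumption of this example: rootpw wins
        base = "root's password"
    elif "targetpw" in flags:
        base = "target user's password"
    else:
        base = "invoking user's password"

    # Pass 2: walk each rule; a tag applies to the commands that follow it
    # in the same list until another tag overrides it.
    findings = []
    for line in lines:
        m = None if line.startswith("Defaults") else RULE.match(line)
        if not m:
            continue
        who, mode = m.group(1), base
        for item in m.group(2).split(","):
            item = item.strip()
            while (tag := re.match(r"([A-Z_]+):\s*", item)):
                if tag.group(1) == "NOPASSWD":
                    mode = NO_PASSWORD
                elif tag.group(1) == "PASSWD":
                    mode = base
                item = item[tag.end():]
            findings.append((who, item, mode))
    return findings


def passwordless(text):
    """Entries an auditor would review first: commands run with no password."""
    return [(who, cmd) for who, cmd, mode in audit(text) if mode == NO_PASSWORD]
```
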
  • Re:Setuid? (Score:4, Informative)

    by LordWoody ( 187919 ) on Friday August 20, 2004 @10:27PM (#10029831) Homepage
    No, because set uid bit by itself does not validate the parent process/user against any data store like sudo command does (eg: against /etc/sudoers)
  • Re:Proof of concept? (Score:5, Informative)

    by Bryan_W ( 649785 ) on Friday August 20, 2004 @10:32PM (#10029859) Journal
    I know you were trying to be funny but seriously, it is a feature of Windows 2000/XP all you have to do is shift + right click any executable and select "Run as..." or use the runas command from the command prompt. Sorry but I had to be fair to Microsoft.
  • Re:Su do me! (Score:5, Informative)

    by Rosco P. Coltrane ( 209368 ) on Friday August 20, 2004 @10:36PM (#10029875)
    HELLO? When was FAT patented...NEVER. Microsoft didn't even invent fat. Please think before you post.

    Ignorant people shouldn't yak. [eweek.com]
  • I don't think there's an out this time. Usually, when you get posts saying "Microsoft patents clicking!!" there's usually something in the patent that says "clicking on an icon by using a joystick, underwater, over the internet" or something ridiculous that means the patent doesn't have prior art, but the idea itself does, and will probably be used to try and stretch the patent as far as the courts will let it.

    But this time, it looks like they are doing exactly what sudo does. Maybe finally all the anti-Slashdot-stereotype trolls will be wrong.
    Here's my read:

    CLAIMS:

    1. Processing a request from a non-admin user to do admin tasks. check.
    2. Determining if the user can do such a request. Check.
    3. Checking a data source to do #2. Check. (etc/passwd, others)
    4. Checking a data source to see which one of many admin tasks the user can do. This might be a bit iffy, because I'm not incredibly familiar with sudo. I would assume it's possible to restrict the usage of sudo for different tasks, and if so, Check.
    5. Multiple users. Check.
    6. Groups. Check.
    7. Using it for Methods. I think the Linux kernel might allow only certain system calls to be done by an administrator. If so, check.
    8. Groups for #7. Check-maybe.
    9,10. Combining classes and methods. Here it seems they get really specific, and it doesn't look like they define "class" or "method." Maybe.
    11-13. Passwords. Check.
    14-23. A computer to do the above. Check.
    24-34. A security framework to do the above. Check.
    35-49. Doing it over a network. Check. Now, here, a network seems to involve "hyperlinked documents creating a user interface." Certainly this idea is older than 2000. Check.
    50-62. Again, having a computer to do 1-49.
    63-end. Yeesh. Having a computer to do everything from 1-62. I guess they are covering every single combination.

    So there's the claims. There's nothing in there that sudo really doesn't do, because I think the vague language MS is using can be applied to a lot of different methods of unix-style security.

    So who's going to care? No one, especially not at the Patent Office.

    --Stephen
  • Re:"in a data store" (Score:3, Informative)

    by C_To ( 628122 ) on Friday August 20, 2004 @10:41PM (#10029902)
    You can change the config in the sudo.conf file to ask for user passwords, or to run without it for certain users, etc.
  • Re:Su do me! (Score:1, Informative)

    by Anonymous Coward on Friday August 20, 2004 @10:41PM (#10029905)
    They claim they did.

    http://www.microsoft.com/mscorp/ip/tech/fat.asp
  • by ArbitraryConstant ( 763964 ) on Friday August 20, 2004 @10:45PM (#10029928) Homepage
    $man su
    ...
    HISTORY
    A su command appeared in Version 7 AT&T UNIX.
    ...
    Version 7 was released in 1979.
  • by millert ( 10803 ) on Friday August 20, 2004 @10:48PM (#10029951) Homepage
    What an auspicious start. Maybe M$ will decide to patent some of the new features [www.sudo.ws].
  • by NanoGator ( 522640 ) on Friday August 20, 2004 @10:57PM (#10029994) Homepage Journal
    "What is the process to go about for getting this patent revoked?"

    Duplicate the feature, release a product, wait for MS to sue you.
  • SCO's prior art (Score:3, Informative)

    by The Monster ( 227884 ) on Friday August 20, 2004 @10:59PM (#10030008) Homepage
    So is SCO going to sue Microsoft for infringing on their claim to sudo
    They already have prior art in the form of asroot [sco.com] in SCO OpenServer. For those who aren't familiar with it, asroot allows an administrator to authorize certain users to run certain commands, well, 'as root'. Since it requires a 'data store' of which users are authorized to run which commands, there is definitely prior art.

    Of course, it's quite possible that the prior art involved is that of the programmers working on the original Xenix product for MS.

  • by Flower ( 31351 ) on Friday August 20, 2004 @11:04PM (#10030033) Homepage
    There are 75 claims to the patent. I almost got to claim 30 before I had the urge to reach for my bhong or pray for a flashback. Skimming through the rest of the claims I did note that they include claims for network connected devices.

    Onto the description which is not as sound as commenting on the actual claims but at least provides an idea of what they want to patent. First thing to note is they are once again on the appliance angle. They aren't discussing a PC. They're discussing an XBox or NAS.

    Now hitting the Detailed Description, here is where they slide in that the patent can cover general purpose PCs. Lots of discussion about Web-based administration. So it's not just sudo but Webmin+sudo.

    If anyone wants to take this to the next level go for it. I did my best to RTFP and this is as far as I think I'm going to take it. It was kinda cute to note how general things were in the patent e.g. "data store" that can cover the registry or a text file but there are other things to read tonight.

  • by Derek Pomery ( 2028 ) on Friday August 20, 2004 @11:22PM (#10030111)
    Actually,
    nobody did [straightdope.com].
  • Re:Prior Art? (Score:5, Informative)

    by mr_walrus ( 410770 ) on Friday August 20, 2004 @11:27PM (#10030142)
    the University of Waterloo had a similar concept
    with something called "suw"

    basically a su command that allowed authorized individuals to have
    their own root password. the root login account
    itself had unusable password.

    each authorized users suw password was of course kept in
    a "data store" (a private passwd style file)
    and logging of its usage was done to provide an audit
    trail.

    this is at least 16 or more years old.

    -k
  • by CodeBuster ( 516420 ) on Friday August 20, 2004 @11:49PM (#10030237)
    not really, do you really think that Microsoft is going to waste time and money going after people with all of these patents? of course not. However, they do have a billion dollar cash hoard to protect from every small time company lawyer out there that wants to roll the dice on patent litigation to steal a piece of that pie. IBM does the same thing. These patents are defensive in nature, they are supposed to protect Microsoft from submarine patents and their unscrupulous holders.
  • Re:maybe not so easy (Score:5, Informative)

    by Anonymous Coward on Saturday August 21, 2004 @12:00AM (#10030291)
    If the summary is correct, sudo doesn't count.

    The summary is mostly irrelevant as to what legal protection the patent has. The legal protection comes from the part marked "claims". And if you look at claim 1:

    executing an administrative security process under the administrative privilege level;

    the administrative security process accepting a request from a user process executing under the non-administrative privilege level

    You need an "admin. security process" that is "executing ... under ... admin. priv. level".

    It, the "admin. security process" then needs to "accept request[s] from a user process".

    So, it's somewhat questionable if sudo would really block the claims. I'm sure if one were to send the patent office the sudo info, MS would argue that they have an "already running admin. process" that then actively accepts requests from other user processes.

    In any case, everyone here who's uptight about the patent, there's at least two things you can do. 1) you can collect together all your sudo data, and optionally if you want explain how you think it describes a system that operates the same as the claimed system, and send it to the patent office to be placed into the legal record of this patent. That's the low cost (or maybe no cost, check the patent office web site for details) option available for you. Or, 2) you can collect together all your sudo data, and explain carefully how you think it describes what the claims describe, and file with the patent office for what is known as a reexamination of the patent. Yes, that's correct, you, someone unrelated to either MS or the patent office, or this patent, can actually send in your information and ask that the patent office reconsider their decision. Again, check the web site for details. So, instead of belly aching about how bad a job the patent office is or is not doing, why not simply help them out by sending them the info you know about, and then they have a better chance of doing a better job. And who knows, you might actually get this patent killed in the process.

  • by zog karndon ( 309839 ) on Saturday August 21, 2004 @12:10AM (#10030335)
    Geez, doesn't *anybody* know the history of patents? There are literally *hundreds* of patents for (e.g.) paperclips. Each patent describes a slightly different implementation of a paperclip. One might examine, for example, patent 494,622 [uspto.gov] or patent 371,390 [uspto.gov] - both patents issued for paperclips, issued in 2004 and 1996, respectively.

    Similarly, Microsoft has a patent on a slightly different implementation of setuid.

    Oh, wait... This is Microsoft, and therefore evil.
  • by Vengie ( 533896 ) on Saturday August 21, 2004 @12:13AM (#10030347)
    /dev is the directory commonly used to represent devices. (e.g. /dev/hd0 is hard disk 0)

    There is a distinction between virtual and physical devices. /dev/null is a "null device" -- a device which accepts tons of input but never produces anything.

    so:
    foomachine# echo "abc" > /dev/null

    produces NOTHING, since "abc" is given to /dev/null and /dev/null throws it away. (in lieu of a tty or lpt which would print/output "abc")

    /dev/urandom is a source of randomness........

    /dev/uspto is...well...obvious.

    one poster suggested REPLACING /dev/uspto (the patent office) with randomness ( ... > /dev/uspto)

    Another posted examined how the USPTO and randomness differ (the utility diff):

    # diff x y
    #
    no response from diff means the two files are identical, so this poster succinctly suggests that the uspto is random bullshit.
  • Re:Setuid? (Score:4, Informative)

    by jc42 ( 318812 ) on Saturday August 21, 2004 @12:44AM (#10030476) Homepage Journal
    No, because set uid bit by itself does not validate the parent process/user against any data store

    It certainly does. It verifies that the parent's uid has valid execute permission on the new program by comparing the owner and the x bits. This information is stored in the inode, which is in a filesystem (usually but not always a disk). A unix filesystem would certainly qualify as a "data store".

    So unix systems have two different instances of prior art, the setuid (and setgid) bit, and the somewhat later sudo command.

    Of course, the main question is whether anyone will be able to afford the effort to get this patent invalidated. Or will Microsoft be able to bankrupt anyone who tries?

    I suppose IBM could decide that this is a challenge to the security setup in their aix and linux systems. They probably have the money to successfully fight this one. I don't think I do.

  • by Anonymous Coward on Saturday August 21, 2004 @12:47AM (#10030487)
    sudo allows a program to run as root whereas su logs you in as root. su really has nothing to do with the discussion here.

    Before sudo, I would run commands like that:
    su -c "mount /dev/hda2 /mnt2"

  • by goon ( 2774 ) <peterrenshaw.seldomlogical@com> on Saturday August 21, 2004 @01:12AM (#10030576) Homepage Journal
    '... In software, assume that everything is already patented. You can't build anything, no matter how new it is, without infringing someone's patent. patents and linux [tbray.org] ...'
    [tim bray]


    must make a mention of tim brays article on software patents that I've recycled [slashdot.org] from a while ago.
  • by Snowgen ( 586732 ) on Saturday August 21, 2004 @01:22AM (#10030614) Homepage

    One might examine, for example, patent 494,622 or patent 371,390 - both patents issued for paperclips, issued in 2004 and 1996, respectively.

    Those are design patents, not invention patents.

    For example--no one can patent the fork because it's obvious and it's prior art, etc etc. But, you can design a fork that looks prettier than other forks, and get a design patent for that.

    As a very rough metaphor, think of a design patent as more like a 3-D copyright.

    It has no bearing at all on what's being discussed here.

  • Re:Prior Art? (Score:5, Informative)

    by slacker775 ( 611528 ) on Saturday August 21, 2004 @01:40AM (#10030674) Homepage
    http://www.symark.com/powerbroker.htm Powerbroker is a sudo-like commercial app. It does a means to run as a daemon process in a client-server type environment to allow the configured policy to work between different systems. Googling on it turns up posts from the mid 90's so it's been around for a while.
  • by Secrity ( 742221 ) on Saturday August 21, 2004 @06:02AM (#10031266)
    Software patents are turning the USPO into a laughing stock. I can understand the USPO not being able to thoroughly examine patents for some esoteric science. Sudo is not an esoteric science. If the USPO is going to issue software patents they should have somebody who knows something about software. This sort of patent should have been caught by anybody who has any knowledge of Unix-like operating systems.
  • by teridon ( 139550 ) on Saturday August 21, 2004 @07:47AM (#10031477) Homepage
    The most interesting part is the images. There you can actually see the Gnome logo. (There is an extra karma bonus for the first who find the KDE logo;)

    Listen, I hate MS as much as the next guy -- but did you read the rest of the patent? In the "BRIEF DESCRIPTION OF THE DRAWINGS" section, it reads:

    [0013] FIG. 1A [referring to the KDE front panel] is a pictorial diagram illustrating a desktop of a graphical user interface according to the prior art.

    [0014] FIG. 1B [referring to the Gnome front panel] is a pictorial diagram illustrating one implementation of a panel containing a desk guide used to switch among multiple virtual desktop according to the prior art.

    In the "BACKGROUND OF THE INVENTION" section, it points out that in KDE, the pager doesn't show you the pictures of the desktops: "As more and more application windows 102 are dispersed throughout these virtual desktops, it may be difficult for a user to remember which desktop contains which application window." You have to click on each desktop until you find it.

    For the GNOME pager, it says that "running application windows appear as small, raised squares... it is still not possible for a user to determine from these small raised squares the desired application window for which he may be looking"

    The patent is apparently for MS's improvement of the concept by actually showing small recognizable representations of each desktop in a "preview" pane that shows all the desktops, and for being able to transfer application windows from a different virtual desktop to the current one, without actually bringing up the other desktop.

    Ok, /.'ers -- can you think of prior art for this? Codetek's Virtual Desktop [codetek.com] is similar, but it uses application icons to represent windows, instead of shrunken pictures of the actual windows. However, from this FAQ [trakhelp.com], it appears the Codetek has at least tried to show shrunken pictures in their pager, and found it was too processor intensive.
  • Re:maybe not so easy (Score:1, Informative)

    by Anonymous Coward on Saturday August 21, 2004 @09:05AM (#10031672)

    So, it's somewhat questionable if sudo would really block the claims. I'm sure if one were to send the patent office the sudo info, MS would argue that they have an "already running admin. process" that then actively accepts requests from other user processes.

    OK, so they didn't patent sudo. They patented xinetd. Either way, it's a stupid patent. One of the big problems with the USPTO is that (IIRC) it is funded by the patent fees it collects from applicants. Therefore, it is in their interest to grant patents -- no matter how stupid -- because more applications means more money for them. Maybe if they had to return the fees if a patent is overturned, they wouldn't have such a "shoot first and let God sort 'em out" attitude.
  • Re:Prior Art? (Score:2, Informative)

    by yawgnol ( 244682 ) on Saturday August 21, 2004 @07:02PM (#10034699)
    Yeah, I think you're right. The US gets a little bit slower every day because of all this patent/copyright warfare. But it's mostly just companies within the US fighting with each other and slowing down innovation and general economic health within America. The US is trying to reach out and impose this structure on the rest of the world, but there is enough sensible resistance out there to make world-wide (submission) adoption highly questionable.

    It's a good point you make.
