Microsoft Patents sudo

Posted by michael on Fri Aug 20, 2004 09:00 PM
from the you're-just-mad-you-didn't-think-of-it-first dept.
Jimmy O Regan writes "Justin Mason (of SpamAssassin fame) has this blog entry: US Patent 6,775,781, filed by Microsoft, is a patent on the concept of 'a process configured to run under an administrative privilege level' which, based on authorization information 'in a data store', may perform actions at administrative privilege on behalf of a 'user process'."
  • Prior Art? (Score:5, Interesting)

    by aweraw (557447) * on Friday August 20 2004, @09:01PM (#10029673)
    (http://www.something.com/)
    So, I guess the prior art will be easy to show... right?
    • Re:Prior Art? (Score:5, Insightful)

      by Anonymous Coward on Friday August 20 2004, @09:04PM (#10029690)
      Sure, if you have the USD500,000 to field the court case. Most people cave first.

      [ Parent ]
    • Re:Prior Art? (Score:5, Funny)

      by cbr2702 (750255) on Friday August 20 2004, @09:04PM (#10029693)
      (http://sccs.swarthmore.edu/~cbr)
      How? Everyone knows those Open Sores hippies stole everything anyways.
      [ Parent ]
    • Re:Prior Art? by rubz (Score:3) Friday August 20 2004, @09:15PM
      • Re:Prior Art? (Score:5, Insightful)

        by NanoGator (522640) on Friday August 20 2004, @09:52PM (#10029973)
        (http://www.ferion.net/ | Last Journal: Monday May 06 2002, @02:16AM)
        "Why would they patent something which has been around for years in the competition's OS? There's no way they can actually patent sudo...not on my watch."

        They can patent it just fine, all the USPTO has to do is not notice the similarity. It's when they get to court with somebody about it that the problem actually exists.

        I had to sound like an arrogant ass here, but maybe you should go work for the Patent Office? Not because it'd teach you a lesson, but because it is pretty clear that whoever approves these doesn't understand the area they're in. I mean, look how technical the patent is. Either the patent office picked up on a subtle nuance that makes it different from *nux, or they just didn't connect it with something it does already.
        [ Parent ]
        • Re:Prior Art? (Score:5, Insightful)

          by The Kow (184414) <putnamp&gmail,com> on Friday August 20 2004, @11:23PM (#10030384)
          Let's be fair, if you had to read these at the rate they do at the USPTO, then figure out exactly wtf all this double-talking techno babble means, eventually things would start blending together and crap like this would filter through. I thought it was generally accepted that the main problem is not that the USPTO people don't know what they're doing, it's that 1) the patent process has been turned from a means to protect innovation into a profitable business model, and nobody seems to want to stop it, and 2) the USPTO itself is understaffed.
          [ Parent ]
          • Re:Prior Art? (Score:5, Insightful)

            by bit01 (644603) on Saturday August 21 2004, @01:41AM (#10030850)

            USPTO itself is understaffed.

            It doesn't matter how well staffed the patent office is. It is humanly impossible for a government office to realistically assess all of human knowledge for prior art. To say otherwise is dishonest.

            More precisely the patent office examiners are liars if they can say with a straight face they have checked all possible places for prior art on an invention they have never seen before. Only a scientist who has spent a lifetime working in a very narrow area can do this, and even then they make mistakes all the time. It is financially impossible for the patent office to employ a scientist in every narrow area. Just look at their understanding of even one area like software. Absolutely hopeless.

            In any case prior art is a necessary but not sufficient evidence of inventiveness.

            ---

            It's wrong that an intellectual property creator should not be rewarded for their work.
            It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
            Reform IP law and stop the M$/RIAA patent/copyright abuse.

            [ Parent ]
          • Re:Prior Art? (Score:5, Insightful)

            by bleckywelcky (518520) on Saturday August 21 2004, @02:32AM (#10030992)
            I think the USPTO's problem is that they've adopted a default 'innocent until proven guilty' mantra where all patents are valid unless proven otherwise. They need to turn their thinking around and adopt a default 'guilty until proven innocent' mantra where all patents are invalid until sufficient (or a certain amount of) time has been spent or research done to prove otherwise. If a patent application comes in for a supposed "computer/electronic technology" and some guy looks at it for a couple hours (days, weeks, etc), but doesn't know what he's looking at, how can he actually justify that this is a new, unique, novel idea by accepting the application? If a patent reviewer doesn't react with an "ah ha!, now that is interesting" that indicates he/she understands the topic and what is unique about the idea, then it shouldn't be accepted.
            [ Parent ]
            • Re:Prior Art? by The Kow (Score:3) Saturday August 21 2004, @02:46AM
            • Re:Prior Art? by nwbvt (Score:2) Saturday August 21 2004, @05:49AM
              • Re:Prior Art? by nwbvt (Score:2) Saturday August 21 2004, @08:56AM
                • Re:Prior Art? by ultranova (Score:3) Sunday August 22 2004, @08:08AM
                  • Re:Prior Art? by nwbvt (Score:2) Sunday August 22 2004, @09:40AM
            • Re:Prior Art? by back_pages (Score:2) Saturday August 21 2004, @10:20AM
              • Re:Prior Art? by vsprintf (Score:2) Saturday August 21 2004, @03:28PM
          • Re:Prior Art? (Score:5, Insightful)

            by msobkow (48369) on Saturday August 21 2004, @03:52AM (#10031152)
            (Last Journal: Sunday February 18 2007, @11:40AM)

            Stop making excuses for the incompetent. We all have to pay for their screwups, and it's about freakin' time they were held accountable.

            Sue them. Sue them for your legal fees, your lost revenue, your lost potential revenue, damage to your corporate image, and anything else you can think of if you get caught in a bogus IP "lawsuit" by some vulture corp because of USPTO incompetence.

            If they can't do the job, don't do it. Let the backlog build up until industry screams and starts pushing for Congress to increase the budget. As long as you push incompetent crap through instead, the funding will never be increased because corporate America does not see just how much damage you're doing with your negligence at the USPTO.

            And believe me, it is emphatically negligence.

            [ Parent ]
          • Why not have patents peer reviewed? by Peter Cooper (Score:3) Saturday August 21 2004, @04:19AM
          • Re:Prior Art? by nwbvt (Score:2) Saturday August 21 2004, @05:44AM
          • Re:Prior Art? by gnu-generation-one (Score:1) Saturday August 21 2004, @06:00AM
          • Re:Prior Art? by buckstymie (Score:1) Saturday August 21 2004, @06:32AM
          • Re:Prior Art? by tacocat (Score:2) Saturday August 21 2004, @09:57AM
        • Re:Prior Art? by maximilln (Score:2) Saturday August 21 2004, @07:31AM
      • Re:Prior Art? by dnoyeb (Score:3) Friday August 20 2004, @11:46PM
      • Re:Prior Art? by 1u3hr (Score:2) Saturday August 21 2004, @12:42AM
      • Hurry!!! Patent fork... by Vaginal Discharge (Score:1) Saturday August 21 2004, @12:48AM
      • Re:Prior Art? by lucas teh geek (Score:1) Friday August 27 2004, @03:00AM
    • Not really a patent (Score:5, Funny)

      by commodoresloat (172735) on Friday August 20 2004, @09:23PM (#10029804)
      (http://shockandblog.com/blog)
      It's a pseudo-patent.

      thanks, I'll be here all week....
      [ Parent ]
    • maybe not so easy (Score:4, Insightful)

      by r00t (33219) on Friday August 20 2004, @09:58PM (#10030003)
      (Last Journal: Friday May 05 2006, @11:53PM)
      If the summary is correct, sudo doesn't count.
      At least, normal sudo use doesn't count.

      This looks more like a daemon that will accept
      commands to run. With sudo, you don't have a
      privileged process performing actions on behalf
      of a user process. It's a privileged process all
      by itself, plain and simple.

      Maybe xcdroast+cdrecord would count, if cdrecord
      is setuid and xcdroast is not. That's key. You
      have to have two processes, one of which is not
      privileged. Knowing the way Windows would likely
      do things though, a daemon may be required.
      [ Parent ]
      • Re:maybe not so easy by sploo22 (Score:2) Friday August 20 2004, @10:46PM
      • Re:maybe not so easy (Score:5, Informative)

        by Anonymous Coward on Friday August 20 2004, @11:00PM (#10030291)
        If the summary is correct, sudo doesn't count.

        The summary is mostly irrelevant as to what legal protection the patent has. The legal protection comes from the part marked "claims". And if you look at claim 1:

        executing an administrative security process under the administrative privilege level;

        the administrative security process accepting a request from a user process executing under the non-administrative privilege level

        You need an "admin. security process" that is "executing ... under ... admin. priv. level".

        It, the "admin. security process" then needs to "accept request[s] from a user process".

        So, it's somewhat questionable if sudo would really block the claims. I'm sure if one were to send the patent office the sudo info, MS would argue that they have an "already running admin. process" that then actively accepts requests from other user processes.

        In any case, everyone here who's uptight about the patent, there's at least two things you can do. 1) you can collect together all your sudo data, and optionally if you want explain how you think it describes a system that operates the same as the claimed system, and send it to the patent office to be placed into the legal record of this patent. That's the low cost (or maybe no cost, check the patent office web site for details) option available for you. Or, 2) you can collect together all your sudo data, and explain carefully how you think it describes what the claims describe, and file with the patent office for what is known as a reexamination of the patent. Yes, that's correct, you, someone unrelated to either MS or the patent office, or this patent, can actually send in your information and ask that the patent office reconsider their decision. Again, check the web site for details. So, instead of belly aching about how bad a job the patent office is or is not doing, why not simply help them out by sending them the info you know about, and then they have a better chance of doing a better job. And who knows, you might actually get this patent killed in the process.

        [ Parent ]
      • Re:maybe not so easy (Score:5, Insightful)

        by no-body (127863) on Friday August 20 2004, @11:25PM (#10030395)
        I don't think you are right with this. You're taking the word "process" too strictly. I have not seen that it says in the patent that it needs to be a daemon.

        In the patent context it's hardly an OS process, more a "description of collected steps performing a defined functionality".

        If you think sudo does not count you're definitely incorrect. The sudo program is a process (performs defined steps) under an authorized level (setuid root) goes after privileges (grouped by user/computer/group/whatever) and allows or denies privileges.

        That's the patent.

        What M$soft does right now is write zillions of patents, no matter if they have previous art - they sure know it exists. Their strategy appears to be to get as many patents as possible and then one has to go to court to get it revoked. They got billions of $$'s in their war chest and they are using it in this manner - one day we'll see how this turns out.

        [ Parent ]
      • Re:maybe not so easy by Crackajaxx (Score:1) Friday August 20 2004, @11:30PM
      • Re:maybe not so easy by dnoyeb (Score:2) Friday August 20 2004, @11:50PM
      • If not Hurd, will do by Anonymous Coward (Score:1) Saturday August 21 2004, @02:20AM
      • Re:maybe not so easy by martijn-s (Score:1) Saturday August 21 2004, @03:22AM
      • Re:maybe not so easy by phek (Score:1) Saturday August 21 2004, @06:00AM
      • Re:maybe not so easy by gedhrel (Score:1) Sunday August 22 2004, @06:27AM
    • Re:Prior Art? by Lord Kano (Score:1) Friday August 20 2004, @10:03PM
    • Re:Prior Art? (Score:5, Insightful)

      by hardcode57 (734460) on Friday August 20 2004, @10:22PM (#10030106)
      (Last Journal: Wednesday August 24 2005, @07:04AM)
      Who needs to prove prior art? Obviousness is also an impediment to a patent. Even if the existing prior art cited here doesn't quite match, the reaction of everyone on this page is that there must be some that does: a fairly good indication that practitioners versed in the art regard the idea as obvious.
      [ Parent ]
      • Patents by DragonHawk (Score:2) Saturday August 21 2004, @09:45AM
      • Re:Prior Art? by canadian_right (Score:2) Saturday August 21 2004, @12:37PM
    • Re:Prior Art? (Score:5, Informative)

      by mr_walrus (410770) on Friday August 20 2004, @10:27PM (#10030142)
      the University of Waterloo had a similar concept
      with something called "suw"

      basically a su command that allowed authorized individuals to have
      their own root password. the root login account
      itself had unusable password.

      each authorized user's suw password was of course kept in
      a "data store" (a private passwd style file)
      and logging of its usage was done to provide an audit
      trail.

      this is at least 16 or more years old.

      -k
      [ Parent ]
      • Re:Prior Art? (Score:4, Interesting)

        by PW2 (410411) on Saturday August 21 2004, @01:01AM (#10030742)
        More prior art: A co-worker of mine has a working application that runs as a privileged user and is used to start and stop custom NT services after receiving RPC calls from a client application that we are using so that we don't need permanent admin access to start and stop the services. This was a result of Sarbanes-Oxley -- I miss the good access I had in 1999 when I was the DBA, sysadmin, developer, etc. Now I'm only the developer.
        [ Parent ]
      • Re:Prior Art? by Jetson (Score:2) Saturday August 21 2004, @12:16PM
    • I did something similar as a workaround in NT 4.0 by HornWumpus (Score:3) Friday August 20 2004, @11:47PM
    • If you have RSTS/E docts by www.sorehands.com (Score:1) Saturday August 21 2004, @12:13AM
    • Re:Prior Art? (Score:5, Informative)

      by slacker775 (611528) on Saturday August 21 2004, @12:40AM (#10030674)
      (http://www.davehollis.com/)
      http://www.symark.com/powerbroker.htm Powerbroker is a sudo-like commercial app. It does a means to run as a daemon process in a client-server type environment to allow the configured policy to work between different systems. Googling on it turns up posts from the mid 90's so it's been around for a while.
      [ Parent ]
      • Re:Prior Art? by timbrown (Score:1) Saturday August 21 2004, @01:17PM
    • Re:Prior Art? by HiThere (Score:2) Saturday August 21 2004, @02:53AM
    • Absolutely !! (Score:5, Insightful)

      by AftanGustur (7715) on Saturday August 21 2004, @04:11AM (#10031186)
      (http://slashdot.org/)


      So, I guess the prior art will be easy to show... right?

      Absolutely,
      however, if you want the prior art to have any legal meaning, you will have to afford a costly legal process with the evil empire's lawyers.

      You see, it doesn't matter so much who is *right* any more. It costs an awful lot of money just to have your case heard.

      [ Parent ]
    • Re:Prior Art? by Asprin (Score:2) Saturday August 21 2004, @07:46AM
    • Re:Prior Art? by ehack (Score:1) Saturday August 21 2004, @08:15AM
    • Re:Prior Art? by Tjp($)pjT (Score:2) Saturday August 21 2004, @01:37PM
    • Re:Prior Art? by dadadadigital (Score:1) Sunday August 22 2004, @11:29AM
  • Oh, yeah (Score:5, Funny)

    So SU me!

    Probably redundant by now.
    • Re:Oh, yeah by so sue mee (Score:3) Friday August 20 2004, @09:27PM
      • Re:Oh, yeah by Nermal6693 (Score:1) Friday August 20 2004, @10:59PM
    • Re:Oh, yeah by SoSueMe (Score:3) Friday August 20 2004, @09:31PM
    • Re:Oh, yeah by john_smith_45678 (Score:1) Saturday August 21 2004, @02:17AM
    • SU-DO, or SU NOT ... by mustangdavis (Score:2) Saturday August 21 2004, @11:31AM
  • Why do they even try? (Score:5, Informative)

    by halo1982 (679554) * on Friday August 20 2004, @09:03PM (#10029687)
    (http://blog.fagulous.us/ | Last Journal: Wednesday July 28 2004, @12:01AM)
    A computer such as a network appliance executes an administrative security process configured to run under an administrative privilege level. Having an administrative privilege level, the administrative security process can initiate administrative functions in an operating system function library. A user process executing under a non-administrative privilege level can initiate a particular administrative function that the process would not otherwise be able to initiate by requesting that the administrative security process initiate the function. In response to a request to initiate a particular function from a process with a non-administrative privilege level, the administrative security process determines whether the requesting process is authorized to initiate the particular administrative function based on information accessed in a data store. If the requesting process is authorized, the administrative security process initiates the particular administrative function. In this manner, the administrative security process facilitates access to specific administrative functions for a user process having a privilege level that does not permit the user process to access the administrative functions.

    So of course this is completely unenforceable...I wonder if they'll even try. What is the process to go about for getting this patent revoked?

  • perhaps my evil genius hat isn't working by Ghostx13 (Score:1) Friday August 20 2004, @09:04PM
  • Thats funny. by Anonymous Coward (Score:1) Friday August 20 2004, @09:05PM
  • by non-registered (639880) on Friday August 20 2004, @09:06PM (#10029704)
    (http://www.bigtubresort.ca/)
    man sudo >/dev/uspto
  • ahem (Score:3, Funny)

    by Neo-Rio-101 (700494) on Friday August 20 2004, @09:06PM (#10029707)
    A process configured to run under an administrative privilege level, eh? excuse me a second... ah --- ah---- ahchoooooounixpriorart !
  • Setuid? (Score:5, Insightful)

    by chrispyman (710460) on Friday August 20 2004, @09:06PM (#10029708)
    Wouldn't this patent also cover setuid, as that's a way you can have an app run under superuser privs for a regular user?
    • Re:Setuid? (Score:4, Informative)

      by LordWoody (187919) on Friday August 20 2004, @09:27PM (#10029831)
      (http://www.linif.org/)
      No, because set uid bit by itself does not validate the parent process/user against any data store like sudo command does (eg: against /etc/sudoers)
      [ Parent ]
      • Re:Setuid? by FooAtWFU (Score:2) Friday August 20 2004, @09:48PM
      • Re:Setuid? (Score:4, Informative)

        by jc42 (318812) on Friday August 20 2004, @11:44PM (#10030476)
        (http://trillian.mit.edu/~jc/ | Last Journal: Saturday August 14 2004, @05:03PM)
        No, because set uid bit by itself does not validate the parent process/user against any data store

        It certainly does. It verifies that the parent's uid has valid execute permission on the new program by comparing the owner and the x bits. This information is stored in the inode, which is in a filesystem (usually but not always a disk). A unix filesystem would certainly qualify as a "data store".

        So unix systems have two different instances of prior art, the setuid (and setgid) bit, and the somewhat later sudo command.

        Of course, the main question is whether anyone will be able to afford the effort to get this patent invalidated. Or will Microsoft be able to bankrupt anyone who tries?

        I suppose IBM could decide that this is a challenge to the security setup in their aix and linux systems. They probably have the money to successfully fight this one. I don't think I do.

        [ Parent ]
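The exec-time check jc42's comment describes, modelled as an added example (not part of the original thread): the decision is read from the inode's owner, group and mode bits, and a set setuid bit switches the effective uid to the file's owner. The `Inode` and `Creds` types, the uids/gids and the `nosuid` flag are constructed for illustration; ACLs, capabilities and security modules are left out.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits including S_ISUID, as found in st_mode
    uid: int   # file owner (st_uid)
    gid: int   # file group (st_gid)


@dataclass(frozen=True)
class Creds:
    uid: int
    gids: frozenset  # primary plus supplementary groups of the caller


ANY_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def may_execute(inode, creds):
    """Classic Unix rule: exactly one permission class applies to the caller."""
    if creds.uid == 0:
        # root skips class selection but still needs at least one x bit set
        return bool(inode.mode & ANY_X)
    if creds.uid == inode.uid:
        return bool(inode.mode & stat.S_IXUSR)
    if inode.gid in creds.gids:
        return bool(inode.mode & stat.S_IXGRP)
    return bool(inode.mode & stat.S_IXOTH)


def exec_euid(inode, creds, nosuid=False):
    """Effective uid of the new program image, or None if exec is denied.

    nosuid models a filesystem mounted with the nosuid option, where the
    setuid bit is stored in the inode but ignored at exec time.
    """
    if not may_execute(inode, creds):
        return None
    if (inode.mode & stat.S_ISUID) and not nosuid:
        return inode.uid
    return creds.uid


# Constructed sample: a root-owned setuid binary, mode 4750, group 10.
# Only members of group 10 may run it, so group membership acts as the
# authorization record and the inode holds the policy.
SU_LIKE = Inode(mode=0o4750, uid=0, gid=10)
ALICE = Creds(uid=1000, gids=frozenset({1000, 10}))  # member of group 10
BOB = Creds(uid=1001, gids=frozenset({1001}))        # not a member


def demo():
    return {
        "alice": exec_euid(SU_LIKE, ALICE),
        "bob": exec_euid(SU_LIKE, BOB),
        "alice_nosuid": exec_euid(SU_LIKE, ALICE, nosuid=True),
    }


if __name__ == "__main__":
    for who, euid in demo().items():
        print(who, "denied" if euid is None else f"euid={euid}")
```

On a real system the same bits can be audited with `find / -perm -4000 -type f`, which lists every file whose inode grants this kind of elevation.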
        • Re:Setuid? by maximilln (Score:2) Saturday August 21 2004, @07:47AM
    • Re:Setuid? by DAldredge (Score:2) Friday August 20 2004, @09:40PM
      • Re:Setuid? by Reteo Varala (Score:2) Saturday August 21 2004, @06:14AM
  • Proof of concept? (Score:5, Interesting)

    by Penguinoflight (517245) on Friday August 20 2004, @09:06PM (#10029710)
    (http://www.afn.org/~afn31208 | Last Journal: Saturday January 01 2005, @11:56PM)
    I don't think I've seen a true unprivileged user under an M$ system yet. Everyone is talking about previous art, which is definitely around, but I'd say make M$ prove they actually understand sudo before you start complaining about "I saw it first."
    • Re:Proof of concept? (Score:5, Interesting)

      by horatio (127595) on Friday August 20 2004, @09:29PM (#10029841)
      I agree. I also have to agree with an earlier post which mentioned punishing those who patent what they know already has prior art.

      Problem is, I have seen this unprivileged user, and it's broken. A few years ago we split our NT accounts in the IT office I worked in into 'priv' and 'non-priv' accounts for each of us. Previously, our typical logins had all the admin privs to do whatever we needed on the workstation.

      The plan was that we could use the win2k/xp version of 'su' (whatever it is called, I don't remember) to do things that needed elevated privs. IT DIDN'T WORK. Some of the child processes, for example, of burning a CD would spawn as your unprivileged context - meaning you couldn't burn a damn CD. You had to log out, and log back in with your priv account for a simple task like burning a CD.

      I think it's great how Microsoft steals ideas from other people (*cough*NIX), comes up with a totally frelled implementation that many times doesn't work - and then A) breaks the existing standards, B) goes off and patents the idea as their own or C) both

      Perhaps Microsoft's division which is doing all this should simply be retitled "Patent Whores"
      [ Parent ]
    • Re:Proof of concept? by chamblah (Score:2) Friday August 20 2004, @09:29PM
    • Re:Proof of concept? (Score:5, Informative)

      by Bryan_W (649785) on Friday August 20 2004, @09:32PM (#10029859)
      (Last Journal: Thursday May 12 2005, @08:46PM)
      I know you were trying to be funny but seriously, it is a feature of Windows 2000/XP all you have to do is shift + right click any executable and select "Run as..." or use the runas command from the command prompt. Sorry but I had to be fair to Microsoft.
      [ Parent ]
    • Re:Proof of concept? by corvair2k1 (Score:1) Friday August 20 2004, @10:09PM
    • Re:Proof of concept? by int69h (Score:2) Friday August 20 2004, @10:15PM
    • what are you saying? by twitter (Score:2) Friday August 20 2004, @10:27PM
  • A brief history of SUDO (Score:5, Informative)

    by tao_of_biology (666898) <tao.of.biology@gm a i l . com> on Friday August 20 2004, @09:07PM (