WO2016118177A1 - Access control to a portion of a file system object - Google Patents

Publication number
WO2016118177A1
Authority
WO
WIPO (PCT)
Prior art keywords
file system
system object
access
request
acl
Application number
PCT/US2015/022071
Other languages
French (fr)
Inventor
Anand Satish PHATAK
Sandya Srivilliputtur Mannarswamy
Original Assignee
Hewlett Packard Enterprise Development Lp
Application filed by Hewlett Packard Enterprise Development Lp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • Authorization module 108 may authorize a request to access a portion of a file system object if the determination module determines that the request is authorized to access the portion of the file system object. In other words, the authorization module 108 may allow the request to manipulate the portion of file system object. The aforementioned manipulation may include, by way of non-limiting examples, a read operation, a write operation, and a delete operation with respect to the requested portion. In an example, the authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a computing device that is permitted to access the requested portion of the file system object in the ACL.
  • The authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a computer network that is permitted to access the requested portion of the file system object in the ACL. In still another example, the authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a geographical location that is permitted to access the requested portion of the file system object in the ACL.
  • FIG. 2 is a flowchart of an example method of controlling access to a portion of a file system object.
  • The method 200 may at least partially be executed on a computing device 100 of FIG. 1. However, other computing devices may be used as well.
  • A request may be received (for example, by receipt module 104) for accessing a portion of a file system object of a file system (for example, 102).
  • A determination may be made (for example, by determination module 106), from an Access Control List (ACL) associated with the file system object, whether the request is permitted to access the portion of the file system object.
  • The ACL may specify all access right(s) related to the portion of the file system object.
  • The request may be permitted to access the portion of the file system object.
  • The request may be permitted to access the portion of the file system object only for a time period specified in the ACL.
  • The permission to access a portion of the file system object may include a permission to perform an operation related to the portion of the file system object. Some non-limiting examples of such operation may include a read, write, and an execute operation.
  • FIG. 3 is a block diagram of an example computer system 300 for controlling access to a portion of a file system object.
  • System 300 includes a processor 302 and a machine-readable storage medium 304 communicatively coupled through a system bus.
  • System 300 may be analogous to computing device 100 of FIG. 1.
  • Processor 302 may be any type of Central Processing Unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium 304.
  • Machine-readable storage medium 304 may be a random access memory (RAM) or another type of dynamic storage device that may store information and machine-readable instructions that may be executed by processor 302.
  • Machine-readable storage medium 304 may be Synchronous DRAM (SDRAM), Double Data Rate (DDR), Rambus DRAM (RDRAM), Rambus RAM, etc. or a storage memory media such as a floppy disk, a hard disk, a CD-ROM, a DVD, a pen drive, and the like.
  • Machine-readable storage medium 304 may be a non-transitory machine-readable medium.
  • Machine-readable storage medium 304 may store instructions 306, 308, and 310.
  • Instructions 306 may be executed by processor 302 to receive a request to access a portion of a file system object of a file system (for example, 102).
  • Instructions 308 may be executed by processor 302 to determine, from an Access Control List (ACL) associated with the file system object, whether the request is authorized to access the portion of the file system object.
  • Instructions 310 may be executed by processor 302 to authorize the request to access the portion of the file system object if the request is authorized to access the portion of the file system object.
  • FIG. 2 is shown as executing serially; however, it is to be understood and appreciated that the present and other examples are not limited by the illustrated order.
  • Embodiments within the scope of the present solution may also include program products comprising non-transitory computer-readable media for carrying or having computer-executable instructions or data structures stored thereon.
  • Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer.
  • Such computer-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM, magnetic disk storage or other storage devices, or any other medium which can be used to carry or store desired program code in the form of computer-executable instructions and which can be accessed by a general purpose or special purpose computer.
  • The computer readable instructions can also be accessed from memory and executed by a processor.
  • [0025] It should be noted that the above-described examples of the present solution are for the purpose of illustration only. Although the solution has been described in conjunction with a specific embodiment thereof, numerous modifications may be possible without materially departing from the teachings and advantages of the subject matter described herein. Other substitutions, modifications and changes may be made without departing from the spirit of the present solution. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Abstract

Some examples relate to controlling access to a portion of a file system object. In an example, a request may be received for accessing a portion of a file system object. A determination may be made from an Access Control List (ACL) associated with the file system object whether the request is permitted to access the portion of the file system object, wherein the ACL specifies an access right related to the portion of the file system object. If the request is permitted to access the portion of the file system object, the request may be allowed to access the portion of the file system object.

Description

ACCESS CONTROL TO A PORTION OF A FILE SYSTEM OBJECT
Background
[001] File systems typically include methods to assign permissions or access rights to a specific user or group of users. These mechanisms control the ability of the users to perform an action related to the contents of the file system. In other words, they may convey to an operating system what can be done with a file and by whom. Some examples of such actions may include a read, write, execute, delete file, and directory access operation.
Brief Description of the Drawings
[002] For a better understanding of the solution, embodiments will now be described, purely by way of example, with reference to the accompanying drawings, in which:
[003] FIG. 1 is a block diagram of an example computing device for controlling access to a portion of a file system object;
[004] FIG. 2 is a flowchart of an example method of controlling access to a portion of a file system object; and
[005] FIG. 3 is a block diagram of an example computer system for controlling access to a portion of a file system object.
Detailed Description
[006] File system permissions may range from a simple arrangement with one or two basic permissions (such as read and write) to a more detailed classification that describes access rights to a file system object. There may be scenarios where access to an entire file system object may not be required. Rather, permissions to access or modify a portion of a file system object may be more desirable. To provide an example, a cloud-based content service provider may prefer to provide access to only those portions or segments of a file's content (for example, a video or sound recording) that are paid for by a subscriber (for example, a media house), as against access to an entire file. Likewise, a subscriber may also be reluctant to pay for an entire file's contents. Thus, there may be situations where it may be possible for a single file to hold data that may not be required by all users, or hold data whose parts may be required by different users at the same time. The existing file system permission mechanisms may not authorize a request to access a portion(s) of a file system object.
[007] To address this issue, the present disclosure describes various examples for controlling access to a portion of a file system object. In an example, a request may be received to access a portion of a file system object. Upon receipt of the request, a determination may be made from an Access Control List (ACL) associated with the file system object whether the request is authorized to access the portion of the file system object. If the request is authorized to access the portion of the file system object, the request may be allowed to access the portion of the file system object.
[008] FIG. 1 is a block diagram of an example computing device 100 for controlling access to a portion of a file system object. Computing device 100 may include a file system 102, a receipt module 104, a determination module 106, and an authorization module 108. The term "module" may refer to a software component (machine readable instructions), a hardware component or a combination thereof. A module may include, by way of example, components, such as software components, processes, tasks, coroutines, functions, attributes, procedures, drivers, firmware, data, databases, data structures, Application Specific Integrated Circuits (ASIC) and other computing devices. A module may reside on a volatile or non-volatile storage medium and be configured to interact with a processor of computing device 100.
[009] Computing device 100 generally represents any type of computing system capable of reading machine-executable instructions. Examples of computing device 100 may include, without limitation, a server, a desktop computer, a notebook computer, a tablet computer, a thin client, a mobile device, a personal digital assistant (PDA), a phablet, and the like.
[0010] File system 102 may include one or more file system objects. Some non-limiting examples of a file system object may include a file, a directory, a sub-directory, and the like. In an example, file system 102 may be a local file system. In another example, the file system may be a scale-out file system such as a shared file system or network file system. Examples of a shared file system may include a Network Attached Storage (NAS) file system or cluster file system. Examples of a network file system may include a distributed file system or distributed parallel file system.
[0011] An access control list (ACL) may be associated with a file system object of the file system 102, wherein the ACL may specify an access right (or permission) related to accessing of a portion of the file system object. The access control list (ACL) may be used to manage file system permissions related to various portions of the file system object. For instance, the access control list may define a list of permissions attached to a portion of a file system object. The ACL may include a set of data (for example, a table) that informs a computer's operating system which permissions, or access rights, each user or group has to a specific portion of a file system object. The permissions determine specific access rights, such as whether a user can read from, or write to, a portion of a file system object. In an instance, such an ACL may be termed a "custom ACL", which may be in addition to or alternative to a default ACL that may be associated with the file system object. In an example, the custom ACL may be a part of extended file attributes of the associated file system object.
[0012] In an example, the ACL may specify whether a request is authorized to access a portion of an associated file system object. The ACL may also define what operations a request may be allowed to perform on a portion of a file system object. In another example, if the request originates from a computer application or computer process, the ACL may specify which computer application or computer process may be allowed to access a segment of an associated file system object. This may help, for instance, to distinguish between a trusted application and an application that may be suspicious. In the former case, the ACL may allow the request to access the requested part of a file system object. However, in the latter case, the ACL may disallow the request. In this context, the ACL may also define, in addition, whether a user making such a request via the aforementioned computer application or process is allowed to access the requested segment of the file system object.
[0013] In yet another example, the ACL may specify a computing device(s) that may be allowed to access a portion of an associated file system object. In other words, the ACL may allow a request to access a portion of a file system object only if the request is received from a specified computing device. This may help, for instance, to distinguish between a trusted computing device and a device that may be untrustworthy. In the former case, the ACL may allow the computing device to access the requested part of a file system object. However, in the latter case, the ACL may deny access.
[0014] In a further example, the ACL may specify a computer network(s) that may be allowed to access a portion of an associated file system object. In other words, the ACL may allow a request to access a portion of a file system object only if the request is received from a specified computer network. This may help, for instance, to distinguish between a trusted computer network and a network that may be untrustworthy. In the former case, the ACL may allow the computer network to access the requested part of a file system object. However, in the latter case, the ACL may not grant access.
[0015] In a still further example, the ACL may specify a geographical location(s) that may be allowed to access a portion of an associated file system object. In other words, the ACL may allow a request to access a portion of a file system object only if the request is received from a specified location. This may help, for instance, to distinguish between a permitted location and a location that may be barred. In the former case, the ACL may allow the location to access the requested part of a file system object. However, in the latter case, the ACL may deny access.
[0016] In a still further example, the ACL may specify a time period during which an access right may remain valid for a portion of a file system object. In other words, the ACL may specify how long a request may be allowed to access a portion of a file system object. In another instance, the ACL may specify a time period for allowing a request to access a portion of a file system object from a particular computer application or process. In another example, the ACL may specify a time period for allowing a request to access a portion of a file system object from a particular computing device or computer network. In a further example, the ACL may specify a time period for allowing a request to access a portion of a file system object from a particular location.
[0017] Receipt module 104 may receive a request to access a portion (or specific part) of a file system object of a file system (for example, 102). In an example, the request may be received from a user. In another example, the request may be received from a computer application or computer process. In yet another example, the request may be received from another computing device that may be communicatively coupled to the computing device 100, for example, via a computer network. Such a computer network may be a wireless or wired network. The computer network may include, for example, a Local Area Network (LAN), a Wireless Local Area Network (WAN), a Metropolitan Area Network (MAN), a Storage Area Network (SAN), a Campus Area Network (CAN), or the like. Further, the computer network may be a public network (for example, the Internet) or a private network (for example, an intranet).
[0018] In an example, the "portion" of a file system object, for which a request may be received by the receipt module 104, may be defined using file offsets. For instance, a request may define a portion of a file system object that it requires access to by specifying a "start offset" value and an "end offset" value. In such case, the "portion" may be considered as that segment of the file system object, which may be present between these two offsets (including both start offset and end offset values).
[0019] In an example, a request to access a portion of a file system object of the file system may include a request to perform an operation related to the portion of the file system object. Some non-limiting examples of such operation may include a read, write, and an execute operation.
[0020] Determination module 106 may determine, from an Access Control List (ACL) associated with a file system object, whether a request to access a portion of a file system object is authorized to access the portion of the file system object. In other words, the determination module 106 may refer to the Access Control List (ACL) associated with the file system object to determine whether the request may be allowed to access the requested portion of the file system object. In another example, the determination module 106 may determine, from the Access Control List (ACL) associated with the file system object, if the request is received from a computer application or computer process that is permitted to access the requested portion of the file system object in the ACL. In a further example, the determination module 106 may determine, from the Access Control List (ACL) associated with the file system object, if the request is received from a computing device that is permitted to access the requested portion of the file system object in the ACL. In yet another example, the determination module 106 may determine, from the Access Control List (ACL) associated with the file system object, if the request is received from a computer network that is permitted to access the requested portion of the file system object in the ACL. In still another example, the determination module 106 may determine, from the Access Control List (ACL) associated with the file system object, if the request is received from a geographical location that is permitted to access the requested portion of the file system object in the ACL.
[0021] Authorization module 108 may authorize a request to access a portion of a file system object if the determination module determines that the request is authorized to access the portion of the file system object. In other words, the authorization module 108 may allow the request to manipulate the portion of the file system object. The aforementioned manipulation may include, by way of non-limiting examples, a read operation, a write operation, and a delete operation with respect to the requested portion. In an example, the authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a computing device that is permitted to access the requested portion of the file system object in the ACL. In yet another example, the authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a computer network that is permitted to access the requested portion of the file system object in the ACL. In still another example, the authorization module 108 may authorize a request to access a portion of a file system object if it is determined that the request is received from a geographical location that is permitted to access the requested portion of the file system object in the ACL.
[0022] FIG. 2 is a flowchart of an example method of controlling access to a portion of a file system object. The method 200, which is described below, may at least partially be executed on a computing device 100 of FIG. 1. However, other computing devices may be used as well. At block 202, a request may be received (for example, by receipt module 104) for accessing a portion of a file system object of a file system (for example, 102). At block 204, a determination may be made (for example, by determination module 106), from an Access Control List (ACL) associated with the file system object, whether the request is permitted to access the portion of the file system object. In an example, the ACL may specify all access right(s) related to the portion of the file system object. At block 206, if it is determined (for example, by authorization module 108) that the request is permitted to access the portion of the file system object, the request may be permitted to access the portion of the file system object. In an instance, the request may be permitted to access the portion of the file system object only for a time period specified in the ACL. In another instance, the permission to access a portion of the file system object may include a permission to perform an operation related to the portion of the file system object. Some non-limiting examples of such operation may include a read, write, and an execute operation.
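The determination at block 204 and the time-limited permission at block 206 can be sketched as follows; this is an added example, not code from the patent or its applicant. The field names, the default-deny behaviour, and the rule that a request is allowed only when matching entries together cover every byte of the inclusive start/end offset range are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RangeAce:
    """One ACL entry for a byte range; all field names are hypothetical."""
    principal: str                       # user the entry applies to
    start: int                           # start offset (inclusive)
    end: int                             # end offset (inclusive, as in [0018])
    ops: frozenset                       # subset of {"read", "write", "execute"}
    application: Optional[str] = None    # None = any application may be used
    not_before: Optional[float] = None   # validity window, epoch seconds
    not_after: Optional[float] = None

@dataclass(frozen=True)
class Request:
    principal: str
    application: str
    op: str
    start: int
    end: int
    when: float

def _matches(ace, req):
    """Does this entry apply to the requester, operation and time at all?"""
    if ace.principal != req.principal or req.op not in ace.ops:
        return False
    if ace.application is not None and ace.application != req.application:
        return False
    if ace.not_before is not None and req.when < ace.not_before:
        return False
    if ace.not_after is not None and req.when > ace.not_after:
        return False
    return True

def is_authorized(acl, req):
    """Default deny: allow only if matching entries cover every requested byte."""
    if req.start < 0 or req.end < req.start:
        return False                     # malformed range is refused
    ranges = sorted((a.start, a.end) for a in acl if _matches(a, req))
    next_needed = req.start              # first byte not yet shown to be covered
    for start, end in ranges:
        if start > next_needed:
            break                        # the byte at next_needed has no entry
        next_needed = max(next_needed, end + 1)
        if next_needed > req.end:
            return True
    return False

# Constructed sample ACL for one file: an open header and a time-limited body.
SAMPLE_ACL = [
    RangeAce("alice", 0, 4095, frozenset({"read"})),
    RangeAce("alice", 4096, 8191, frozenset({"read", "write"}),
             application="payroll", not_after=1_700_000_000.0),
]
```

A request that straddles a permitted and an unpermitted region is refused as a whole here, so a caller cannot widen its access by asking for a range that merely overlaps an entry.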
[0023] FIG. 3 is a block diagram of an example computer system 300 for controlling access to a portion of a file system object. System 300 includes a processor 302 and a machine-readable storage medium 304 communicatively coupled through a system bus. In an example, system 300 may be analogous to computing device 100 of FIG. 1. Processor 302 may be any type of Central Processing Unit (CPU), microprocessor, or processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium 304. Machine-readable storage medium 304 may be a random access memory (RAM) or another type of dynamic storage device that may store information and machine-readable instructions that may be executed by processor 302. For example, machine-readable storage medium 304 may be Synchronous DRAM (SDRAM), Double Data Rate (DDR), Rambus DRAM (RDRAM), Rambus RAM, etc. or a storage memory media such as a floppy disk, a hard disk, a CD-ROM, a DVD, a pen drive, and the like. In an example, machine-readable storage medium 304 may be a non-transitory machine-readable medium. Machine-readable storage medium 304 may store instructions 306, 308, and 310. In an example, instructions 306 may be executed by processor 302 to receive a request to access a portion of a file system object of a file system (for example, 102). Instructions 308 may be executed by processor 302 to determine, from an Access Control List (ACL) associated with the file system object, whether the request is authorized to access the portion of the file system object. In an instance, the ACL may enumerate an authorization related to the portion of the file system object. Instructions 310 may be executed by processor 302 to authorize the request to access the portion of the file system object if the request is authorized to access the portion of the file system object.
[0024] For the purpose of simplicity of explanation, the example method of FIG. 2 is shown as executing serially, however it is to be understood and appreciated that the present and other examples are not limited by the illustrated order. The example systems of FIGS. 1 and 3, and method of FIG. 3 may be implemented in the form of a computer program product including computer-executable instructions, such as program code, which may be run on any suitable computing device in conjunction with a suitable operating system (for example, Microsoft Windows, Linux, UNIX, and the like). Embodiments within the scope of the present solution may also include program products comprising non-transitory computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, such computer-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM, magnetic disk storage or other storage devices, or any other medium which can be used to carry or store desired program code in the form of computer-executable instructions and which can be accessed by a general purpose or special purpose computer. The computer readable instructions can also be accessed from memory and executed by a processor.
[0025] It should be noted that the above-described examples of the present solution are for the purpose of illustration only. Although the solution has been described in conjunction with a specific embodiment thereof, numerous modifications may be possible without materially departing from the teachings and advantages of the subject matter described herein. Other substitutions, modifications and changes may be made without departing from the spirit of the present solution. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Claims
1. A method of controlling access to a portion of a file system object, comprising:
receiving a request for accessing a portion of a file system object;
determining, from an Access Control List (ACL) associated with the file system object, whether the request is permitted to access the portion of the file system object, wherein the ACL specifies an access right related to the portion of the file system object; and
if the request is permitted to access the portion of the file system object, allowing the request to access the portion of the file system object.
2. The method of claim 1, further comprising allowing the request to access the portion of the file system object only for a time period specified in the ACL.
3. The method of claim 1, wherein the determining comprises determining whether the request is received from a specific application.
4. The method of claim 3, wherein the specific application includes a trusted application.
5. The method of claim 1, further comprising allowing the request to manipulate the portion of the file system object.
6. A system to control access to a portion of a file system object, comprising:
a receipt module to receive a request to access a portion of a file system object;
a determination module to determine, from a custom Access Control List (ACL) associated with the file system object, whether the request is authorized to access the portion of the file system object, wherein the custom ACL specifies an access right related to the portion of the file system object; and
an authorization module to authorize the request to access the portion of the file system object if the determination module determines that the request is authorized to access the portion of the file system object.
7. The system of claim 6, wherein to determine whether the request is authorized to access the portion of the file system object comprises to determine whether the request is received from a specific device.
8. The system of claim 6, wherein the determination whether the request is authorized to access the portion of the file system object comprises to determine whether the request is received from a specific network.
9. The system of claim 6, wherein the determination whether the request is authorized to access the portion of the file system object comprises to determine whether the request is received from a particular location.
10. The system of claim 6, wherein the custom ACL is a part of extended file attributes of the file system object.
11. A non-transitory machine-readable storage medium comprising instructions to control access to a portion of a file system object, the instructions executable by a processor to:
receive a request to access a portion of a file system object;
determine, from an Access Control List (ACL) associated with the file system object, whether the request is authorized to access the portion of the file system object, wherein the ACL enumerates an authorization related to the portion of the file system object; and
authorize the request to access the portion of the file system object if the request is authorized to access the portion of the file system object.
12. The storage medium of claim 11, wherein the request is received from a user.
13. The storage medium of claim 11, wherein the request is received from a computer application or computer process.
14. The storage medium of claim 11, wherein the request to access includes a request to perform an operation related to the portion of the file system object.
15. The storage medium of claim 11, wherein file offsets are used to define the portion of the file system object.
PCT/US2015/022071 2015-01-19 2015-03-23 Access control to a portion of a file system object WO2016118177A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN287/CHE/2015 2015-01-19
IN287CH2015 2015-01-19

Publications (1)

Publication Number Publication Date
WO2016118177A1 true WO2016118177A1 (en) 2016-07-28

Family

ID=56417546

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/022071 WO2016118177A1 (en) 2015-01-19 2015-03-23 Access control to a portion of a file system object

Country Status (1)

Country Link
WO (1) WO2016118177A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170278206A1 (en) * 2016-03-24 2017-09-28 Adobe Systems Incorporated Digital Rights Management and Updates
US20200250333A1 (en) * 2019-02-04 2020-08-06 Hitachi, Ltd. Data management system and data management method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070233957A1 (en) * 2006-03-28 2007-10-04 Etai Lev-Ran Method and apparatus for local access authorization of cached resources
US20080066185A1 (en) * 2006-09-12 2008-03-13 Adobe Systems Incorporated Selective access to portions of digital content
US20090055921A1 (en) * 2007-08-23 2009-02-26 Microsoft Corporation File access in multi-protocol environment
US8601283B2 (en) * 2004-12-21 2013-12-03 Sandisk Technologies Inc. Method for versatile content control with partitioning
US20140149461A1 (en) * 2011-11-29 2014-05-29 Ravi Wijayaratne Flexible permission management framework for cloud attached file systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15879201

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15879201

Country of ref document: EP

Kind code of ref document: A1
