Abstract: A method and system for restricting access to objects created by privileged commands. In an RBAC environment, execution of certain privileged commands creates objects, which typically, have traditional access permissions based on the user ID and not the role. To enhance security of these objects, a new security attribute is introduced. The security attribute can be associated to the privileged command. Therefore, whenever a privileged command creates an object, the security attribute associated with the privileged command is applied on the object. The security attribute can mask the traditional access permissions of the object, and modify the access permissions, which can be stored along with the object. An AND operation can be performed on the traditional access permissions and the security attribute, to determine the modified permissions of the object. Further, an authorized user can modify, add, delete, or customize the security attribute at any time.

Abstract: A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.

Abstract: A general purpose distributed encrypted file system generates a block key on a client machine. The client machine encrypts a file using the block key. Then, the client encrypts the block key on the first client machine with a public key of a keystore associated with a user and associates the encrypted block key with the encrypted data block as crypto metadata. The client machine caches the encrypted data block and the crypto metadata and sends the encrypted data block and the crypto metadata to a network file system server. When the client machine receives a return code from the network file system server indicating successful writes of the encrypted data block and the crypto metadata, the client machine clears the cached encrypted data block and the crypto metadata.

Abstract: A method and system for restricting access to objects created by privileged commands. In an RBAC environment, execution of certain privileged commands creates objects, which typically, have traditional access permissions based on the user ID and not the role. To enhance security of these objects, a new security attribute is introduced. The security attribute can be associated to the privileged command. Therefore, whenever a privileged command creates an object, the security attribute associated with the privileged command is applied on the object. The security attribute can mask the traditional access permissions of the object, and modify the access permissions, which can be stored along with the object. An AND operation can be performed on the traditional access permissions and the security attribute, to determine the modified permissions of the object. Further, an authorized user can modify, add, delete, or customize the security attribute at any time.