Patents by Inventor Simon J. Gerraty
Simon J. Gerraty has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11157609
Abstract: A disclosed method may include (1) identifying a child process that spawned from a parent process running on a computing device, (2) receiving, from the child process, a request to execute an unsigned script on the computing device, (3) determining, in response to the request, whether to override a restriction against executing unsigned scripts by (A) checking an access-control label referenced by the parent process and (B) determining that the access-control label indicates that the parent process has a privilege to override the restriction, (4) imputing, to the child process, the privilege of the parent process to override the, and then (5) executing, on the computing device, the unsigned script despite the restriction due at least in part to the privilege of the parent process having been imputed to the child process. Various other apparatuses, systems, and methods are also disclosed.
Type: Grant
Filed: May 9, 2019
Date of Patent: October 26, 2021
Assignee: Juniper Networks, Inc
Inventor: Simon J. Gerraty
-
Patent number: 10776490
Abstract: An example device includes one or more memories; and one or more processors, communicatively coupled to the one or more memories, to, during a loading process of a boot process of an operating system, identify a file to be loaded for the operating system, where the operating system is being loaded during the boot process; identify a manifest of the file; verify the manifest of the file based on a supplied signature of the manifest; identify a fingerprint, associated with the file, in a fingerprint library; calculate a hash of the file; compare the hash of the file and the fingerprint; and verify the file based on the hash of the file matching the fingerprint associated with the file.
Type: Grant
Filed: December 28, 2017
Date of Patent: September 15, 2020
Assignee: Juniper Networks, Inc.
Inventor: Simon J. Gerraty
-
Patent number: 10579361
Abstract: The disclosed computer-implemented method may include (1) obtaining an update initiation file that facilitates updating an operating system installed on a network device by way of one or more packages that (A) are external to the update initiation file and (B) have yet to be downloaded to the network device, (2) identifying certain device-specific details about the network device that influence which packages are necessary to achieve the update, (3) determining, based at least in part on the update initiation file and the certain device-specific details, the packages that are necessary to achieve the update, (4) downloading the necessary packages by way of one or more links included in the update initiation file, and then (5) updating the operating system by installing the necessary packages downloaded by way of the links included in the update initiation file. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 14, 2016
Date of Patent: March 3, 2020
Assignee: Juniper Networks, Inc
Inventor: Simon J. Gerraty
-
Patent number: 10289401
Abstract: The disclosed computer-implemented method may include (1) receiving, at a network node within a network, a request to downgrade a first version of an operating system that is currently active to a second version of the operating system that predates the first version of the operating system, (2) rebooting the network node to facilitate downgrading the first version of the operating system to the second version of the operating system, and (3) during the reboot, downgrading the first version of the operating system to the second version of the operating system by (A) reclassifying an active set of packages from the first version of the operating system as a previous set of packages and (B) executing a pending set of packages from the second version of the operating system. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 30, 2016
Date of Patent: May 14, 2019
Assignee: Juniper Networks, Inc
Inventor: Simon J. Gerraty
-
Patent number: 8811612
Abstract: A system and method may assist in securing data for transmission to a receiving entity. Received data may include metadata associated therewith. The data may be encrypted using an encryption key encoded within selected portions of the metadata, where the selection of the selected portions is based on a scheme shared with the receiving entity. The encrypted data including the metadata may be transferred to the receiving entity. The receiving entity may decrypt the encrypted data using the selected portions of the metadata.
Type: Grant
Filed: February 28, 2013
Date of Patent: August 19, 2014
Assignee: Juniper Networks, Inc.
Inventor: Simon J. Gerraty
-
Patent number: 8769129
Abstract: In general, the invention is directed to techniques for establishing secure connections with devices residing behind a security device. In accordance with the techniques, a managed device initiates a transmission control protocol (TCP) session to establish a TCP session with a management device such that the management device acts as the TCP server and the managed device acts as a TCP client. Once established, the managed device sends a role reversal message specifying an identity of the managed device via the TCP session. Upon receiving the role reversal message, the management device initiates a secure connection over the TCP session in accordance with a secure protocol such that the management device acts as the secure protocol client and the managed device acts as the secure protocol server. By properly establishing the secure session, each of the devices assumes the proper roles and administrators may more easily configure the devices.
Type: Grant
Filed: November 14, 2007
Date of Patent: July 1, 2014
Assignee: Juniper Networks, Inc.
Inventors: Kent A. Watsen, Simon J. Gerraty, Paul Fraley, Philip A. Shafer, Darren Tom
-
Patent number: 8412926
Abstract: A system and method may assist in securing data for transmission to a receiving entity. Received data may include metadata associated therewith. The data may be encrypted using an encryption key encoded within selected portions of the metadata, where the selection of the selected portions is based on a scheme shared with the receiving entity. The encrypted data including the metadata may be transferred to the receiving entity. The receiving entity may decrypt the encrypted data using the selected portions of the metadata.
Type: Grant
Filed: April 11, 2007
Date of Patent: April 2, 2013
Assignee: Juniper Networks, Inc.
Inventor: Simon J. Gerraty
-
Patent number: 8161012
Abstract: In general, the invention is directed to techniques for verifying the integrity of a file system and individually verifying files contained therein based on the integrity of the file system. For example, a computer-based device is described in which a computer-readable storage medium stores a file system stored as an image file. The device comprises a virtual file system comprising a mount list entry that corresponds to the file system, wherein the file system is mounted on the virtual file system, and wherein the mount list entry comprises a first verified flag that indicates whether the file system is verified. A verified execution module determines whether the image file is corrupt, and a kernel module sets the first verified flag when the image file is not corrupt. An image verify module verifies the integrity of files stored by the file system by determining whether the file system is verified.
Type: Grant
Filed: February 5, 2010
Date of Patent: April 17, 2012
Assignee: Juniper Networks, Inc.
Inventors: Simon J. Gerraty, Stephen Kiernan
-
Patent number: 7865578
Abstract: In general, this disclosure relates to techniques for allowing multiple clients to concurrently configure a network device. More specifically, a management module creates a working copy of an initial data source that stores configuration data for a network device and modifies the working copy to reorder one or more configuration objects in a list in response to configuration commands from a client. Upon receiving a show|compare command or a commit command, the management module generates a configuration patch that is a textual representation of any differences between the working copy and the initial data source. The configuration patch includes modification control indicators that identify configuration objects in the list that are reordered. The patch is applied to the initial data source to reorder the list of configuration objects within the initial data source without processing portions of the configuration data associated with the reordered configuration.
Type: Grant
Filed: November 20, 2006
Date of Patent: January 4, 2011
Assignee: Juniper Networks, Inc.
Inventor: Simon J. Gerraty
-
Publication number: 20090125633
Abstract: In general, the invention is directed to techniques for establishing secure connections with devices residing behind a security device. In accordance with the techniques, a managed device initiates a transmission control protocol (TCP) session to establish a TCP session with a management device such that the management device acts as the TCP server and the managed device acts as a TCP client. Once established, the managed device sends a role reversal message specifying an identity of the managed device via the TCP session. Upon receiving the role reversal message, the management device initiates a secure connection over the TCP session in accordance with a secure protocol such that the management device acts as the secure protocol client and the managed device acts as the secure protocol server. By properly establishing the secure session, each of the devices assumes the proper roles and administrators may more easily configure the devices.
Type: Application
Filed: November 14, 2007
Publication date: May 14, 2009
Applicant: Juniper Networks, Inc.
Inventors: Kent A. Watsen, Simon J. Gerraty, Paul Fraley, Philip A. Shafer, Darren Tom
-
Patent number: 7483965
Abstract: A network device includes an initial data source to store configuration data for the network device, and a management module to generate a configuration patch that lists any differences between a working copy of the initial data source and the initial data source. The management module modifies the working copy based on configuration commands received from a client, and updates the initial data source in accordance with the differences defined by the configuration patch. During the update process, the management module verifies that any conditions specified by the patch are satisfied. The management module may generate the configuration patch in response to a first command from a client, and apply the patch in response to a second command from the client. The configuration patch may be communicated to other network devices for configuring the devices.
Type: Grant
Filed: January 9, 2003
Date of Patent: January 27, 2009
Assignee: Juniper Networks, Inc.
Inventor: Simon J. Gerraty
-
Patent number: 7233975
Abstract: Techniques are described that configure a router in a configuration mode specified by a client. For example, a client may request to configure the router in a private configuration mode. In response to the command, a management module creates a private database. A client may edit the configuration data of the private database. The client may edit the private database without interference from other clients that may also be editing configuration data of the router. Management server module updates the committed database with edited private database, and the router begins to operate in accordance with the updated configuration data.
Type: Grant
Filed: August 19, 2002
Date of Patent: June 19, 2007
Assignee: Juniper Networks, Inc.
Inventors: Simon J. Gerraty, Philip A. Shafer, Robert P. Enns