
Extended Filesystem Capabilities to Control File Contents
Disclosure Number: IPCOM000130582D
Original Publication Date: 2005-Oct-27
Included in the Prior Art Database: 2005-Oct-27
Document File: 2 page(s) / 27K


Disclosed is a method to enable finer control over user capabilities and permissions in specified areas of the filesystem. It will be useful, for example, when the administrator wants:
- to forbid storing MPEG 1, Layer 3 (MP3) files on the system;
- to let some users create subdirectories in a well-defined directory tree, while others cannot;
- to forbid users from creating symbolic links or named pipes in their directories for any reason;
- to limit user read capabilities to MS Word* files only, nothing else.

It is independent of the underlying filesystem implementation. None of the existing solutions, such as Access Control List (ACL), Global Storage Architecture (GSA), Linux** capabilities, or generic UNIX permissions (suid, sgid, or sticky bits), allows such restrictions. Moreover, the user won't have to authenticate more than once during UNIX login, as GSA or Distributed Computing Environment (DCE) implementations may require him to do.

This is the abbreviated version, containing approximately 53% of the total text.


Extended Filesystem Capabilities to Control File Contents

Described is a method to allow the administrator to control the contents of a directory tree, namely to:
- decide the type of files a user can create, such as plain files, character special files, block special files, named pipes, etc.;
- decide which users are not allowed to create directories or subdirectories in certain areas of the tree;
- decide what type of files a directory can contain, i.e. only text files, or only Excel files;
- explicitly forbid certain types of files, for example, MP3 or Moving Picture Experts Group (MPEG) files.

One possible solution to this problem is to create a configuration file with the following contents:
"user id" "capabilities" "directory" "file type"

"user id" is an optional attribute and holds the username whose capabilities the rest of the entry describes;

"capabilities" will hold what the user is allowed (or disallowed) to do:
- a - can create anything;
- b - can create block special files;
- c - can create character special files;
- d - can create directories/subdirectories;
- f - can create plain files;
- l - can create symlinks;
- p - can create named pipes;
- etc.

"directory" is an optional attribute and will contain the directory where these capabilities apply; it may be recursive;

"file type" is an optional attribute and will contain a file type (for files of type "f" from above) that is forbidden from being created.

The file type is NOT checked by the extension. Instead, a reference file similar to /etc/magic is used to compare the first several bytes (I believe 4) of the file to figure out its type. In other words, before the file is written it is checked against the reference file for its...
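
An added sketch of how such a policy could be evaluated (example code, not part of the original disclosure). It assumes whitespace-separated fields with "-" for an omitted optional field, a small constructed table in place of the /etc/magic-style reference file, default deny, and that the most specific directory rule wins; the names `Rule`, `parse_rules`, `sniff` and `may_create` are hypothetical.

```python
import os
from typing import NamedTuple, Optional

# Constructed stand-in for the /etc/magic-style reference file (leading bytes -> type).
MAGIC = {
    b"ID3": "mp3",                  # MP3 that starts with an ID3v2 tag
    b"\xff\xfb": "mp3",             # bare MPEG-1 Layer 3 frame header
    b"\x00\x00\x01\xba": "mpeg",    # MPEG program stream pack header
    b"\xd0\xcf\x11\xe0": "msword",  # OLE2 container used by legacy Word files
}
# Constructed sample policy; "-" marks an omitted optional field (assumed syntax).
SAMPLE = """\
-      f   /srv/share       mp3
alice  fd  /srv/share/docs  mp3
"""

class Rule(NamedTuple):
    user: Optional[str]       # None = any user
    caps: str                 # capability letters from the page: a b c d f l p
    directory: Optional[str]  # None = everywhere; otherwise applies recursively
    forbidden: Optional[str]  # type name refused for plain files

def parse_rules(text):
    """Parse 'user caps directory filetype' lines into Rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, caps, directory, ftype = (None if f == "-" else f for f in line.split())
        rules.append(Rule(user, caps or "", directory and os.path.normpath(directory), ftype))
    return rules

def sniff(head):
    """Classify content from its first 4 bytes, never from the file name."""
    return next((t for m, t in MAGIC.items() if head[:4].startswith(m)), "unknown")

def may_create(rules, user, path, kind, head=b""):
    """kind is a capability letter (f, d, l, p, ...); head is the data about to be written."""
    path = os.path.normpath(path)
    matches = [r for r in rules
               if r.user in (None, user)
               and (r.directory is None or path.startswith(r.directory.rstrip("/") + "/"))]
    if not matches:
        return False  # assumption: default deny when no rule covers the path
    rule = max(matches, key=lambda r: (len(r.directory or ""), r.user is not None))
    if "a" not in rule.caps and kind not in rule.caps:
        return False
    return not (kind == "f" and rule.forbidden and sniff(head) == rule.forbidden)
```

Because the decision uses the leading bytes rather than the name, MP3 data saved as `song.txt` is refused, while a text file named `notes.mp3` is accepted.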