Method of automatically limiting access following a file system authorization failure
Original Publication Date: 2001-Nov-03
Included in the Prior Art Database: 2003-Jun-20
Method of automatically limiting access following a file system authorization failure Disclosed is a method for creating a new authorization check point in the logical file system of a UNIX* based OS. It will automatically limit access on the number of access failures returned by the underlying physical file systems. There are two keys to security on a computer system: authentication and authorization. Authentication put simply , you are who you say you are. This is typically done with log in names and passwords. You say you are "jones" and then you must authenticate yourself with the appropriate password for "jones". Authorization is when you have already been authenticated, but now you are allowed certain restricted access permission within the system. The log in name can also be locked preventing login on that name until an administrator takes action to allow that login name access to the machine. This disclosure proposes enhancements to the logical file system layer of a UNIX base OS to automatically limit access for a user process following an authorization failure from a physical file system. The logical file system which is a set of kernel utilities that abstract a physical file system away from the OS on which it is running will increment an access failure counter in the user block for the running process whenever a physical file system denies access to a file or directory that the user is attempting to access. When this access failure counter reaches an administrator assigned limit for a specific user, the process can be terminated, the login session terminated, the process interrupted, or denied access to all physical file systems. In essence the user process is locked out of the system. This administrator defined limit could also be automatically reduced each time the failure threshold is reached. The logical file system could also send some type of notification to the administrator of the action taken so that the administrator can take appropriate action.