From: utzoo!decvax!cca!Michael.Young.CMU-CS-A@SRI-UNIX@sri-unix
Newsgroups: net.unix-wizards
Title: Re: File Protection and Deletion
Article-I.D.: sri-unix.4841
Posted: Wed Dec 15 03:52:18 1982
Received: Sun Dec 19 00:00:51 1982

From: Michael Wayne Young
Date: 9 December 1982 1952-EST (Thursday)

As I read about how people would like to have file deletion handled, I'd like to propose a slight change to our handling of files to allow for the DeleteFile ability, as well as other things like giving files away (without needing super-user-privileged chowns). What I'd like to see is a couple of special forms of file ownership:

1) Unowned. When you want to "give away" a file, you make a call like disown(filename). Nobody can then open the file until it is picked up with a take(filename) [or similar]. [There are problems with this: see below.]

2) Dead. When you want to DeleteFile something (that is, prevent ANY links to it from being used), you call destroy(filename), which then makes it "dead." As other links to this file are uncovered, the directory entries are removed (unless the filesystem is read-only, but this unlikely case just means the link's death is deferred). It's just as though the file wasn't there at all.

Both of these can be implemented without any messing with the current inode structure... you just add two new "owners" from the uid pool.

The advantage to "unowned" is that you can delete a file without really making its contents go away... for example, if you have disk quotas, you can give a file away to someone else with a link if you can't afford it. This can obviously be abused, as two users can just trade off ownership, but they'd have to be really careful about it [not to mention that their total quota could still not be exceeded]. It also has synchronization problems (i.e. who can take ownership after a file is disowned has to be well thought out -- I'd recommend only allowing users with links to it [i.e. access to those links] to take a file).
Still, a careful chown could be achieved by making a directory accessible only by the two parties involved somehow. Note that nobody could access an "unowned" file until it became "owned" (except for root, of course). You'd also want to let people remove links from "unowned" files as well (and root can always remove them). Thus, an "unowned" file can disappear without anyone ever picking it up.

Similarly, you can then "delete" a file permanently. Little added cost is involved, and the uses were explained in the note I'm answering.

Yes, there are a few holes in my solution, but they can be ironed out (but I'd rather not spend the time here) fairly straightforwardly. I'd like to hear from anyone who has real difficulties with the idea, though.

Michael
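As an added illustration (not part of the original post), here is a small Python model of the two reserved owners proposed above: a disowned file cannot be opened until someone who can reach one of its links takes it, and a destroyed file's remaining links are removed as directory lookups uncover them. The reserved uid values, the FS and Inode names, and the per-directory uid sets that stand in for directory mode bits are all constructed for this example.

```python
# Added toy model of the post's "unowned"/"dead" owners (constructed values).
UNOWNED, DEAD, ROOT = 65534, 65535, 0

class Inode:
    def __init__(self, owner):
        self.owner, self.nlink = owner, 0

class FS:
    def __init__(self, acl):          # acl: dir -> uids allowed to search it
        self.acl = acl                # (stands in for directory mode bits)
        self.dirs = {d: {} for d in acl}   # dir -> {entry name: Inode}
    def _search(self, d, uid):
        if uid != ROOT and uid not in self.acl[d]:
            raise PermissionError("no access to " + d)
    def link(self, d, name, ino, uid):
        self._search(d, uid)
        self.dirs[d][name] = ino
        ino.nlink += 1
    def _lookup(self, d, name, uid):
        self._search(d, uid)
        ino = self.dirs[d].get(name)
        if ino is None:
            raise FileNotFoundError(name)
        if ino.owner == DEAD:         # dead link uncovered: entry is removed
            del self.dirs[d][name]
            ino.nlink -= 1
            raise FileNotFoundError(name)
        return ino
    def _as_owner(self, d, name, uid):
        ino = self._lookup(d, name, uid)
        if uid not in (ino.owner, ROOT):
            raise PermissionError("not owner")
        return ino
    def open(self, d, name, uid):
        ino = self._lookup(d, name, uid)
        if ino.owner == UNOWNED and uid != ROOT:
            raise PermissionError("file is unowned")
        return ino
    def disown(self, d, name, uid):
        self._as_owner(d, name, uid).owner = UNOWNED
    def take(self, d, name, uid):     # only a user who can reach a link may take
        ino = self._lookup(d, name, uid)
        if ino.owner != UNOWNED:
            raise PermissionError("file is owned")
        ino.owner = uid
    def destroy(self, d, name, uid):
        ino = self._as_owner(d, name, uid)
        ino.owner = DEAD
        del self.dirs[d][name]        # this link goes now, others as uncovered
        ino.nlink -= 1
```

The model deliberately leaves out unlink and quota accounting, so the trade-off abuse the post mentions (two users passing a file back and forth) is visible only as the disown/take sequence itself.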