diff --git a/os/src/syscall/fs.rs b/os/src/syscall/fs.rs
index ff68ee9..8d46fad 100644
--- a/os/src/syscall/fs.rs
+++ b/os/src/syscall/fs.rs
@@ -47,6 +47,13 @@ pub fn sys_open(path: *const u8, flags: u32) -> isize {
     let task = current_task().unwrap();
     let token = current_user_token();
     let path = translated_str(token, path);
+
+    // 简单用户检查示例：非 root 用户不能打开 /root 下文件
+    let username = task.inner_exclusive_access().user.clone();
+    if path.starts_with("/root") && username != "root" {
+        return -1; // Permission denied
+    }
+
     if let Some(inode) = open_file(path.as_str(), OpenFlags::from_bits(flags).unwrap()) {
         let mut inner = task.inner_exclusive_access();
         let fd = inner.alloc_fd();
@@ -57,6 +64,7 @@ pub fn sys_open(path: *const u8, flags: u32) -> isize {
     }
 }
 
+
 pub fn sys_close(fd: usize) -> isize {
     let task = current_task().unwrap();
     let mut inner = task.inner_exclusive_access();
diff --git a/os/src/task/task.rs b/os/src/task/task.rs
index 7b02cd6..87d287a 100644
--- a/os/src/task/task.rs
+++ b/os/src/task/task.rs
@@ -30,6 +30,9 @@ pub struct TaskControlBlockInner {
     pub children: Vec<Arc<TaskControlBlock>>,
     pub exit_code: i32,
     pub fd_table: Vec<Option<Arc<dyn File + Send + Sync>>>,
+    
+    // New: User
+    pub user: String,
 }
 
 impl TaskControlBlockInner {
@@ -166,6 +169,7 @@ impl TaskControlBlock {
                     children: Vec::new(),
                     exit_code: 0,
                     fd_table: new_fd_table,
+                    user: username.to_string(),  // Init User name
                 })
             },
         });