If you are not cyrstal clear about what permissions are or if you simply don't know how to use them, then John has produced the article for you. John will discuss permissions on the Unix platform and how you can embed permission commands from within a PHP application.
In the past few columns written on www.onlamp.com, I have been discussing using PHP's file I/O capabilities for manipulating both files and directories. This week, we'll take a slight detour from a strictly PHP-related subject and discuss file permissions in Unix systems. If you are using PHP in a Windows environment (or other environment without a permission system), this column may not apply to you.
How Permissions Work
Before we can explain how permissions can be used from within PHP applications, you'll need a little background on how permissions work in general. Although today's column only discusses Unix permission-related commands, these commands directly relate to their PHP counterparts discussed in my next column. If you haven't ever really worked with the permissions system in PHP (or need a refresher) read on.
In a Unix environment, all files and directories are owned by two different entities -- a user and a group. (A group represents multiple individual users.) Likewise, each file in the file system has three different permission sets which determine who can access a particular file or directory. Specifically, every file in a Unix system has the following permission sets: user-level, group-level, and global-level.
For each permission set, three different flags exist: read, write, and execute. If a particular user does not have the read flag set, he will be unable to read the desired file (or the files in a directory). Likewise, if a user does not have the execute permission on a file, she will be unable to execute that program. When a user creates a file, that file automatically is owned by the user and group to which the user belongs. In order to change the owner of a particular file the chown Unix command is used as follows:
[user@localhost]$ chown theuser thefilemask
where theuser represents the username to change the file mask specified by thefilemask. Please note that this command can only be executed by a user who has super-user privileges (such as root).
Changing the group to which a file belongs to is done via the chgrp Unix command. Unlike chown, which requires super-user privileges, chgrp can be used by any user. The one restriction that applies is that chgrp will only allow the user to change the group of a file as long as the user belongs to that group. For example, a given user who belongs to the groups foo and bar can change the group of a given file to either foo or bar but not foobar -- because he does not belong to that group.
As I mentioned, for a given file there are three different permission levels that apply to each file and directory: the user-level, group-level, and global-level. Each level is independent of the other, and is used to permit read, write, or execution access for the given file. From a Unix console, one can see the owner, group, and permissions assigned to these three groups by executing the ls (list) command in a given directory and specifying the -l (long) tag as shown:
[user@localhost]$ ls -l
rwx-w-r-- 4 php mygroup 4096 Nov 7 15:52 mydirectory
In the above example, the directory mydirectory is owned by the user php and belongs to the group mygroup. The string drwx-w-r-- identifies the permissions.
If the permission has been granted (read, write, or execute) then that letter will be displayed for the particular group. Otherwise, a dash is shown. Thus, in the example above, this particular file has been given read, write, and execute permissions for the owner of the file (the user php). However, those who belong to the group mygroup can write to this file, while the remainder of people (global) can only read the file. The one flag that hasn't been identified yet (the first character, d) identifies this particular file as a directory.
Although permissions are fairly simple for normal files, they take on a slightly different meaning when applied to directories. Specifically, read permission is required in order for a user to view the contents of the directory. Write permission allows a user to create or remove files within the directory. Execute permission is required in order to access the directory at all. Note that a user with write permission to a directory will be able to delete any file in that directory, even if she lacks write permission for that file.
So how does one modify the permissions of a file? Unix permissions are handled through a command called chmod:
[user@localhost]$ chmod 755 thefilemask
In the above example, 755 is the numeric representation of the permissions to set, and thefilemask is the file mask of the affected files. Note that only the owner or a group member may modify the permissions of a file. There are two different ways to assign or to revoke permissions for a file -- one text-based and the other numeric-based. Because PHP does not provide means to modify permission values using the text-based method I will only discuss the numeric method.
The permissions of all of the permission groups can be represented by different numeric values. Added together, this represents the complete numeric permission value. The values of the different permission levels are:
| Value | Permission Level |
|---|
400 | Owner Read |
200 | Owner Write |
100 | Owner Execute |
40 | Group Read |
20 | Group Write |
10 | Group Execute |
4 | Global Read |
2 | Global Write |
1 | Global Execute |
In order to give read and execute permission to the file's owner, write permission to the group, and read permission to everyone else (global) the permission value would be:
400 | Owner Read |
+ 100 | Owner Execute |
+ 20 | Group Write |
+ 4 | Global Read |
= 524 | Total Permission Value |
Applying these permissions to the file is as simple as using the chmod command:
[user@localhost]$ ls -l
-rwx-w-r-- 4 php mygroup 4096 Nov 7 18:52 myfile
[user@localhost]$ chmod 524 myfile
[user@localhost]$ ls -l
-r-x-w-r-- 4 php mygroup 4096 Nov 7 18:60 myfile
[user@localhost]$
PHP Returns Next Time!
That's it for today's column. Although no PHP commands were actually discussed, having a reasonable understanding of the Unix permission system (especially when working with files) is critical to PHP applications. Without being familiar with this subject it is very easy to open up your scripts to malicious users. In my next column, I'll take the Unix commands discussed today and apply them to the counterpart PHP functions.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More PHP Articles
More By John Coggeshall
 developerWorks - FREE Tools!
|
Building a software-as-a-service solution requires addressing a few key technical challenges. In this webcast, we'll focus on the role of IBM Tivoli Directory Server and WebSphere Portlet Factory in creating a Software as a Service solution. We will demonstrate how to use Tivoli Directory Server to prevent the user population of one tenant from accessing the virtual portal and portlet components of another tenant. We will also use the dynamic profile capability of WebSphere Portlet Factory to create multiple highly customized applications from one code base.
FREE! Go There Now!
|
|
|
|
Learn how you can extend modern application lifecycle management to IBM System z through the IBM Rational Software Delivery Platform (SDP). The Did you say mainframe? e-kit includes podcasts, webcasts, tutorials, white and red papers, demos, and articles designed to help ease the challenges of modernizing your enterprise. This complimentary kit for mainframe developers is a practical, how-to guide for making the most of an existing development environment, including the skills and infrastructure already in place at an established enterprise.
FREE! Go There Now!
|
|
|
|
Download a free trial version of IBM Rational Developer for System i V7.1, which provides a complete development environment for traditional i5/OS application development. IBM Rational Developer for System i is a new eclipse-based workstation offering for i5/OS application development that provides a comprehensive Integrated Development Environment for edit/compile/debug of traditional RPG/COBOL/C/C++ i5/OS applications.
FREE! Go There Now!
|
|
|
|
Manage, govern, and share services across your organization by using WebSphere Service Registry and Repository. Follow the hands-on exercises to learn how to navigate the Web interface to publish, find, reuse, and update services.
FREE! Go There Now!
|
|
|
|
Learn how Rational Build Forge can extend a simple compile and package build process by adding customization and deployment capability. Go from a manual method to automating: checking for code changes; getting the latest source; compiling and packaging; customizing; copying to and restarting a deployment server; and sending e-mail notification that a new version is available.
FREE! Go There Now!
|
|
|
|
Asset Reuse is a key strategy for companies looking to create innovative solutions to solve complex software development problems. Searching for, identifying, updating, using and deploying software assets can be a difficult challenge. Listen to this webcast, to learn about strategies and tools that you can leverage for a successful project, including Rational Asset Manager, Rational Software Architect and WebSphere Service Registry and Repository.
FREE! Go There Now!
|
|
|
|
XML has become a common way of storing business data as flat files and many data server vendors including IBM have provided ways to store this data within relational database systems. Increasingly collections of XML files are accessed like databases using an xQuery and other XML standard mechanisms. Businesses find the need to combine the traditional tabular structured data with XML formatted data. In this webcast, you’ll learn about IBM’s WebSphere Federation Server technology, which provides users with the ability to integrate these two data formats.
FREE! Go There Now!
|
|
|
|
Join this Rational Talks to You teleconference on December 11 at 1:00 pm ET to get tips on building your own plugins with Rational Method Composer. Get your questions answered!
FREE! Go There Now!
|
|
|
|
As businesses grow increasingly dependent upon Web applications, these complex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but the majority of attacks are on applications themselves – and these technologies cannot prevent them. This paper explains what you can do to help protect your organization, and it discusses an approach for improving your organization’s Web application security.
FREE! Go There Now!
|
|
|
|
With IBM Rational Systems Development Solution, you can deliver products faster with higher quality. Within this kit, Read the “Model Driven Systems Development” white paper to see how to improve product quality and communication. Then check out the rest of the e-Kit to learn more about important topics that can affect the success of any software project through customer examples, tutorials, informative Webcasts, and best practices for designing, building and managing systems. From start to finish, at every stage in your projects, Rational Systems Development Solution can help your company reach its full potential.
FREE! Go There Now!
|
|
|
|
All FREE IBM® developerWorks Tools!
|
