If you are not cyrstal clear about what permissions are or if you simply don't know how to use them, then John has produced the article for you. John will discuss permissions on the Unix platform and how you can embed permission commands from within a PHP application.
In the past few columns written on www.onlamp.com, I have been discussing using PHP's file I/O capabilities for manipulating both files and directories. This week, we'll take a slight detour from a strictly PHP-related subject and discuss file permissions in Unix systems. If you are using PHP in a Windows environment (or other environment without a permission system), this column may not apply to you.
How Permissions Work
Before we can explain how permissions can be used from within PHP applications, you'll need a little background on how permissions work in general. Although today's column only discusses Unix permission-related commands, these commands directly relate to their PHP counterparts discussed in my next column. If you haven't ever really worked with the permissions system in PHP (or need a refresher) read on.
In a Unix environment, all files and directories are owned by two different entities -- a user and a group. (A group represents multiple individual users.) Likewise, each file in the file system has three different permission sets which determine who can access a particular file or directory. Specifically, every file in a Unix system has the following permission sets: user-level, group-level, and global-level.
For each permission set, three different flags exist: read, write, and execute. If a particular user does not have the read flag set, he will be unable to read the desired file (or the files in a directory). Likewise, if a user does not have the execute permission on a file, she will be unable to execute that program. When a user creates a file, that file automatically is owned by the user and group to which the user belongs. In order to change the owner of a particular file the chown Unix command is used as follows:
[user@localhost]$ chown theuser thefilemask
where theuser represents the username to change the file mask specified by thefilemask. Please note that this command can only be executed by a user who has super-user privileges (such as root).
Changing the group to which a file belongs to is done via the chgrp Unix command. Unlike chown, which requires super-user privileges, chgrp can be used by any user. The one restriction that applies is that chgrp will only allow the user to change the group of a file as long as the user belongs to that group. For example, a given user who belongs to the groups foo and bar can change the group of a given file to either foo or bar but not foobar -- because he does not belong to that group.
As I mentioned, for a given file there are three different permission levels that apply to each file and directory: the user-level, group-level, and global-level. Each level is independent of the other, and is used to permit read, write, or execution access for the given file. From a Unix console, one can see the owner, group, and permissions assigned to these three groups by executing the ls (list) command in a given directory and specifying the -l (long) tag as shown:
[user@localhost]$ ls -l
rwx-w-r-- 4 php mygroup 4096 Nov 7 15:52 mydirectory
In the above example, the directory mydirectory is owned by the user php and belongs to the group mygroup. The string drwx-w-r-- identifies the permissions.
If the permission has been granted (read, write, or execute) then that letter will be displayed for the particular group. Otherwise, a dash is shown. Thus, in the example above, this particular file has been given read, write, and execute permissions for the owner of the file (the user php). However, those who belong to the group mygroup can write to this file, while the remainder of people (global) can only read the file. The one flag that hasn't been identified yet (the first character, d) identifies this particular file as a directory.
Although permissions are fairly simple for normal files, they take on a slightly different meaning when applied to directories. Specifically, read permission is required in order for a user to view the contents of the directory. Write permission allows a user to create or remove files within the directory. Execute permission is required in order to access the directory at all. Note that a user with write permission to a directory will be able to delete any file in that directory, even if she lacks write permission for that file.
So how does one modify the permissions of a file? Unix permissions are handled through a command called chmod:
[user@localhost]$ chmod 755 thefilemask
In the above example, 755 is the numeric representation of the permissions to set, and thefilemask is the file mask of the affected files. Note that only the owner or a group member may modify the permissions of a file. There are two different ways to assign or to revoke permissions for a file -- one text-based and the other numeric-based. Because PHP does not provide means to modify permission values using the text-based method I will only discuss the numeric method.
The permissions of all of the permission groups can be represented by different numeric values. Added together, this represents the complete numeric permission value. The values of the different permission levels are:
| Value | Permission Level |
|---|
400 | Owner Read |
200 | Owner Write |
100 | Owner Execute |
40 | Group Read |
20 | Group Write |
10 | Group Execute |
4 | Global Read |
2 | Global Write |
1 | Global Execute |
In order to give read and execute permission to the file's owner, write permission to the group, and read permission to everyone else (global) the permission value would be:
400 | Owner Read |
+ 100 | Owner Execute |
+ 20 | Group Write |
+ 4 | Global Read |
= 524 | Total Permission Value |
Applying these permissions to the file is as simple as using the chmod command:
[user@localhost]$ ls -l
-rwx-w-r-- 4 php mygroup 4096 Nov 7 18:52 myfile
[user@localhost]$ chmod 524 myfile
[user@localhost]$ ls -l
-r-x-w-r-- 4 php mygroup 4096 Nov 7 18:60 myfile
[user@localhost]$
PHP Returns Next Time!
That's it for today's column. Although no PHP commands were actually discussed, having a reasonable understanding of the Unix permission system (especially when working with files) is critical to PHP applications. Without being familiar with this subject it is very easy to open up your scripts to malicious users. In my next column, I'll take the Unix commands discussed today and apply them to the counterpart PHP functions.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More PHP Articles
More By John Coggeshall
developerWorks - FREE Tools! |
The IBM DB2 Deep Compression ROI tool is designed for DBA’s and IT management personnel to perform a clinical analysis of the cost savings gained from the Storage Optimization feature of DB2 9 for Linux, UNIX and Windows. The feature, also known as Deep Compression, compresses data that lies within a database by up to 80% at times. FREE! Go There Now!
|
|
|
|
Learn to enable users to both rate existing animations and to combine existing animations into new snippets. This is the third in a series of three tutorials that chronicle the building of a site that enables collaborative discussion and animation building using Domino and OpenLaszlo. FREE! Go There Now!
|
|
|
|
Build secure Web services with transport-level security using IBM Rational Application Developer V7 and IBM WebSphere Application Server V6.1. Follow this three-part series for step-by-step instructions about how to develop Web services and clients, configure HTTP basic authentication, and configure HTTP over SSL (HTTPS). This first part of the series walks you through building a Web service for a simple calculator application. You generate and test two different types of Web services clients: a Java Platform, Enterprise Edition (Java EE) client and a stand-alone Java client. You also handle user-defined exceptions in Web services. FREE! Go There Now!
|
|
|
|
WebSphere Process Server delivers a unique integration framework that simplifies existing IT resources. Often, as IT assets grow to support business demand, so too does their complexity and manageability. In this webcast, we’ll discuss how WebSphere Process Server helps deliver an SOA infrastructure that provides a common model to orchestrate, mediate, connect, map, and execute the underlying IT functions. Discover how WebSphere Process Server simplifies integration of business processes by leveraging existing IT assets as reusable services without the complexities of traditional integration methodologies. FREE! Go There Now!
|
|
|
|
Download a free trial version of IBM DB2 9.5 for Linux, UNIX, and Windows. DB2 9 is the result of a five-year development project that transformed traditional (static) database technology into an interactive data server that merges the high performance and ease of use of DB2 with the self-describing benefits of XML. FREE! Go There Now!
|
|
|
|
Visit IBM developerWorks to download a free trial of the Rational Host Access Transformation Services (HATS) Toolkit. The HATS toolkit provides a set of plug-ins for the IBM Rational Software Delivery Platform to help you easily extend your legacy applications. HATS makes your 3270 and 5250 applications available as HTML through the most popular Web browsers, while converting your host screens to a Web look and feel and it also enables you to develop new Web, portal, and rich-client applications. FREE! Go There Now!
|
|
|
|
Listen to this webcast to get an overview of Info 2.0 and a technical demo of how to quickly build an enterprise mashup. IBM's Info 2.0 technology leverages emerging Web 2.0 technologies such as mashups, feeds, AJAX, and JSON in order to simplify assembly of information using feeds and services. Come learn about the technical elements of Info 2.0 including the Feed Generation framework, Mashup Engine, and mashup assembly components. Learn how to pull information from databases, departmental information, and the Web to create mashups critical to your company’s success. We will also discuss best practices to help you get started. FREE! Go There Now!
|
|
|
|
Regression testing -- in which code is thoroughly tested to ensure that changes have not produced unexpected results -- is an important part of any development process. But many testing environments neglect the terminal-based applications that still form the backbone of many industries. In this tutorial, you'll learn how the Rational Functional Tester Extension for Terminal-Based Applications works with other Rational Functional Tester to help test terminal-based applications quickly and easily. FREE! Go There Now!
|
|
|
|
Get a free trial download of the latest version of IBM Rational Functional Tester V7.0.1. Rational Functional Tester is an automated functional and regression testing solution for QA teams concerned with the quality of their Java, Microsoft Visual Studio .NET, and Web-based applications. FREE! Go There Now!
|
|
|
|
As businesses grow increasingly dependent upon Web applications, these complex entities grow more difficult to secure. Most companies equip their Web sites with firewalls, Secure Sockets Layer (SSL), and network and host security, but the majority of attacks are on applications themselves – and these technologies cannot prevent them. This paper explains what you can do to help protect your organization, and it discusses an approach for improving your organization’s Web application security. FREE! Go There Now!
|
|
|
|
All FREE IBM® developerWorks Tools! |