If you are not crystal clear about what
file permissions are
or if you simply don't have an idea how to use the file permissions, then we
have produced this research article
for you. We will discuss file permissions in PHP on the Unix platform and how you can
embed permission commands from within a PHP applications.
Now, we'll take a slight detour from a strictly PHP-related subject and discuss file permissions in Unix systems. If you are
using PHP in a Windows environment (or other environment without a permission
system), this article may or may not apply as mentioned here.
How File Permissions Work in PHP
Before we can explain how permissions can be
used from within PHP applications, you'll need a little background on how
permissions work in general. Although this article will only discusses Unix
permission-related commands, these commands directly relate to their PHP
counterparts discussed in our next article. If you haven't ever really worked with
the permissions system in PHP (or need a refresher) read on.
In a Unix environment, all files and
directories are owned by two different entities -- a user and a group. (A group
represents multiple individual users.) Likewise, each file in the file system
has three different permission sets which determine who can access a particular
file or directory. Specifically, every file in a Unix system has the following
permission sets: user-level, group-level, and global-level.
For each permission set, three different flags
exist: read, write, and execute. If a particular user does not have the read
flag set, he will be unable to read the desired file (or the files in a
directory). Likewise, if a user does not have the execute permission on a file,
she will be unable to execute that program. When a user creates a file, that
file automatically is owned by the user and group to which the user belongs. In
order to change the owner of a particular file the chown Unix command is used as
[user@localhost]$ chown theuser thefilemask
where the user represents the username to change
the file mask specified by thefilemask. Please note that this command can only
be executed by a user who has super-user privileges (such as root).
Changing the group to which a file belongs to
is done via the chgrp Unix command. Unlike chown, which requires super-user
privileges, chgrp can be used by any user. The one restriction that applies is
that chgrp will only allow the user to change the group of a file as long as the
user belongs to that group. For example, a given user who belongs to the groups
foo and bar can change the group of a given file to either foo or bar but not
foobar -- because he does not belong to that group.
As I mentioned, for a given file there are
three different permission levels that apply to each file and directory: the
user-level, group-level, and global-level. Each level is independent of the
other, and is used to permit read, write, or execution access for the given
file. From a Unix console, one can see the owner, group, and permissions
assigned to these three groups by executing the ls (list) command in a given
directory and specifying the -l (long) tag as shown:
[user@localhost]$ ls -l
rwx-w-r-- 4 php 4096
Nov 7 15:52 mydirectory
In the above example, the directory mydirectory
is owned by the user php and belongs to the group mygroup. The string drwx-w-r--
identifies the permissions.
If the permission has been granted (read,
write, or execute) then that letter will be displayed for the particular group.
Otherwise, a dash is shown. Thus, in the example above, this particular file has
been given read, write, and execute permissions for the owner of the file (the
user php). However, those who belong to the group mygroup can write to this
file, while the remainder of people (global) can only read the file. The one
flag that hasn't been identified yet (the first character, d) identifies this
particular file as a directory.
Although permissions are fairly simple for
normal files, they take on a slightly different meaning when applied to
directories. Specifically, read permission is required in order for a user to
view the contents of the directory. Write permission allows a user to create or
remove files within the directory. Execute permission is required in order to
access the directory at all. Note that a user with write permission to a
directory will be able to delete any file in that directory, even if she lacks
write permission for that file.
Modify the permissions in PHP
So how does one modify the permissions of a
file? Unix permissions are handled through a command called chmod:
[user@localhost]$ chmod 755 thefilemask
In the above example, 755 is the numeric
representation of the permissions to set, and thefilemask is the file mask of
the affected files. Note that only the owner or a group member may modify the
permissions of a file. There are two different ways to assign or to revoke
permissions for a file -- one text-based and the other numeric-based. Because
PHP does not provide means to modify permission values using the text-based
method I will only discuss the numeric method.
Numeric permission value in PHP
The permissions of all of the permission groups
can be represented by different numeric values. Added together, this represents
the complete numeric permission value. The values of the different permission
In order to give read and execute permission to
the file's owner, write permission to the group, and read permission to everyone
else (global) the permission value would be:
|Total Permission Value
Applying the permissions to the file in PHP
Applying these permissions to the file is as
simple as using the
[user@localhost]$ ls -l
-rwx-w-r-- 4 php mygroup 4096 Nov 7 18:52 myfile
[user@localhost]$ chmod 524 myfile
[user@localhost]$ ls -l
-r-x-w-r-- 4 php mygroup 4096 Nov 7 18:60 myfile
PHP Returns Next Time!
That's it for this article now. Although no PHP
commands were actually discussed here, having a reasonable understanding of the Unix
permission system (especially when working with files) is critical to PHP
applications. Without being familiar with this subject it is very easy to open
up your scripts to malicious users. In our next article, We'll take the Unix
commands discussed today and apply them to the counterpart PHP functions.