Limiting Access Permissions in Perl
Perl Insecurities and Prevention – Part 1
Foreword: In this part of the series I explain how to limit access from users, to a Perl program.
By: Chrysanthus Date Published: 23 Nov 2015
A program is a file. Anyone who has been granted some privilege to a file, may read, write or execute the file. The user can have one, two or three of these privileges.
This series is part of a Perl Course. At the bottom of this page, you will find links to the different series you should have read before coming here, as this series is a continuation.
Ownership of a File
Any file (or directory) in a computer should have an owner. An owner of a file is a user of the computer.
File Access Mode
File access mode is of permissions to access a file. The permissions are read, write and execute.
The read permission allows a user to read the file. So he can only see the content of the file, but he cannot change the content.
The write permission allows the user to modify the content of the file.
If the file is a program (e.g. a Perl script), then the execute permission allows the user to run the file.
The owner of the file may not have all 3 permissions – see why below.
Changing Ownership of a File
If you install an operating system using the default settings and entering your own username and password, as you install, then you are the super-user (also known as root) for the computer. Only the super-user has the right to change ownership of a file or directory, from one user to another user. A computer can have many users.
As a super-user, you change (give) the ownership of one or more files as follows
chown ($uid, $gid, 'foo', 'bar');
where the first two elements of the list must be the numeric user-id and group-id, in that order. The rest of the elements are filenames in quotes. The chown function returns the number of files successfully changed.
A user of a computer is somebody that has the right (username and password) to use the computer. A user is denoted in coding by u. u is an example of an access class.
A user can be a member of a group. A group is a collective number of users with common interest. A group is denoted in coding by g. g is an example of an access class.
Any user of the computer who does not belong to a file owner’s group is denoted by o. o is an example of an access class.
The letter, a for all, can mean u, or g, or o. So you have the following letters (classes): u, g, o, and a.
Whether you are dealing with files or directories, there are three types of permissions called access types. They are read, write and execute. In coding, the execute permission is the number, 100; the write permission is the number, 200; but the read permission is the number, 400. 000 means no permission. Now 300 means the write and execute permissions, obtained by adding the permission for execute, which is 100 and the permission for write, which is 200. Now these permissions (numbers) are for the owner (main user) of the file.
For a group, the execute permission is 010; the write permission is 020 and the read permission is 040. 000 means no permission for the group.
For others (the class, o), the execute permission is 001; the write permission is 002 and the read permission is 004. 000 means no permission for others.
Absolute Form of Granting Permissions
It is not only the super-user that can grant permissions to users for your file; you as an ordinary user can grant permissions of your file to another user. Do not confuse between granting permissions and changing ownership. Only the supper-user can change ownership of a file; of course, he can also grant permissions.
Assume that you have logged into the computer and you wanted to give yourself read, write, and execute permissions on myfile.pl; give users in your group read and execute permissions; and give others only execute permission. The appropriate number would be calculated as (400+200+100)+(040+000+010)+(000+000+001) to result in the three digits, 751. Note that the permission for the owner (user) has a digit and is followed by 2 zeroes; the permission for the group has one zero in front and another behind; and the permission for others is preceded by 2 zeroes.
To grant 751 permissions for a file, you would type,
chmod (0751, "myfile.pl");
To grant permissions for more than one file, it would be something like:
chmod (0751, "foo", "bar");
where foo and bar are filenames. The first argument is a number preceded by 0 for the permissions. You get the number by addition as illustrated above; it should not be in quotes (because it happens to be an octal number). The rest of the arguments are filenames in quotes. The chmod function returns the number of files successfully changed.
Note: it is the super-user that can change the permissions of a file, which belongs to some other user (and not you). All he has to do is to include the path to the file (or files), as follows:
chmod (0751, "c:/dirA/dirB/one.txt", "c:/dirA/dirB/two.txt");
To be sure if the mode (permissions) has been successfully changed, he should type a code segment like:
my $cnt = chmod (0751, "c:/dirA/dirB/one.txt", "c:/dirA/dirB/two.txt");
I tried it in my computer for two files and the value of $cnt was 2 (confirming).
The super-user has all the rights in everything in the computer.
Note: granting and changing permissions mean the same thing.
Some other frequently used permissions are:
0777 : anyone can do anything (read, write, or execute)
0755 : you can do anything; others can only read and execute
0711 : you can do anything; others can only execute
0644 : you can read and write; others can only read
File Status Information
To get the file status information, you use the stat function as follows:
($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($filename);
The argument to the stat function is the filename in quotes or a variable. There are 13 of the return values. The meanings are as follows:
0 dev device number of filesystem
1 ino inode number
2 mode file mode (type and permissions)
3 nlink number of (hard) links to the file
4 uid numeric user ID of file's owner
5 gid numeric group ID of file's owner
6 rdev the device identifier (special files only)
7 size total size of file, in bytes
8 atime last access time in seconds since the epoch
9 mtime last modify time in seconds since the epoch
10 ctime inode change time in seconds since the epoch (*)
11 blksize preferred block size for file system I/O
12 blocks actual number of blocks allocated
Now, the epoch is the datatime, which is 00:00 January 1, 1970 GMT. The number of seconds for atime, mtime, and ctime can be converted to datetime – see later.
Try the following code, for any file in the working directory, replacing "file" with the name of the file (in quotes):
my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat("file");
print "dev is $dev\n", "ino is $ino\n", "mode is $mode\n", "nlink is $nlink\n", "uid is $uid\n", "gid is $gid\n", "rdev is $rdev\n", "size is $size\n", "atime is $atime\n", "mtime is $mtime\n", "ctime is $ctime\n", "blksize is $blksize\n", "blocks is $blocks\n";
The most common mode is 0755. This means any one using the same operating system as the one in your computer can read the source code of your Perl file as well as execute. However, if they were using the Internet, they would only be able to execute your file and not see the source code.
Unfortunately, for a Perl file to be compiled and interpreted (i.e. to be executable), the user needs to have the read and execute permissions. So, if a hacker is using the same operating system as you, then he can read your source code. That makes it easy for him to hack the code. In this series, to hack, means to inject wrong data or wrong code into your Perl program, so that the program does not run as intended.
Note, even if the hacker cannot read the source code, it is often possible for him to determine insecure coding in your code and exploit it to inject wrong data or wrong code. In this series, you learn those insecurities (insecure coding) and how to lock them.
Well, that is it for this part of the series. We stop here and continue in the next part.
Related LinksPerl Basics
Perl Data Types
Perl References Optimized
Handling Files and Directories in Perl
Perl Object Oriented Programming
Perl Regular Expressions
Perl Core Number Basics and Testing
Commonly Used Perl Predefined Functions
Line Oriented Operator and Here-doc
Handling Strings in Perl
Using Perl Arrays
Using Perl Hashes
Perl Multi-Dimensional Array
Date and Time in Perl
Namespace in Perl
Perl Eval Function
Writing a Perl Command Line Tool
Perl Insecurities and Prevention
Sending Email with Perl
Miscellaneous Features in Perl
Perl Two-Dimensional Structures
Advanced Perl Regular Expressions
Designing and Using a Perl Module
More Related Links
PurePerl MySQL API
Perl Course - Professional and Advanced
Major in Website Design
Web Development Course
Producing a Pure Perl Library