Broad Network


PHP File Access Permission and Status Information

Files and Directories with Security Considerations in PHP - Part 5

Foreword: In this part of the series, I talk about file ownership, access permissions, file status information, and copying and moving files in PHP.

By: Chrysanthus Date Published: 19 Jan 2019

Introduction

This is part 5 of my series, Files and Directories with Security Considerations in PHP. In this part of the series, I talk about file ownership, access permissions, file status information, and copying and moving files. You should have read the previous parts of the series before reaching here, as this is the continuation.

Ownership of a File
Any file (or directory) in a computer should have an owner. An owner of a file is a user of the computer.

File Access Mode
The file access mode is the set of permissions for accessing the file. The permissions are read, write and execute.

Read
The read permission allows a user to read the file. He can see the content of the file, but he cannot change it.

Write
The write permission allows the user to modify the content of the file.

Execute
If the file is a program (e.g. a PHP script), then the execute permission allows the user to run the file.

The owner of the file may not have all 3 permissions – see why below.

Directory Access Mode
The permissions for a directory are the same as for a file, which are read, write and execute.

Read
This permission to a directory means that the user can list (read) the entries of the directory. The entries are the filenames and directory names. The current directory is typically represented by a dot. The parent directory to the current directory is typically represented by double dots. In order for the user to read, write to, or execute any file in the directory, he still needs the read, write and execute permissions for that particular file.

Write
This permission to a directory means that the user can add or delete files in the directory.

Execute
This permission to a directory is rather redundant. It simply means that the user can list the entries of the directory and he can use the Change Directory (chdir) command to reach the directory. It is the write permission for the directory that allows the user to delete and add files.

Note: whether you are dealing with a file or a directory, permissions have to be given to the user.

Changing Ownership of a File
If you install an operating system using the default settings, entering your own username and password as you install, then you are the super-user (also known as root) for the computer. Only the super-user has the right to change the ownership of a file or directory from one user to another. A computer can have many users.

As a super-user, you change (give) the ownership of one or more files with the following syntax:

    bool chown ( string $filename , mixed $user )

This attempts to change the owner of the file $filename to the user $user, given as a user name or a numeric user ID.

The function returns TRUE on success or FALSE on failure.

Note: This function will not work on remote files as the file to be examined must be accessible via the server's filesystem.
Note: When PHP safe mode is enabled, PHP checks whether the files or directories being operated upon have the same UID (owner) as the script that is being executed (i.e. as the script that is operating on those files and directories).

Access Class
A user of a computer is somebody that has the right (username and password) to use the computer. A user is denoted in coding by u. u is an example of an access class.

A user can be a member of a group. A group is a set of users with a common interest. A group is denoted in coding by g. g is an example of an access class.

Any user of the computer who does not belong to a file owner’s group, is denoted by o. o is an example of an access class.

The letter, a for all, can mean u, or g, or o. So you have the following letters (classes): u, g, o, and a.

Access Type
Whether you are dealing with files or directories, there are three types of permissions, called access types. They are read, write and execute. In coding, the execute permission is the number 100; the write permission is the number 200; and the read permission is the number 400. 000 means no permission. So 300 means the write and execute permissions, obtained by adding the execute permission, 100, to the write permission, 200. These numbers are for the owner (main user) of the file.

For a group, the execute permission is 010; the write permission is 020 and the read permission is 040. 000 means no permission for the group.

For others (the class, o), the execute permission is 001; the write permission is 002 and the read permission is 004. 000 means no permission for others.

Note the position of the digit for owner (leftmost, e.g. 200), group (middle e.g. 020) and others (rightmost e.g. 002).

Absolute Form of Granting Permissions
It is not only the super-user that can grant permissions to users for your file or directory; you, as an ordinary user, can grant permissions on your own file or directory to another user. Do not confuse granting permission with changing ownership. Only the super-user can change the ownership of a file; of course, he can also grant permissions.

Assume that you have logged into the computer and you wanted to give yourself read, write, and execute permissions on myfile.pl; give users in your group read and execute permissions; and give others only execute permission. The appropriate number would be calculated as (400+200+100)+(040+000+010)+(000+000+001) to result in the three digits, 751. Note that the permission for the owner (user) has a digit and is followed by 2 zeroes; the permission for the group has one zero in front and another behind; and the permission for others is preceded by 2 zeroes.

To grant the 751 permissions for a file, you would type,

    chmod ('myfile.pl', 0751);

This is an octal (base 8) number, so 751 has to be preceded by 0.

The function attempts to change the mode of the specified file to that given in mode (second argument).

The function returns TRUE on success or FALSE on failure.

Note: This function will not work on remote files as the file to be examined must be accessible via the server's filesystem.

Note: When safe mode is enabled, PHP checks whether the files or directories you are about to operate on have the same UID (owner) as the script that is being executed.

Note: only the super-user can change the permissions of a file that belongs to some other user (and not you). All he has to do is include the path to the file, as follows:

    chmod ('c:/dirA/dirB/one.txt', 0751);

The super-user has all rights to everything on the computer.

Note: granting and changing permissions mean the same thing.

Some other frequently used Modes
Some other frequently used permissions are:

0777 : anyone can do anything (read, write, or execute)
0755 : you can do anything; others can only read and execute
0711 : you can do anything; others can only execute
0644 : you can read and write; others can only read
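The arithmetic above, as an added example that is not part of the original article: it builds the absolute octal mode from the u/g/o access classes and decodes a mode (such as the one stat() returns) back into rwx letters so the result can be checked. The function names and the CLASS_BITS table are my own.

```php
<?php
// Added example (not from the original article): build the absolute
// (octal) mode from the u/g/o access classes described above, and
// decode a mode back into rwx letters to check the result.
// Per-class values from the article: owner 400/200/100,
// group 040/020/010, others 004/002/001 (all octal).
const CLASS_BITS = [
    'u' => ['r' => 0400, 'w' => 0200, 'x' => 0100],
    'g' => ['r' => 0040, 'w' => 0020, 'x' => 0010],
    'o' => ['r' => 0004, 'w' => 0002, 'x' => 0001],
];

// A $spec such as ['u' => 'rwx', 'g' => 'rx', 'o' => 'x'] gives 0751.
function modeFromClasses(array $spec): int
{
    $mode = 0;
    foreach ($spec as $class => $letters) {
        // 'a' stands for all three classes, as in the article.
        $classes = $class === 'a' ? ['u', 'g', 'o'] : [$class];
        foreach ($classes as $c) {
            if (!isset(CLASS_BITS[$c])) {
                throw new InvalidArgumentException("unknown class: $c");
            }
            foreach (str_split($letters) as $l) {
                if ($l === '') { continue; }  // empty spec: no bits
                if (!isset(CLASS_BITS[$c][$l])) {
                    throw new InvalidArgumentException("unknown permission: $l");
                }
                $mode |= CLASS_BITS[$c][$l];
            }
        }
    }
    return $mode;
}

// Decode the low nine bits of a mode (e.g. stat()['mode'] & 0777) into
// the familiar "rwxr-x--x" form, owner first.
function modeToString(int $mode): string
{
    $out = '';
    foreach (['u', 'g', 'o'] as $c) {
        foreach (['r', 'w', 'x'] as $l) {
            $out .= ($mode & CLASS_BITS[$c][$l]) ? $l : '-';
        }
    }
    return $out;
}

$mode = modeFromClasses(['u' => 'rwx', 'g' => 'rx', 'o' => 'x']);
printf("%04o %s\n", $mode, modeToString($mode));
printf("%04o %s\n", 0644, modeToString(0644));
```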

File Status Information
Abbreviations and meanings for file information data are as follows:

Numeric   Associative   Description
0         dev           device number
1         ino           inode number *
2         mode          inode protection mode
3         nlink         number of links
4         uid           userid of owner *
5         gid           groupid of owner *
6         rdev          device type, if inode device
7         size          size in bytes
8         atime         time of last access (Unix timestamp)
9         mtime         time of last modification (Unix timestamp)
10        ctime         time of last inode change (Unix timestamp)
11        blksize       blocksize of filesystem IO **
12        blocks        number of 512-byte blocks allocated **

* On Windows this will always be 0.
** Only valid on systems supporting the st_blksize type - other systems (e.g. Windows) return -1.

In case of error, stat() returns FALSE.

The syntax of lstat(), which has the same form as stat(), is:

    array lstat ( string $filename )

Gathers the statistics of the file or symbolic link named by filename.

filename: Path to a file or a symbolic link.

Note: The results of this function are cached.

Copying Files
To copy a file, you need to have read permission for the source directory and read permission for the source file. You also need to have write permission for the destination directory.

With those permissions, you open the source file for reading and open the destination file for writing. As you copy one line from the source file, you send (print) the same line to the destination file. You then close the two files.

The next thing to do is to obtain the permissions and ownership of the source file and then set the same permissions and ownership to the destination file.

The stat() function returns 13 elements. The third (2) element is the mode (permissions). The fifth (4) element has the numeric user ID of file's owner and the sixth (5) element has the numeric group ID of file's owner. You can use the stat function to obtain these values from the source file. To set the permissions of the destination file, you use the chmod() function. You assign the ownership using the chown() function.
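The copying procedure described above, as an added example that is not part of the original article: it copies the file line by line, then uses elements 2, 4 and 5 of stat() to set the same permissions and ownership on the copy. The function name and the paths are my own placeholders, and the 'x' open mode is an assumption added so an existing destination is never overwritten.

```php
<?php
// Added example (not from the original article): copy a file line by
// line as described above, then carry the source's permissions and
// ownership over to the copy with stat(), chmod(), chown() and chgrp().
function copyWithAttributes(string $src, string $dst): bool
{
    // stat() follows symbolic links, so these are the attributes of
    // the real source file; refuse anything that is not a plain file.
    $st = stat($src);
    if ($st === false || !is_file($src)) {
        return false;
    }
    $in = fopen($src, 'rb');
    if ($in === false) {
        return false;
    }
    // 'x' fails if the destination already exists, so an existing file
    // (or a symbolic link planted at that path) is never overwritten.
    $out = fopen($dst, 'xb');
    if ($out === false) {
        fclose($in);
        return false;
    }
    $ok = true;
    while (($line = fgets($in)) !== false) {
        if (fwrite($out, $line) === false) {
            $ok = false;
            break;
        }
    }
    fclose($in);
    fclose($out);
    if (!$ok) {
        unlink($dst);
        return false;
    }
    // Element 2 (mode) also carries file-type and setuid/setgid/sticky
    // bits; & 0777 keeps just the rwx permissions for u, g and o.
    if (!chmod($dst, $st['mode'] & 0777)) {
        return false;
    }
    // Elements 4 (uid) and 5 (gid). chown() to another user succeeds
    // only for the super-user; chgrp() sets the group separately.
    return chown($dst, $st['uid']) && chgrp($dst, $st['gid']);
}

// Placeholder paths; replace with real ones.
var_dump(copyWithAttributes('/tmp/source.txt', '/tmp/source-copy.txt'));
```

Check the return value: on a non-root account chmod() can succeed while chown() fails, leaving the copy with the right permissions but your own ownership.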

Moving Files
In this case you also need the write permission for the directory of the source file, because moving removes the file's entry from that directory.

That is it for this part of the series.

Chrys

