Broad Network


Limiting Access Permissions in Perl

Perl Insecurities and Prevention – Part 1

Perl Course

Foreword: In this part of the series I explain how to limit access from users, to a Perl program.

By: Chrysanthus Date Published: 23 Nov 2015

Introduction

This is part 1 of my series, Perl Insecurities and Prevention. In this part of the series I explain how to limit access from users, to a Perl program. A Perl program is a Perl script. Most, if not all computer languages have ways that one can inject wrong data or wrong code into the program, to make the program serve a different purpose. The first thing you should do to limit these, is not to allow unauthorized people to use the program and for those who can use the program, give them different access rights, based on their needs.

A program is a file. Anyone who has been granted some privilege to a file, may read, write or execute the file. The user can have one, two or three of these privileges.

Pre-Knowledge
This series is part of a Perl Course. At the bottom of this page, you will find links to the different series you should have read before coming here, as this series is a continuation.

Ownership of a File
Any file (or directory) in a computer should have an owner. An owner of a file is a user of the computer.

File Access Mode
File access mode is of permissions to access a file. The permissions are read, write and execute.

Read
The read permission allows a user to read the file. So he can only see the content of the file, but he cannot change the content.

Write
The write permission allows the user to modify the content of the file.

Execute
If the file is a program (e.g. a Perl script), then the execute permission allows the user to run the file.

The owner of the file may not have all 3 permissions – see why below.

Changing Ownership of a File
If you install an operating system using the default settings and entering your own username and password, as you install, then you are the super-user (also known as root) for the computer. Only the super-user has the right to change ownership of a file or directory, from one user to another user. A computer can have many users.

As a super-user, you change (give) the ownership of one or more files as follows

    chown ($uid, $gid, 'foo', 'bar');

where the first two elements of the list must be the numeric user-id and group-id, in that order. The rest of the elements are filenames in quotes. The chown function returns the number of files successfully changed.

Access Class
A user of a computer is somebody that has the right (username and password) to use the computer. A user is denoted in coding by u. u is an example of an access class.

A user can be a member of a group. A group is a collective number of users with common interest. A group is denoted in coding by g. g is an example of an access class.

Any user of the computer who does not belong to a file owner’s group is denoted by o. o is an example of an access class.

The letter, a for all, can mean u, or g, or o. So you have the following letters (classes): u, g, o, and a.

Access Type
Whether you are dealing with files or directories, there are three types of permissions called access types. They are read, write and execute. In coding, the execute permission is the number, 100; the write permission is the number, 200; but the read permission is the number, 400. 000 means no permission. Now 300 means the write and execute permissions, obtained by adding the permission for execute, which is 100 and the permission for write, which is 200. Now these permissions (numbers) are for the owner (main user) of the file.

For a group, the execute permission is 010; the write permission is 020 and the read permission is 040. 000 means no permission for the group.

For others (the class, o), the execute permission is 001; the write permission is 002 and the read permission is 004. 000 means no permission for others.

Absolute Form of Granting Permissions
It is not only the super-user that can grant permissions to users for your file; you as an ordinary user can grant permissions of your file to another user. Do not confuse between granting permissions and changing ownership. Only the supper-user can change ownership of a file; of course, he can also grant permissions.

Assume that you have logged into the computer and you wanted to give yourself read, write, and execute permissions on myfile.pl; give users in your group read and execute permissions; and give others only execute permission. The appropriate number would be calculated as (400+200+100)+(040+000+010)+(000+000+001) to result in the three digits, 751. Note that the permission for the owner (user) has a digit and is followed by 2 zeroes; the permission for the group has one zero in front and another behind; and the permission for others is preceded by 2 zeroes.

To grant 751 permissions for a file, you would type,

    chmod (0751, "myfile.pl");

To grant permissions for more than one file, it would be something like:

    chmod (0751, "foo", "bar");

where foo and bar are filenames. The first argument is a number preceded by 0 for the permissions. You get the number by addition as illustrated above; it should not be in quotes (because it happens to be an octal number). The rest of the arguments are filenames in quotes. The chmod function returns the number of files successfully changed.

Note: it is the super-user that can change the permissions of a file, which belongs to some other user (and not you). All he has to do is to include the path to the file (or files), as follows:

    chmod (0751, "c:/dirA/dirB/one.txt", "c:/dirA/dirB/two.txt");

To be sure if the mode (permissions) has been successfully changed, he should type a code segment like:

    my $cnt = chmod (0751, "c:/dirA/dirB/one.txt", "c:/dirA/dirB/two.txt");
    print $cnt;

I tried it in my computer for two files and the value of $cnt was 2 (confirming).

The super-user has all the rights in everything in the computer.

Note: granting and changing permissions mean the same thing.

Some other frequently used Modes
Some other frequently used permissions are:
0777 : anyone can do anything (read, write, or execute)
0755  : you can do anything; others can only read and execute
0711 : you can do anything; others can only execute
0644 : you can read and write; others can only read

File Status Information
To get the file status information, you use the stat function as follows:

        ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks) = stat($filename);

The argument to the stat function is the filename in quotes or a variable. There are 13 of the return values. The meanings are as follows:

    0 dev      device number of filesystem
    1 ino      inode number
    2 mode     file mode  (type and permissions)
    3 nlink    number of (hard) links to the file
    4 uid      numeric user ID of file's owner
    5 gid      numeric group ID of file's owner
    6 rdev     the device identifier (special files only)
    7 size     total size of file, in bytes
    8 atime    last access time in seconds since the epoch
    9 mtime    last modify time in seconds since the epoch
    10 ctime    inode change time in seconds since the epoch (*)
    11 blksize    preferred block size for file system I/O
    12 blocks    actual number of blocks allocated

Now, the epoch is the datatime, which is 00:00 January 1, 1970 GMT. The number of seconds for atime, mtime, and ctime can be converted to datetime – see later.

Try the following code, for any file in the working directory, replacing "file" with the name of the file (in quotes):

use strict;

    my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat("file");

    print "dev is $dev\n", "ino is $ino\n", "mode is $mode\n", "nlink is $nlink\n", "uid is $uid\n", "gid is $gid\n", "rdev is $rdev\n", "size is $size\n", "atime is $atime\n", "mtime is $mtime\n", "ctime is $ctime\n", "blksize is $blksize\n", "blocks is $blocks\n";

Security Issues
The most common mode is 0755. This means any one using the same operating system as the one in your computer can read the source code of your Perl file as well as execute. However, if they were using the Internet, they would only be able to execute your file and not see the source code.

Unfortunately, for a Perl file to be compiled and interpreted (i.e. to be executable), the user needs to have the read and execute permissions. So, if a hacker is using the same operating system as you, then he can read your source code. That makes it easy for him to hack the code. In this series, to hack, means to inject wrong data or wrong code into your Perl program, so that the program does not run as intended.

Note, even if the hacker cannot read the source code, it is often possible for him to determine insecure coding in your code and exploit it to inject wrong data or wrong code. In this series, you learn those insecurities (insecure coding) and how to lock them.

Well, that is it for this part of the series. We stop here and continue in the next part.

Chrys

Related Links

Perl Basics
Perl Data Types
Perl Syntax
Perl References Optimized
Handling Files and Directories in Perl
Perl Function
Perl Package
Perl Object Oriented Programming
Perl Regular Expressions
Perl Operators
Perl Core Number Basics and Testing
Commonly Used Perl Predefined Functions
Line Oriented Operator and Here-doc
Handling Strings in Perl
Using Perl Arrays
Using Perl Hashes
Perl Multi-Dimensional Array
Date and Time in Perl
Perl Scoping
Namespace in Perl
Perl Eval Function
Writing a Perl Command Line Tool
Perl Insecurities and Prevention
Sending Email with Perl
Advanced Course
Miscellaneous Features in Perl
Perl Two-Dimensional Structures
Advanced Perl Regular Expressions
Designing and Using a Perl Module
More Related Links
Perl Mailsend
PurePerl MySQL API
Perl Course - Professional and Advanced
Major in Website Design
Web Development Course
Producing a Pure Perl Library
MySQL Course

NEXT

Comments

Become the Writer's Fan
Send the Writer a Message