Working with Permissions in PHP, Part 1
by John Coggeshall
02/06/2003
In the past few columns, I have been discussing using PHP's file I/O
capabilities for manipulating both files and directories. This week, we'll
take a slight detour from a strictly PHP-related subject and discuss file
permissions in Unix systems. If you are using PHP in a Windows environment
(or other environment without a permission system), this column may not
apply to you.
How Permissions Work
Before we can explain how permissions can be used from within PHP
applications, you'll need a little background on how permissions work in
general. Although today's column only discusses Unix permission-related
commands, these commands directly relate to their PHP counterparts
discussed in my next column. If you haven't ever really worked with the
permissions system in PHP (or need a refresher) read on.
In a Unix environment, all files and directories are owned by two
different entities -- a user and a group. (A group represents multiple
individual users.) Likewise, each file in the file system has three
different permission sets which determine who can access a particular file
or directory. Specifically, every file in a Unix system has the following
permission sets: user-level, group-level, and global-level.
For each permission set, three different flags exist: read, write, and
execute. If a particular user does not have the read flag set, he will be
unable to read the desired file (or the files in a directory). Likewise,
if a user does not have the execute permission on a file, she will be
unable to execute that program. When a user creates a file, that file
automatically is owned by the user and group to which the user belongs. In
order to change the owner of a particular file the chown Unix
command is used as follows:
[user@localhost]$ chown theuser thefilemask
where theuser represents the username to change the file
mask specified by thefilemask. Please note that this command
can only be executed by a user who has super-user privileges (such as
root).
Changing the group to which a file belongs to is done via the
chgrp Unix command. Unlike chown, which requires
super-user privileges, chgrp can be used by any user. The one
restriction that applies is that chgrp will only allow the
user to change the group of a file as long as the user belongs to that
group. For example, a given user who belongs to the groups
foo and bar can change the group of a given file
to either foo or bar but not foobar
-- because he does not belong to that group.
As I mentioned, for a given file there are three different permission
levels that apply to each file and directory: the user-level, group-level,
and global-level. Each level is independent of the other, and is used to
permit read, write, or execution access for the given file. From a Unix
console, one can see the owner, group, and permissions assigned to these
three groups by executing the ls (list) command in a given
directory and specifying the -l (long) tag as shown:
[user@localhost]$ ls -l
rwx-w-r-- 4 php mygroup 4096 Nov 7 15:52 mydirectory
In the above example, the directory mydirectory is owned
by the user php and belongs to the group
mygroup. The string drwx-w-r-- identifies the
permissions.
If the permission has been granted (read, write, or execute) then that
letter will be displayed for the particular group. Otherwise, a dash is
shown. Thus, in the example above, this particular file has been given
read, write, and execute permissions for the owner of the file (the user
php). However, those who belong to the group
mygroup can write to this file, while the remainder of people
(global) can only read the file. The one flag that hasn't been identified
yet (the first character, d) identifies this particular file
as a directory.
Although permissions are fairly simple for normal files, they take on a
slightly different meaning when applied to directories. Specifically,
read permission is required in order for a user to view the contents of
the directory. Write permission allows a user to create or remove files
within the directory. Execute permission is required in order to access
the directory at all. Note that a user with write permission to a
directory will be able to delete any file in that directory, even if she
lacks write permission for that file.
So how does one modify the permissions of a file? Unix permissions are
handled through a command called chmod:
[user@localhost]$ chmod 755 thefilemask
In the above example, 755 is the numeric representation of
the permissions to set, and thefilemask is the file mask of
the affected files. Note that only the owner or a group member may modify
the permissions of a file. There are two different ways to assign or to
revoke permissions for a file -- one text-based and the other
numeric-based. Because PHP does not provide means to modify permission
values using the text-based method I will only discuss the numeric method.
The permissions of all of the permission groups can be represented by
different numeric values. Added together, this represents the complete
numeric permission value. The values of the different permission levels
are:
| Value | Permission Level |
|---|
400 | Owner Read |
200 | Owner Write |
100 | Owner Execute |
40 | Group Read |
20 | Group Write |
10 | Group Execute |
4 | Global Read |
2 | Global Write |
1 | Global Execute |
In order to give read and execute permission to the file's owner, write
permission to the group, and read permission to everyone else (global) the
permission value would be:
400 | Owner Read |
+ 100 | Owner Execute |
+ 20 | Group Write |
+ 4 | Global Read |
= 524 | Total Permission Value |
Applying these permissions to the file is as simple as using the
chmod command:
[user@localhost]$ ls -l
-rwx-w-r-- 4 php mygroup 4096 Nov 7 18:52 myfile
[user@localhost]$ chmod 524 myfile
[user@localhost]$ ls -l
-r-x-w-r-- 4 php mygroup 4096 Nov 7 18:60 myfile
[user@localhost]$
PHP Returns Next Time!
That's it for today's column. Although no PHP commands were actually
discussed, having a reasonable understanding of the Unix permission system
(especially when working with files) is critical to PHP
applications. Without being familiar with this subject it is very easy to
open up your scripts to malicious users. In my next column, I'll take the
Unix commands discussed today and apply them to the counterpart PHP
functions.
John Coggeshall
is a a PHP consultant and author who started losing sleep over PHP around five years ago.
Read more PHP Foundations columns.
Return to the PHP DevCenter.
