File Ownership and Permissions
These days, security is paramount to any server installation, large or small. Most modern operating systems have embraced the concept of the separation of file rights via a user/group ownership paradigm, which, when properly configured, offers a wonderfully convenient and powerful means for securing data. In this section, you'll learn how to use PHP's built-in functionality to review and manage these permissions.
Note that because PHP scripts typically execute under the guise of the server daemon process owner, some of these functions will fail unless highly insecure actions are taken to run the server as a privileged user. Thus, keep in mind that some of the functionality introduced in this chapter is much better suited for use when running PHP as a command-line interface (CLI), since scripts executed by way of the CLI could conceivably be run as any system user.
int chown (string filename, mixed user)
The chown() function attempts to change the owner of filename to user (specified either by the user's username or UID), returning TRUE on success and FALSE otherwise.
int chgrp (string filename, mixed group)
The chgrp() function attempts to change the group membership of filename to group, returning TRUE on success and FALSE otherwise.
int fileperms (string filename)
The fileperms() function returns filename's permissions in decimal format, or FALSE in case of error. Because the decimal permissions representation is almost certainly not the desired format, you'll need to convert fileperms()'s return value. This is easily accomplished using the base_convert() function in conjunction with substr(). The base_convert() function converts a value from one number base to another; therefore, you can use it to convert fileperms()'s returned decimal value from base 10 to the desired base 8. The substr() function is then used to retrieve only the final three digits of base_convert()'s returned value, which are the only digits referred to when discussing Unix file permissions. Consider the following example:
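The following is an added example, not code from the original text. It applies the base_convert() and substr() conversion described above, then tests the raw fileperms() value with bit masks to report the world-writable, setuid and setgid bits, which the three-digit form alone does not flag. The helper names octal_mode() and risky_bits() and the scratch file path are assumptions made for illustration.

```php
<?php
// Added example (not from the original text). Helper names and the scratch
// file path are hypothetical; the sample file is constructed in the temp dir.

// Three-digit octal mode, using the base_convert() + substr() approach above.
function octal_mode($path)
{
    clearstatcache(true, $path);          // fileperms() results are cached
    $perms = fileperms($path);
    if ($perms === false) {
        return false;
    }
    // e.g. decimal 33184 -> octal "100640" -> final three digits "640"
    return substr(base_convert((string) $perms, 10, 8), -3);
}

// Permission bits worth flagging in a review, tested on the raw value.
function risky_bits($path)
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        return array('unknown');
    }
    $found = array();
    if ($perms & 0002)  { $found[] = 'world-writable'; }
    if ($perms & 04000) { $found[] = 'setuid'; }
    if ($perms & 02000) { $found[] = 'setgid'; }
    return $found;
}

// Constructed sample: one scratch file, checked under two different modes.
$file = sys_get_temp_dir() . '/perm_demo_' . getmypid() . '.txt';
file_put_contents($file, "sample\n");

foreach (array(0640, 0666) as $mode) {
    chmod($file, $mode);
    $flags = implode(',', risky_bits($file));
    printf("%s %s\n", octal_mode($file), $flags !== '' ? $flags : 'ok');
}

unlink($file);
```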
int filegroup (string filename)
The filegroup() function returns the group ID (GID) of the filename owner, and FALSE if the GID cannot be determined:
Note that filegroup() returns the GID, and not the group name.
int fileowner (string filename)
The fileowner() function returns the user ID (UID) of the filename owner, or FALSE if the UID cannot be determined. Consider this example:
Note that fileowner() returns the UID, and not the username.
boolean is_executable (string filename)
The is_executable() function returns TRUE if filename exists and is executable, and FALSE otherwise. Note that this function is not available on the Windows platform.
boolean is_readable (string filename)
The is_readable() function returns TRUE if filename exists and is readable, and FALSE otherwise. If a directory name is passed in as filename, is_readable() will determine whether that directory is readable.
boolean is_writeable (string filename)
The is_writeable() function returns TRUE if filename exists and is writable, and FALSE otherwise. If a directory name is passed in as filename, is_writeable() will determine whether that directory is writable.
Note: The function is_writable() is an alias of is_writeable().
int umask ([int mask])
The umask() function determines the level of permissions assigned to a newly created file. The umask() function calculates PHP's umask to be the result of mask bitwise ANDed with 0777, and returns the old mask. Keep in mind that mask is a three- or four-digit code representing the permission level. PHP then uses this umask when creating files and directories throughout the script. Omitting the optional parameter mask results in the retrieval of PHP's currently configured umask value.
Writing exciting, useful programs almost always requires that the program work with some sort of external data source. Two prime examples of such data sources are files and databases. In this section, we delve deep into working with files. Before we introduce PHP's numerous standard file-related functions, however, it's worth introducing a few basic concepts pertinent to this topic.