Saturday, August 8, 2009

UNIX Permission Analyzing Algorithm

UNIX permissions can be quite baffling. They are even more difficult to tackle with when they are needed to be analyzed using computer programs. Let us take one scenario where we need to analyze using computer programs if the permissions over a file are no more than Recommended or Permitted.Let the Recommended permission be 600(octal). This means Read and Write permissions only to the Owner, no more than that. If these permissions are analyzed using mathematical operators, the results will not always be correct. Let us have a look at different scenarios :

Scenario 1 : The permissions over the file is 400. Hence 400 < 600 results in True. And the Analysis is correct.

Scenario 2 : The permissions over the file is 500. Hence 500 < 600 results in True. The Analysis is incorrect in this case since 500 means Read and Execute Permissions to the Owner. We have however recommended that the owner should not be granted any other permission than Read and Write.

Hence, as seen in Scenario 2, UNIX permissions cannot be analyzed using mathematical operators.

To correctly analyze UNIX file permissions the following algorithm can be used :

1. Convert the textual form of the Recommended permission to binary.

eg. If the recommended permission is 600, the textual form would be rw------- . The binary of this would be 110000000.

2. Convert the binary of the Recommended permission to its inverted form. Call it RI (recommended inverted).

eg. If the binary is 110000000, the inverted form would be 001111111.

3. Take the textual form of the encountered file permission and convert it to its binary. Call it EP (encountered permission).

eg. If the encountered permission is r-x------ , the binary would be 101000000. This is 500 in Octal.

4. Do a Bit-wise Logical AND of the Encountered Permission(EP) with the Recommended Inverted(RI). EP (AND) RI.

eg. EP = 101000000 , RI = 001111111 , then EP (AND) RI => 101000000 AND 001111111. This gives a result of 001000000.

5. If the result has a '1' in any of its positions, the Encountered Permission is lesser stringent that the Recommended Permission. Furthermore, the exact permission that is not required can also be pin pointed using the location of the 1s in the result.

eg. If the result is 001000000, the permission that is not required is in the third position. Hence, revoking execute access over the file from the Owner will ensure compliance with the recommend permission.

Once again, the algorithm goes as follows :

1. Obtain the Recommended Inverted(RI).
2. Obtain the Encountered Permission(EP).
3. Perform Bit-wise Logical AND of EP with RI.
4. If result contains even a single 1, EP is lesser stringent than RI. If result contains all 0s, EP is no lesser stringent than RI.


Step 2 might require some more processing in case of permissions with sticky bit etc. We will have a look at such scenarios in my next post.....

Headlines Summary Nov 20, 2024

...