Limiting Access Permissions in ECMAScript
ECMAScript Insecurities and Prevention – Part 1
ECMAScript 6
Foreword: In this part of the series, I explain how to limit users' access to an ECMAScript program.
By: Chrysanthus
Date Published: 16 Jul 2016
Introduction
A program is a file. Anyone who has been granted a privilege on a file may read, write or execute the file. A user can have one, two or all three of these privileges.
Pre-Knowledge
This series is part of an ECMAScript Course. At the bottom of this page, you will find links to the different series you should have read before coming here, as this series is a continuation.
Ownership of a File
Any file (or directory) in a computer should have an owner. An owner of a file is a user of the computer.
File Access Mode
The file access mode is the set of permissions for accessing a file. The permissions are read, write and execute.
Read
The read permission allows a user to read the file. With this permission alone, he can see the content of the file, but he cannot change it.
Write
The write permission allows the user to modify the content of the file.
Execute
If the file is a program (e.g. an ECMAScript script), then the execute permission allows the user to run the file.
The owner of the file may not have all 3 permissions – see why below.
Changing Ownership of a File
If you install an operating system using the default settings, entering your own username and password as you install, then you are the super-user (also known as root) for the computer. Only the super-user has the right to change ownership of a file or directory from one user to another. A computer can have many users.
As a super-user, you change (give) the ownership of a file as follows:
const fs = require('fs');
fs.chownSync('/dir1/dir2/filename.ext', uid, gid);
where the last two arguments must be the numeric user ID and group ID, in that order. Sadly, the chown function returns undefined. The first statement includes the File System module – see later.
A user of a computer is somebody that has the right (username and password) to use the computer. A user is denoted in coding by u. u is an example of an access class.
A user can be a member of a group. A group is a collection of users with a common interest. A group is denoted in coding by g. g is an example of an access class.
Any user of the computer who does not belong to a file owner’s group is denoted by o. o is an example of an access class.
The letter a, for all, covers u, g and o together. So you have the following letters (classes): u, g, o, and a.
Access Type
Whether you are dealing with files or directories, there are three types of permissions, called access types: read, write and execute. In coding, the execute permission is the number 100, the write permission is the number 200 and the read permission is the number 400; these are octal numbers. 000 means no permission. 300 means the write and execute permissions, obtained by adding the permission for execute (100) and the permission for write (200). These numbers are for the owner (main user) of the file.
For a group, the execute permission is 010; the write permission is 020 and the read permission is 040. 000 means no permission for the group.
For others (the class, o), the execute permission is 001; the write permission is 002 and the read permission is 004. 000 means no permission for others.
Absolute Form of Granting Permissions
It is not only the super-user that can grant permissions to users for your file; you, as an ordinary user, can grant permissions on your file to another user. Do not confuse granting permissions with changing ownership. Only the super-user can change ownership of a file; of course, he can also grant permissions.
To grant 751 permissions for a file, you would type,
const fs = require('fs');
fs.chmodSync("myfile.js", 0o751);
where myfile.js is a filename and can be preceded by a path. The second argument is the permissions as an octal number. You get the number by addition as illustrated above; it should not be in quotes. In ECMAScript 6 an octal number is written with the prefix 0o; the older form with only a leading 0 (0751) is rejected in strict mode. Sadly, the chmod function returns undefined.
Note: only the super-user can change the permissions of a file that belongs to some other user; you can change only your own. All he has to do is include the path to the file, as follows:
fs.chmodSync("/dir1/dir2/myfile.js", 0o751);
where the first / is for the root directory.
The super-user has all the rights in everything in the computer.
Note: granting and changing permissions mean the same thing.
Some other frequently used permissions are:
0777 : anyone can do anything (read, write, or execute)
0755 : you can do anything; others can only read and execute
0711 : you can do anything; others can only execute
0644 : you can read and write; others can only read
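The addition rule and the chmod call described above, put together as an added example (it is not code from the original article). The helper names modeFromSpec, setAndVerify and demo are hypothetical, the scratch file is constructed for the example, and a POSIX system is assumed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Value of each access type inside one class (one octal digit).
const BITS = { r: 4, w: 2, x: 1 };

// modeFromSpec({ u: 'rwx', g: 'rx', o: 'x' }) gives 0o751.
// OR-ing the bits equals the addition in the text, and a repeated letter is harmless.
function modeFromSpec(spec) {
  let mode = 0;
  for (const [cls, shift] of [['u', 6], ['g', 3], ['o', 0]]) {
    for (const letter of spec[cls] || '') {
      if (BITS[letter] === undefined) {
        throw new Error(`unknown access type: ${letter}`);
      }
      mode |= BITS[letter] << shift;
    }
  }
  return mode;
}

// chmodSync returns undefined and throws on failure, so read the
// permission bits back with statSync to confirm what was applied.
function setAndVerify(file, mode) {
  fs.chmodSync(file, mode);
  return fs.statSync(file).mode & 0o777;
}

// Create a scratch file, grant 751 on it, and report the resulting mode in octal.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'perm-'));
  const file = path.join(dir, 'myfile.js');
  fs.writeFileSync(file, 'console.log("hello");\n');
  try {
    const mode = modeFromSpec({ u: 'rwx', g: 'rx', o: 'x' });
    return setAndVerify(file, mode).toString(8);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo()); // 751
```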
File Status Information
To get the file status information, you use the stat function as follows:
const fs = require('fs');
const stats = fs.statSync("/dir1/dir2/filename.ext");
This function returns an object, an example of which is:
{
dev: 2114,
ino: 48064969,
mode: 33188,
nlink: 1,
uid: 85,
gid: 100,
rdev: 0,
size: 527,
blksize: 4096,
blocks: 8,
atime: Mon, 10 Oct 2011 23:24:11 GMT,
mtime: Mon, 10 Oct 2011 23:24:11 GMT,
ctime: Mon, 10 Oct 2011 23:24:11 GMT,
birthtime: Mon, 10 Oct 2011 23:24:11 GMT
}
The meanings of the data-property/value pairs are as follows:
0 dev device number of filesystem
1 ino inode number
2 mode file mode (type and permissions)
3 nlink number of (hard) links to the file
4 uid numeric user ID of file's owner
5 gid numeric group ID of file's owner
6 rdev the device identifier (special files only)
7 size total size of file, in bytes
8 atime last access time in seconds since the epoch
9 mtime last modify time in seconds since the epoch
10 ctime inode change time in seconds since the epoch (*)
11 blksize preferred block size for file system I/O
12 blocks actual number of blocks allocated
Security Issues
The most common mode is 0755. This means that anyone using the same operating system as the one on your computer can read the source code of your ECMAScript file as well as execute it. However, if they were using the Internet, they would be able only to execute your file and not see the source code.
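To see what a given mode exposes, the mode value returned by stat can be decoded, as in this added example (it is not part of the original article). The function names and the policy in tighten (no write for the group, nothing for others) are assumptions made for illustration; 33188 is the mode from the sample stat object above.

```javascript
// The low 9 bits of stat().mode are the permissions; the higher bits
// encode the file type (0o100000 marks a regular file).
function describeMode(mode) {
  const perms = mode & 0o777;
  const letters = 'rwxrwxrwx';
  let symbolic = '';
  for (let i = 0; i < 9; i++) {
    symbolic += perms & (0o400 >> i) ? letters[i] : '-';
  }
  return { octal: '0' + perms.toString(8).padStart(3, '0'), symbolic };
}

// Report what the group (g) and others (o) classes are allowed to do.
function auditMode(mode) {
  const findings = [];
  if (mode & 0o020) findings.push('group can modify the file');
  if (mode & 0o002) findings.push('others can modify the file');
  if (mode & 0o004) findings.push('others can read the source');
  if (mode & 0o001) findings.push('others can execute the file');
  return findings;
}

// Assumed policy: clear write for the group and every permission for others.
function tighten(mode) {
  return mode & 0o777 & ~0o027;
}

console.log(describeMode(33188));               // { octal: '0644', symbolic: 'rw-r--r--' }
console.log(auditMode(0o755));                  // others can read and execute
console.log('0' + tighten(0o755).toString(8));  // 0750
```

The value returned by tighten can be passed straight to fs.chmodSync as its second argument.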
Well, that is it for this part of the series. We stop here and continue in the next part.
Chrys
Related Links
ECMAScript Basics
ECMAScript Operators
Expressions in ECMAScript
Statements in ECMAScript
Custom Objects in ECMAScript
Functions in ECMAScript
ECMAScript Date Object
The ECMAScript String Object
ECMAScript String Regular Expressions
ECMAScript Template Literal
The ECMAScript Array
ECMAScript Sets and Maps
ECMAScript Number
Scopes in ECMAScript
Mastering the ECMAScript (JavaScript) eval Function
Sending Email with ECMAScript
ECMAScript Insecurities and Prevention
Advanced Course
Advanced ECMAScript Regular Expressions
Promise in ECMAScript 2015
Generator in ECMAScript 2015
ECMAScript Module