Operating System Security

Each operating system has the inherent ability to place access limits on the files and directories within its file system. Web servers can leverage these security features to implement access control.

Windows 2003 and XP

To place access limits on the CFIDE directory in Windows 2003 and XP, follow these steps:

1.	Open Windows Explorer, and browse to the CFIDE directory.
2.	Right-click on CFIDE, and select Properties. This opens a properties sheet similar to the one shown in Figure 8.1. Figure 8.1. NTFS file permissions are set in the Security tab of the directory properties sheet.
3.	Select the Security tab.
4.	If you want to modify existing user/group permissions, proceed to step 6.
5.	If you want to add additional user/group permissions, click the Add button. This opens The Select Users or Groups window (Figure 8.2). Enter the user/group names in the text box provided and click OK. Figure 8.2. Select only the users who should be allowed to access this directory. Or you can click the Advanced button to search for users/groups to add. In the search results window, select the users/groups you want to add and click OK. Click OK again to close the Select Users, Computers, or Groups window.
6.	To modify existing user/group permissions, in the Security tab of the properties sheet select the user whose access you want to change. If you added additional users/groups, the last one added is currently selected.
7.	Click the appropriate check box in either the Allow or Deny column next to the permission you wish to control for this user. A shaded checkbox indicates an inherited permission, as shown in Figure 8.3. Figure 8.3. Explicitly allow or deny directory permissions. Shaded checkboxes indicate inherited permissions.
8.	If there are any users or groups in the list who should not have access, select them and click Remove.
9.	Click the Advanced button for access to special permissions and advanced settings. This opens the Advanced Security Settings dialog box (Figure 8.4). Figure 8.4. Secure subdirectories and files by allowing permissions to be passed along to child objects. If you want this directory to inherit the properties from the directory immediately above it (its parent), select the check box to "Allow inheritable permissions from the parent to propagate to this object and all child objects." If you want to secure all files in subdirectories below this one, check the Replace button. Check the box to "Replace permission entries on all child objects with entries shown here that apply to child objects."
10.	Click OK to close the advanced settings dialog box, and then again to close the directory properties window.

NOTE

To implement file permissions, the underlying file system must be NTFSnot FAT or FAT32.

Unix and Linux

Unix and Linux operating systems let administrators set the read, write, and execute permissions on individual files and directories. The permission structures are based on granting permissions to three types of users: owner, group, and all users. These permissions are identified in Table 8.1.

These permissions are combined to determine an individual's level of access. For example, if the owner has read and write permission, it can be expressed as rw- or the value 6. A user's read, write, and execute permissions can be expressed as rwx or 7, whereas no permission is expressed as - or 0.

Running the ls -l command at the command line shows the permissions for each file in the directory. These permissions are expressed as triplets, showing the owner's, group's, and all users' permissions. For example:

 $ls l myfile -rwxrw-r-- 1 root root 0 July 1 10:05 myfile 

shows that the file myfile has the following permissions:

 Owner: Read, Write, Execute Group: Read, Write Everyone: Read 

This is often also expressed numerically. In that case, the file would have a permission of 764.

In Unix, the chmod or change mode command is used to set permissions on files and directories. If you wanted to revoke the permission for everyone outside of the owner and group types, you would type the following:

 $chmod 760 myfile 

This tells the system to change the permissions mode on the file myfile to:

 Owner: Read, Write, Execute Group: Read, Write Everyone: none 

Running the same ls -l as before yields the following:

 $ls l myfile -rwxrw---- 1 root root 0 July 1 10:05 myfile 

This indicates that permissions for this file are no longer available to everyone.

If the file on which you are granting permissions is a directory, and you want all files in that directory to also inherit the new permissions, you can use the -R attribute of chmod to indicate that the system should recurse through the directory and assign the permissions to every file within it.