Using File Permissions

The access permissions for each UNIX file control who may read, write, or execute the file. These access permissions may be set only by the owner of the file or by the superuser. The permissions of the directory in which the file resides can also affect the access permissions for a file. Note that if the permissions for a directory allow anyone to write in the directory, then files within that directory may be removed even by a user who does not have read, write, or execute permission for those files.

If your application warrants the use of record locking, make sure that the permissions on your files and directories are also set properly. A record lock, even a mandatory record lock, protects only the records that are locked, while they are locked. Other parts of the files can be corrupted if proper precautions are not taken.

Only a known set of programs and/or users should be able to read or write a database. This can be enforced through file permissions as follows:

  1. Using the chown facility (see the chown(1) and chown(2) reference pages), set the ownership of the critical directories and files to reflect the authorized group ID.

  2. Using the chmod facility (see also the chmod(1) and chmod(2) reference pages), set the file permissions of the critical directories and files so that only members of the authorized group have write access ("775" permissions).

  3. Using the chown facility, set the accessing program executable files to be owned by the authorized group.

  4. Using the chmod facility, set the set-GID bit on each accessing program executable file and permit execution by anyone ("2755" permissions).

Users who are not members of the authorized group cannot modify the critical directories and files. However, when an ordinary user executes one of the accessing programs, the program automatically adopts the group ID of its owner. The accessing program can therefore create and modify files in the critical directory, while other programs started by an ordinary user cannot.
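The four-step setup above, as an added example that is not part of this document: a shell script that applies the steps to a hypothetical data directory and accessing program and then audits the result, flagging any file or directory whose group or mode differs from what the steps prescribe. The function names, the `db`/`dbprog` layout, a flat data directory, and GNU coreutils (`stat -c`, `chown :GROUP`) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: apply the four steps to a
# hypothetical database directory and accessing program, then audit the
# result. GNU coreutils (stat -c, chown :GROUP) are assumed.
set -eu

# Numeric group id and octal mode (set-GID bit included) of a path.
gid_of()  { stat -c '%g' "$1"; }
mode_of() { stat -c '%a' "$1"; }

# setup_db_perms GID DIR PROGRAM: steps 1-4 from the text.
setup_db_perms() {
    grp=$1 dir=$2 prog=$3
    chown -R ":$grp" "$dir"                     # 1. group-own data dir and files
    chmod 775 "$dir"                            # 2. only the group may write
    find "$dir" -type f -exec chmod 775 '{}' +  #    (775 on files, as the text gives)
    chown ":$grp" "$prog"                       # 3. group-own the accessing program
    chmod 2755 "$prog"                          # 4. set-GID, executable by anyone
}

# audit_db_perms GID DIR PROGRAM: print "ok" and return 0 when the layout
# matches the text; otherwise print each violation and return 1.
audit_db_perms() {
    grp=$1 dir=$2 prog=$3 rc=0
    for p in "$dir" "$dir"/*; do              # flat data directory assumed
        [ -e "$p" ] || continue
        [ "$(gid_of "$p")" = "$grp" ] || { echo "$p: group $(gid_of "$p"), want $grp"; rc=1; }
        [ "$(mode_of "$p")" = 775 ]   || { echo "$p: mode $(mode_of "$p"), want 775"; rc=1; }
    done
    [ "$(gid_of "$prog")" = "$grp" ] || { echo "$prog: group $(gid_of "$prog"), want $grp"; rc=1; }
    [ "$(mode_of "$prog")" = 2755 ]  || { echo "$prog: mode $(mode_of "$prog"), want 2755"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Demonstration on a scratch layout; the "authorized group" is the
# caller's own primary group so the script runs unprivileged.
demo() {
    top=$(mktemp -d)
    mkdir "$top/db"
    echo 'record 1' > "$top/db/records"            # constructed data file
    printf '#!/bin/sh\necho accessing\n' > "$top/dbprog"   # stand-in program
    setup_db_perms "$(id -g)" "$top/db" "$top/dbprog"
    audit_db_perms "$(id -g)" "$top/db" "$top/dbprog" || echo "audit failed"
    rm -rf "$top"
}
demo
```

Running `audit_db_perms` against a directory that has since been made world-writable reports the mode violation, which is the condition the first paragraph warns about.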