-6

I am trying to disable a user from opening a file. The purpose is that when a user tries to open a specific file, he would not be able to.

Also, I want to be able to return the permissions and let the user open the file.

I only found ways to enable permissions: os.chmod(path, 0444), but I can not understand how to disable permissions.

Martin Tournoij
jonathan
    Could you show us what you tried with `os.chmod`? – L3viathan Mar 09 '16 at 14:49
  • 1
    Welcome to Stack Overflow! Can you please clarify what the problem is? "It doesn't work" is not very helpful. What exactly did you try? What happened? Do you get any errors? Please take a moment to read through [How do I ask a good question?](http://stackoverflow.com/help/how-to-ask). – Martin Tournoij Mar 09 '16 at 14:50
  • I only found ways to enable permissions: 'os.chmod(path, 0444)' – jonathan Mar 09 '16 at 14:51

1 Answer

12

A Unix permission primer:

Every file has a user. This is a user on the system. Every file also has a group. This is a group on the system. A user can be in one or more groups. A file has exactly one user and one group that "own" the file.[1]

So what does a number like 0444 mean?

The first number is used for some special flags such as sticky, setuid, setgid. We don't need to bother with that right now. Just remember to set it to 0.

The next three numbers indicate the three permissions: one for the user, group, and other (everybody that is not user or group), in that order.

To set the permissions we use a number from zero to seven (an octal number). This is actually a bitmask. 1 is for execute, 2 is for write, 4 is for read.

In a table it looks like:[2]

| N | Description                   | ls output |
|---|-------------------------------|-----------|
| 0 | No read, no write, no execute | `---`     |
| 1 | No read, no write, execute    | `--x`     |
| 2 | No read, write, no execute    | `-w-`     |
| 3 | No read, write, execute       | `-wx`     |
| 4 | Read, no write, no execute    | `r--`     |
| 5 | Read, no write, execute       | `r-x`     |
| 6 | Read, write, no execute       | `rw-`     |
| 7 | Read, write, execute          | `rwx`     |

read and write should be self-explanatory. execute means that you can run a file with ./ls (this is not a security measure, and can be circumvented by the way). Note that directories are also files on Unix systems such as Linux. A directory must have the execute bit set if you want to be able to cd into it.

The numbers you'll use most often are:

  • 7, for full access
  • 6, for full access except execute
  • 4, for read only.

So, if you look at your command os.chmod(path, 0444) we see that you've set read-only access for all users. This is not what you want.

The correct permissions depend on which user and group own the file. If the file does not belong to the user you want to disallow access to, and is not in the group that the file belongs to, you can use:

os.chmod(path, 0o440)  # 0o prefix: octal literal that is valid in both Python 2.6+ and Python 3

If we look at the table above, we see that it means:

  • Read, write, no execute for user.
  • Read, write, no execute for group.
  • NO permissions for other.

If the file does not belong to the user you want to disallow access to, and is in the group that the file belongs to, you can use:

os.chmod(path, 0o400)  # octal literal, valid in both Python 2.6+ and Python 3

This will make it readable for the user only. Note that this may have side-effects, as everyone else in the group can't read it now either.

However, if the file belongs to the user, then you need to change the file user. This can be done with the os.chown() function. e.g.:

import os
import pwd

# os.chown() takes numeric ids, not names: look the uid up and pass -1 to leave the group unchanged
os.chown(path, pwd.getpwnam('martin').pw_uid, -1)
os.chmod(path, 0o400)

[1]: You can use ACLs if you want to assign more users or groups to a file, but in >95% of cases there is no need to, and it only adds complexity that may be difficult to manage. It's often disabled by default.

[2]: Table lifted from the FreeBSD handbook.

Martin Tournoij
  • Thank you, but I guess I was not clear enough. My target is to create a system that works this way: when anyone tries to open a specific folder, it will not open and a login GUI that I created will pop up. Can you please help me? – jonathan Mar 09 '16 at 15:39
  • @jonathan The way to do that is to disallow access to the file for the user wanting to access it, and run a background process (daemon) as a different user which *does* have access to these files which will create such dialogs and send the files when needed. You can monitor file access with inotify or gamin. This requires some amount of programming and a full answer to this is somewhat beyond the scope of an SO answer... Such programs probably already exist in one form or another by the way. – Martin Tournoij Mar 09 '16 at 19:25
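Added example, not part of the answer above: it models the owner/group/other class selection that decides whether `0o440` or `0o400` actually blocks a given user, and applies both modes to a temporary file to read the bits back. The uids, gids and the "martin" owner are made-up values.

```python
import os
import stat
import tempfile

def select_class(mode, file_uid, file_gid, uid, gids):
    """Pick the ONE permission triplet the kernel consults for this caller.

    Owner class if the uid matches, else group class if the file's gid is among
    the caller's groups, else other. There is no fall-through: an owner with
    0o040 cannot read the file even though the group can. (Root, via
    CAP_DAC_OVERRIDE, is not modelled here.)
    """
    if uid == file_uid:
        return (mode >> 6) & 0o7
    if file_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_read(mode, file_uid, file_gid, uid, gids):
    """True if the selected class carries the read bit (4)."""
    return bool(select_class(mode, file_uid, file_gid, uid, gids) & 0o4)

def ls_string(mode):
    """Render the nine permission bits the way `ls -l` prints them."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out += ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")
    return out

def demo():
    """Apply the answer's two modes to a temp file and read them back via stat()."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o440)
        mode440 = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o400)
        mode400 = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.remove(path)
    return ls_string(mode440), ls_string(mode400)

if __name__ == "__main__":
    OWNER, GROUP, BLOCKED = 1000, 100, 1001   # constructed ids: martin, staff, the user to lock out
    print(demo())
    print(can_read(0o440, OWNER, GROUP, BLOCKED, [BLOCKED]))         # other class: blocked
    print(can_read(0o440, OWNER, GROUP, BLOCKED, [BLOCKED, GROUP]))  # group member: still reads
    print(can_read(0o400, OWNER, GROUP, BLOCKED, [BLOCKED, GROUP]))  # 0o400 closes that gap
    print(can_read(0o400, BLOCKED, GROUP, BLOCKED, [BLOCKED]))       # owner always reads: chown first
```

The last line is the case the answer's `os.chown()` step exists for: chmod alone cannot lock out the user who owns the file.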