The operations that a user can perform on an object are based on the permissions that the user is granted for that object.
Each permission entitles a user to a specific set of operations on the current object, including all operations permitted by its child permissions. For example, the FULL CONTROL permission entitles the user to perform a set of operations, which includes those permitted by the DELETE and by the READ/WRITE permissions.
Refer to specific permissions with the constants defined by IPcdStandardPermissions .
Allowed Operations
The following is a list of permissions and the PCD operations that each permission enables. The PCD operations are generally performed on IPcdContext , IDeltaLink or IAclHandle objects.
Permission
Operations/Methods
OWNER
Includes all permissions for GRANT.
GRANT
IAclHandle.createAcl()
IAclHandle.removeAcl()
IAcl.createAclEntry()
IAcl.removeAclEntry()
IAcl.removeOwner()
This permission provides the same operations as OWNER. We recommend that you use OWNER instead.
FULL CONTROL
Includes all permissions for DELETE and READ/WRITE.
READ/WRITE
Includes all permissions for CREATE, READ and WRITE ATTRIBUTES.
DELETE
IPcdContext.destroySubcontext()
IPcdContext.unbind()
The above operations can be performed on a unit object. For subobjects of a unit, only WRITE ATTRIBUTES is required.
CREATE
IPcdContext.createSubcontext()
IPcdContext.bind()
IPcdContext.rebind()
IPcdContext.createDeltalink()
READ
Includes all permissions for LOOKUP and READ ATTRIBUTES.
WRITE ATTRIBUTES
IPcdContext.modifyAttributes()
For objects that are subobjects of a unit, the following can also be performed:
IPcdContext.destroySubcontext()
IPcdContext.unbind()
READ ATTRIBUTES
IPcdContext.getAttributes()
LOOKUP
IPcdContext.lookup()
IPcdContext.lookupLink()
IPcdContext.list()
IPcdContext.listBindings()
IPcdContext.search()
USE
Any of the above operations if the PCD is called in personalization mode (except for those defined by the GRANT permission).
Different options available for setting the permissions of files and directories in different hosting environments.
Permission basics
Setting permissions is one of the most basic elements of web security. Assigning the correct permissions to the files and directories helps prevent data theft and malicious intrusions. Permissions specify who and what can read, write, modify, and access content on your site.
There are two different methods to express permissions in Linux. Permissions may be expressed numerically or alphabetically. At Nexcess, we prefer to numeric permissions because they are easier to read.
Each file and directory will have three permission categories for all users: owner, group, and other. The owner group identifies the owner of the file or directory. The group identifies entities assigned to the file or directory. The category of other lists all entities who do not fall into the other two categories.
There are three permission types: read, write, and execute.
- Read: The capability to read contents. This is expressed as either the number 4 or letter r.
- Write: The capability to write or modify. This is expressed as either the number 2 or letter w.
- Execute: The capability to execute. This is expressed as either the number 1 or letter x.
It is critical to know the permissions of your files and directories. To list the contents of a directory and see the permissions, run this command"
ls -lThe output of this command would show a similar output to the following:
-rw-r--r-- 1 user user 418 Oct 20 23:59 index.phpThe columns in a directory listing like the one above are: permissions, number of links, owner, group, size, timestamp, and file or directory name.
Permissions
Number of Links
Owner
Group
Size
Timestamp (last modified time)
File or Directory Name
-rw-r--r--
1
user
user
418
Oct 20 23:59
index.php
In this example, the directory permissions, -rw-r--r--, can be divided into the three permission categories.
Owner
Group
Other
6
4
4
r + w
r
r
4 + 2 + 0
4 + 0 + 0
4 + 0 + 0
The permissions -rw-r--r-- translate into the numeric value 644. The read and write permissions’ numeric value is added to provide both read and write permissions to the owner category. Only the read permission is added to the group and other categories.
This is a breakdown of the combinations possible and the permissions they apply.
7 = 4 + 2 + 1 (read/write/execute)
6 = 4 + 2 (read/write)
5 = 4 + 1 (read/execute)
4 = 4 (read)
3 = 2 + 1 (write/execute)
2 = 2 (write)
1 = 1 (execute)
Restricting permissions
When setting permissions on your site, only provide the files and directories with as much access as they need. Open permissions like 777 give files and directories the unlimited capacity to modify and execute code, leaving your site vulnerable to attack. Files holding sensitive information should not be openly accessible, otherwise you risk compromising your site’s data and your visitor’s data.
For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.