
How to set Magento file permissions


Overview
This article discusses how to set the proper permissions for files within a Magento installation.

Environmental considerations

Before installing Magento, first consider the environment in which you are hosting your site. On Linux, PHP scripts run in one of two main environments: under mod_php or an equivalent, or through an intermediate construct.

Mod_php or equivalent PHP scripts

PHP scripts that use mod_php or equivalent are executed as the webserver user. When your script is running, it can read and sometimes write with the same privilege level as the web server. This allows cross-account snooping in shared-hosting setups and is dangerous in shared environments, particularly in eCommerce.

PHP scripts running using an intermediate construct

Other PHP scripts use an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM, and so on. In this case, your scripts run under your own login, which offers a more secure overall configuration on a shared server, and our team prefers this setup.

This method is also preferred because Linux provides an extra level of security when the permissions are configured correctly. All of our shared Magento SIP plans provide this preferred environment, giving isolated user-based permissions, and therefore more strict file permissions.

Magento file permissions

You must have SSH access to execute any of the changes shown below. If you do not have SSH access, contact the Nexcess Support Team for assistance.

Linux permissions

The first of these changes to Linux permissions restricts writing privileges on all files in your Magento base directory to you; all others will only have reading privileges. The following command establishes a baseline in which the webserver itself can read all files. It will need read access to serve static content like images, CSS and JavaScript files:

find </path/to/magento> -type f -exec chmod 644 {} \;

The second of these changes to Linux permissions makes all directories in your Magento base directory listable, file-editable and navigable for you, while only navigable for all others:

find </path/to/magento> -type d -exec chmod 711 {} \;

The third change locks permissions for all PHP scripts so only you can read them. This is ideal because only you need to know the contents of scripts.

find </path/to/magento> -type f -name "*.php" -exec chmod 600 {} \;

Finally, we recommend restricting all access to your local Magento configuration files to yourself with the below command. Only the PHP scripts need to read these files and PHP is running under your login; therefore, you can disable access to all others. This will prevent other users from accessing sensitive information:

chmod 600 </path/to/magento/app/etc/*.xml>

Web-based software requirements

You may encounter web-based software that claims all file permissions must be set to 777, meaning the software has full read, write, and execute permissions for all files. This may be necessary for some directories, but is rarely the case for files. Permissions of 666, or read and write permissions for all, are adequate in these cases if more strict permissions cannot be set. In addition, the 777 permission sets the execute bit on files, though most web servers do not require it.
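
To check an existing installation against the four commands above without changing anything, the following added example (not part of the original article) reports every file or directory whose mode differs from what those commands would leave, and flags world-writable entries such as the 666 and 777 cases. The function names are hypothetical, and it assumes GNU find and stat on Linux and paths that contain no newlines.

```shell
#!/bin/sh
# Added example: read-only audit of a Magento tree against the article's scheme.
# Assumes GNU find/stat (Linux) and paths without embedded newlines.

# expected_mode ROOT PATH
# Prints the mode the article's four commands would leave on PATH.
expected_mode() {
    if [ -d "$2" ]; then echo 711; return; fi           # directories
    case "$2" in
        *.php) echo 600; return ;;                       # PHP scripts
        *.xml) if [ "$(dirname "$2")" = "$1/app/etc" ]; then
                   echo 600; return                      # app/etc/*.xml only
               fi ;;
    esac
    echo 644                                             # every other file
}

# audit_magento_perms ROOT
# Prints "actual (want expected) [WORLD-WRITABLE] path" for each deviation.
# Returns 0 when the tree matches the scheme, 1 otherwise.
audit_magento_perms() {
    root=${1%/}
    report=$(
        find "$root" \( -type f -o -type d \) -exec stat -c '%a %n' {} + |
        while read -r mode path; do
            want=$(expected_mode "$root" "$path")
            [ "$mode" = "$want" ] && continue
            case "$mode" in
                *[2367]) note=' WORLD-WRITABLE' ;;       # "others" write bit set
                *)       note='' ;;
            esac
            printf '%s (want %s)%s %s\n' "$mode" "$want" "$note" "$path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Call it as audit_magento_perms followed by the Magento base directory; a non-zero exit status means at least one entry deviates, which makes it usable in a cron job or deployment check.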

 
For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.