Magento Imagine Awards 2019 Finalist

File Permissions & Associated Security Risks with Magento

by iWeb

Magento has been under a lot criticism for it’s Magento Connect Manager requiring “chmod 777” permissions across your files and folders in order for it to work correctly, this is obviously rather risky from a security point of view and here’s why:

Why you should never use “777” permissions

You should never ever set 777 (read write execute to all) permissions on a file/folder, because if a rootkit makes it’s way into the server – then 777 would give it permission to be executed (meaning very bad times indeed). Effectively by making anybody able to execute stuff on your server, if your server gets compromised for example via a file upload script or a SQL injection, ending up in malicious code being stored somewhere on your web server somewhere, this could mean that this code is able to be executed and who knows what could happen then – depending on the malicious code itself of course. So you have been warned!

Using Magento with safe permissions

If you set your writeable folders to “chmod 775” and your writeable files to “chmod 664” this will allow Magento to use these files and folders with Magento Connect Manager absolutely fine. Plus you don’t have the added risk of exposing the execute permissions to anybody. You can quickly set the file and folder permissions to these settings via SSH with the following command:

find . -type d -exec chmod 775 {} ;
find . -type f -exec chmod 664 {} ;

These two commands would recursively set the folders to 775 and files to 664 permissions inside your current directory, so if you wanted to run this over the whole store, change directory to your Magento root folder before running it. Alternatively you can do this via your FTP client, this will take slightly longer than doing it via SSH though.

If this approach this doesn’t work with your Magento Connect Manager, contact your web host and ensure that all the files on your store have the group permissions to all the files set to apache and that your server is running PHP as an apache module (not as a CGI binary).

Hopefully now you can freely use your Magento installation properly with Magento Connect Manager functioning, but keeping your file and folder permission secure.

Subscribe via email

Sign up to get notifications of new posts by email.

Share this article

Posted in Magento

Tagged

Other posts you might like

Secure from the start

by Phil Wylie

Kieran O’Shea, open source enthusiast and author of the Calendar plugin gave a talk at WordCamp Edinburgh 2012 on methods…

What We Learned at Mage Titans Manchester 2016

by Andrew McCombe

Last Saturday 12th November myself and eight of my teammates donned our iWeb hoodies, packed our rain macs and headed…

10 Ways to Show Your Magento Site ❤ This Valentine’s Day

by Andrew Pemberton

Stuck for what to get your loved one this Valentine’s Day? Don’t worry, we’ve got your back. Here’s 10 Magento…

Contact us by phone.

Call us on 01785 279920

Our friendly Magento experts are happy to answer your questions.

Follow us!

Get the latest eCommerce news, reviews and expert advice in your inbox.

To find out more about how we use your data, read our Privacy Policy