Magento has come under a lot of criticism because its Magento Connect Manager requires “chmod 777” permissions across your files and folders in order to work correctly. This is obviously rather risky from a security point of view, and here’s why:
You should never ever set 777 (read, write and execute for everyone) permissions on a file or folder, because if a rootkit makes its way onto the server, 777 would give it permission to be executed (meaning very bad times indeed). By making anybody able to execute things on your server, you ensure that if the server is compromised, for example via a file upload script or an SQL injection that ends up storing malicious code somewhere on your web server, that code can be executed, and who knows what could happen then; that depends on the malicious code itself, of course. So you have been warned!
If you set your writeable folders to “chmod 775” and your writeable files to “chmod 664”, Magento will be able to use these files and folders with Magento Connect Manager absolutely fine. Plus, you don’t have the added risk of exposing the execute permissions to anybody. You can quickly set the file and folder permissions to these settings via SSH with the following commands:
find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;
These two commands recursively set folders to 775 and files to 664 inside your current directory, so if you want to run them over the whole store, change directory to your Magento root folder before running them. Alternatively, you can do this via your FTP client, although this will take slightly longer than doing it via SSH.
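The same 775/664 change with a before-and-after check for world-writable entries, as an added example that is not part of the original post. The function names are hypothetical, and the script assumes a POSIX shell with find and chmod on the server.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print every file or directory under $1 that is writable by "other",
# which is the bit that 777 (and 666) leaves open.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under $1 (assumes no newlines in names).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the modes from the article: 775 for folders, 664 for files.
# "-exec ... {} +" batches many paths into each chmod call. find does not
# follow symlinks by default, so link targets outside the tree are untouched.
apply_magento_modes() {
    find "$1" -type d -exec chmod 775 {} + &&
    find "$1" -type f -exec chmod 664 {} +
}

# Print anything that does not have exactly the expected mode afterwards.
list_unexpected_modes() {
    find "$1" \( \( -type d ! -perm 775 \) -o \( -type f ! -perm 664 \) \) -print
}

# Usage: script.sh /path/to/store        report only
#        script.sh /path/to/store --fix  report, change modes, verify
if [ -n "${1:-}" ]; then
    echo "World-writable entries before: $(count_world_writable "$1")"
    if [ "${2:-}" = "--fix" ]; then
        apply_magento_modes "$1"
        echo "World-writable entries after: $(count_world_writable "$1")"
        list_unexpected_modes "$1"
    fi
fi
```

Run it without --fix first to see what would change; any path printed after a fix is one that chmod could not set, usually because the file belongs to another user.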
If this approach doesn’t work with your Magento Connect Manager, contact your web host and ensure that the group ownership of all the files on your store is set to apache and that your server is running PHP as an apache module (not as a CGI binary).
Hopefully you can now use your Magento installation properly, with Magento Connect Manager functioning, while keeping your file and folder permissions secure.
Posted in Magento
Tagged Website Security