Get Started
How to Set Magento 2 File Permissions for Secure Operations?

How to Set Magento 2 File Permissions for Secure Operations?

Magento Hosting

Are you having trouble managing file permissions in Magento 2? Magento 2 file permissions ensure your store runs smoothly and securely.

This tutorial will cover the key aspects of setting Magento 2 file permissions.

Best Magento Hosting now

Key Takeaways

  • Common types of commands to set or change permissions for files and folders.
  • Properly configured file and folder permissions that ensure your store operates securely & efficiently.
  • Performance impact of correct ownership to ensure smooth operations.
  • Insights into the role of the file system owner in proper ownership and permissions.
  • Recommended settings like 660 permissions for files and 770 permissions for directories.
  • Tips to using commands like chmod 660 for files and chmod 770 for directories.
  • Troubleshooting issues to minimize potential vulnerabilities and ensure your Magento store operates reliably.

Why Proper Magento 2 Permissions Matter for Security?

1. Prevention of Unauthorized Access

Proper file permissions in Magento 2 create a strong security barrier. They prevent unauthorized users from accessing sensitive files and directories.

Setting 644 permissions on configuration files like app/etc/config.php allows the owner to read and write, while others can only read. It prevents malicious users from modifying critical configuration settings.

Using 770 permissions for sensitive directories like var/session ensures that only the owner and group have full access, while others have no access at all. It protects session data from being compromised.

2. Protection Against Common Attacks

proper file permissions in magento 2 protecting against unauthorized access and common attacks

  • Block file modification attempts by malicious actors.
  • Prevent unauthorized code injection.
  • Stop directory traversal attacks.
  • Protect sensitive configuration files.
  • Secure customer and payment data.

3. System Stability Benefits

Setting correct Magento file system owner permissions ensures:

  • Clean separation between system processes
  • Script execution by setting 755 permissions on core directories
  • Potential conflict prevention between different system processes
  • Stable deployment procedures
  • Accidental modification elimination during runtime for more predictable and stable deployments
  • Reliable cache management
  • Smooth update processes
  • Consistent backup operations

4. Security Zones for the Correct File Setup

  • Use automation tools/scripts to audit regularly & correct permissions in these critical areas.
  • Implement file integrity monitoring for high-security zones to detect any unauthorized changes.
  • Consider using SELinux or AppArmor for an extra layer of security, especially for sensitive areas like the vendor directory.

Below is a detailed breakdown of file permission security zones to consider:

Directory/File Type Security Priority Why It Matters
app/etc/env.php High Contains database credentials and encryption keys
var/report Medium Stores error logs that could expose system details
pub/media Medium-High Prevents unauthorized file uploads
vendor High Protects core files from tampering
app/code High Secures custom modules and core functionality

5. Real-World Impact

real-world benefits of correctly setting file permissions in magento 2 for secure operations

Incorrect file permissions can lead to:

  • Security breaches
  • Data leaks
  • System crashes
  • Failed updates
  • Compromised customer information

6. Performance and Maintenance

optimized performance and maintenance benefits with proper magento 2 file permissions

Correct permissions also impact:

  • Cache generation speed
  • Static asset generation
  • Static content deployment
  • Module installation process
  • System upgrade procedures
  • Backup creation efficiency

6 Common Magento 2 File and Folder Permission Types

Permission Code What It Does When to Use Security Level Common Use Cases
644 Owner: Read/Write
Others: Read		 - Configuration files
- PHP scripts
- Template files		 Medium - app/etc/config.php
- Theme files
- Static content
755 Owner: Full control
Others: Read/Execute		 - Directories needing navigation
- Public folders		 Medium-High - bin directory
- pub/static
- Setup directories
660 Owner: Read/Write
Others: No access		 - Sensitive data files
- Integrated configurations		 High - env.php
- Database credentials
- API keys
770 Owner: Full control
Others: No access		 - Private directories
- System-sensitive folders		 Very High - var/session
- Custom modules
- Private media
664 Owner/Group: Read/Write
Others: Read		 - Log files
- Cache files
- Shared resources		 Medium-Low - var/log
- var/cache
- Generated code
775 Owner/Group: Full control
Others: Read/Execute		 - Shared execution directories
- Web server-accessible folders		 Medium - pub/media
- Script directories
- Deployment files

How to Set Up File System Permissions for Magento 2 Development and Production?

Proper file system ownership is a must for both development and production environments. Using two users enhances security by separating administrative tasks from web server operations.

The role of file system users includes:

  • Web Server User: Handles the admin panel and storefront operations.

  • Command-Line User: Executes Commerce cron jobs and utilities via the server.

When appropriately configured, this setup ensures efficient & secure ownership management for production systems.

File system ownership varies based on your server setup:

1. Single User

  • Common for shared hosting providers where only one user account is available.
  • Users can log in, transfer files via FTP, and run the web server.

2. Two Users (Recommended)

  • Ideal for self-hosted environments or dedicated servers in Magento.
  • One user manages file transfers and command-line operations.
  • A separate user runs the web server software.

Magento 2 Directory Structure Configurations for Default File Permission Mask

Directory Default Permission Mask Purpose Access Requirements
app/etc 660 Configuration Files - Owner/Group: Read/Write
- Contains sensitive configs like env.php
- Requires highest security
var 770 Dynamic Data - Stores cache, logs, sessions
- Needs web server write access
- Requires temporary file creation
pub/static 775 Public Assets - Frontend static files
- Requires public read access
- Web server write permissions
vendor 660 Core Files - Third-party modules
- Limited access needed
- Vital for security
app/code 770 Custom Code - Custom modules
- Development files
- Restricted access essential
pub/media 777 Media Storage - Uploaded content
- Public access needed
- Web server write access required

How to Configure Magento File Permissions and Ownership for Production?

1. File System Ownership for Shared Hosting (Single User)

When using shared hosting, you must log in to your Commerce server as the same user who runs the web server. It is common in shared hosting environments.

For better security, deploy Commerce on a private server when possible.

i. Developer Mode

The following directories must be writable by the user:

  • vendor
  • app/etc
  • pub/static
  • var
  • Any other static resources
  • generated/code
  • generated/metadata
  • var/view_preprocessed

Note: Set permissions using either:

  • The command line
  • A file manager application provided by your hosting provider

ii. Production Mode

To enhance security in production mode:

  • Remove write access from the following directories:

  • vendor

  • app/code

  • app/etc

  • pub/static

  • Any other static resources

  • generated/code

  • generated/metadata

  • var/view_preprocessed

Make the directories writable only when updating components or upgrading Commerce software.

Note: To adjust permissions, follow these commands:

a. Remove write permissions:

find app/code var/view_preprocessed vendor pub/static app/etc generated/code generated/metadata \( -type f -or -type d \) -exec chmod u-w {} + && chmod o-rwx app/etc/env.php

b. Make directories writable again using the command below:

chmod -R u+w

2. File System Ownership for Private Hosting (Two Users)

If you use a private server, configure two users:

i. Web Server User

  • Manages Magento admin and storefront operations.
  • Lacks a shell for direct login.

ii. Command-Line User

  • Runs CLI commands and cron jobs.
  • Also referred to as the file system owner.

Note: It is recommended that a shared group be created to allow both users access to the duplicate files.

iii. Default or Developer Mode

Directories that must be writable by both users include:

  • var
  • generated
  • pub/static
  • pub/media
  • app/etc

Set the setgid bit on directories to inherit permissions from the parent directory:

find var generated pub/static pub/media app/etc -type d -exec chmod g+ws {} +

iv. Production Mode

To secure production environments, remove write access from sensitive directories like:

  • vendor
  • app/code
  • app/etc
  • lib
  • pub/static
  • generated/code
  • generated/metadata
  • var/view_preprocessed

Remove write permissions using:

find app/code lib pub/static app/etc generated/code generated/metadata var/view_preprocessed \( -type d -or -type f \) -exec chmod g-w {} + && chmod o-rwx app/etc/env.php

How to Automate and Set Default Permissions for Newly Created Files in Magento 2?

Component Default Setting Implementation Purpose & Security Impact
Umask Setting 002 (775/664) Create magento_umask in the root. - Ensures consistent permission structure
- Base security template for new files
Directory ACLs 775 find . -type d -exec chmod 755 {} \; - Allows necessary group access
- Maintains directory navigation security
File ACLs 664 find . -type f -exec chmod 644 {} \; - Restricts write access
- Protects file integrity
Sensitive Directories 777 chmod 777 -R var/ generated/ pub/static/ - Enables system operations
- Required for cache and media handling
Configuration Files 660 chmod 644 ./app/etc/*.xml - Protects sensitive data
- Limits access to sensitive configs
Executable Files u+x chmod u+x bin/magento - Enables CLI operations
- Maintains command execution security
Cache Files 664 Auto-generated - Optimizes performance
- Balances access needs
New Modules 664 Inherited - Maintains installation consistency
- Standardizes security
Media Files 664 Dynamic - Enables content management
- Protects uploaded assets
Generated Code 664 System - Allows compilation
- Prevents unauthorized access
Web Server Access Group permissions chown -R :<web server group> - Balances access and security
- Enables proper server operation

4 Steps to Specify Files or Directories Read-Only

  1. Access your Magento server using your credentials.
  2. Move to the root directory of your Magento installation.
  3. Run the following command to enable production mode:

bin/magento deploy:mode:set production

  1. Use this command to make code files and directories read-only:

find app/code var/view_preprocessed vendor pub/static app/etc generated/code generated/metadata \( -type f -or -type d \) -exec chmod u-w {} + && chmod o-rwx app/etc/env.php && chmod u+x bin/magento

How to Use Correct File Permissions for the Magento One File System Owner?

Component Permission Setting Performance Impact Security Considerations
Standard Files 644 - Reduced permission checking overhead
- Faster file reading
- Optimized file access patterns		 - Owner read/write access
- Other read-only access
Core Directories 755 - Improved navigation speed
- Simplified cache operations
- Better module loading		 - Controlled execution permissions
- Protected directory structure
Temporary Directories 770 - Enhanced cache performance
- Improved static content deployment
- Quick file generation		 - Restricted to owner/group
- No public access
Configuration Files 660 - Faster config loading
- Optimized access patterns
- Efficient updates		 - Maximum security for sensitive data
- No public access
Media Directory 775 - Optimized asset delivery
- Improved static content deployment
- Enhanced upload speed		 - Controlled write access
- Protected media assets
var Directory 770 - Better caching performance
- Simplified operations
- Quick log writing		 - Secure log storage
- Protected cache files
app/etc 660 - Fast configuration reads
- Reduced overhead checks
- Efficient updates		 - Protected database credentials
- Secured encryption keys
Generated Code 664 - Optimized code compilation
- Enhanced deployment speed
- Faster page loading		 - Controlled access to generated files
- Protected compiled code

3 Steps to Update Magento Configurations & Make Directories Writable by the Web Server

  1. Sign in to your Magento server with your credentials.
  2. Access the root directory where your Magento installation resides.
  3. Run the following command to make files and directories writable:

chmod -R u+w

Security Best Practices for Using Pre-Installation Ownership and Permissions in Adobe Commerce

Directory/Files Base Permission Command Security Purpose Verification Steps
Root Directory admin:www-data chown -R admin:www-data /var/www/magento2 - Establishes proper ownership
- Controls access hierarchy
- Enables secure deployment		 ls -l /var/www/magento2
All Files 640 `find /var/www/magento2 -type f -print0 xargs -r0 chmod 640` - Restricts file access
- Prevents unauthorized modifications
- Maintains data integrity
All Directories 750 `find /var/www/magento2 -type d -print0 xargs -r0 chmod 750` - Controls directory access
- Enables navigation
- Secures folder structure
pub/var directories g+w chmod -R g+w /var/www/magento2/{pub,var} - Enables media uploads
- Allows cache operations
- Maintains performance		 ls -l pub/ var/
Web Installation Files g+w chmod -R g+w /var/www/magento2/{app/etc,vendor} - Facilitates installation
- Enables config writes
- Allows module setup		 ls -l app/etc/ vendor/
Sensitive Files 660 Manual setting per file - Protects sensitive data
- Limits access scope
- Secures configurations		 stat [filename]
Sensitive Folders 770 Manual setting per directory - Controls sensitive operations
- Maintains security
- Enables necessary functions		 stat [dirname]
System Files 644 Default for new files - Balances access needs
- Maintains security
- Enables operations		 umask check

4 Steps to Fix File Permission Errors for Changing the Permissions of the Magento Admin

Step 1: Configure Magento 2 pub/static Permission Command

Temporary & media directories need 777 permissions for proper functionality. Use the following commands to ensure public access for them (e.g.,/var, /pub/media, /pub/static):

find ./var -type d -exec chmod 777 {} \; find ./pub/media -type d -exec chmod 777 {} \; find ./pub/static -type d -exec chmod 777 {} \;

Step 2: Fix Bin/magento Permission Denied Errors

This error occurs when the file lacks execute permissions. Follow these steps to resolve it:

  1. Open the terminal.
  2. Navigate to the folder containing the file.
  3. Run the command to add execute permissions using:

chmod +x path_to_file/file_name

Step 3: Resolve Magento 2 File Permission Check Failures

When directories are not writable by the web server user, the Web Setup Wizard displays errors. Ensure the following prerequisites:

  • Magento is installed at /var/www/html/.
  • Command-line access is available.

Follow these steps to resolve the below:

  1. Open the terminal and navigate to the Magento root directory using:

cd /var/www/html/magento

  1. Change directory permissions using the command given below:

sudo chmod 777 -R var/ generated/ pub/

Step 4: Reset Magento 2 File Permissions

  1. Navigate to the Magento root directory using the following command:

cd <your Magento install dir>

  1. Apply file and folder-specific permissions using these commands:

find . -type f -exec chmod 644 {} \; # 644 for files find . -type d -exec chmod 755 {} \; # 755 for directories chmod 644 ./app/etc/*.xml chown -R :<web server group> chmod u+x bin/magento

Troubleshooting Unix-like Operating Systems to Change and Run Magento Command File Permissions

Error Type Symptoms Solution Command Verification Method
Permission Denied Cannot access files/directories chown -R www-data:www-data /var/www/magento2 && find . -type f -exec chmod 660 {} \; ls -la
Write Access Error Can't write to var/generated find var vendor generated pub/static pub/media app/etc -type d -exec chmod 775 {} \; find /var/www/magento2 -type d -ls
Command Execution bin/magento not executable chmod u+x bin/magento ls -l bin/magento
Cache Generation Unable to generate cache chmod -R g+w /var/www/magento2/{pub,var} find var -ls
Theme Installation Generated directory issues find . -type f -exec chmod 644 {} \; && find . -type d -exec chmod 755 {} \; ls -la generated/
Configuration Access Can't write to app/etc chmod 644 ./app/etc/*.xml stat app/etc/env.php
Log File Access Cannot write to var/log find var/log -type d -exec chmod 770 {} \; ls -l var/log
Media Upload Cannot upload to pub/media chmod -R g+w pub/media find pub/media -ls
Full Reset Multiple permission issues find . -type f -exec chmod 644 {} \; ls -la
Directory Structure Incorrect directory permissions find . -type d -exec chmod 755 {} \; find . -type d -ls
Ownership Issues Wrong file ownership chown -R :<web server group> . ls -ln

FAQs

1. How do 770 permissions give full control in Magento?

770 permissions give full control to the owner and group. Others have no access, ensuring secure operations. These permissions allow authorized users to read, write, and execute files or directories.

2. What happens if users do not have permissions in Magento?

When users have no permissions, they cannot access directories. Only the owner and the group can read and write the file, ensuring restricted access.

3. How are permissions of a specified file changed in Magento?

Permissions of the specified file can be changed using the command line or a file manager provided. Both methods allow quick updates to file access settings.

4. What does 660 permissions mean the owner can do?

660 permissions mean the owner can read and write the file. The group has the same access, while others have no permissions.

5. How does a file creation mask from the default permissions work?

A file creation mask sets the default file permissions. It applies a permissions mask to the specified files and directories during creation, limiting access.

6. How can permissions of the directory be updated?

The permissions for the directory can be updated using command-line commands in Magento. It allows the file or directory to inherit specific access levels for users.

7. What is the role of the owner of the Magento file?

The owner of the Magento file manages its file permissions. Depending on the assigned access level, the file can be read, written, or executed.

CTA

Summary

Magento 2 file permissions ensure smooth performance with proper file permissions. It allows store owners to:

  • Set ownership and permissions to avoid incorrect permission issues that can prevent updates.
  • Maintain their Magento store’s performance and security.
  • Ensure correct ownership and avoid common errors.
  • Protect files and folders from unauthorized access.
  • Improve security and performance with correct settings.
  • Secure the functionality of your store.
  • Avoid 777 permissions to prevent unauthorized access and security risks.
  • Prevent unauthorized access to their store.
  • Create a file permission to ensure & prevent unauthorized access to your files & folders.

Keep your store secure & optimized by configuring file permissions with managed Magento hosting.

Dikshya Shaw
Dikshya Shaw
Technical Writer

Dikshya leverages her content marketing and writing proficiency to deliver fresh, insightful content. Her meticulous research ensures industry expertise and emerging trends within the Magento landscape.

Get the fastest Magento Hosting! Get Started