File Permissions & Associated Security Risks with Magento


Magento has come under a lot of criticism because its Magento Connect Manager requires "chmod 777" permissions across your files and folders in order to work correctly. This is obviously rather risky from a security point of view, and here's why:

Why you should never use "777" permissions

You should never, ever set 777 (read, write and execute for everyone) permissions on a file or folder, because if a rootkit makes its way onto the server, 777 would give it permission to be executed (meaning very bad times indeed). By making anybody able to execute things on your server, you risk the following: if your server is compromised, for example via a file upload script or a SQL injection that ends up storing malicious code somewhere on your web server, that code can then be executed, and who knows what happens after that, depending on the malicious code itself. So you have been warned!

Using Magento with safe permissions

If you set your writable folders to "chmod 775" and your writable files to "chmod 664", Magento and Magento Connect Manager will work with these files and folders absolutely fine, and you don't have the added risk of exposing execute permissions to everybody. You can quickly set the file and folder permissions to these values via SSH with the following commands:

find . -type d -exec chmod 775 {} \;
find . -type f -exec chmod 664 {} \;

These two commands recursively set folders to 775 and files to 664 inside your current directory, so if you want to run this over the whole store, change to your Magento root folder before running them. Alternatively you can do this via your FTP client, although that takes longer than doing it via SSH.

If this approach doesn't work with your Magento Connect Manager, contact your web host and ensure that the group ownership of all the files in your store is set to the web server's group (apache) and that your server is running PHP as an Apache module (not as a CGI binary).
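The procedure above as a script, added here as an example and not code from the original post: it applies the 775/664 scheme to a tree, then checks that nothing is left world-writable (the bit that 777 hands to everyone) and that every entry belongs to the web server's group. The group name is passed in by the caller (the post says apache; Debian and Ubuntu use www-data) and the demo tree under mktemp is a constructed stand-in for a Magento root.

```shell
#!/bin/sh
# Added example, not from the original post. Harden a Magento tree with the
# 775/664 scheme, then audit it from a defender's point of view.
# Assumptions: the expected group name is supplied by the caller, and the
# demo below builds a throwaway tree with mktemp so it runs anywhere.

# Recursive 775 for directories, 664 for files. "{} +" batches paths into a
# few chmod calls; the post's "{} \;" form runs chmod once per path.
harden_tree() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Report anything still writable by "other" (octal 002, the bit 777 grants to
# everyone). Prints offenders and returns 1 if any exist, 0 when clean.
audit_world_writable() {
    offenders=$(find "$1" -perm -002)
    if [ -n "$offenders" ]; then
        printf 'World-writable entries:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Report entries not owned by the expected group: 775/664 only let Magento
# Connect Manager write if the web server is in that group.
audit_group() {
    wrong=$(find "$1" ! -group "$2")
    if [ -n "$wrong" ]; then
        printf 'Not in group %s:\n%s\n' "$2" "$wrong"
        return 1
    fi
    return 0
}

# Demo on a constructed tree mimicking the folders the post talks about.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/media/catalog/product" "$demo_root/var/cache"
printf 'x' > "$demo_root/media/catalog/product/sample.jpg"
printf '<?php\n' > "$demo_root/index.php"
chmod -R 777 "$demo_root"      # the insecure starting state the post warns about
harden_tree "$demo_root"
audit_world_writable "$demo_root" && echo "OK: nothing world-writable"
audit_group "$demo_root" "$(id -gn)" && echo "OK: group ownership consistent"
rm -rf "$demo_root"
```

Run the two audit functions against your real Magento root (with the web server's group name) after any deploy or extension install to catch folders that have drifted back to 777.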

Hopefully you can now use your Magento installation freely, with Magento Connect Manager functioning, while keeping your file and folder permissions secure.


  • Tom

    I'm facing an issue with permissions in Magento. My extension has a user image upload; in order for this to function, media/catalog/product and its subfolders need 777 permissions. Any way around this, or is it OK if it's only these folders?

    • Bas Mostert

      It depends on your hosting setup. If the user account that you log in with via FTP is in the same Unix user group as your web server (on Ubuntu Linux installations, the Apache web server runs under a username and group name of www-data), you can use 775 for your permissions. Permissions of 775 mean that the Unix group (and therefore all users within it) have read, write and execute permissions on that file/directory.

      If you do not have control over your user group assignments and your user account is not in the same Unix group as the web server, there is unfortunately no way around having to assign 777 to media/catalog/product.