Currently, I’m with a company who wants to switch to magento for all of our ecommerce customers. Unfortunately, because magento requires such strange file permissions for an install, it takes us quite some time to install the program. We have never been hacked by anyone, until we installed a copy of magento to our server.
Is it possible to install magento, and update through magento connect without having to set any permissions to 777?
Can the permissions be set back to a more secure set once magento has been installed?
Is there a safer, yet just as automated way to install updates into magento?
If you are concerned about security, I suggest you to enable suPHP/suEXEC in the server, as it uses 755 instead of 777, which is uses “user” instead of “nobody” for writing.
I installed on my server without using 777. I followed the command line instructions I found in the Wiki (the only way I found to get it to actually install). But I skipped the last commands that set everything to open permissions.
Then I tried a few things in the backend. It wouldn’t load the javascript, so none of the menus worked. Basically, I monitored the error log to see which directories it didn’t like. There are just a few that you have to remove the group write permission from in order for Magento to work.
I have used Magento Connect and it works too, so I don’t understand why the recommendation is to open it up to 777.
